A new trojan popped up at several torrent sites a few weeks ago, one that blocks access to The Pirate Bay and Mininova, while informing its victims that “downloading is wrong.” The trojan edits the hosts file on Windows machines, and redirects the BitTorrent sites to localhost, making them impossible to load.
The trojan in question (Troj/Qhost-AC), identified by anti-virus company Sophos, is a rather unusual one. It doesn’t seem to install spyware or traditional malware, but instead blocks access to the two most popular BitTorrent sites.
It turned out that the trojan originated from a keygen supplied with a copy of pirated software. Instead of generating a key, it modified the hosts file of the computer so that it redirects The Pirate Bay, Suprbay (The Pirate Bay forums) and Mininova to 127.0.0.1, which means that the sites never load.
The bad torrent was removed from The Pirate Bay soon after users commented that the key generator didn’t work, but it is safe to assume that this is not the first and only attempt to spread a trojan like this one.
The question remains: who is behind this? While some might argue that the MPAA, RIAA or other anti-piracy advocates might be the source, we think it more likely that the attack originates from a relatively innocent prankster targeting pirates.
The good news is that it is fairly easy to fix: manually removing the entries from the hosts file solves the problem.
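The manual cleanup described above can be checked with a short script. This is an added example, not code from the article or from Sophos: it parses hosts-file text, reports every non-local hostname pinned to a loopback or unspecified address, and returns the file with those names removed. The `.example` hostnames and the sample file are constructed placeholders; on Windows the real file is normally `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Names that legitimately resolve to loopback in a stock hosts file.
BENIGN = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def _is_sinkhole(addr):
    """True for loopback (127.0.0.0/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text):
    """Return (suspicious, cleaned_text): suspicious lists (line, address, name)
    for non-local names pinned to loopback/unspecified; cleaned_text drops them."""
    suspicious, kept = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        body, sep, comment = line.partition("#")   # strip inline comments
        fields = body.split()
        if len(fields) < 2 or not _is_sinkhole(fields[0]):
            kept.append(line)                      # comment, blank or unrelated entry
            continue
        addr, names = fields[0], fields[1:]
        bad = [n for n in names if n.lower() not in BENIGN]
        suspicious += [(lineno, addr, n) for n in bad]
        good = [n for n in names if n.lower() in BENIGN]
        if not bad:
            kept.append(line)
        elif good:                                 # mixed line: keep only benign names
            kept.append(" ".join([addr] + good) + (" #" + comment if sep else ""))
    return suspicious, "\n".join(kept) + "\n"

# Constructed sample; the .example hostnames are placeholders, not from the article.
SAMPLE = """# Constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 torrent-site-a.example
127.0.0.1 localhost forum.torrent-site-a.example # mixed line
127.0.0.1\ttorrent-site-b.example www.torrent-site-b.example
192.0.2.10 intranet.example
"""

if __name__ == "__main__":
    findings, cleaned = audit_hosts(SAMPLE)
    for lineno, addr, name in findings:
        print(f"line {lineno}: {name} -> {addr}")
    print(cleaned, end="")
```

Deliberate blocklist entries (for example ad-blocking hosts files) match the same pattern, so review the findings before writing the cleaned text back.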