There are some torrrents showing up with .lnkextension (ex: movie.mp3.lnk, tvshow.mkv.lnk…) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).

These (fake) torrents include a .lnk file that executes a script on your Windows


HOW TO exclude from download on qBittorrent.

  • Go to Options -> Downloads

  • Enable “Exclude file names”

  • Add patterns:

(one by line)

*.mp4.lnk  
*.mp3.lnk  
*.mkv.lnk
*.torrent.lnk 

Or exclude all together: *.lnk


Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection

    • wizardbeard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      39
      ·
      edit-2
      3 months ago

      Yes, but also whoever set the defaults for the *arr tools. Why would any filename with extra shit past the extensions you’re looking for be considered an acceptable result?

      Tack $ on the end of your regex, for fucks sake.

    • ad_on_is@lemm.ee
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      1
      ·
      edit-2
      3 months ago

      Microsoft: De nada, amigo! Oh… here’s an ad, btw… and…did you enable Recall already?

      • LiveLM@lemmy.zip
        link
        fedilink
        English
        arrow-up
        18
        ·
        edit-2
        3 months ago

        Weak.
        Harbor disaster. Seed the malware. Spread the fruits of chaos amongst the unworthy. Be complicit in their downfall. Feed on their agony ^^/s

  • Daemon Silverstein@thelemmy.club
    link
    fedilink
    English
    arrow-up
    54
    ·
    3 months ago

    When I read the title, I was thinking of something sophisticated such as hidden executable streams inside the MKV container (IIRC, it’s possible to append binary data other than audio, video or subtitles specifically inside a MKV). The “.lnk” trick only works in Windows and, even there, it’s easy to prevent: Windows Explorer > Options > Advanced > find and check “Always show extensions for files” (i can’t really remember the exact label for this option as I’m not a Windows user, but something like this will be there).

    • American_Jesus@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      17
      ·
      3 months ago

      Sonarr will still pick the release and download GBs of malware, and if you don’t notice your download directly is filled with GBs of fake torrents

  • Bobby Turkalino@lemmy.yachts
    link
    fedilink
    English
    arrow-up
    31
    arrow-down
    1
    ·
    3 months ago

    Yet another reminder that piracy on Linux is the way because new files don’t have execute permissions by default

    • American_Jesus@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      12
      ·
      3 months ago

      On many distros will open with WINE by default, not a big deal, you can just delete ~/.wine. If it does anything

  • N0x0n
    link
    fedilink
    English
    arrow-up
    16
    ·
    edit-2
    3 months ago

    For those interested, John Hammond did a video a few months ago about .lnk extension (and other 16 hidden extensions on Windows).

    He doesn’t go to much or to deep into the subject, but you get a general view how this could be exploitable.

    YouTube link

    Piped Link

  • woodgen@lemm.ee
    link
    fedilink
    English
    arrow-up
    17
    arrow-down
    2
    ·
    3 months ago

    that executes a script on your Windows.

    I don’t have a Windows.

  • Lojcs@lemm.ee
    link
    fedilink
    English
    arrow-up
    5
    ·
    3 months ago

    How is the link file executing malware? Can you put any shell script as the target?

      • montar
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        yep! I’ve found out browsing hacking/spamming site and i’ve found something too good to be true, it downloaded archive nested inside other archive and in it was silngle .lnk file leading to “the resource”. Peeking inside i’ve found powershell executing base64 (or base32?) encoded script (it’s got commandline option for that. if you want to ask wtf ask microsoft, and tell me), it dl’d some exe from some site and ran it, site was down alredy.

    • wizardbeard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      6
      ·
      3 months ago

      You can put the script itself as the link. Shortcut to: powershell -command “Write-Host ‘Gonna pwn your shit’”

  • LostXOR@fedia.io
    link
    fedilink
    arrow-up
    4
    ·
    3 months ago

    Also make sure you have file extensions enabled in Explorer, it makes it waaay harder for something like this to work.

  • Xianshi@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 months ago

    Nice one OP. Just had sonar pick up one of these today named like a proper release of a trusted group. Sonarr didn’t move it from qbit but better to not DL it in the first place even though its a linux box