There are some torrents showing up with a .lnk extension (ex: movie.mp3.lnk, tvshow.mkv.lnk…) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).
These (fake) torrents include a .lnk file that executes a script on your Windows.
HOW TO exclude from download on qBittorrent:
- Go to Options -> Downloads
- Enable “Exclude file names”
- Add patterns (one per line):
  *.mp4.lnk
  *.mp3.lnk
  *.mkv.lnk
  *.torrent.lnk

Or exclude all together: *.lnk
Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection
thanks Microsoft for hiding extensions by default!
Yes, but also whoever set the defaults for the *arr tools. Why would any filename with extra shit past the extensions you’re looking for be considered an acceptable result?
Tack $ on the end of your regex, for fucks sake.
Is not regex
https://github.com/qbittorrent/qBittorrent/pull/17106
Examples
*.exe: filter ‘.exe’ file extension.
readme.txt: filter exact file name.
?.txt: filter ‘a.txt’, ‘b.txt’ but not ‘aa.txt’.
readme[0-9].txt: filter ‘readme1.txt’, ‘readme2.txt’ but not ‘readme10.txt’
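Added example, not part of the thread and not qBittorrent's own code: a Python sketch that tests a torrent's file list against the exclusion patterns from the post, following the wildcard rules quoted above. It shows which `.lnk` names the four specific patterns miss and `*.lnk` catches; the function names, the sample file list, and the choice to match on the base name ignoring case (with `fnmatch` as a stand-in matcher) are assumptions of this example.

```python
import fnmatch
import posixpath

# Patterns from the post, as entered one per line under "Exclude file names".
POST_PATTERNS = ["*.mp4.lnk", "*.mp3.lnk", "*.mkv.lnk", "*.torrent.lnk"]
CATCH_ALL = ["*.lnk"]

def is_excluded(path, patterns):
    """Return True if the file's base name matches any wildcard pattern.

    Assumption: match on the base name only, ignoring case. fnmatch is a
    stand-in here, not qBittorrent's own matcher.
    """
    name = posixpath.basename(path.replace("\\", "/")).lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)

def split_files(file_list, patterns):
    """Split a torrent's file list into (kept, excluded)."""
    kept, excluded = [], []
    for path in file_list:
        (excluded if is_excluded(path, patterns) else kept).append(path)
    return kept, excluded

def shortcuts_not_covered(file_list, patterns):
    """List .lnk files that the given patterns would still let through."""
    kept, _ = split_files(file_list, patterns)
    return [p for p in kept if p.lower().endswith(".lnk")]

# Constructed sample file list (not taken from a real torrent).
SAMPLE_FILES = [
    "Show.S01E01.1080p/Show.S01E01.1080p.mkv",
    "Show.S01E02.1080p.mkv.lnk",
    "Album/track01.mp3.LNK",
    "Movie.2024.avi.lnk",
]

if __name__ == "__main__":
    for label, pats in (("post patterns", POST_PATTERNS), ("*.lnk", CATCH_ALL)):
        kept, excluded = split_files(SAMPLE_FILES, pats)
        print(f"{label}: excluded={excluded}")
        print(f"  .lnk still downloaded: {shortcuts_not_covered(SAMPLE_FILES, pats)}")
```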
Microsoft: De nada, amigo! Oh… here’s an ad, btw… and…did you enable Recall already?
I use Arch btw
What if it executes and install Windows 11 on your machine!?
Oh lord please have mercy! Blacklisting the file extension right now!
That would be the very worst malware. I mean both the malware that installed it and win11…
ackshually the proprietary .lnk shortcut format can only be run on windows 🤓
A Linux executable can’t be named ending on .lnk? 🤔🤔
But it’s not lnk but an executable that needs to be executed manually?
Me too, but don’t want to download GBs of malware and bandwidth
Weak.
Seed the malware. Harbor disaster. Be complicit in their downfall. Spread the fruits of chaos amongst the unworthy. Feed on their agony ^^^/s
.lnk files are less than 4kb
That would seem suspicious. I’m sure they have some way to pad out the size.
Anyone paying attention to size would probably also notice they’re just .lnk files.
Not necessarily. Even with “hide extensions” unchecked, Windows hides the .lnk extension by default; it just shows an arrow in the bottom-right corner of the icon, which is plausibly missed when in the list view. I’m surprised antivirus doesn’t know about it already tbh.
Not these ones, some could have more than 1GB, look at the virustotal link, the file had 422MB.
Also Sonarr/Radarr filter torrents by size
PS: had to rename the file from .lnk to .com so virustotal could accept
When I read the title, I was thinking of something sophisticated such as hidden executable streams inside the MKV container (IIRC, it’s possible to append binary data other than audio, video or subtitles specifically inside a MKV). The “.lnk” trick only works in Windows and, even there, it’s easy to prevent: Windows Explorer > Options > Advanced > find and check “Always show extensions for files” (I can’t really remember the exact label for this option as I’m not a Windows user, but something like this will be there).
I believe you uncheck “Hide extensions for known file types”
Exactly! Thanks! I couldn’t point the exact label, I’ve been using Linux for years on a daily basis so I forgot most of the Windows shortcuts/options.
Even then, that setting doesn’t unhide the “.lnk” file extension, that requires a registry edit: https://www.askvg.com/tip-how-to-show-file-extensions-of-shortcuts-lnk-url-pif-in-windows-explorer/
Although shortcuts are pretty easy to spot in the first place unless you just double-click things without paying attention lol
For those interested, John Hammond did a video a few months ago about the .lnk extension (and 16 other hidden extensions on Windows). He doesn’t go too much and too deep into the subject, but you get a general view of how this could be exploitable.
Yet another reminder that piracy on Linux is the way because new files don’t have execute permissions by default
On many distros will open with WINE by default, not a big deal, you can just delete ~/.wine. If it does anything
Wine will mount your root folder as a Windows drive by default. So if the malware is scanning all connected drives and encrypting/uploading them you still have a problem.
Not using Windows helps a ton :)
Sonarr will still pick the release and download GBs of malware, and if you don’t notice your download directory is filled with GBs of fake torrents
We just deleted those failed to import periodically with an automation 😁
Could you just add *.lnk?
That’s mentioned near the bottom of the post.
Also make sure you have file extensions enabled in Explorer, it makes it waaay harder for something like this to work.
that executes a script on your Windows.
I don’t have a Windows.
Then just draw on your wall.
How is the link file executing malware? Can you put any shell script as the target?
I am pretty sure a link file can open cmd/powershell with parameters to execute commands
You can put the script itself as the link. Shortcut to: powershell -command “Write-Host ‘Gonna pwn your shit’”
Nice to know! Thank you!
Nice one OP. Just had Sonarr pick up one of these today named like a proper release of a trusted group. Sonarr didn’t move it from qbit but better to not DL it in the first place even though it’s a linux box
Probably this will help as well at the arr end: https://forums.sonarr.tv/t/automatic-blacklist-malware/37822














