The EU Intellectual Property Office has published a new study into malware and 'potentially unwanted programs' being made available on pirate sites. While many samples of malware and PUPs were found, the EUIPO concludes that copyright-infringing websites and streaming services are not normally considered to be dominant sources of malware.
As part of their strategy to deter the public from using pirate sites, entertainment industry groups have often painted these portals as havens for malware. A new study carried out by the EU Intellectual Property Office investigates the phenomenon.
In the first phase of the research, the United Nations Interregional Crime and Justice Research Institute (UNICRI) collaborated with the European Observatory on Infringements of Intellectual Property Rights to form an expert support group established to provide advice on methodology and to select the websites to be analyzed.
The group comprised representatives from Observatory stakeholders, rights holder organizations, academia, law enforcement, and EU agencies. As research spanning all EU Member States wasn’t possible, 10 sample countries were randomly selected from the 28 in the bloc.
Five titles in each of four categories (movies, TV shows, music, and video games) were selected, 20 titles in all, for their popularity in one or more of the ten countries at the start of the collection period in June 2017. The titles were subsequently used in online searches to find infringing websites and applications.
Websites suspected of offering infringing content (including streaming, linking, hosting, cyberlockers, and torrent platforms) were selected on the basis that they were popular in the ten sample countries or worldwide and were accessible by the “average user.” These were later studied for the presence of malware and “potentially unwanted programs”, such as those that provide advertisements.
A concurrent analysis of malware and PUPs specific to Android devices focused on streaming, torrent, and hosting applications, provided they facilitated access to a broad range of “suspected” copyright-infringing content.
“The data acquisition phase included two rounds of malware collection and analysis performed during the summer of 2017,” the report reads.
“The first round of malware collection resulted in 1,054 unique domain names and the second round gave 1,057 unique domain names across 10 selected EU Member States. Malware was collected in both a manual and automated manner in order to simulate an average user’s experience.”
The researchers used the Tor browser and a sandbox to collect the malware and PUPs and carried out searches “in a manner consistent with low security-awareness internet browsing.” No ad-blockers were used and all suspicious links and buttons were pressed.
During the two rounds of analysis, the researchers checked their chosen infringing sites (none are named in the study) against VirusTotal’s database, to see whether they were already suspected of “performing malicious activities” or distributing malicious or otherwise unwanted software targeting the end-user. The table below reveals that around 8% had been previously flagged.
“In addition, during the two rounds of malware collection from the identified copyright-infringing websites, several malicious and suspected-of-being-malicious files were collected,” the paper reads.
“These were files directly downloaded from the websites. In addition, several files were acquired upon installation of the directly downloaded files. Those included any kind of side packages, software libraries, and other files that can pose threats to end-users wanting to use them.”
The researchers found 4,000 files in their search, broken down into about 100 different types. (Note: The files for the second round contain only new unique files that were not discovered during the first round of malware collection.)
The report details a number of the techniques used by sites to deploy malware and PUPs, or to persuade users to part with personal details such as names, addresses, and email addresses. Some were contained in “useful” tools that may claim to block ads, provide installation or license key files, or facilitate access to infringing content.
After obtaining 60 anti-virus reports from VirusTotal on the files acquired during the collection stage, the researchers decided on the following categories:
• Benign — software that does not cause any harm to users, designed for specific good purposes, such as content-distribution platforms or office programs.
• Potentially unwanted program (PUP) — software that provides advertisements, etc.
• Malware — harmful software that tampers with and steals personal data and accesses files on the computer without proper authorization.
• Malware/PUP — a piece of software that can be included equally in both categories.
All pieces of software collected by the researchers were further categorized:
• Fake installers — software that lures users into disclosing personal information or providing payment card details by simulating game installation processes.
• Streaming — software that provides free access to pirated video or audio content.
• ‘Useful’ software — programs that may or may not improve something, yet promote a functionality that may be perceived as useful by some users.
“Most of the programs are known as ‘useful’ software, which advertises various benefits to end-users, such as installing missing drivers and cleaning old files from PCs. Fake game installers and streaming services follow with a smaller share, yet one that is still considerable in comparison with the rest of the analyzed programs,” the study reads.
“Four general categories [of malware] can be distinguished: Trojan, adware, backdoor, and agent. Additionally, ‘-’, in the figure below, means that there was no information available on community accepted malware type even though multiple anti-virus vendors marked files as malicious,” the report adds.
“In this case, the labeling includes following general keywords such as ‘not trusted’, ‘unsafe’, ‘unwanted’, etc., which does not provide any additional semantic information about specific functionality or characteristics of malware. Therefore, in this study, such files were considered as generally malicious without a specific type.”
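The labeling rule quoted above can be sketched in a few lines. This is an added example, not code from the report or from VirusTotal: the vendor names, label strings and file names are constructed, and the two-vendor threshold, the substring matching and the tie-break order are assumptions.

```python
from collections import Counter

# The four general types named in the report. Checked in this order so that a
# label such as "Trojan.Win32.Agent" counts as trojan (ordering is an assumption).
FAMILIES = ("trojan", "adware", "backdoor", "agent")


def malware_type(vendor_labels, min_detections=2):
    """Map one file's per-vendor labels to 'benign', a family name, or '-'.

    vendor_labels: vendor name -> label string, or None if that vendor did
    not flag the file. min_detections models "multiple vendors" (assumed).
    """
    flagged = [label.lower() for label in vendor_labels.values() if label]
    if len(flagged) < min_detections:
        return "benign"
    votes = Counter()
    for label in flagged:
        # One vote per vendor: the first family keyword found in its label.
        family = next((f for f in FAMILIES if f in label), None)
        if family:
            votes[family] += 1
    if not votes:
        # Flagged by several vendors, but only with generic wording such as
        # 'not trusted', 'unsafe' or 'unwanted': malicious without a type.
        return "-"
    # Highest vote count wins; ties fall back to the FAMILIES order.
    return min(votes, key=lambda f: (-votes[f], FAMILIES.index(f)))


# Constructed sample reports (not real scan results).
SAMPLES = {
    "driver_updater.exe": {"VendorA": "Unsafe", "VendorB": "Not trusted",
                           "VendorC": "Unwanted-Program", "VendorD": None},
    "game_setup.exe": {"VendorA": "Trojan.Win32.Agent", "VendorB": "Adware.Bundler",
                       "VendorC": "TrojanDownloader.Generic", "VendorD": None},
    "player.apk": {"VendorA": None, "VendorB": None,
                   "VendorC": "Unsafe", "VendorD": None},
}


def label_all(samples):
    """Apply malware_type to every file in a name -> vendor_labels mapping."""
    return {name: malware_type(labels) for name, labels in samples.items()}


if __name__ == "__main__":
    for name, kind in label_all(SAMPLES).items():
        print(f"{name}: {kind}")
```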
The researchers say they found “no profoundly harmful” malware samples, such as ransomware, botnets or others. However, most of the collected malware samples were identified as trojans, with some potentially containing additional adware and/or backdoors. Additional analysis also revealed some malware with multiple payloads, including keyloggers, network tampering efforts, and rootkits.
While the existence of malware on any site or service is a cause for concern, the report offers this relatively calming summary, with cautionary advice moving forward.
“At present, suspected copyright-infringing websites and streaming services are not normally considered to be dominant sources of malware or otherwise unwanted software distribution.
“However, considering the increasing popularity of streaming services, increased bandwidth of broadband networks, and the deployment of 4G networks, it cannot be ruled out that they may pose a growing risk moving forward,” the report notes.
The EUIPO notes that the study isn’t designed to provide an assessment of the likelihood of malware or PUP infection from using infringing sites, nor does it seek to offer advice to consumers. That being said, common sense deployed alongside a good anti-virus program and adblocker can nullify many of the threats on sites where the user is especially concerned about security.
It’s also worth noting that the practices of the EUIPO researchers during the study – deliberately clicking all suspect links and buttons while deliberately installing suspect programs – should be avoided at all costs. Equally, users of Android software not distributed by Google Play or Amazon should carefully consider the permissions requested by each application and deny any and all that require access to personal information.
The report is available here (pdf)