There are some torrrents showing up with .lnkextension (ex: movie.mp3.lnk, tvshow.mkv.lnk…) and automated software (Sonarr, Radarr, Lidarr, qBittorrent RSS Downloader) could pick those torrents (but not import).

These (fake) torrents include a .lnk file that executes a script on your Windows


HOW TO exclude from download on qBittorrent.

  • Go to Options -> Downloads

  • Enable “Exclude file names”

  • Add patterns:

(one by line)

*.mp4.lnk  
*.mp3.lnk  
*.mkv.lnk
*.torrent.lnk 

Or exclude all together: *.lnk


Example on VirusTotal https://www.virustotal.com/gui/file/e74f64df6ebaf3a1b6e3f42591eb6e87d2ac2828eb5a99fd8d3d82c140137fc9/detection

    • wizardbeard@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      33
      ·
      edit-2
      1 month ago

      Yes, but also whoever set the defaults for the *arr tools. Why would any filename with extra shit past the extensions you’re looking for be considered an acceptable result?

      Tack $ on the end of your regex, for fucks sake.

    • ad_on_is@lemm.ee
      link
      fedilink
      English
      arrow-up
      11
      ·
      edit-2
      1 month ago

      Microsoft: De nada, amigo! Oh… here’s an ad, btw… and…did you enable Recall already?

      • ReversalHatchery@beehaw.org
        link
        fedilink
        English
        arrow-up
        5
        ·
        1 month ago

        or rather: oh silly you were so clumsy that you disabled recall by accident again. let us be so kind to re-enable it for you

      • LiveLM@lemmy.zip
        link
        fedilink
        English
        arrow-up
        14
        arrow-down
        1
        ·
        edit-2
        1 month ago

        Weak.
        Harbor disaster. Seed the malware. Spread the fruits of chaos amongst the unworthy. Be complicit in their downfall. Feed on their agony ^^/s

          • catloaf@lemm.ee
            link
            fedilink
            English
            arrow-up
            4
            ·
            1 month ago

            Anyone paying attention to size would probably also notice they’re just .lnk files.

            • Aatube@kbin.melroy.org
              link
              fedilink
              arrow-up
              2
              ·
              1 month ago

              Not necessarily. Even with “hide extensions” unchecked, Windows hides the .lnk extension by default; it just shows an arrow in the bottom-right corner of the icon, which is plausibly missed when in the list view. I’m surprised antivirus doesn’t know about it already tbh.

        • American_Jesus@lemm.eeOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          1 month ago

          Not these ones, some could have more than 1GB, look at the virustotal link, the file had 422MB.

          Also Sonarr/Radarr filter torrents by size

          Here some examples
          https://bt4gprx.com/search?q=The.Lord.of.The.Rings.The.Rings.of.Power.S02E08

          Those where posted on 1337x (and removed) and probably other sites, Sonarr can pick those based on release name and torrent size

          PS: had to rename the fine from .lnk to .com so virustotal could accept

  • Daemon Silverstein@thelemmy.club
    link
    fedilink
    English
    arrow-up
    46
    ·
    1 month ago

    When I read the title, I was thinking of something sophisticated such as hidden executable streams inside the MKV container (IIRC, it’s possible to append binary data other than audio, video or subtitles specifically inside a MKV). The “.lnk” trick only works in Windows and, even there, it’s easy to prevent: Windows Explorer > Options > Advanced > find and check “Always show extensions for files” (i can’t really remember the exact label for this option as I’m not a Windows user, but something like this will be there).

  • bad_news@lemmy.billiam.net
    link
    fedilink
    English
    arrow-up
    34
    ·
    1 month ago

    You gotta love how aggressively they prevent users from seamlessly running executables from the internet, a VERY legitimate common use case, but a desktop shortcut from the internet? Run away!

    • American_Jesus@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 month ago

      On many distros will open with WINE by default, not a big deal, you can just delete ~/.wine. If it does anything

    • American_Jesus@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 month ago

      Sonarr will still pick the release and download GBs of malware, and if you don’t notice your download directly is filled with GBs of fake torrents

  • N0x0n@lemmy.ml
    link
    fedilink
    English
    arrow-up
    11
    ·
    edit-2
    1 month ago

    For those interested, John Hammond did a video a few months ago about .lnk extension (and other 16 hidden extensions on Windows).

    He doesn’t go to much and to deep into the subject, but you get a general view how this could be exploitable.

    YouTube link

    Piped Link

  • woodgen@lemm.ee
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 month ago

    that executes a script on your Windows.

    I don’t have a Windows.

  • Lojcs@lemm.ee
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 month ago

    How is the link file executing malware? Can you put any shell script as the target?

  • LostXOR@fedia.io
    link
    fedilink
    arrow-up
    4
    ·
    1 month ago

    Also make sure you have file extensions enabled in Explorer, it makes it waaay harder for something like this to work.

  • Xianshi@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    ·
    29 days ago

    Nice one OP. Just had sonar pick up one of these today named like a proper release of a trusted group. Sonarr didn’t move it from qbit but better to not DL it in the first place even though its a linux box