June 28, 2011 at 11:57 AM ET
The hacking group LulzSec left behind a Trojan horse in one of the files it made available for download as part of its 50-day hacking spree. And even though it warned users about the file, many have apparently downloaded it. Some security researchers believe the Trojan is not harmful. But its existence has caused some confusion.
The Pirate Bay, the file-sharing site where LulzSec posted the files, has now deleted all of them. The files included undercover plans and personal information, including email addresses and phone numbers, of Arizona law enforcement, as well as files from AOL and AT&T.
Going to the link that LulzSec had given leads to the "not found" page shown above.
"Thepiratebay does not allow files that are mislabeled, or contain virus/trojan's, or child pornography," said The Hacker News. "Being as how this torrent was extremely popular, it may have infected 100's of thousands of people already."
Those who may have downloaded the files can check virus information on the VirusTotal website, the site said.
Last Saturday, when LulzSec said it was disbanding, it left a P.S. at the end of its "press release" about one of the files, saying "In 'AT&T internal data.rar,' do not open 'BootableUSB/Program Files/WinRar/WinRar v3.71 exe,' as it is malware (due to AT&T using a pirated copy of WinRar)," a shareware/file compression utility.
"It turns out that the RAR file offered as a torrent download is infected with a backdoor of the 'RBOT' class of malware," wrote Kevin McAleavey on InfoSec Island, a website for IT and security professionals. "This type of malware was commonly used by the lulzsec 'hackers' to own other machines, but is a different variant of the tools they normally used to expand their botnet."
On Monday, "26 of the 42 security companies whose scanning products can be tested on the VirusTotal Web site reported that a file within LulzSec's 'AT&T internal data' folder was malware, designed to give hackers remote access to the victim's computer," said Computerworld:
But by Monday night Kaspersky Lab, McAfee and Trend Micro all reported that this was incorrect. According to Roel Schouwenberg, a researcher at Kaspersky Lab, other companies are flagging the file as a Trojan because it used pirated WinRar compression software that made the file look very similar to known malicious programs. These pirated compression programs are often used to compress malicious files and "a lot of companies are quite aggressive with these detections," he said in an interview.
Will the removed files reappear? Hacker News believes they will: "Lulzsec's account on thepiratebay was not banned so they are cleared to upload the same torrent again without the alleged 'trojan.'"
And the hacking group Anonymous, with which LulzSec allied itself in recent weeks in the "Anti-Security," or #AntiSec, effort, noted on Twitter: "We will see to get a clean torrent up ASAP."