September 2, 2008
PPI-Binded *.EXE files: The Latest Scams on Torrents
It looks like the entrenched method of password-protecting *.rar archives in a torrent has become outdated, especially now that such torrents are automatically and immediately banned on most of the giant trackers like thepiratebay and mininova. Besides the fact that these torrents are quickly targeted for removal, the person who uploaded the material is banned as well. Like all things on the internet, scams are subject to evolution, too. It was predictable that scammers would soon try some new way of trapping their victims. It seems that they've done that through hidden PPI installers.
The most recent method of torrent scamming uses a practice called "binding EXEs". Very briefly, this means combining a 'clean' EXE file with one or more "Pay-Per-Install" (PPI) .exe files, so as to conceal the PPI payload installer. Scammers do this through a crypter/binder, like LulzCrypt or D-Packer (but not only those). The files/torrents most vulnerable to this procedure are generally small applications or cracks, cracked files/keygens, including game cracks.
Scammers prefer small apps because these help them test the binded EXE file before it is uploaded to a public tracker. If it gets easily detected by antivirus/anti-spyware software, it is not FUD (that is, fully undetected) and consequently it will (usually) be rapidly removed from the torrent website.
The Risk
PPI installers are quite a pain in the …system, and prove very hard to get rid of. If they are well 'binded', they become almost undetectable by many anti-spyware / anti-virus programs, and they may often come bundled with rootkits and self-replicating adware.
However, don't think that PPI installers are confined to torrents. They can be introduced into any (exe) file and shared via any P2P filesharing protocol, and to judge from appearances it really pays off.
Recommendations:
Firstly, use private trackers. Most PPI-ers are not brazen enough to upload a bad torrent there: one attempt at this would obviously lead to their last login (instant ban). Manual torrent moderation (removal) is something that public trackers don't usually engage in (due to the sheer volume of new torrents reaching the site each day).
Secondly, if you really need to use public trackers, stay away from *.EXE files (like small apps, cracks, keygens). Preferably, movies and music files should remain the downloads of choice.
Note: ThePirateBay is more solid than mininova in terms of its filtering/detection system for spotting these malicious torrents.
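The second recommendation can be checked before a download starts. As an added example (not part of the original post), this Python code decodes a .torrent file's bencoded metainfo and lists any files with an executable extension; the sample torrent bytes are constructed and the function names are assumptions.

```python
import os

RISKY_EXT = {".exe"}  # the post names *.EXE; extend the set as needed

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dictionary
        i += 1
        items = []
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)            # raises on truncated input
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # string: <len>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[start:end], end
    raise ValueError(f"bad bencode at offset {i}")

def torrent_files(meta):
    """Return [(path, size)] for single-file and multi-file torrents."""
    info = meta[b"info"]
    if b"files" in info:
        return [(b"/".join(f[b"path"]).decode("utf-8", "replace"), f[b"length"])
                for f in info[b"files"]]
    return [(info[b"name"].decode("utf-8", "replace"), info[b"length"])]

def flag_executables(torrent_bytes, risky=RISKY_EXT):
    """Return the (path, size) entries whose extension is in the risky set."""
    meta, _ = bdecode(torrent_bytes)
    return [(p, n) for p, n in torrent_files(meta)
            if os.path.splitext(p)[1].lower() in risky]

# Constructed sample metainfo: one video plus a small "keygen" executable.
SAMPLE = (b"d4:infod5:filesl"
          b"d6:lengthi734003200e4:pathl9:movie.aviee"
          b"d6:lengthi94208e4:pathl5:crack10:keygen.EXEee"
          b"e4:name10:Some.Movie" b"ee")

if __name__ == "__main__":
    for path, size in flag_executables(SAMPLE):
        print(f"executable in torrent: {path} ({size} bytes)")
```

A clean result only means the file list shows no executable; it says nothing about what is inside archives in the torrent.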
Sites that cater to PPI torrent scams:
— http://www.blackhatworld.com/blackhat-seo/f75-torrents/
— http://www.pay-per-install.org/buy-sell-trade/
Filed under Downloads by admin



