On the dangers of popular television series

April 2, 2019

Despite an increasing number of people preferring to stream their TV shows and generally opting for legally obtained content, pirates and BitTorrent sites hold their ground. And because, from a legal standpoint, torrent sites are in a gray-fading-into-black area, they have been a playground of choice for cybercriminals disguising their malicious files as useful stuff.

The serial threat

The easiest to deceive among torrent site users are those looking to download software: Slip in a different executable and the user’s hooked. However, scammers are interested in anything that is popular with users, and television series might be the hottest thing these days, so these, too, are being used as a disguise for all kinds of malware. So, we decided to analyze what dangers a wish to download a popular TV show from a torrent site may bring upon you.

We used IMDB and Rotten Tomatoes ratings to select 31 television series and downloaded anonymized statistics on them from our KSN cloud service to find out what types of malware users who dealt with the shows have encountered.

Guessing what show would prove the most popular among scammers was easy: It’s Game of Thrones. According to our statistics, Game of Thrones–related malware species that attacked users in 2018 numbered almost 10,000 — or 9,986 to be exact. These malicious programs attempted to infect the users’ machines more than 120,000 times. That is just the year 2018, and the statistics are limited to users of our solutions, so the total number of attacks worldwide should be far larger.

Most times, malware tries to pass as the first or the final episode. The very first episode of the first season of Game of Thrones, “Winter is Coming,” is the absolute leader in the number of attacks.

The runner-up among TV shows, both in terms of users attacked and the number of attacks, is The Walking Dead. These two lead by a significant margin: Arrow, in third place overall, accounted for about two-thirds as many users attacked and less than one-third as many attacks.

What you might get instead of your TV show

If someone is seeding something disguised as a TV show, and it’s not a TV show, then it is likely to be real malware: some type of Trojan. Our statistics suggest that you are most likely to encounter the WinLNK Trojan, which is capable of downloading other malware.

Also very likely is becoming the happy owner of one of two types of so-called not-a-virus software: adware or downloaders. Neither of these will bring you any particular joy. Adware throws ads at you whenever possible, and downloaders will likely be an intermediate step to getting adware … or something worse.

How to know you have downloaded malware instead of a TV show

April through May is going to be intense: The final season of Game of Thrones hits the screens first, followed by the third season of the popular Westworld, and then it just goes on from there. That means lots of us will be watching and downloading shows, whereas rogues will be doubling or even tripling their efforts to spread infections camouflaged as the public’s well-loved TV series.

To stay safe you have to be alert. First and foremost, we advise against dealing with illegal distribution channels and in favor of official channels. Yes, you have to pay for those, but that is much safer.

If you still intend to use torrent sites, then at least you need to learn to tell if what you have downloaded is the real thing or a decoy. Here is how to know the difference:

  • Look at the file size. One episode encoded with decent quality will never be smaller than several gigabytes.
  • Never trust downloaders, link files with an .lnk extension or any other intermediates offered for downloading video content. A video file will never have an .exe or .msi extension. Keep your eyes open: Scammers will often name their files something like The.Walking.Dead.S06E04.FASTSUB.VOSTFR.HDTV.XviD-ZT.avi.exe to give them a more legitimate appearance.
  • Before you download or play back anything online — every time — check if you are on the right site. Make sure the URL has absolutely no typos. Scammers are really fond of creating malicious copies of websites with addresses that differ from the original by just a character or two.
  • Read our detailed study on television series and malware associated with them on Securelist. Forewarned is forearmed.
  • Use a reliable antivirus solution. If you are unwilling to pay for content, something tells us that our Kaspersky Free will be the best option for you.
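
The file-size and extension checks from the first two list items can be automated before anything is opened. The following Python sketch is an added example, not part of the original article. The extra extensions in ALSO_RUNNABLE, the list of video extensions, the 1 GiB size threshold and the sample listing are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Extensions the article names as never belonging to a video file.
NAMED_BY_ARTICLE = {".exe", ".msi", ".lnk"}
# Assumption (not from the article): other Windows types that run code when opened.
ALSO_RUNNABLE = {".scr", ".bat", ".cmd", ".com", ".vbs", ".js"}
VIDEO = {".avi", ".mkv", ".mp4", ".mov", ".wmv", ".m4v"}
# Assumption: the article only says "several gigabytes"; tune this to your sources.
MIN_VIDEO_BYTES = 1 * 1024**3


def assess_download(name, size_bytes, min_video_bytes=MIN_VIDEO_BYTES):
    """Return the reasons a file offered as a TV episode looks like a decoy."""
    findings = []
    # Only the last extension decides how Windows opens the file.
    suffixes = [s.lower() for s in PureWindowsPath(name.strip()).suffixes]
    final = suffixes[-1] if suffixes else ""
    if final in NAMED_BY_ARTICLE | ALSO_RUNNABLE:
        findings.append(f"runnable type {final}")
        # A video extension right before it is the disguise the article describes.
        if len(suffixes) >= 2 and suffixes[-2] in VIDEO:
            findings.append(f"double extension {suffixes[-2]}{final}")
    elif final in VIDEO:
        if size_bytes < min_video_bytes:
            findings.append("video smaller than expected")
    else:
        findings.append(f"not a known video type: {final or 'no extension'}")
    return findings


def flag_listing(listing):
    """Map each suspicious (name, size) entry to its findings; clean files are omitted."""
    report = {}
    for name, size in listing:
        findings = assess_download(name, size)
        if findings:
            report[name] = findings
    return report


# Constructed sample listing (name, size in bytes); only the first name is from the article.
SAMPLE = [
    ("The.Walking.Dead.S06E04.FASTSUB.VOSTFR.HDTV.XviD-ZT.avi.exe", 3_500_000),
    ("Show.S01E01.1080p.lnk", 2_048),
    ("Show.S01E01.1080p.mkv", 40_000),
    ("Show.S01E02.1080p.mkv", 2 * 1024**3),
]

if __name__ == "__main__":
    for name, findings in flag_listing(SAMPLE).items():
        print(f"{name}: {'; '.join(findings)}")
```

A clean result only means the name and size are plausible; it says nothing about the file's contents, so the antivirus advice above still applies.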