Well, this is definitely the first we have seen of its kind. Typically, when you download a piece of malware to your system, it has some kind of nefarious purpose, usually looking to steal information from you or damage precious files or systems. However, in this case, an interesting strain of malware discovered by Sophos does none of the above.
It is still nefarious, though. It is just selective about whom it is nefarious against: in this case, individuals who download pirated applications or games.
By disguising itself as a normal game title that someone who downloads pirated material might be tempted to get their hands on, it quickly wiggles its way into the host system, in some cases without the promised application or game (sorry, you lose on all fronts).
Upon opening the infected file, a familiar error is displayed on the screen claiming the user is missing the “MSVCR100.dll” file required to run the application. This is a fake error that is simply a smokescreen; meanwhile, the program reaches out to the internet for a second file called ProcessHacker.jpg.
That second file modifies the user’s hosts file, inserting hundreds of entries for various pirate websites (e.g., The Pirate Bay), all pointing at localhost. The effect is that when the user attempts to visit any of these websites, the connection fails.
This part runs only once, unless the user opens the infected file again. So if the user repairs their hosts file, it won’t be rewritten in any follow-up attempt.
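As an added illustration (not code from Sophos’s write-up or from the malware), here is a small Python check a defender could run over a hosts file to spot and quarantine exactly this kind of tampering: ordinary hostnames pointed at loopback or 0.0.0.0. The sample hosts content and the domain names other than the one mentioned above are constructed.

```python
import ipaddress

# Hostnames that legitimately map to loopback in a stock hosts file.
LEGIT_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet",
    "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
}


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active (non-comment) entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield n, parts[0], parts[1:]


def find_sinkholed(text):
    """Return (line_no, ip, hostname) for names pointed at loopback or 0.0.0.0.

    This is the signature of the hosts-file tampering described above: hundreds
    of real domains mapped to localhost so that connections to them fail."""
    hits = []
    for n, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # malformed line, not our concern here
        if not (addr.is_loopback or addr.is_unspecified):
            continue                           # normal entries (e.g. intranet names) stay
        for name in names:
            if name.lower() not in LEGIT_LOCAL_NAMES:
                hits.append((n, ip, name))
    return hits


def clean_hosts(text):
    """Return the hosts text with sinkhole lines commented out; everything else is untouched."""
    bad = {n for n, _, _ in find_sinkholed(text)}
    out = [("# [quarantined] " + raw) if n in bad else raw
           for n, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(out) + "\n"


# Constructed sample: a stock hosts file plus lines of the kind the malware adds.
SAMPLE_HOSTS = """# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       thepiratebay.org
127.0.0.1       www.thepiratebay.org
0.0.0.0         torrent-site.example
10.0.0.5        intranet.corp.example   # legitimate custom entry, left alone
"""
```

Pointing it at the live file (`/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts`) only requires reading that file into `text`; the quarantined lines stay visible for review rather than being deleted.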
It also reports the filename of the file you clicked on to a specific domain, likely for analytics: anything from determining which releases are most effective at getting people to click on them, to simply finding out what people are trying to download in general.
The domain has since gone offline, and there is still no indication of who is behind the domain or the malware. It could be someone trying to do something good by slowing piracy. Or it could be an agency or intellectual property owner testing the waters to see what kind of damage they could inflict on everyone trying to pirate their goods (revenge strategy?). Either way, it makes for a pretty strange strain of malware and another reason you shouldn’t steal from hard-working developers.