TorrentGuard: stopping scam and malware distribution in the BitTorrent ecosystem Michal Kryczka∗†, Ruben Cuevas†, Roberto Gonzalez† Angel Cuevas‡ and Arturo Azcorra† ∗Institute IMDEA Networks †University Carlos III Madrid ‡Telecom SudParis Abstract—In this paper we conduct a large scale measurement associated to fake content. This depicts a 5% increment in the study in order to analyse the fake content publishing phenomenon presence of fake content within the BitTorrent ecosystem in a in the BitTorrent Ecosystem. Our results reveal that fake content period of one year between our two measurement studies. This represents an important portion (35%) of those files shared in BitTorrent and just a few tens of users are responsible for 90% justifies (even more) the necessity of the research conducted of this content. Furthermore, more than 99% of the analysed in this paper. fake files are linked to either malware or scam websites. This In order to fight the fake publishing phenomenon, the first creates a serious threat for the BitTorrent ecosystem. To address step is to properly characterise the fake publishers and their be- this issue, we present a new tool named TorrentGuard for the haviour. The current BitTorrent portals solutions identify fake early detection of fake content. Based on our evaluation this tool may prevent end users from downloading more than 35 millions publishers through the user account that they use to upload of fake files per year. This could help to reduce the number fake torrents to the portal. We show in the paper that this of computer infections and scams suffered by BitTorrent users. technique is inefficient since the fake publisher can generate TorrentGuard is already available and it can be accessed through as many user accounts as needed in those portals. Instead, the both a webpage or a Vuze plugin. parameter that uniquely identifies the fake publisher is the IP address it uses to perform its activity. Surprisingly, our data I. INTRODUCTION reveals that just 20 fake publishers (whose IP we identify) are BitTorrent is one of the most popular applications in the responsible for injecting 90% of fake content in the BitTorrent current Internet. It is daily utilised by millions of users and ecosystem. Moreover, most of these IP addresses belong to is responsible for a major portion of the Internet traffic [26]. Hosting Providers where the fake publishers rent dedicated This success motivated the research community to investigate high-resource servers to perform their activity. different aspects of BitTorrent covering performance [20][25], The fake publishing activity is time consuming since a fake economics [10][13][30] and incentives [17][27] issues. How- publisher needs to manually create the user accounts used in ever, to the best of the author knowledge, the research com- the different portals (in some cases up to 4 accounts per day). munity has put less attention to BitTorrent security aspects. Furthermore, this activity requires dedicated resources (e.g. Some previous works have analysed the vulnerabilities of rented servers). This investment in time and resources can be the BitTorrent protocol to free-riders [21][22][29] whereas only justified by a strong motivation behind the distribution of some others address the lack of privacy offered by BitTorrent fake content. We have downloaded and manually inspected a [8]. More recently, in a previous work [12] we demonstrated large number of fake content published during our measure- arXiv:1105.3671v3 [cs.CR] 19 Apr 2012 that the BitTorrent ecosystem is suffering from a continuous ment period and found 3 different profiles among the fake poisoning index attack resulting in 30% of published torrents publishers: (i) a first group of fake publishers aims to spread associated to fake content. Furthermore, this fake content malware using the popular BitTorrent system; (ii) a second produces 25% of the download events, which means that set of users tries to attract BitTorrent users to scam websites every fourth content download in BitTorrent is fake. These in order to get economical benefit from the victims by using initial results highlight a serious issue that, to the best of the different scam techniques; (iii) the last group is formed by authors knowledge, has still not been covered by the research antipiracy agencies that upload fake versions of those content community. that they want to protect. In this paper we thoroughly analyse the fake publishing Our data shows that more than 99% of the published fake phenomenon in BitTorrent in order to understand its real content is associated with the two first profiles. This supposes impact on the system performance as well as the potential a very serious threat for the BitTorrent ecosystem since the risks of fake content for BitTorrent users. Furthermore, we activity of these publishers may lead to thousands of unde- propose a practical solution to mitigate this problem. We base sirable episodes of scammed users and computer infections. our study on data collected from torrents published in The These findings suggest that new solutions need to be proposed Pirate Bay portal during a period of 14 days from 30-04-2011 in order to eliminate or at least reduce the number of fake to 13-05-2011. The 35% of almost 30K analysed torrents are content available in the BitTorrent ecosystem. Towards this 2 end, we have designed and implemented TorrentGuard. This from March 1st 2012. Instead, they will serve exclusively is a novel detection tool that allows to identify the IP address magnet links [2]. of the fake publisher, thus being able to report as fake each - BitTorrent Trackers: these are servers which manage the content published from this IP address at the moment of its BitTorrent download process of a given content. The set of publication. Based on the performed evaluation, TorrentGuard peers downloading a given file is named swarm. The tracker would be able to avoid more than 35 millions fake content maintains a list with the IP addresses and the download downloads every year. This means, preventing hundreds of progress of all the peers forming the swarm associated to thousands of users to suffer from computer infections or a specific content. Furthermore, when a new peer joins the scam incidents every year. TorrentGuard can be currently used swarm, it contacts the tracker in order to obtain a list of IP through a publicly available website and a Vuze plugin. addresses of other peers participating in the swarm. By doing The rest of the paper is structured as follows. Section II so, the new incomer is able to retrieve pieces of the content presents the background information. In Section III we de- from these peers. scribe our measurement methodology and present our dataset. - BitTorrent downloaders (peers): these are clients forming Next, Section IV characterises fake publishers, while Section the swarm that download and/or upload pieces of the content. V classifies them depending on the goal they pursuit with their We distinguish two types of peers. A seeder is a peer that activity. Section VI shortly characterises the downloaders of possess a complete copy of the content, thus only uploads the fake content. In Section VII we describe and evaluate our pieces whereas a leecher does not have the complete file so solution to improve the detection of fake content. We also that it uploads and downloads pieces. discuss possible countermeasures to TorrentGuard and their - BitTorrent publishers: these are the clients that make avail- efficiency. Section VIII describes relevant works to this paper. able the first copy of the content in the BitTorrent ecosystem. Finally, Section IX concludes the paper. B. Publishing a content in BitTorrent II. BACKGROUND When a publisher wants to publish a content in the BitTor- rent ecosystem, it firstly creates a .torrent file. After creating In this Section we briefly describe the main aspects of the .torrent file, the publisher uploads it to one or more Bit- the BitTorrent ecosystem making an special emphasis on the Torrent portals. For this purpose, it uses a user account (with procedure of publishing content on The Pirate Bay (and by a specific username) created in these portals. Furthermore, the extension on other BitTorrent portals) and specifically, how publisher distributes the first copy of the content by acting fake publishers do it. This is summarised in Figure 1. For a as the initial seeder in the associated swarm. Therefore, the full description of the BitTorrent ecosystem we refer the reader content publisher can be identified by the IP address of the to [19] and [31]. initial seeder distributing the content and by the username utilised to upload the content to a BitTorrent Portal. A. Main elements of BitTorrent ecosystem In this paper we specifically address the fake content - BitTorrent Portals: these are webpages which index .torrent publishing phenomenon in BitTorrent. A fake publisher is a files, classify them into different categories and provide basic user that exploits the BitTorrent ecosystem to publish fake information for each file. These portals serve as rendez-vous content, this is, content that is different than what is expected points between content publishers and BitTorrent downloaders. from the content name. A fake publisher makes available the The publishers upload their .torrent files to BitTorrent portals fake content from a single IP address (or limited number and the clients download them. of IP addresses) that corresponds to the initial seeder of all - .torrent file: this is a meta-information file including relevant its published content. Furthermore, a fake publisher typically information for the BitTorrent protocol such as: (i) the content creates a user account in a BitTorrent portal from which it infohash, this is a unique identifier of the content in the uploads .torrent files associated with its fake content.