
Spoofed file names

Posted: Thu Dec 17, 2015 11:57 am
by Mr.Prayer
Recently I got fooled into running a trojan.

I tried to find an episode of some show that was missing at that time. But Torrentz returned about 5 links. I downloaded the most popular one. As usual I opened the "Content" tab of qBittorrent and double-clicked on the .mp4 file. This is where Windows Defender came up with a notification of a prevented trojan launch. I was quite baffled by this. I had never heard of exploitation of video files before.

I checked the Content tab again and verified that it was showing an .mp4 file. But when I opened the folder there was a .scr with that trojan. This file was executed when I clicked on the "mp4" inside qBittorrent.

Could someone help me understand what happened? Is there a way to prevent this in the future besides double-checking every file I download?

For reference, the info_hash of said torrent is REMOVED
CAUTION: THIS TORRENT CONTAINS A VIRUS

Re: Spoofed file names

Posted: Thu Dec 17, 2015 2:44 pm
by ciaobaby
Because Windows is easily fooled: if the file extension happens to be a "known" file type, that is what it must be.

Re: Spoofed file names

Posted: Thu Dec 17, 2015 7:33 pm
by Mr.Prayer
No, there's something else going on. It's not just good old ".mp4.scr".
qBittorrent shows it as plain .mp4, no reference to ".scr" at all. Windows Explorer won't show the true extension no matter whether "Hide extensions for known file types" is checked or not.

PS: Actually, scratch that, there is the true extension, but it's written backwards and before the supposed .mp4. Like:

XXX S01E02 HDTV x264-BATV ?4pm.scr
(Try selecting and copying this string if you're on Windows. UPD: won't work, see update below)

I think there is some kind of RTL foolery going on. Even as I pasted this string into the reply form, the cursor is placed right before "rcs.", and typing moved the text to the right (normally it would be the cursor that moves). Perhaps it's the "Spoofed filenames in Windows using the RLO (Right-to-Left Override) Unicode Character".

PPS: I understand that Windows is beyond saving (due to some backwards compatibility issue, probably), but surely qBittorrent can handle this character so that it won't spoof filenames.

PPPS: Not sure if you removed the info_hash because of a security or piracy issue, but I can provide it again if it is needed for testing.

UPDATE: Apparently the forum software parsed this symbol and turned it into "?". It also reversed the characters. Funny thing is, it wasn't parsed this way in the preview (the RLO character was present there). Anyway, the file name looked like "XXX S01E02 HDTV x264-BATV rcs.mp4".

Re: Spoofed file names

Posted: Thu Dec 17, 2015 10:28 pm
by ciaobaby
Windows executable files do NOT have to be .exe, .scr, .pif or any of the other 'accepted' extensions. Embedding malicious applications in what are apparently 'benign' files is not particularly difficult, particularly when some 'files' are not actual file formats; they are simply containers for other formats. So instead of providing the expected content, the 'loader' causes an error in the application that looks like corrupted data while the real payload does its work. It's a trick that has been around twenty years or more and used to be mainly confined to Limewire and other 'whole file' download protocols.

Re: Spoofed file names

Posted: Fri Dec 18, 2015 2:04 am
by Mr.Prayer
This situation is not about containers.
These files are plain executables, either .exe or .scr. They're just named in a very particular fashion to mislead users.

Let me use the same file name to demonstrate the method. The bad guys create a file named "XXX S01E02 HDTV x264-BATV [U+202e]4pm.scr", where "[U+202e]" is a so-called "Right to left override", a Unicode symbol which dictates to the renderer that the part of the string following it will be written right-to-left. So Windows (and presumably Qt) renders this whole string as "XXX S01E02 HDTV x264-BATV rcs.mp4". But the scary thing is that the OS still recognizes this file as .scr and of course qBittorrent executes it on double-click.

Here are a couple more links on this subject:
https://blog.malwarebytes.org/online-se ... lo-method/
http://krebsonsecurity.com/2011/09/righ ... l-attacks/

And a video demonstrating the creation of such files:
https://www.youtube.com/watch?v=1J1dH49JEM8

UPD: I also uploaded screenshots from qB, Total Commander, and the command prompt displaying the same filename to illustrate the problem.

Re: Spoofed file names

Posted: Fri Dec 18, 2015 5:13 pm
by ciaobaby
Mr.Prayer wrote: These files are plain executables, either .exe or .scr. They're just named in a very particular fashion to mislead users.
Doesn't matter, the principle is the same, and it is nothing new. It has simply gained a new popularity with "recent" Windows versions that hide the file extension for "known file types" by default. It is all "social engineering" of one kind or another. The simple fact of life is, while ever there are people trying to get something for nothing, ... ... there WILL be others trying to use that to their advantage.

A few years back it was "Missing Codec: You need to download the free Coral player to watch this video", and when you downloaded it, it came along with FAR more than you bargained for. Though to be fair I did get quite a few 'beer tokens' cleaning up various computers after people had done exactly as they were told.
And yes, there were many conspiracy theorists claiming that it was the film companies or the Government planting the "fake movies".

The basic rule is: if you are going to steal things, ... ... expect to be caught ... in one way or another. You got caught by the Internet scrotes.

Re: Spoofed file names

Posted: Sat Dec 19, 2015 2:45 am
by Mr.Prayer
ciaobaby wrote: Doesn't matter, the principle is the same, and it is nothing new. It has simply gained a new popularity with "recent" Windows versions that hide the file extension for "known file types" by default. It is all "social engineering" of one kind or another. The simple fact of life is, while ever there are people trying to get something for nothing, ... ... there WILL be others trying to use that to their advantage.
You really are missing the point. This has nothing to do with Windows hiding extensions for known file types. This is qBittorrent (and yes, Windows Explorer too, but that's beside the point) not ignoring RLO and rendering filenames in a misleading fashion.

Look at the screenshots. First is qB; you can see the .mp4 extension, right? But the actual extension is .scr. qB has nothing to do with the "Hide extensions for known file types" setting of Explorer. In fact unchecking it won't change a thing. qB will still show it as .mp4.

This is an obvious security risk, because users have no way to verify the format of downloaded content inside qB and there is no safeguard against running executables. Yes, we can say that it's a user's responsibility to pick reliable sources. Until we have an epidemic and we will have to do something about it.

There is a simple solution: what qB should do is either completely ignore this character, like Total Commander does (second screenshot), or render it as some generic character like the command prompt does (third one).

Re: Spoofed file names

Posted: Sat Dec 19, 2015 4:30 pm
by ciaobaby
You do know that .!qB is an additional extension that is added to files that qBittorrent is downloading and that are as yet incomplete, and it can be turned off in Options -> Downloads. This extra extension is intended to prevent users from trying to open a file that is not yet complete, which WILL cause an error in the handler application and may corrupt the payload in the process.
Mr.Prayer wrote: Until we have an epidemic and we will have to do something about it.
Why do 'we' have to do anything about it??

qBittorrent is not your personal Internet Nanny.

qBittorrent is not an Anti-virus application

qBittorrent is not an anti-spyware application


So why does qBittorrent need to 'take care' of people who are ignorant of potential hazards and/or dumb enough to implicitly 'trust' everything that they download?

Mr.Prayer wrote: rendering filenames in a misleading fashion
Nope! qBittorrent merely displays file names as they are in the torrent metadata; you simply did not pay enough attention to the names.

YOU have to take responsibility for YOUR actions. This particular 'exploit' has been around for TWENTY YEARS or more, and if you were not aware of it .... .... that is NOBODY ELSE'S problem, just your own. As is said in many legal cases, ignorance of a law is NOT a defence, and the law here is similar to the "laws of the jungle". Somebody IS always out to get you.
Most of us already know of the "double extension" exploits; they have been around since the days of Windows 3.1 (1992/1993). The only "new" thing you are telling us is that you fell for it. Now whilst we may have some sympathy with you in having to deal with the aftermath, the only advice you are going to get is: install a decent anti-virus application and keep it updated (my personal recommendation would be Avast), and pay attention to what you try to open!

Re: Spoofed file names

Posted: Sun Dec 20, 2015 12:22 am
by Mr.Prayer
ciaobaby wrote: You do know that .!qB is an additional extension that is added to files that qBittorrent is downloading and that are as yet incomplete, and it can be turned off in Options -> Downloads. This extra extension is intended to prevent users from trying to open a file that is not yet complete, which WILL cause an error in the handler application and may corrupt the payload in the process.
Good grief. I feel like I'm hitting my head against a brick wall. I wasn't talking about the ".!qB" extension. When I mentioned qB I meant qBittorrent, as in "the program we're discussing here".
ciaobaby wrote: Nope! qBittorrent merely displays file names as they are in the torrent metadata; you simply did not pay enough attention to the names.
Again, here's the screenshot of qBittorrent. What is the extension of this file in your opinion?
[screenshot]
ciaobaby wrote: So why does qBittorrent need to 'take care' of people who are ignorant of potential hazards and/or dumb enough to implicitly 'trust' everything that they download?
The simple answer: it doesn't. But it would be nice to at least try to make sure that people see what's going on and what they're opening.
Even if Windows is being unreasonable in handling Unicode in filenames, that doesn't mean every other program should be.
ciaobaby wrote: YOU have to take responsibility for
Yeah, I hate to interrupt you right here, because you're just wasting your breath. Because you're wrong, plain and simple. As I tried to explain to you, it's not about double extensions (there is an extra dot in the file name but it isn't being exploited in the fashion you are talking about). It isn't about "hiding extensions for known types". It isn't present in Windows XP (or 3.1 for that matter), which you would know if you had cared to visit any link I posted:
[screenshot]

I opened this thread in the hope someone would be kind enough to look into this problem and explain it to me. But instead you tried to be extremely aggravating and explained to me how lame I am. Nonetheless I found the root of this issue while writing the second post. And you continued to ignore all I wrote and still tried to explain how I don't know anything.

If you can't see the problem of qBittorrent displaying the ".mp4" extension instead of its true one (".scr"), I can't help you. Let's say there is no problem then.

I will however open an issue on GitHub. Thanks for your help.

Re: Spoofed file names

Posted: Sun Dec 20, 2015 11:58 am
by ciaobaby
You simply keep prattling on about this being somebody else's problem and how qBittorrent should protect you from your own stupidity / haste / lack of attention.

IT IS NOT ANYONE ELSE'S CONCERN. It is YOUR machine, YOUR downloads, YOUR choice of what to do.

If you want somebody to whinge at, go and complain to wherever you downloaded it from. The simple thing is YOU got caught out. LEARN from that and stop looking for someone else to blame!!!!!

Re: Spoofed file names

Posted: Sun Dec 20, 2015 11:44 pm
by Switeck
It seems a legitimate request to me for qBittorrent to correctly show the file extensions on what it downloads, especially since Windows cannot be relied upon to do so.

If someone is (knowingly?) sharing computer viruses, it can become many people's concerns really fast.

Please post the link to the issue on Github after you post it.

Re: Spoofed file names

Posted: Mon Dec 21, 2015 12:42 am
by ciaobaby
qBittorrent just shows the names that are in the metadata initially, and there is no manipulation done for displaying names in the content file/folder tree. Whatever the filing system has is what qBittorrent shows.

Ever since there has been any kind of 'file sharing' and 'peer to peer' networking, people have been embedding viral payloads disguised as "the latest movie title", "Best mp3 collection EVER" or whatever. It is NOT something that has just started happening; as I said, the "LimeWire" network was rife with fake downloads, as were many others.

Re: Spoofed file names

Posted: Mon Dec 21, 2015 3:11 am
by Switeck
The initial post suggests qBittorrent has failed at that task.
Sounds like a really bad security problem.
If the first line of defense is to be the user, it would help if the user was correctly informed by qBittorrent!

Re: Spoofed file names

Posted: Tue Mar 15, 2016 11:25 am
by KitKat
Still a bug in qBittorrent 3.3.3.

Probably related to Qt/libtorrent.

Basically the issue is: if I make a torrent and an internal file is named Cool Video Series{RTL CHARACTER}4pm.scr, qBittorrent UNSAFELY parses the RTL character, flipping the file extension to rcs.mp4 (qBittorrent thinks it's an .mp4 file but it's really an .scr virus file).
The user trusts that the filename data provided by qBittorrent is accurate, and it is NOT accurate in this scenario.

However, if you look at the payload directory, Windows DOESN'T parse the RTL character under an English locale (it probably would under an Arabic locale) and correctly names the file "Cool Video Series?4pm.scr".

This is a Unicode issue/security bug in qBittorrent and really should be addressed.
The bug is not that it's used for viruses; the bug is qBittorrent parsing an RTL text shift mid-filename, leading to filetype obfuscation.
You need to regex-filter the Unicode character U+202E when it is NOT the first/last character in a filename, if possible (that is how it's intended to be used...).

This behaviour is probably replicable on Linux.

Offtopic: there actually are .mp4 container exploits on Windows, but 99% of them are patched if your video player software/codecs are up to date (up to date meaning newer than 2012).
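A defender-side check for the two points raised above (Mr.Prayer's explanation of the U+202E trick and KitKat's suggestion to filter bidi controls in file names), added here as an example; it is not code from the thread or from qBittorrent. It flags Unicode bidi control characters in a file name, reports the extension the OS will actually dispatch on, and builds a display name that shows the control character instead of obeying it. The apparent_name function is a simplified model of the RLO case only, and the spoofed sample name is the constructed one from the thread.

```python
import re
import unicodedata
from pathlib import PurePosixPath

# Bidi controls change how a name is displayed, not its bytes: U+202A..U+202E are the
# explicit embeddings/overrides (U+202E = RLO), U+2066..U+2069 isolates, U+200E/F marks.
BIDI_CONTROLS = re.compile("[\u202a-\u202e\u2066-\u2069\u200e\u200f]")
RLO, PDF = "\u202e", "\u202c"

def find_bidi_controls(name):
    """(offset, Unicode name) of every bidi control character in the file name."""
    return [(m.start(), unicodedata.name(m.group())) for m in BIDI_CONTROLS.finditer(name)]

def true_extension(name):
    """What the OS dispatches on: the text after the last '.' in the raw string."""
    return PurePosixPath(name).suffix.lower()

def apparent_name(name):
    """Simplified model of what a bidi-obeying renderer shows: the run after U+202E
    (up to a U+202C pop, or the end of the string) appears reversed. RLO case only."""
    out, i = [], 0
    while i < len(name):
        if name[i] == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            out.append(name[i])
            i += 1
    return "".join(out)

def safe_display_name(name):
    """UI form: make each bidi control visible instead of obeying it."""
    return BIDI_CONTROLS.sub(lambda m: "<U+%04X>" % ord(m.group()), name)

def assess(name):
    """What the user would see versus what the file really is."""
    controls = find_bidi_controls(name)
    return {"looks_like": apparent_name(name), "display": safe_display_name(name),
            "true_extension": true_extension(name), "suspicious": bool(controls),
            "controls": controls}

# Constructed sample names: the RLO-spoofed one from the thread and a benign one.
SPOOFED = "XXX S01E02 HDTV x264-BATV \u202e4pm.scr"
BENIGN = "XXX S01E02 HDTV x264-BATV.mp4"

if __name__ == "__main__":
    for n in (SPOOFED, BENIGN):
        print(assess(n))
```

Running the same check over every path in a torrent's file list before the content tree is shown would surface the "rcs.mp4" case as a .scr with a visible <U+202E> marker.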