Bitcomet reaching out to UDP connections that are infected with botnet:Blacklist

[Guyver106]

Hello, starting today, I have seen Bitcomet reach out to multiple UDP connections infected with the BOTNET:Blacklist. Has anyone else seen this? 

I have scanned my machine for viruses and it has come up clean. My A/V software is aborting the connections as well. 

[rhuffman61]

Yes i am getting the exact same problem, anyone out there have a fix or know what is going on ?

[Konkar]

Same for me.

[Rhubarb]

It's possible that the file you are trying to download contains the virus and your a/v is simply reacting and refusing to download it. The fault isn't at your end - it's on the machine that's seeding

[Konkar]

The message my antivirus displays:

 

Danger - Botnet:Blacklist

URL - udp://213.152.162.5:47081   < (this changes with every message)

Process - C:\Program files\bitcomet\bitcomet.exe

 

When bitcomet is active, this message keeps showing up and disrupts whatever I'm doing. Even after closing bitcomet, it still shows up for some time before finally stops. I have the same old torrents that have been over a month, but these messages started just few days ago.  This is making using bitcomet nearly impossible.

 

[Rhubarb]

There are a couple of youtube videos abiut it and how to remove it here and here plus a note from Avast saying they're investigating it

[Konkar]

Nope, watched these youtube videos and checked very thoroughly - no viruses, no unknown new programs, no Mail.ru or any other unwanted things anywhere.

Also the note from Avast says to submit the file to their developers for analysis. - does not help - the same file (bitcomet.exe v.1.67) has been fine before and it's not changed or replaced and does not contain virus itself.

So it's not a local problem - something is wrong with UDP connections. 

[Rhubarb]

It's nit Bitcomet that is the problem - if it was, this forum would be swamped with complaints. I run Adaware, updated daily, and there is NO problem. Mail.ru was just an example - it said, in that video, to check on any recently installed programs (round the time that the problem occured). Niot knowing what may be on your computyer, I'd recommend doing as suggested and uninstalling any apps that are from that time period and see if it goes away

[Konkar]

My latest installed program is from 26 May 2020. This problem started just few days ago.

I have checked my computer with antivirus and malwarebytes - nothing found. 

It looks like Bitcomet tries to make udp connections to infected addresses. I know it's not Bitcomet problem, because the same bitcomet.exe had no problems until now.

I suspect the problems are these udp URLs that have become infected. How to prevent Bitcomet from connecting to these infected URLs ?

Is there some way to automatically blacklist these URLs ?

 

 

There is the same problem reported (started just few days ago) with another torrent client: https://www.reddit.com/r/qBittorrent/comments/hir7ym/botnet_blacklist_on_qbittorrent/

So it looks like something global. 

Edited July 1, 2020 by Konkar (see edit history)

[Konkar]

An update - today no more antivirus pop-ups. I guess the infected udp URLs are either blocked, no more infected or just gone. Or maybe some update of the antivirus keeps the pop-ups for showing.

[Rhubarb]

AsI said - you had a virus/trojan (probably from something you downloaded) and it took a while for the a/v definitions to be updated to catch it

[Konkar]

As I said - no viruses. (never had any in more than 20 years - I'm an IT specialist by profesion) And I have not downloaded anything new, just seeding.

Antivirus message said that Bitcomet.exe tried to connect to the udp URLs that are infected. (not that my PC has virus) And it also said that these connections were safely interrupted. 

And the same problem bothered many different people with different torrent clients around the world at a same time - very obviously not something in my PC.

 

For now the antivirus got some update that probably just disables the message.

[Rhubarb]

Trust me - you had a virus that was producing that mesage. Now whether you want to believe it or not - that's what happened. I didn't have it and neitherdid a lot of otherpeople. If it was inherent in Bitcomet, this thread would run to several dozen pages of 'me too's

[Konkar]

How could virus produce a message from Avast antivirus ? (And the message appeared only when running Bitcomet) I checked TaskManager and everything was ok, no unknown processes while these messages appeared, and also checked the process paths to be sure - everything checkd out.

I checked the antivirus logs for the last few days - not a single virus reported, just blocked connections attempts from Bitcomet.exe (Believe me - my system is 100 % virus proof)

The reason that there are not too many users who report it here is that many users don't use Avast. And many users who use Avast, use another torrent client. (I did put a link in earlier post with an example of the same problem with another torrent clients)

The common thing with all these reports is Avast antivirus.

 

No point in talking about viruses anymore - I already know what the problem was. There is a discussion about it in Avast forum and it turned out to be an Avast error. (Avast web shield false positive reports) and it got fixed with the latest update.

 

[Rhubarb]

While that is as my be, I'd never EVER claim that "my system is 100% virus proof" (whether it's on Linux or Windows) and I've been in IT (hardware and software) since 8 bit days.

While it may not be a virus per se, it was enough to trigger Avast (which I don't use - I use Adaware on 'doze and Clam on Linux)

[Konkar]

Well, I know thoroughly everything that goes on with my system and I also know every file and folder and their purposes. I scan my system constantly with different kinds of scanning tools and software and I download only very specific stuff and I always scan it very thorougly. (Every download goes into sandbox first). Also my system is not anything standard - it has been modified heavily for security. As I said earlier - no viruses in my system(s) in over 20 years. (I have also been in IT very long time - my first personal computer was XT)  If I say my system is 100% virus free, then I know what I'm saying.

The stuff that triggered Avast was not in my (or in any other user's) system - it was on these URLs that Avast flagged as infected. 

[Rhubarb]

Colour me unimpressed - I have been  WORKING with computers since before even the Intel 8086 - try the 8080 and Z80 - eight bit machines but I am not as blind as to even THINK that 'my system is 100% secure'.

I repeat - if you are online then you are NOT secure. Many years ago the FBI commented that the only reaolly securecompuer was one that had neverbeen plugged in or even taken out of the box. How do you think that servers get hit with ransomware, etc? Do you believe that the people running those don't have working security apps?

[Konkar]

Hahaha - it's not a d*** measuring contest. (The XT was just the first computer that I owned.) The point is I know what I'm talking about.

Why I claim that my system is 100% secure ?  The same reason I mentioned before - how else do you explain how I'm managed to keep all my systems virus free all the time ?  I could bet a large sum of money and have some security experts check my system. 

 

Always check stuff, then double check with another tools, then, if the stuff is a program, run it in a sandbox first. The system must have more than one shields and firewalls. And it also helps to have a great knowledge about different dangers and about your system's inner works. The biggest enemy to any system is it's user. Always.

 

But it has gotten off topic - the original problem is gone.

 

[Rhubarb]

You started it sunshine by claiming that having an XT (they had to call it eXtendedTechnology cos ET was already copyright ) somehow gave you street cred. I simply pointed out that it was no big deal,having started on even older systems

[Konkar]

Ok, ok, I only mentioned this to illustrate the fact that I am not a noob. 😉

 

There is another question,  (I didn't start a new topic, because I already did it a while ago, but did not get any answer.) - I download different stuff and I have noticed, that after I choose the option "delete task only" in Bitcomet, the task disappears from Bitcomet's list, but the .piece_part.bc! is not deleted from folder. 

Example: I download some file.txt (or any other file type) into my main download folder and after I've seeded it for some time, I need to move the file to another location. I choose the option "delete task only" and now I can move the file.

But if I download some file.txt (or any other file type) into a folder inside my main download folder (some files come within their own folders), then if I need to move the file and choose "delete task only", there will remain the downloaded file along with the file.txt.piece_part.bc!  that I have to delete manually every time. It  wasn't like this before the version 1.58 or something.

It only happens when the downloaded file comes within their own folder, (not when the file gets downloaded into the main download directory without a folder.)

 

[Rhubarb]

What I do normally is to move the file elswehere and then delete all (including downloaded files) - afterall, it doesn't matter if the file isn't there. I can't be 100% certain but the .bc file may be for seeding, which is why it remains.

[Konkar]

Hmm,..  if I want to delete task but want to have the downloaded file itself remaining, deleting task should remove the .bc temp file. And it does so if I download into the main (dedicated) download location. But if the downloaded file comes within it's personal folder (many files come this way), then the .bc file is not removed when I delete task.

It looks like the Bitcomet cannot delete .bc if it's inside a folder that's inside the default download location.

 

I have tried to completely remove Bitcomet (using Revo Uninstaller) and then made a clean install, still the same behavior

This behaviour is occurring since the version 1.58 (or maybe a bit earlier, I can test it with more versions this weekend)

[Rhubarb]

As I said, just move it - that's what I do. I keep my downloads on a separate drive and just move them out of there to an appropriate folder when I consider they've beens eeding long enough (I set the ratio at 4:1 for any files where I'm not the original seed). I then removethe whole shebang to free up space on the torrent dowmload drive.

[Konkar]

That's what I do, but mostly I want to move these downloaded files with their folders and then I still need to manually delete the .bc file from these folders.

[Rhubarb]

The reason the .bc file is there is for seeding. If you aren't seeding, then you need to remove it and manually is the only option (or simply don't copy yhe whole folder to begin with)