Security News

Vladimir Putin embedded in uTorrent binary

Threat Intelligence Team, 11 October 2016

Conspiracy theories about Vladimir Putin abound, but Avast Threat Labs team finds another small mystery around the Russian president.

Is Vladimir Putin almighty? Some say that he’s behind everything that moves the world. We steer clear of any conspiracy theories, but what we can say for sure is that President Putin recently made it to the world of Torrent.

We dug deeper into a file, properly signed by BitTorrent Inc.

sign1-1.png

sign2.png

The claim is that it’s an uTorrent binary:

rsrc.png

Everything looks okay so far … but then we detect the binary! What’s wrong here? To get an answer, we have to look at the end of the file.

inject.png

When we take a closer look, a link catches our attention.

kremlin.png

Kremlin.ru is the official website of the president of Russia, and the link leads to this picture:

putin.png

According to the API functions contained in the small injected binary, it seems that the picture is downloaded under putin.exe name and executed. But, there’s another “but.”

bug.png

Due to the highlighted formal errors in the code of the injected binary, nothing actually happens and the binary is benign. All of this looks like a kind of Easter egg for those who dig deeper into file content. The mystery remains: who embedded young Vladimir into the uTorrent binary?

And now the last question.

How did the author manage to fool the integrity check to pass the digital signature verification? It’s a trick described in detail by our colleague Igor Glücksmann, here: https://recon.cx/2012/schedule/events/246.en.html).

File hash (SHA256): 09F189465AE23D29FC1D4CE5FE982787D0264DF70E74025DF8905F5EEA6B8B7B