May 2006 Archives

The Peer to Peer (P2P) client eMule, quite popular for file sharing and, I'm sure, illegal downloads (although I would never do that!), has kicked back with a fun new P2P bot running around on its network. Normally I wouldn't get that interested in a boring old SPIM bot, but this one had an interesting twist that grabbed my interest and forced me to crack open the toolbox. As I was minding my own business one day, merrily downloading a set of unnamed files on eMule, I couldn't help but notice I had two new messages.

[Image: http://blog.spywareguide.com/upload/2006/05/ScreenHunter_1-thumb.jpg]

Normally this would not be interesting. However, eMule supposedly has URL-filtering capabilities for comments, in the form of a handy-dandy pattern matcher.

[Image: http://blog.spywareguide.com/upload/2006/05/eMuleURLFilter-thumb.jpg]

So as you can see, this would normally filter out all http, https, and www; but lo and behold, in this case it isn't using any of these. This particular little bot is sending across FTP, and it is showing up clear as day in my eMule client. Now they have my attention, and no, it's not from the catchy phrase "women in your town, blah blah". So obviously I fire up the trusty ole' copy of Ethereal and start sniffin'! Let's take a look at what we get.

[Image: http://blog.spywareguide.com/upload/2006/05/ftp_net_trace-thumb.jpg]

There's our nice little FTP stream, and as we can see from the trace we end up with the file list.html. Looks harmless enough, but what is actually in this list.html, and what happens when the browser decides to render this little goodie?

[Image: http://blog.spywareguide.com/upload/2006/05/list-thumb.jpg]

Hey! Surprisingly, it looks like valid HTML, and wouldn't you know, it is! For the added "lemon twist" it uses a fun little META tag to refresh that page and send you off to have fun tonight, and maybe even wang chung tonight if you're really lucky.
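To make the two weak spots concrete (the comment filter that only knows http, https and www, and the list.html that redirects with a META refresh), here is an added Python example. It is not eMule's code and not taken from the bot: the "weak" pattern list is a model of what the screenshot above shows, the hardened matcher is an assumption about what a scheme-agnostic filter would look like, and the sample messages and the list.html body are constructed, with example.invalid as a placeholder host.

```python
import re
from html.parser import HTMLParser

# Constructed sample comment messages (not captured from the real bot).
SAMPLE_MESSAGES = [
    "check out http://example.invalid/girls",
    "women in your town www.example.invalid",
    "women in your town ftp://example.invalid/list.html",
    "hello, thanks for the file",
]

# Model of the default pattern list shown in the eMule screenshot:
# plain substrings, so an ftp:// link sails straight through.
WEAK_PATTERNS = ["http://", "https://", "www."]

# Assumed hardened matcher: any scheme followed by "://", bare www. hosts,
# and host/path tokens that carry no scheme at all.
URL_RE = re.compile(
    r"(?i)\b[a-z][a-z0-9+.-]*://\S+"        # any URL scheme (ftp, http, ...)
    r"|\bwww\.\S+"                          # www.host without a scheme
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S*"   # host.tld/path without a scheme
)


def weak_filter(msg):
    """True if the substring-based filter would block this message."""
    low = msg.lower()
    return any(p in low for p in WEAK_PATTERNS)


def hardened_filter(msg):
    """True if the scheme-agnostic matcher would block this message."""
    return URL_RE.search(msg) is not None


def filter_report(messages):
    """Which messages each filter catches; the difference is the bypass set."""
    weak = [m for m in messages if weak_filter(m)]
    hard = [m for m in messages if hardened_filter(m)]
    return {"weak": weak, "hardened": hard,
            "bypassed_weak": [m for m in hard if m not in weak]}


# Constructed stand-in for the bot's list.html: valid HTML whose only job is
# to bounce the browser somewhere else via a META refresh.
LIST_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example.invalid/landing">
</head><body>loading...</body></html>"""


class MetaRefreshFinder(HTMLParser):
    """Collects redirect targets from <meta http-equiv="refresh"> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0;url=http://..." (quotes and spacing vary)
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1))


def find_meta_refresh(html):
    """Return every META-refresh redirect target found in the HTML."""
    p = MetaRefreshFinder()
    p.feed(html)
    p.close()
    return p.targets


if __name__ == "__main__":
    report = filter_report(SAMPLE_MESSAGES)
    for key, msgs in report.items():
        print(f"{key}: {msgs}")
    print("meta refresh targets:", find_meta_refresh(LIST_HTML))
```

Running it shows the ftp:// message in `bypassed_weak` while the hardened matcher catches it, and `find_meta_refresh` pulls the landing URL out of the otherwise harmless-looking page; a filter built on a scheme-agnostic pattern, plus a look for META refresh in any fetched page, closes both gaps described above.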

So what does all this mean to the everyday user?

Don't click on links. These guys are tricky little devils, but really not that tricky if you are alert.

That is a lot of work for a simple little redirect, just because eMule tries to filter comments that contain URLs.

Let's recap:

1) They've written their eMule bot.
2) Set up an FTP server.
3) Written their crafty little HTML pages, and probably collected not more than a few cents with adult content.

Well worth wasting a fine Saturday afternoon for... not!
