Recently in P2P / File Sharing Category

I've steered one person away from indulging in the below craziness, and I thought it might be worth mentioning. If you're looking for P2P programs, take note of the following screenshot:

[Screenshot: mulee1.png]

The program on the right is a version of eMule downloaded directly from the official website. After installing it, you'll see...well....eMule:

[Screenshot: mulee5.png]

The program on the left is - so they claim - the same version as the one above. However, trying to install it will present you with this, a little way into the install:

[Screenshot: mulee2.jpg]

Yes, you need to send two SMS messages at a cost of 3.00 GBP to obtain an "installation code" that lets you continue with the install. Whether this works, I have no idea. It goes without saying that you should avoid the SMS nonsense and go directly to the official website.

There are quite a few of these around for numerous P2P programs:

[Screenshot: mulee3.png]

[Screenshot: mulee4.jpg]

It's easy enough to spot the websites pushing these "pay to install" versions, as they all look very similar and cookie-cutterish:

[Screenshot: mulee6.jpg]

[Screenshot: mulee8.jpg]

[Screenshot: mulee7.jpg]

[Screenshot: mulee9.jpg]

It's about the first time I've been thankful for hideous websites....

Our CEO, Kailash Ambwani, talks on the greynets concept and how the majority of internet traffic has evolved from HTTP to communicative application traffic. Ambwani discussed how enterprises are adopting greynets, how this increases security liabilities, and how FaceTime security products enable and secure greynets. Remember, FaceTime is about enablement and controlling these innovations inside of the Enterprise. Why? Because customers are demanding to communicate this way, and often an organization's most sophisticated users, the forward thinkers and innovators, will bring them into the network because they realize their value, but sometimes forget about the security and regulatory risks involved.

Here is part one, and I would note to pay particular attention to how anonymizers like Rodi and/or Tor can be used to bypass typical forms of defense. Naturally, and Kailash acknowledges this, products like Tor (designed by the EFF) can be used as anti-censorship tools, especially in countries where this is a problem.

However, they can be a disaster, a potential legal nightmare, for large enterprises and IT administrators to manage. Kailash goes on to note how malware is now profit-driven... in his limited time he didn't get to explore the use of widgets (often thin Ajax clients) or the stripping of content using browser-powered tools that allow the propagation of content like video across the Enterprise. This can also be problematic given attacks like Windows Meta Frame exploits or exposure to inappropriate content.

In part two Kailash goes on to discuss how FaceTime addresses the issues. Once again the focus is on enablement and control. The Internet is changing and we all must change with it.


YouTube is probably the hottest of the so-called "Web 2.0" commodities out there right now - and their recent acquisition by Google won't have done any harm to that way of thinking. Of course, the fact that YouTube allows you to share its content raises the possibility that those files might appear in all manner of strange places.

Well, here's a perfect example of people jumping on the Web 2.0 bandwagon, offering up a (frankly bizarre) "media player" that

a) doesn't actually offer up much media and
b) doesn't play them half the time, either.

A group of files have been seen floating around the eDonkey network, and they offer up some surprising results.

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer5-thumb.jpg]

No EULA is displayed - depending on which of the two installers you execute, the program will simply run on the desktop or give you a bare bones installation. You'll then see this:

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer10-thumb.jpg]

...the introductory splash page might look interesting, but you'll notice that there are very few buttons on the player, and half of what's there isn't actually clickable. When we continually hear a lot about the "value proposition" of installing X in return for Y, this doesn't bode well, does it? Pressing the "click here to continue" message brings up a "Locating Videos" message, and you'll note the first advert served up inside the player... in this case, an advert that was apparently for the Wall Street Journal but was eventually revealed to be for GoToMyPc (what you see in the screenshot is all we saw before the YouTube clips started to play. Thanks to a reader for the heads up). I don't personally have (much of) an issue with adverts served to me inside an application (as opposed to firing all around the outside of it), but some people might take issue with this, especially as there was no EULA and no indication that there would be adverts at all.

Are these targeted ads? Adverts served up based on browsing history? Region specific? Who knows, as nobody told you. At any rate, the supposed "media content" loads up, and you might be surprised to find....

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer6-thumb.jpg]

.....YouTube movies!

Completely bizarre YouTube movies, at that - this example is a strange lute-playing session; another notable clip we saw was a 20 second clip of some guy telling us about his new book:

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer4-thumb.jpg]

....though the clip is in Italian, the translated version is that he's talking about his new work, "Experiments in Temporary Happiness", a "passionate romantic novel" apparently. Though there's no indication either of these two has any involvement with the player - it seems these are just two random movie files that happened to play more than most - you can learn more about the book-writing guys' work here.

Putting aside our foray into the world of romantic literature, you might find yourself disappointed if you're expecting a constant stream of YouTube clips. Apart from the fact that an avid YouTube fan would simply.... go to YouTube to watch them in the first place, this program only ever seemed to serve up one of the two clips mentioned above. Sometimes we'd get a flurry of other clips before it died out, but half the time, our research team couldn't even get the movies to play. Geographical targeting, perhaps?

Underneath the movie panel, you'll note three icons - one takes you to an online backgammon site, one takes you to a scratch card game and the other provides you with the option of logging into the Skype website. Why? No idea. That's just the way this thing rolls!

Beside the icons, a banner says "powered by Hobby-Tent.com". However, the truth is a little stranger than that. A site called Zapu.com provides "net acceleration" services, and also offers a toolbar that does much the same thing.

Why is Zapu relevant?

Because they're hosting the text served up by the media player:

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer1-thumb.jpg]

In addition, Zapu also hosts some of the smaller image files such as the "powered by hobby-tent" banner.

Exploring Hobby-Tent

This is where it gets really interesting. Hobby-Tent is a site that links to a bunch of YouTube movies - aside from that, it's stuffed full of adverts designed to generate income.

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer7-thumb.jpg]

The site is currently down, but for some strange reason, there IS one directory still available:

[Screenshot: ytplayer8.jpg]

..."Papa Player"? What on Earth could that be? Oh well, let's download it and take a look....

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer9-thumb.jpg]

Still no product specific EULA, but this time we do have an agreement for WhenU. Ironically, the version of this media player NOT circulating in P2P networks doesn't actually work, as you can see from the below screenshot. Note the "page not found" message, as the program attempts to pull up the "Thank you for using our hottest web videos personal player" text and fails miserably - again, from Zapu.com:

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer12-thumb.jpg]

So far, then, we have THREE different versions of a "media player", THREE websites involved in distribution and / or hosting various pieces that make up the whole (we cover the final site below), TWO YouTube movies that made no sense whatsoever (though they made a lasting impression!) and ONE Adware vendor caught in the middle of it all.

There's still one piece of the puzzle left....

DV-Networks.com

Remember the three clickable links in the Media Player that took you to scratchcard games, Skype and backgammon? Well, clicking those links would redirect you to your destination from a site called DV-Networks.com. Visiting the site gives you a holding page, claiming it will redirect you to a site called "Iportent.com", though this never actually happens.

However, some quick digging later and you'll find the below - a bunch of icons, possibly related to some other program, that take you to sites related to "free international calls" and "PC Tune ups". It's the final image that interests me, though:

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer13-thumb.jpg]

...note the link to Zapu.com from the final icon, and the alt text... "Hottest Web Videos", which is the name of the media player. Clicking that link takes you to this page, which seems to be a holding area for numerous streamed movie clips from sites similar to YouTube:

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer14-thumb.jpg]

...are these clips supposed to stream via the Media Player too? It's hard to say, though for now it looks like YouTube is the primary focus.

Why is DV-Networks.com particularly interesting? Well, a quick Google didn't reveal much about the site.... however, this link is particularly interesting. It's a forum post on SpamCop relating to some application that caused some consternation amongst the users:

3. There are discrepancies regarding the name of the person behind this software. On the referenced website, his name is given as "Barak Abutbul" and yet in the domain name registration, it appears as "Barak Avitbul." My knowledge of Hebrew is limited, but I don't think that sort of discrepancy is due to transliteration issues...he gave the name differently in different situations. For example, he posted information about another of the "MinuteGroup" programs (VCatch) at Winsite, using the "Avitbul" version of his name:

http://www.winsite.com/bin/Info?4754

4. The two partners listed on the "minutegroup" site apparently have had some other joint projects. Here's a mockup of their "DV Networks" site I found on the site of the company that designed the "minutegroup" site:

http://www.121webdesign.com/customers/dvnetworking/

However, when you go to:

http://www.dv-networks.com/

you'll see that this operation is no longer active at that URL, in that it displays a logo for "IPortent" and says "Formely [sic] DVNetworks."

Now, if you check out the About Us page on the Zapu site, one of the founders is named as...Barak Abutbul. The forum post continues:

"5. If you Google "Barak Abutbul," you'll find some rather disturbing references to this man as being part of a group of hackers (or crackers?) who were charged with breaking into computers at the "Pentagon, US Navy, NASA, MIT, Harvard, Yale, Cornell, Stanford, the Israeli Parliament. Hacked two Israeli ISPs obtaining names and passwords of subscribers." The news articles say that Abutbul reached a plea agreement in exchange for testifying against the others."

...is this the same individual? Certainly, Googling the name does indeed return some incredibly troublesome results. Check out the data from a packet capture as the player installed and phoned home:

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer15-thumb.jpg]

...note the name "baraka" highlighted in red.

If it's not the same person, it's certainly a strange collection of chance happenings and coincidences. At any rate, I'd be very wary about using this media player - especially as quite a few other vendors detect this particular file:

[Screenshot: http://blog.spywareguide.com/upload/2007/02/ytplayer24-thumb.jpg]

"Experiments in Temporary Happiness"? In this case, I'd say that's an entirely appropriate description...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, FSL Threat Researcher
Supplemental / E-Commerce Research: Wayne Porter, Senior Director Special Research

QuickTime's "HREF tracks" feature (a method used to embed URL links into movie files that will open at a specific point in time) is being used by an enterprising individual to pop open adverts for adult dating services from movie files obtained via P2P networks. The HREF track feature contains URL information that can be opened interactively or automatically, and in this case, files found on the Gnutella network are using this functionality (here's an example of someone getting hit while using LimeWire). From the QuickTime site:

An HREF track is a special type of text track that adds interactivity to a QuickTime movie. HREF tracks contain URLs that can specify movies that replace the current movie, load another frame, or that load QuickTime Player. They can also specify JavaScript functions or Web pages that load a specific browser frame or window.

In the example we have below, the movie file is called "Sex Monica Bellucci Malena". Of course, opening the movie up reveals something entirely different - what appears to be someone dancing to music:

[Screenshot: http://blog.spywareguide.com/upload/2006/08/monbel1-thumb.jpg]

About three quarters of the way through the clip (once it hits the "trigger"), an affiliate link for Adultfriendfinder.com pops open via your browser (in this case, Firefox):

[Screenshot: http://blog.spywareguide.com/upload/2006/08/monbel2-thumb.jpg]

The observant people out there will have noticed the video clip in the above screenshot is still at the start - that's simply because by the end of the clip, most of her clothes have fallen off. If you wind the video clip back and forth with your mouse, you'll continue to repeatedly pop open the same advert manually as you scroll. Of course, the HREF track feature is simply doing what it's supposed to do - the interesting thing here is the possibility for someone to use it in a more malicious way. You could pop open a link to a drive-by website that tries to install software without the end-user's permission, or how about a fake "promotional video" for a bank that pops open a "security check" phishing page? There are a lot of possibilities with this one, and we should probably be thankful that people are currently only using this to spam affiliate links. It probably won't be long until someone pushes the leet hax0r button and things start to go pear-shaped...
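A scanner for exactly this abuse, added here as an example (it is not code from the original post): it walks the QuickTime atom tree, flags any track whose udta/name atom reads "HREFTrack" (Apple's documented naming convention for HREF tracks, assumed here rather than stated on the page), and lists the A<url> auto-load URLs sitting in mdat payloads. The movie it scans is a constructed minimal file, not a sample from the P2P networks.

```python
import re
import struct

# QuickTime atoms whose payload is a list of child atoms (subset of the container types).
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta", b"edts", b"dinf"}
# Assumed (Apple's documented convention, not stated on the page): the text track is named
# "HREFTrack", and a URL written as A<url> opens automatically when its sample is reached.
AUTO_URL = re.compile(rb"A<([^<>\s]+)>")

def iter_atoms(buf, start=0, end=None):
    """Yield (type, payload_start, payload_end) for each atom in buf[start:end]."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, typ = struct.unpack(">I4s", buf[pos:pos + 8])
        hdr = 8
        if size == 1:                      # 64-bit extended size follows the 8-byte header
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            hdr = 16
        elif size == 0:                    # atom extends to the end of the enclosing data
            size = end - pos
        if size < hdr or pos + size > end:
            raise ValueError(f"malformed atom {typ!r} at offset {pos}")
        yield typ, pos + hdr, pos + size
        pos += size

def scan_href_tracks(buf):
    """Return (href_track_names, auto_urls): tracks whose udta/name atom reads HREFTrack,
    and every A<...> auto-load URL found in mdat payloads."""
    names, urls = [], []
    def walk(start, end, path):
        for typ, p0, p1 in iter_atoms(buf, start, end):
            if typ in CONTAINERS:
                walk(p0, p1, path + [typ])
            elif typ == b"name" and path[-2:] == [b"trak", b"udta"]:
                names.append(buf[p0:p1].decode("utf-8", "replace"))
            elif typ == b"mdat":
                urls.extend(u.decode("ascii", "replace") for u in AUTO_URL.findall(buf[p0:p1]))
    walk(0, len(buf), [])
    return [n for n in names if n == "HREFTrack"], urls

def atom(typ, payload=b""):
    """Build one atom: 32-bit big-endian size, 4-byte type, payload."""
    return struct.pack(">I4s", 8 + len(payload), typ) + payload

def text_sample(text):
    """QuickTime text sample: 16-bit big-endian length followed by the text bytes."""
    return struct.pack(">H", len(text)) + text

# Constructed minimal movie (not a real capture): one track named HREFTrack plus an mdat
# holding an empty sample and one whose A<...> URL would open at the trigger point.
SAMPLE_MOV = (
    atom(b"ftyp", b"qt  " + b"\x00" * 4 + b"qt  ")
    + atom(b"moov", atom(b"trak", atom(b"udta", atom(b"name", b"HREFTrack"))))
    + atom(b"mdat", text_sample(b"") + text_sample(b"A<http://affiliate.example/land?id=1> T<_blank>"))
)

if __name__ == "__main__":
    names, urls = scan_href_tracks(SAMPLE_MOV)
    print("HREF tracks:", names)
    print("auto-load URLs:", urls)
```

On a real file the same walk applies to the bytes of the .mov; any auto-load URL it reports is worth checking before the clip is played.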

Blog Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Vinayak Palankar, Software Engineer

For the enterprise, downloading and using free consumer IM clients and P2P file sharing applications can invite viruses, worms and other security risks. Businesses must understand the challenges to their organization and whether they are at risk for non-compliance with policies or regulations, intellectual property loss or worse.

Thankfully you don't have to give up IM to protect your enterprise. In this eSeminar learn how Microsoft Office Live Communications Server 2005 enables real-time communications. With proper management, it improves business efficiencies and increases productivity. Many leading organizations are already benefiting from this flexible enterprise IM solution.

Find out how companies are maximizing the value of their Live Communications Server investments with FaceTime Enterprise Edition. With FaceTime, you can stop rogue public IM use, detect and block applications like Skype 2.0 and ensure full compliance with state and federal regulations.

Join Marc Sanders from Microsoft and Eric Young from FaceTime as they explore:

- Pros and cons of enterprise-grade vs. free IM
- Transitioning from multiple public IM clients and P2P applications to a safe, secure, collaboration environment
- An example of how two companies have fully leveraged IM with FaceTime and Live Communications Server

The eSeminar is free; click here to register.

Implementing Safe, Secure Enterprise-Grade IM
June 1, 2006 @ 12:30 p.m. Eastern/9:30 a.m. Pacific
Duration: 45 minutes

The peer-to-peer (P2P) client eMule, quite popular for file sharing and, I'm sure, illegal downloads (although I would never do that!), has kicked back with a fun new P2P bot running around on its network. Normally I wouldn't get that interested in a boring old SPIM bot, but this one had an interesting twist that grabbed my interest and forced me to crack open the toolbox. As I was minding my own business one day, merrily downloading a set of unnamed files on eMule, I couldn't help but notice I had two new messages.

[Screenshot: http://blog.spywareguide.com/upload/2006/05/ScreenHunter_1-thumb.jpg]

Normally this would not be interesting. However, eMule supposedly has URL-filtering capabilities for comments, in the form of a handy-dandy pattern matcher.

[Screenshot: http://blog.spywareguide.com/upload/2006/05/eMuleURLFilter-thumb.jpg]

So as you can see, this would normally filter out all http, https, and www; but lo and behold, in this case it isn't using any of these. This particular little bot is sending across FTP, and it is showing up clear as day in my eMule client. Now they have my attention, and no, it's not from the catchy phrase "women in your town, blah blah". So obviously I fire up the trusty ol' copy of Ethereal and start sniffin'! Let's take a look at what we get.

[Screenshot: http://blog.spywareguide.com/upload/2006/05/ftp_net_trace-thumb.jpg]

There's our nice little FTP stream, and as we can see from the trace, we end up with the file list.html. Looks harmless enough, but what is actually in this list.html, and what happens when the browser decides to render this little goodie?

[Screenshot: http://blog.spywareguide.com/upload/2006/05/list-thumb.jpg]

Hey! Surprisingly, it looks like valid HTML, and wouldn't you know, it is! For the added "lemon twist" it uses a fun little META tag to refresh the page and send you off to have fun tonight, and maybe even wang chung tonight if you're really lucky.

So what does all this mean to the everyday user?

Don't click on links; these guys are tricky little devils, but really not that tricky if you are alert.

That is a lot of work for a simple little redirect, just because eMule tries to filter comments that contain URLs.
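To make the filter gap concrete, here is an added example (not eMule's code, and not from the original post): a regex approximating the http/https/www-only filter described above, a scheme-agnostic replacement that also catches ftp:// links and raw IP addresses, and a small check for the META refresh redirect that the fetched list.html relies on. The messages and the HTML are constructed samples, not the real captures.

```python
import re
from html.parser import HTMLParser

# Constructed sample of incoming eMule client-to-client messages (not real captures).
MESSAGES = [
    "check out www.example-dating.test for women in your town",
    "http://example-dating.test/list.html",
    "hot pics here: ftp://203.0.113.10/list.html",
    "FTP://203.0.113.10/pub/list.html",
    "hi, is this file the full album?",
]

# Approximation of the pattern-matching filter the post describes: it only recognises
# http, https and a bare "www." prefix, so an ftp:// link slips straight through.
NARROW_FILTER = re.compile(r"https?://|\bwww\.", re.IGNORECASE)

# Scheme-agnostic replacement: any "scheme://", a bare www. prefix, a raw IPv4 address,
# or a dotted hostname followed by a path.
BROAD_FILTER = re.compile(
    r"[a-z][a-z0-9+.-]*://"
    r"|\bwww\."
    r"|\b(?:\d{1,3}\.){3}\d{1,3}\b"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)+/\S+",
    re.IGNORECASE,
)

def filter_messages(messages, pattern):
    """Split messages into (kept, dropped) according to a URL filter pattern."""
    kept, dropped = [], []
    for msg in messages:
        (dropped if pattern.search(msg) else kept).append(msg)
    return kept, dropped

class MetaRefreshFinder(HTMLParser):
    """Collect the destinations of <meta http-equiv="refresh" content="N;url=..."> tags,
    the redirect trick the fetched list.html uses to bounce the browser onwards."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.IGNORECASE)
        if m:
            self.targets.append(m.group(1).strip())

def meta_refresh_targets(html):
    """Return every meta-refresh redirect target found in an HTML document."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    return finder.targets

# Constructed stand-in for the bot's list.html (not the real page).
SAMPLE_LIST_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://example-dating.test/?aff=bot1">
</head><body>Loading...</body></html>"""

if __name__ == "__main__":
    for name, pat in (("narrow", NARROW_FILTER), ("broad", BROAD_FILTER)):
        kept, dropped = filter_messages(MESSAGES, pat)
        print(f"{name}: dropped {len(dropped)}, let through {kept}")
    print("meta refresh ->", meta_refresh_targets(SAMPLE_LIST_HTML))
```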

Let's recap.....

1) They've written their eMule bot
2) Setup an FTP server
3) Written their crafty little html pages, and probably collected not more than a few cents with adult content.

Well worth wasting a fine Saturday afternoon for- not!

As detailed over at Shadowserver.org, this is a particularly new and nasty beast. Called "Nugache", it has email capabilities, attacks various vulnerabilities and has crazy leet FTP skills. The FTP powers are lying dormant for the moment; however, this will surely change when the all-singing, all-dancing Nugache Mark 2 hits the streets.

Currently, the theory goes that (while spreading via P2P), if the IRC-based Command & Control center is shut down, some nifty P2P coding will "reclaim" the potentially lost bots and start the whole thing up again at a later date. Sounds like there's some messed up coding in this thing at present, so it shouldn't hit too hard for the moment. Just be extra careful in P2P land, because at some point this thing is going to bite down hard.

Good news is, we've detected this thing since early January and enterprise customers are safe. Home users will have to remain vigilant for the time being - but then, if you're using P2P you should be anyway...

About this Archive

This page is an archive of recent entries in the P2P / File Sharing category.
