For several years, none of the companies which propose solutions to fight piracy on the eDonkey network has obtained satisfactory results. Unlike other p2p networks, disrupt counterfeits exchanges on the eDonkey network is certainly possible, but still pretty difficult to achieve. And since several months, our donkeys network had been relatively quiet on this subject.
but it was without counting on a new challenger on the p2p's playground.
P2Pcontrol and its fabulous concept
New on the scene of the fight against piracy, the services offer of this company is so identical to that of this team of locksmiths, that one wonders if these two are not one ... even in their mistakes ; The supreme intelligence of p2pcontrol monitors its rogue websites with some twitter alerts (a) inadvertently indexed by google which would also announcing (b) that key2peer is making an open door operation on one of its servers.
however, there is one notable difference ; p2pcontrol propose to pay users up to $ 100 per month for use their internet access in way to do their anti-piracy job. Besides the fact that this is not a very new concept, it seems to us that the number of needed clients to obtain a good result causes some doubts about this business model. And although this technique seems already now functional on the field, we have not yet to register us successfully to this wonderful program (c).
Note that excepted our hypothetical and scabrous deductions, there is no formal evidence to link what is following and those which precede.
Anti piracy solution from
(a solution ?)
This solution is based on an army of bots that simulate eDonkey clients, in order to disrupt the network, which is a relatively commonplace.
What is innovative is that not content to flood the users searches with decoy files, then they also pollute the network traffic of their victims. In fact, this method is quite effective, but as we think, it contributes mostly to hide a little bit more the real pirates exchanges, which continue to work very well with eDonkey, because an army of some hundreds, or even thousands of bots, can never compromise a network on which that are permanently connected between 3 and 4 millions of true clients. Or in other words, their method works well, but mostly with their files.
The geldings army
To get this brilliant result, we have first to build an army of bots. So, to do this, we can add our own malicious code into some innocuous and free software and make it available on the eDonkey network, as if nothing had happened. But the real version of the software does not match, and it ends up doing really make disorder of pollute the job of others, so we move up a gear by developing our own softwares, which seem also innocuous but with all suitable and hidden features. the users who get this kind of software on the p2p or on some more than doubtful websites (bitroll.com, anti-leech.com, netpumper.com, etc ...) and uses it, then constitute our small army of bots, remotely obedient.
Of course, it can be also very tempting to offer some alternative versions of eMule, Shareaza or from another open source software. And we can solves a lot of problems if we can control it remotely and without the knowledge of the credulous user who uses it.
You can find some details on this side of things by reading the pages of ThreatExpert and Malwaredisaster. otherwise, simply note that the IP listed in these two documents is also involved in what we are talking here ...
Once your army ready, your bots are finely distributed on a multitude of Internet subscribers, on any ISP in the world. therefore, it's impossible to filter them. then, the bot pretends to be an eMule client by connecting to a edonkey server and by declares to share the files that their controller wants to inject on the network. of course, the files should be named appropriately for appearing in the result of the users searches.
This file is mine
There is currently a lot of these files, named to simulate some mp3 or executable files. A simple way to list them is to use one of the keywords included in their name. On the following screen, we can see that
p2pcontrol someone probably uses the evaluations from peerates.net, since the most popular keywords on the network find themselves strangely in the names of their files. So much so that when you are looking for "love", you find results for psp games or a crack for windows 7 (1).
Curiously, the decoy files are sometimes also called with a FOSS name, which have no reason to be "protected" from piracy...
among the collateral victims of the action of
p2pcontrol someone , there is the excellent French software, VLC. When you searching for VLC with a list of clean servers, here are the results you can obtain (2 highlighted lines are decoys).
We note that the bots do not do a bad job, but that the correct files remain on the top on the list ... It's for VLC, but for a Michael Jackson mp3, it's very different and more effective
(3 highlighted lines are decoys).
Peer wait (peanut)
When the user start to download the file, each eDonkey server present in its servers list sends to him dozens of sources IP, relating to the bots which are the only (to pretend to) share these files. The vast majority (95%),of these sources IP are invalid, or in low-id which involves that the client has to send a call back request to each of the servers on which these bots are connected. The problem is that these low-id bots never call back. (Except occasionally, a 'real' (4) client, previously lured or affiliate to
p2pcontrol someone, then having all or part of the file, propose itself as a source via an edk call-back, Sx or kad).
Consequently, these unnecessary call-back requests gives only a system overload, while the remaining 5% of IP sources (high-id) let you wait while an abnormally long period (5) for a so small file (4 MB) and so much rated in the research result (6).
The goal may be to encourage the user to try another download, if possible again with a decoy file, in order to saturate its system and try to disrupt potential exchanges involving pirated files.
We have made several tests including one with the latest version of eMule and a list of servers restricted to the less suspicious of them. The selected file displays over 300 sources and its size is less than 5Mb, 40 min. was needed to complete this download. (against 3 min. with the pirated version of this mp3, which displays 15 sources.) And at the end, this file is not a mp3 (7) but a wmp file integrating a malicious code (8). Note that it is possible to execute code via a wmp file if that code is available (via another viral infection) on the pc 'treated'. And the goal of the game, in addition to prevent user to find the right file and corrupt its system, seems to force the install of a wonderful (9) toolbar.
Call-back is back
by looking well into the system log coming from another of our eDonkey client, we have observed a curious thing ; some incoming requests, from totally unknown ip addresses, asking for the decoy file in progress of download. it looks that these clients had received our address as source for the faked file, even though we had not managed to download half of a byte and that we was always looking for available sources to do so ! During the test, we have seen up to 3 incoming requests each second, ie thousands of unnecessary network exchanges in perspective. And as long the user keeps the rogue download active, the stock of bad IP is regularly renewed and the software works a lot, but for nothing.
However, most of the client softwares for eDonkey are fairly well developed and accepts this overload rather well. And at the end of the race, it is especially the ISP that will profit of that supplementary traffic while on the piracy's side, the users have only to find the right link on a forum, by RSS or even by mail, to quickly download a file efficiently.
Better is the
good ennemy of good
By trying to do better than well, we always end up by let some shits ...
someone could say to itself that a bunch of obsessed morons like us would surely try to dissect their method and in the p2p exchanges recorded in the log of one of our client, here is what we found :
2010/05/22 13:48:55 [EDK] Connect [hl: 16] [md4: DA6060A1970E6C3C1E45DBF91A2E6F13] [ip: 18.104.22.168:13038] [server: 22.214.171.124:4333] [left: None] [tags: (name)=(http://emule-project.net) (version)=(60) (emule_udpports)=(3137714949) (buddy_ip)=(2331950971) (buddy_udp)=(4672) (emule_miscoptions1)=(336806430) (emule_miscoptions2)=(1208) (emule_version)=(50432)]
What is interesting in the bolded information is that this client to which we have never asked anything, but who request for a connection, claims to be connected with a LowID on a server whose ip is 126.96.36.199. There is no active eDonkey server at this address and our client has never communicated with this IP in its previous tcp / ip exchanges.
But its an already known ip (see ThreatExpert and malwaredisaster.) and in fact, it's certainly a hidden eDonkey server wich only accepts connections from certain clients duly authorized to communicate with him. And if this server is inaccessible to us and that some other clients can contact us through it, it's surely because one of the bots relayed the information. This is also a good way (10) to recognize this kind of bot client, eMule displays the information and they are all connected on this ghost edonkey server.
Jean roger S.