Quote:
Originally posted by Dargnoran
One problem with your trojan theory -- none of the hosts returning bogus hits should show chat enabled either. And I talked with the spammer (or one of the spammers). Whoever it was claimed not to know that they were sending bogus search hits, but they did not claim not to know where the chat window suddenly came from. A genuinely innocent, virus-infected computer user would, in the unlikely case the thing had working chat, have freaked out at the opening of an unfamiliar chat app and probably accused me of hacking them -- nothing of the sort happened. Evidently they were using a p2p app and knew exactly what the chat window was. This leaves two possibilities: they're guilty or they have a trojan. If the trojan was a p2p server trojan and they were trying to run a normal p2p app at the same time, I expect something would clash and not work. Probably all p2p traffic would end up at the app or at the virus, and the other would not work. If they remained distinct (different ports?) the search result returned by a virus would not have chat enabled though a legit result from the normal p2p app on the same machine would. That leaves a virus that doesn't actually act as a p2p server itself, but puts spams into the shared folders of any p2p app it detects on one's system. In which case the spams wouldn't be spurious search results, but rather normal search results with spurious file contents. That is happening as well (including with the ipod spams) but this was one of the spoofed search results I chatted to.
The spoofed results must be coming from an abnormal server: they all show a T1 connection speed, instead of being varied, and the name is always derived in one of a few crude manners from your search terms. Anyway, if a trojan created a spam in a normal p2p app's shared folder named o_v_e_r_t_u_r_e.jpg and another .wmv version, they would probably not match any incoming searches. Who does a search for "o_v_e_r_t_u_r_e"?
I think there's dedicated spam hosts generating the spoofed results, AND either dedicated hosts or a virus spreading the spams by "normal" sharing -- fixed file name, varying connection speeds, etc. -- this is evidenced by encountering ipod spams whose file names missed a search term from the search that found them, contained a word not in the search, showed only one or a handful of sources, or showed a non-T1 speed. These are presumably not being shared knowingly by normal p2p users, which leaves the spammers and unknowing sharing. The spammers could have copies shared through normal p2p apps from a variety of vendors set up to claim a variety of connection speeds, given an assortment of names likely to match popular searches. And a virus could place spams named to match popular searches unwittingly in peoples' shared directories if it detects they run p2p apps. These can (either of them, or both combined) explain the ipod spams that come from "legit" search results, but not the spoofed ones. The spoofed results are coming from a decidedly abnormal p2p servent, one that always claims a T1 speed and always has browsing disabled and responds with a hit to every incoming query, named based in one of just four ways on the query, and responding to any response to the hit with the same file. There's around 40 of these within one's horizon at any given time; sometimes they show in two groups, if the ones in your horizon that aren't too busy serving spams have more than one variant of the spam among them. There seem to be several variants, at least of the jpegs, probably to defeat or at least make more difficult attempts at filtering. (Currently they are all the same image dimensions, but as soon as any popular client starts enabling filtering on that criterion, they will probably begin varying that too.) And for whatever reason, these bogus servents have chat capability, often enabled. There's rarely a response to trying to chat, probably because the machines are unattended 99% of the time. As to why chat is enabled, that's something of a mystery. Possibly, the chat function is used to leave instructions for the spammers from head office or something, though you'd think they could just use email...
There is one remaining possibility -- a bogus servent that people actually knowingly install. That is, a seemingly-normal p2p app that offers spoofed search results with a claimed speed of T1 in addition to whatever legitimate search results come from what the user is genuinely sharing, which show their own connection speed. And it has chat capability -- and doesn't show it disabled for the bogus results if the user has enabled chat. If that's the case, then the user might be genuinely baffled by a chat like that ... of course, if chat-enabled bogus result senders are asked what p2p app they use they should turn out to all be the using the same one in this case... |
I think you need to read the Gnutella specs a little closer, if you really think you were chatting with the spammer. See my prior reply.
I will also say that there are not "trojaned machines" that are the source of the spam.
1st) The spammer is probably no longer serving the file. If (s)he is, (s)he is no longer the only source. Other normal people who have also been tricked by the spammer and have defaulted to sharing downloaded files are ALSO sources.
2nd) Files are not requested by NAME in general, they are requested by HASH. Therefore, even if the file you request from me has a different name that you know of, it won't stop me from being a source for the file. Therefore, if FooledUser01 downloads the spam using the filename 'FooledUser01 search term.wmv" because he searched for "FooledUser01 Search Term", and downloaded the resulting spam, he can still serve the file "Other Query String.wmv" to you if it is the same file. Therefore, only the spammer is responding to your query with your specific query terms, however, (s)he is including as alternate sources those other nodes which have recently downloaded from him/her.
I applaud you on your detective work, but alas, the conclusions you draw with regards to the person you chatted with and the method of spamming (trojaned PCs) are not supported by the protocol's design and available data.
-dave-