Gnutella Forums (https://www.gnutellaforums.com/) > Open Discussion topics > Detecting trojans in search results for mp3s
(https://www.gnutellaforums.com/open-discussion-topics/91362-detecting-trojans-search-results-mp3s.html)

epilagus March 17th, 2009 01:48 PM

Detecting trojans in search results for mp3s
 
Perhaps some of you have noticed the play_mp3.exe trojan downloader pop up when trying to play a music file you have downloaded. If you were lucky, or savvy enough you cancelled the attempt and closed the browser window that opened. If not, you might want to run your anti-virus/anti spy on your music folders.

It looks like many of us have fallen for this as the search results are full of these bogus mp3 (and probably wav) files. At first I thought the p2p interface should filter this stuff (Limewire in my case). Yet clearly it did not. Why not? But wait. Limewire will give us clues and I would like to pass them on and see if we can beat this thing.

1) bit rate - a ridiculous bit rate is a clue. 64-256 is all one needs, outside of this, the file is probably corrupt or bogus or a trojan. If there is no bit rate, it is also (more) suspect. 128 bits is pretty standard high quality.

2) file size - real mp3s have file sizes around 1 megabyte per minute of length. Wmas even less. Look for reasonable file sizes for the song length.

3) hover description - if there is no detail about the artist, title, etc. it is suspect.

4) artist - if the artist is included in the title field instead of the Artist field it is suspect. True, we can name a file anything we want, but downloading from people who are sloppy about their library is risky anyway.

That's all I've got so far, but in every case that I downloaded a bogus mp3, one or more of the above was the case. For at least one search, there were no legitimate results (out of ~170), only trojans and fakes.

<-_->
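The four warning signs in the post above (bit rate, size versus length, missing description, artist crammed into the title field) can be turned into a small scoring routine. The following is an added example, not code from the original post or from LimeWire; the result-row shape, the 64-256 kbps range, the 1 MB-per-minute rule and the extra "is it even an audio file" check are assumptions taken from the post's rules of thumb, and the sample rows are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Rules of thumb taken from the post: plausible MP3 bit rates and ~1 MB per minute.
PLAUSIBLE_BITRATE_KBPS = (64, 256)
BYTES_PER_MINUTE = 1_000_000
# Assumption: the extensions a music search should legitimately return.
AUDIO_EXTENSIONS = {"mp3", "wma", "wav", "ogg", "flac"}


@dataclass
class SearchResult:
    """One row of a P2P search result list (constructed shape, not the LimeWire API)."""
    filename: str
    title: str = ""
    artist: str = ""
    bitrate_kbps: Optional[int] = None
    length_sec: Optional[int] = None
    size_bytes: Optional[int] = None


def expected_size_bytes(r: SearchResult) -> Optional[float]:
    """Estimate how big a genuine file of this length should be.
    Uses the advertised bit rate when it is plausible (1 kbps = 125 bytes/s),
    otherwise the post's 1 MB-per-minute rule of thumb."""
    if r.length_sec is None or r.length_sec <= 0:
        return None
    lo, hi = PLAUSIBLE_BITRATE_KBPS
    if r.bitrate_kbps is not None and lo <= r.bitrate_kbps <= hi:
        return r.bitrate_kbps * 125 * r.length_sec
    return BYTES_PER_MINUTE * r.length_sec / 60


def suspicion_reasons(r: SearchResult) -> List[str]:
    """Return the post's warning signs that apply to one result (empty list = looks normal)."""
    reasons: List[str] = []
    lo, hi = PLAUSIBLE_BITRATE_KBPS

    # 1) bit rate: missing, or outside the plausible range
    if r.bitrate_kbps is None:
        reasons.append("no bit rate")
    elif not lo <= r.bitrate_kbps <= hi:
        reasons.append(f"implausible bit rate {r.bitrate_kbps} kbps")

    # 2) file size: should match the song length within a factor of two
    expected = expected_size_bytes(r)
    if expected is not None and r.size_bytes is not None:
        ratio = r.size_bytes / expected
        if ratio < 0.5 or ratio > 2.0:
            reasons.append(f"size is {ratio:.1f}x the ~{int(expected)} bytes expected for {r.length_sec}s")

    # 3) hover description: no artist/title detail at all
    if not r.title.strip() and not r.artist.strip():
        reasons.append("no artist/title metadata")

    # 4) artist crammed into the title field while the Artist field is empty
    if not r.artist.strip() and " - " in r.title:
        reasons.append("artist in title field, artist field empty")

    # Added check (not in the post's list): a music result that is not an audio file at all
    ext = r.filename.rsplit(".", 1)[-1].lower() if "." in r.filename else ""
    if ext not in AUDIO_EXTENSIONS:
        reasons.append(f"unexpected extension {ext!r}")
    return reasons


def rank_results(results: List[SearchResult]) -> List[SearchResult]:
    """Least suspicious first; ties keep the original order."""
    return sorted(results, key=lambda r: len(suspicion_reasons(r)))


if __name__ == "__main__":
    # Constructed sample rows for demonstration.
    sample = [
        SearchResult("play_mp3.exe", size_bytes=120_000),
        SearchResult("Band - Song (256k quality).mp3", title="Band - Song (256k quality)", size_bytes=3_100_000),
        SearchResult("song.mp3", title="Song", artist="Band", bitrate_kbps=128, length_sec=240, size_bytes=3_900_000),
        SearchResult("song.mp3", title="Song", artist="Band", bitrate_kbps=128, length_sec=240, size_bytes=40_000),
    ]
    for r in rank_results(sample):
        print(f"{r.filename:35} {suspicion_reasons(r)}")
```

The size check deliberately uses a wide factor-of-two window: variable bit rate files and long silences make exact size prediction unreliable, and the point is to catch the 100 KB "song" or the 40 MB "song", not to reject legitimate encodes.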

Blackhorse 70V March 22nd, 2009 02:08 AM

This subject is covered in a few posts: http://www.gnutellaforums.com/open-d...uld-aware.html
http://www.gnutellaforums.com/downlo...h-results.html
http://www.gnutellaforums.com/154163-post17.html

epilagus March 23rd, 2009 04:47 PM

Sort of
 
Yes, if we could read all the posts over the last 5 years we might find the answer to our question. These posts are from 2005-2007, and unfortunately, still relevant. We discover polluted search results when we do a search and try to download. Although these "Warning" and "Fake files" posts do cover the issue in a sense, it's a lot of reading for the casual user who just wants to download a song. I'm advocating for usability, and maybe some thread updates and crosslinking.

The hostiles.txt solution seems like a good start (of course I'm on LW4.12 and it only works on LW4.13+). Likewise, if you look up the bitprint at bitzi.com some of them are reported, but many are not.

Looking at the search problem more closely, it appears (as noted elsewhere) as though the 'industry' has installed malicious server software to help spread these trojans and fake files. If you want a demo, just search for a non-existent title or fragment thereof and see how many hits you get.

New plan: Do a fake search, i.e. search for a totally fake title, then select all results as junk. Do this several times so the filter learns. And, voila, not so many bad results in real searches.
Here are my initial results for 'retarded records inc' (826? are you kidding?):
http://31313.org/avoea/retardedrecords.gif

Most of these variants will be found in normal searches, e.g. (256k quality), (hot new track), (remix), the .au and .snd extensions. The mp3s which show promise do not have a bit rate or length (length column not enabled on screenshot), and no artist, etc.

What this probably shows is that these malicious servers, or perhaps even your machine if infected, are constructing dynamic libraries built from your search terms, on the fly, and populating them with renamed trojans, viruses, fake files and miscellaneous hacks.

True, this problem isn't going away. But, it may be manageable.

<-_->
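The "fake search" idea in the post above is a probe: a made-up title should return nothing, so every hit that echoes it was generated from the search terms, and the decorations those hits share ("(256k quality)", "(hot new track)", the .au extension) can then be used to discard the same junk from a real search. The following is an added example of that learning step, not code from the original post or from LimeWire's own junk filter; the probe results and the "real" search results are constructed, the minimum-recurrence threshold of 2 is an assumption, and the list of legitimate audio extensions is an assumption as well.

```python
import re
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Assumption: the extensions a music search should legitimately return.
AUDIO_EXTENSIONS = {"mp3", "wma", "wav", "ogg", "flac"}
PAREN_TAG_RE = re.compile(r"\([^)]+\)")

# Constructed sample: what a probe search for the post's made-up title might return.
PROBE_QUERY = "retarded records inc"
PROBE_RESULTS = [
    "retarded records inc (256k quality).mp3",
    "retarded records inc (hot new track).mp3",
    "retarded records inc (remix).mp3",
    "retarded records inc.au",
    "retarded records inc (256k quality).au",
    "retarded records inc (hot new track).wav",
]


def normalize(name: str) -> str:
    """Lower-case and collapse whitespace so decorations compare reliably."""
    return re.sub(r"\s+", " ", name.lower()).strip()


def echoes_query(filename: str, query: str) -> bool:
    """A title that does not exist should never be served; a hit that simply
    repeats the nonsense query was built from the search terms."""
    return normalize(query) in normalize(filename)


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def learn_junk_markers(probe_results: Iterable[str], query: str, min_count: int = 2) -> Set[str]:
    """Collect the decorations that recur on fabricated hits: parenthetical tags
    such as '(256k quality)' and non-audio extensions such as '.au'.
    Extension markers are stored with a leading dot and matched as suffixes."""
    counts: Counter = Counter()
    for name in probe_results:
        if not echoes_query(name, query):
            continue  # only learn from hits that are clearly generated
        n = normalize(name)
        for tag in PAREN_TAG_RE.findall(n):
            counts[tag] += 1
        ext = extension(name)
        if ext not in AUDIO_EXTENSIONS:
            counts["." + ext] += 1
    return {marker for marker, c in counts.items() if c >= min_count}


def _matches(normalized_name: str, marker: str) -> bool:
    # Extension markers must be at the end; tag markers may appear anywhere.
    if marker.startswith("."):
        return normalized_name.endswith(marker)
    return marker in normalized_name


def split_results(results: Iterable[str], markers: Set[str]) -> Tuple[List[str], List[str]]:
    """Apply the learned markers to a real search: returns (kept, junk)."""
    kept: List[str] = []
    junk: List[str] = []
    for name in results:
        n = normalize(name)
        (junk if any(_matches(n, m) for m in markers) else kept).append(name)
    return kept, junk


if __name__ == "__main__":
    markers = learn_junk_markers(PROBE_RESULTS, PROBE_QUERY)
    print("learned junk markers:", sorted(markers))
    # Constructed sample of a real search, mixing genuine-looking and decorated hits.
    real_search = [
        "Band - Song.mp3",
        "Band - Song (256k quality).mp3",
        "Song (hot new track).mp3",
        "Band - Song.au",
        "Band - Song (remix).mp3",
    ]
    kept, junk = split_results(real_search, markers)
    print("kept:", kept)
    print("junk:", junk)
```

Running several probes with different nonsense titles and merging the learned markers, as the post suggests, makes the threshold more meaningful: a decoration that shows up across unrelated probes is far more likely to be a generator artefact than one that happened to appear twice in a single result set. "(remix)" is not learned here because it occurred only once, which is the intended conservative behaviour, since a real remix would otherwise be filtered on its name alone.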

