RE: *Ty / Dylan* eMule suspicious activity?

From: Tabish Hasan <tabish_at_mediadefender.com>
Date: Fri, 22 Jun 2007 12:04:26 -0700

I know this has been put on the FAR back-burner...but just wanted to
point out a new observation...and hopefully refresh this topic so we can
eventually implement this.

Whoever is doing this is bypassing eMule's built-in filters. For
example, I put a min file size limit of 50MB, but they were still able
to return all their spam/spyware files that are under 1MB. This is the
case for the other filters I tried as well. They still get their files
through. (I don't know if that's impressive, but I thought it was pretty
cool they can do that)

-TH
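Added example, not code from the thread or from eMule: a client-side re-check of search results built from the filter-bypass observation above and Dylan's point further down the thread that the size/type filter is part of the request to the server, so a rogue server can simply ignore it. The extension sets, the availability threshold and the sample results are assumptions constructed for the example.

```python
# Added example: client-side re-check of eMule search results that treats the
# server's reply as untrusted and re-applies the user's own filter locally.
from dataclasses import dataclass

AUDIO_EXT = {"mp3", "ogg", "wma", "flac", "wav", "aac", "m4a"}        # assumed list
RISKY_EXT = {"exe", "zip", "html", "htm", "scr", "com", "bat", "rar"}  # assumed list
MAX_PLAUSIBLE_SOURCES = 5000  # assumed threshold; tune to observed swarm sizes

@dataclass(frozen=True)
class SearchResult:
    name: str
    size_bytes: int
    sources: int  # availability count exactly as the server reported it

def decoy_reasons(r: SearchResult, query: str, min_size: int, file_type: str) -> list:
    """Reasons a result violates the requested filter or matches the decoy pattern."""
    stem, dot, ext = r.name.rpartition(".")
    stem, ext = (stem, ext.lower()) if dot else (r.name, "")
    reasons = []
    if r.size_bytes < min_size:
        reasons.append(f"size {r.size_bytes} B is below the requested minimum {min_size} B")
    if file_type == "audio" and ext not in AUDIO_EXT:
        reasons.append(f"extension '.{ext}' is not an audio type")
    if stem.strip().lower() == query.strip().lower() and ext in RISKY_EXT:
        reasons.append("filename is the search string verbatim with a risky extension")
    if r.sources > MAX_PLAUSIBLE_SOURCES:
        reasons.append(f"availability {r.sources} is implausibly high")
    return reasons

def filter_results(results, query, min_size, file_type):
    """Split server results into (kept, dropped); dropped maps filename -> reasons."""
    kept, dropped = [], {}
    for r in results:
        reasons = decoy_reasons(r, query, min_size, file_type)
        if reasons:
            dropped[r.name] = reasons
        else:
            kept.append(r)
    return kept, dropped

# Constructed sample modelled on the thread: three decoys and one genuine hit.
QUERY = "pharrell keep it playa instrumental"
SAMPLE = [
    SearchResult("pharrell keep it playa instrumental.exe", 153_600, 9_999),
    SearchResult("pharrell keep it playa instrumental.html", 120, 9_999),
    SearchResult("pharrell keep it playa instrumental.zip", 800_000, 7_500),
    SearchResult("Pharrell - Keep It Playa (Instrumental).mp3", 4_500_000, 12),
]
```

Calling `filter_results(SAMPLE, QUERY, 1_000_000, "audio")` keeps only the .mp3 and reports, per dropped file, every rule it tripped, so the decoys are refused even when the server returned them in defiance of the requested filter.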


-----Original Message-----
From: Randy Saaf
Sent: Monday, February 26, 2007 4:43 PM
To: Tabish Hasan; Dylan Douglas; Ben Grodsky; qa
Subject: RE: *Ty / Dylan* eMule suspicious activity?

Good call. Ben can test this to see if we get any website traffic from
it for our ad deals.

-----Original Message-----
From: Tabish Hasan
Sent: Monday, February 26, 2007 3:30 PM
To: Randy Saaf; Dylan Douglas; Ben Grodsky; qa
Subject: RE: *Ty / Dylan* eMule suspicious activity?

Once things calm down from the move related issues, I think we should
revisit this. Since our servers are down today and based on the spoof
hits I'm seeing, this definitely has potential.

(Just wanted to resurrect this thread in case it gets forgotten)

-TH

-----Original Message-----
From: Randy Saaf
Sent: Tuesday, January 30, 2007 6:30 PM
To: Dylan Douglas; Ben Grodsky; qa
Subject: Re: *Ty / Dylan* eMule suspicious activity?

Agreed, but eMule doesn't have a history of changing their code to deal
with us. In fact eMule has never rolled out a counter-counter measure.

----- Original Message -----
From: Dylan Douglas
To: Randy Saaf; Ben Grodsky; qa
Sent: Tue Jan 30 11:07:07 2007
Subject: RE: *Ty / Dylan* eMule suspicious activity?

Yeah, but I could quickly see eMule patching this kind of exploit very
quickly, since it wouldn't take more than a couple lines of code to do
it. And, they seem to roll out a new version every month or less.

-D

>-----Original Message-----
>From: Randy Saaf
>Sent: Tuesday, January 30, 2007 11:04 AM
>To: Dylan Douglas; Ben Grodsky; qa
>Subject: Re: *Ty / Dylan* eMule suspicious activity?
>
>This could be very interesting for us.

>----- Original Message -----
>From: Dylan Douglas
>To: Randy Saaf; Ben Grodsky; qa
>Sent: Tue Jan 30 10:51:39 2007
>Subject: RE: *Ty / Dylan* eMule suspicious activity?
>
>It depends. If I remember correctly, selecting the search type is a
>request to the server. I don't think the client does anything with
>regards to filtering. So they might still come through if this is being
>fed up by a non-server.

>-----Original Message-----
>From: "Randy Saaf" <randy_at_mediadefender.com>
>To: "Ben Grodsky" <grodsky_at_mediadefender.com>; "qa"
><qa_at_mediadefender.com>
>Sent: 1/30/07 10:26 AM
>Subject: Re: *Ty / Dylan* eMule suspicious activity?
>
>I can't imagine a lot of people would click on those??? They would
>get filtered in an audio only search, correct?

>----- Original Message -----
>From: Ben Grodsky
>To: qa
>Sent: Tue Jan 30 10:22:23 2007
>Subject: RE: *Ty / Dylan* eMule suspicious activity?
>
>The HTML fake is an empty file just opening and closing web page tags.
>
>These are the contents:
>
><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
><html> <head>
>
></head>
></html>

>________________________________
>
>From: Tabish Hasan
>Sent: Tue 30-Jan-07 10:07
>To: Randy Saaf; Dylan Douglas; qa
>Subject: RE: *Ty / Dylan* eMule suspicious activity?

>No, they're exe, zip, and html extensions. The HTML file takes you to a
>webpage, which in turn attempts to install some sort of spyware from
>Zango. I've attached the file in case anyone wants to see for themselves.
>
>To recreate my search results, search for "pharrell keep it playa
>instrumental" as a global all type search. Eventually you should get
>hit with decoys with extremely high #s.

>-TH

>-----Original Message-----
>From: Randy Saaf
>Sent: Tuesday, January 30, 2007 3:25 AM
>To: Dylan Douglas; Tabish Hasan; qa
>Subject: Re: *Ty / Dylan* eMule suspicious activity?
>
>Is it installing executables with files that have mp3 extensions?

>----- Original Message -----
>From: Dylan Douglas
>To: Tabish Hasan; qa
>Sent: Mon Jan 29 17:41:56 2007
>Subject: RE: *Ty / Dylan* eMule suspicious activity?
>
>T-
>
>Not really. Stuff like this has been out there for a while now. It's
>just something in your server list that is returning results using your
>search string. You can usually find them for zips/exe searches, like
>you'll search for "Windows XP iso crack" and get a bunch of 150kB exes
>called "Windows XP iso crack.exe" that will install spyware. I've
>never seen them showing up for music searches. But, whatever, maybe
>they are getting more desperate.

>-D

>________________________________
>
> From: Tabish Hasan
> Sent: Monday, January 29, 2007 5:32 PM
> To: qa
> Subject: *Ty / Dylan* eMule suspicious activity?

> Ty / Dylan,
>
> Take a look at my eMule screenshot below.
>
> It seems like suspicious results were returned. I was searching for
>an instrumental, and after a few minutes when nothing returned, these
>files got returned. Notice the availability #'s returned for these fake
>files. Also notice that my search string got copied exactly, but it was
>a decoy.

image001.jpg
Received on Fri Sep 14 2007 - 10:56:32 BST

This archive was generated by hypermail 2.2.0 : Sun Sep 16 2007 - 22:19:49 BST