File sharing networks are among the largest sources of malware infections. I guess it’s not news to you. Lots of trojans and worms create infected files in shared folders of installed peer-to-peer applications. That’s how a plague spreads over the Internet. You search for a “cracked” version of some software, but often get malware instead.
Experienced file sharing fans know how to avoid downloading malware. In most cases they can say for sure which files in a search report look safe and which seem to be infected. However, even they cannot guarantee that downloaded software isn’t corrupt and works as intended. Audio and video files are just the same. You cannot be absolutely sure which song or movie you’ve downloaded until you open and play it.
That’s the major problem of file sharing. Although it’s really useful, it isn’t safe at all. Malware pushers understood it years ago, and now entire networks such as LimeWire are loaded with all kinds of threats.
But this time it’s not the notorious LimeWire I want to speak about. It’s eMule, one of the most popular and relatively safe peer-to-peer clients. eMule connects to the good old eDonkey network.
Strange search results. Part 1
It all started a few months ago when I used eMule to search for some document. As always, I launched the program, connected to a network and typed the document name into the search field. Usually, search results appear immediately and the list of matches continues growing until the search is finally over (a progress bar indicates it). But that wasn’t the case. The search was almost over, but the list of Search Results was still empty. That could only mean that there were no such documents in the entire file sharing network.
“Well, you cannot find just everything in a file sharing network”, I thought. But just then a few results appeared. I had managed to find such a needed and rare file! But then I took a closer look at the results, and I wasn’t so happy anymore. The filename was a complete copy of my search keywords, and the file itself had a different extension. It wasn’t a document, but an executable. Of course, I didn’t download it.
Back then I didn’t have a lot of time, and simply forgot about those strange search results. But I was pretty sure that the files I found weren’t legit and safe.
Strange search results. Part 2
I didn’t use eMule for a few months until yesterday. This time I searched for something similar to new corrupt anti-spyware. Don’t ask me why, it’s just a part of my work. Once again I didn’t see any results while the search was in progress. But just before it was over, a few strange results appeared. There were 4 files – three Zip archives and one executable. Each of them had the search keywords as its name.
This could be a coincidence, so I decided to make a few more searches that usually wouldn’t return any results at all. The search strings were: “2spywaretestemule”, “we search for p2p malware”, and “this is just a test by 2spyware”. I doubt that anyone among all those eDonkey users has something like this. Nevertheless, I got the results.
Same four files in each search report! Three Zip archives and one executable. Take a look at their names. They are almost the same as my search strings.
At this time I was pretty sure that I was dealing with some kind of malware. I made more searches with keywords of different forms and even languages, but I could still get odd results.
Being a curious person, I couldn’t keep myself from downloading the strange files. The executables had icons similar to those that setup files use. Furthermore, they looked like installers for BitTorrent downloader, whatever that means.
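The pattern described above, results whose names copy the query and carry an executable or Zip extension even for strings nobody would share, can be checked mechanically. The Python code below is an added example, not part of the original post or of eMule; the function names are hypothetical and the result names in `SAMPLE` are constructed around the three test strings from the post.

```python
import re

# Extensions of the echoed results reported in the post: executables and Zip archives.
ECHO_EXTENSIONS = {"exe", "zip"}

def squash(text):
    """Case-fold and drop separators, so 'We_Search for' equals 'wesearchfor'."""
    return re.sub(r"[\W_]+", "", text.casefold())

def is_keyword_echo(query, filename):
    """True when the name is just the query plus an executable/archive extension."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() not in ECHO_EXTENSIONS:
        return False
    key = squash(query)
    return bool(key) and squash(stem) == key

def audit_canaries(results_by_query):
    """Map each canary query to the result names that echo it.

    A canary query is a string that should match nothing on the network,
    so any echo it receives was generated in response to the search itself.
    """
    report = {}
    for query, names in results_by_query.items():
        echoes = [name for name in names if is_keyword_echo(query, name)]
        if echoes:
            report[query] = echoes
    return report

# Constructed sample data (not captured from a real search).
SAMPLE = {
    "2spywaretestemule": ["2spywaretestemule.exe", "2spywaretestemule.zip"],
    "we search for p2p malware": ["We_search_for_p2p_malware.zip",
                                  "p2p malware survey.pdf"],
    "this is just a test by 2spyware": [],
}

if __name__ == "__main__":
    for query, echoes in audit_canaries(SAMPLE).items():
        print(f"{query!r}: {len(echoes)} suspicious echo(es): {echoes}")
```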
Zip files were normal archives containing the Multi_Media and Online_TV executables, which seemed to be the installers for the Multi Media Toolbar and the Online TV Toolbar from PlatformaOnline Ltd. and Conduit Ltd. respectively. At least file details said so.
I scanned all the files I downloaded with my current antivirus and anti-spyware, but my security suite didn’t find any pests. That was strange too. However, I gave it another try and uploaded the files to VirusTotal, a free service for scanning suspicious files using multiple antivirus engines. Results were a bit different this time.
The executables I downloaded appeared to be downloader trojans with the common aliases of Trojan.Dropper-322 and Trojan.W32.Inject.ba.
The executables within the Zip archives appeared not to be infected. However, I wouldn’t describe them as safe. Both install advertising-supported Internet Explorer toolbars with possible hijack functionality. Right after you install them you get pop-ups and noticeable system slowdowns.
Of course, it would be interesting to know who or what spreads file sharing malware. I’m not speaking about typical worms that simply drop files with meaningful names to shared folders on compromised computers. The answer is clear. What I want to find out is what kind of software can intercept user search keywords and give back generated results. I didn’t see anything like that in peer-to-peer networks before.
What’s this? A new kind of sophisticated worm, or has it something to do with eD2k server configuration? Or maybe my test computer is infected with something that neither my security suite nor numerous online scanners can find? Why don’t I get the same results while searching in alternative eDonkey network clients like aMule? That’s a mystery to me right now.
I must confess I don’t have all the technical knowledge of file sharing. Moreover, thorough research requires a lot of time. While it’s a big problem for me right now, I plan to come back to this issue as soon as possible. I hope to do this in my future posts here, on 2-Spyware.com.
If you have any thoughts about these or any other interesting examples of file sharing malware, please leave your comments here. You can also discuss this write-up on our forum.
To be continued…
GTO, 2-Spyware.com forum moderator