Shareaza

[netweasel]

Fake Files Filter by The Netweasel [20 Jul 2009].zip

Hello, everyone!

Someone in these forums recently posted a question about a recent flurry of fake files on the Gnutella networks -- numerous "hits" with file sizes of 649 and 651 kB. These files are so numerous that they tend to fill up one's search results. I want to respond to that person's plea, and offer a partial solution.

I also want to offer a Shareaza filter that I have created that may help.

I have been studying the many fake files on the G1, G2 and eDonkey networks for some months now. I have made it my mission to download these files, viruses included, analyze them, and report their contents to Bitzi so that anyone with sense enough to investigate what he is downloading (with a right-click, and "view Bitzi Ticket") can obtain an accurate description of the file and perhaps be forewarned of danger.

This new class of fake files, with the above-mentioned file sizes, represents a new kind of attack on P2P users. As stated above, there are two groups: 649 kb and 651 kb. Within each group, there are -- I estimate -- somewhere between 70 and 80 unique files. Within a given group, the file size is precisely the same, the file name is always the same, and the infection is always the same: Trojan-Downloader.Win32.Clopack!IK (A-Squared). I figure that the clever miscreant who is promulgating these malicious files is working overtime, trying to flood our search results with so many fake files that Shareaza will become unusable. Unfortunately for him, altering even a single byte within a file also alters its MD5 sum and its various hashes, so we can catalog each file and compile a block list!

I decided to put a stop to this vulnerability to fake files, and so created a filter that I think will help. The file name is "Fake Files Filter by The Netweasel [20 Jul 2009].xml" It consists strictly of the hashes for fake files that I have discovered. It contains no IP numbers, since those are constantly changing and of no real use in blocking fake files. Using it myself, I have found that it drastically reduces the number of fake-file "hits" in my own Shareaza search results, so I am encouraged to share it with other Shareaza users. Unfortunately, the forum software will not allow me to upload a file with an .xml extension, so now I am wondering what to do next. Maybe if I "zip" it ... ?

Well, that seemed to work -- the .zip file I mean -- although I'm not sure where it went or how my readers will lay hold of it. This new forum is new to me.

I also intend to offer my fake files blocklist over the P2P networks themselves. I shall be curious to see whether there is any demand for it.

Now with all this, I am done! If anyone has a suggestion or any help to offer me, then I am of course open to suggestion.

[cyko_01]

I have also tried this, but it seems there are about 20 new hashes created daily which makes our efforts pretty futile

[zigozag]

Hi Netweasel,

From time to time, I deactivate all the filters on Shareaza and search for a random string and then analyze and report bitprint to Bitzi (I thought about Donkeyfakes which is used by eMulePlus too, but it's rarely updated). The tools I used for analysis are Avast which offers on-access scan, permanent monitoring of Shareaza's default download folder and all this with a high detection rate and ClamWin which doesn't feature on-access scan and which has a rather low detection rate (but it doesn't conflict with other AV applications and it's useful as an additional scanner). The one thing that baffles me is how often these files are uploaded to others when they sit in my shared folder for just 5 minutes.

In all cases feel free to attach your filter here. This forum should accept your xml file if you zip it or if you create a tarball.

[netweasel]

Hi, zigozag!

I use an on-line virus scanner to check these fake files that uses numerous virus programs simultaneously including Arcavir, Avira, A-Squared, Avast, Nod32, Kaspersky, VBA32, ClamAV, and a good many others. You can try it here: http://virusscan.jotti.org/.

I shall try to attach the zipped version of my .xml fake-files block list to this post.

As an added note, on the evening I added these blocks to my security filter, it drastically reduced the occurrence of fake files my search results. How long it will continue to do so is a matter for experimentation ... but I don't think I'd have any trouble keeping it up to date if there is any interest. It is an easy list to make. Heck, anybody could do it.

Thanks for the feedback, everyone!

[netweasel]

Okay, I am going to try one more time to upload the attachment, using a different browser (IE). If that doesn't work then perhaps someone can find it using Shareaza itself and attach it for me, or help in some other way. I am going to go crank up Shareaza immediately I'm done here. Maybe I can post a Magnet link, though I've never done that before, not sure how.

I have had problems attaching to posts on other forums as well -- no clue what the problem is.

Thanks!

[cyko_01]

you do realize the irony of making the filter a zip file and then telling them to search for it by title, right?

[netweasel]

Yes, Cyko, I realize the ha-ha involved, but I also offer it in plain .xml format for those who shun zipped files.

What I need to do is find some way to advertise it so that potential users will clearly see what it is ... and find a way to neutralize its detractors.

Heck, it hasn't even yet been evaluated -- how could it have been: nobody has seen it but me, its author -- but already it is has somehow been declared useless. I wonder about that, and about the "why" involved.

I worked hard on this fake-files blocklist. I spent days assembling this contribution to P2P security. And nobody has seen it but me. I tried to upload it as an attachment so others could test it, but something prevented that upload from working. I tried to offer it on the P2P networks, but nobody was interested. Why is that? Could it be that there is resistance here at home?

It is not a G1 blocklist, or even a G2 blocklist. It is a Shareaza blocklist involving G1, G2, and eDonkey as well: all three together. In fact, most of the entries in it contain all three hashes, not just the G1 thing, although those are there as well sometimes. The last version of it in unzipped format was around 113 kb.

I don't know what the cause of the resistance is, but if it has anything to do with G1, then please understand that I am not interested in supporting G1 as opposed to G2 -- or G2 as opposed to G1, for that matter. I am only trying to enhance security for all file sharers, regardless of what clients they use: LimeWire, eMule, Shareaza, mu-Torrent, whatever, I don't care.

And with this, the Fake Files Filter project by The Netweasel is hereby dead. I shall hold onto the filter file I have for a few more days, because I'm not the spiteful sort -- but I'm about to abort the project and move on to some other P2P security effort that people will accept. I have no idea what that new project will be, but I'm sure it will have nothing to do with the Shareaza forums.

Best wishes to all.

[cyko_01]

upload it on http://sure-raza.com/backups/ (free, and no waiting to download) or rapidshare so you can at least get some sources on shareaza. Nobody is trying to prevent you from sharing it. I would actually like to download it so I can compare and combine it with my own version of your filter

[netweasel]

Thanks, but I've already deleted the file and abandoned the project. Sorry.

[zigozag]

[ocexyz]

[wiggindesigns]

His was probably more comprehensive.. But for now, I have 172 SHA1 hashes included in this which greatly reduces the spam, if anyone wants to look at it. Would probably need at least weekly updates to be efficient, and searching for things like TERM SEARCH -"SEARCH TERM" would do just as well(the format may be wrong, but you get the idea), I figured since weasel abandoned it I would give it a head start for anyone that wanted to take it on.

edit:

Note- You dont actually need to download the spam. While I did download a lot to a virtual machine(they are the VUNDO trojan), its not necessary in order to get the sha1. Just search, start downloading the files and pause them all. Right click > Advanced edit, copy sha1 and save it as "sha1:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" in a notepad document until you need to actually put the list into a rule.

Best way to search for spam is just a random bunch of letters.. (grekjghqea for example) so you minimize real results.

[ocexyz]

Many thx

[cyko_01]

[wiggindesigns]

The only problem with that one is you have one rule for each hash.. With 172 just right now, wouldnt that flood the security rules page?

[cyko_01]

[wiggindesigns]

Ya, but its not really like other things like IPs where its best to have separate. I'll just use notepad++ to cut out everything cut the hashes and condense to one for mine

[draganglas]

Greetings,

Has anyone tried the blocklist from Bluetack's Blocklist Manager? It has a option to convert it to Shareaza XML format.

The list itself comprises a variety of sources, including:

Ad Trackers (Ad trackers and bad porn)
Bogon (Bogon address list)
Hijacked IP List
Spiders (Webspiders and Bots)
Spyware (Spyware/Malware)

Any comments?

Kindest regards,

Dragan Glas

[ocexyz]

It can be done, of course.

I personally prefer to use PeerGuardian2 or Peerblock as separate software because: 1) it runs auto updates 2) it prevents also when Shareaza is off 3) prevent when any of my software (not only Shareaza) or even any existing but undetected malware/spyware tryies to go out with connection atempt.

I use PG2 or PB and Cyko's filter together.

[diztrancer]

Don't take all those PeerGuardian/PeerBlock recommendation seriously. PG/PB have no effect on spam that appears in Shareaza's search tab. Spammer don't use IPs that are in bluetack IP lists. For security reasons use normal firewall if you need. And don't try to use those huge IP lists in Shareaza - Shareaza can't use even 1000 security rules, so if u try 12MB of rules in Shareaza ....

The simplest way to not obtain those spam hits is to use minimum file size parameter when u search for something.

P.S. Who is responsible for default security rules - please update ED2K related rules !

[draganglas]

Greetings,

Thanks, diztrancer, for the info - I'd just wondered if it would be of any use. [I'd used it for years on another computer with Agnitum's Outpost Pro firewall with great success with WinMX. Never had any such problems as I've had with Shareaza - despite only using this for a few days!!]

Personally, it would be much better if TPTB for Shareaza blocked anyone who attempted to "share" malware of any sort - until they cleaned their systems (assuming the user is unaware of their system being infected...). Certainly blocking troublemakers would help considerably.

Regarding the "minimum size" feature in the "Filter" window...

...Personally, I'd have thought that being able to block files fitting known sizes of malware would be more useful - I've seen fake files like "REMIX - (search term) - the best" appear often, all with the same file sizes, similar to what Netweazel mentioned.

In fact, I was wondering if the spammers are simply using a program to randomly name fake files by taking the search term(s) and adding "REMIX" and "the best" (and other stock phrases) to create fake file names before sharing them on the networks!? (Hence the rate at which they appear.)

Kindest regards,

Dragan Glas

[ocexyz]

From my observation spammers use program which generates fake names of files which contains I don;t know what - most probably an unpleasant and unwanted "surprise". They can be .zip small files like 700B .avi or 1,5KB .avi. The size of fakes seems to me be related to kind of searches - many times it is enough to set filter (Shareaza right low corner > filter) in searches higher then fakes, or type in "-zip" exclude zip files "-mp3" exclude mp3 files or any other string like sex, porn, hot etc. etc. - spammers got very limited vocabulary or are very focused on their favourite hobby. Look in wiki about how to search smarter for files, how to use Shareaza built-in tools.
Shareaza security rules I don't know if they will be able to handle 12MB, I doubt and I think Diz is right about this. that is why I use Cyko all-in-one filter. Also this tool is not quite comfortable about updates etc.
I disagree with Diz about PG2 and PB: however they don't solve all problems but in my case have limited amount of spam. This spam which was not stopped usually come from one or just a few IP addresses, so I just ban it/them. Here should be mentioned that spammers can change IP, dynamic IPs, so I would be happy if Shareaza would have "ban temporary - till end of current session" and separate menu item "ban permanently" as they would be useful for not to ban permanently IP which can be useful just next day. Current ban in searches is permanent, as add permanent rule to security rules, I think. Anyway I clean install at last once per month so I delete all manually added bans.
Also rules can be added to firewall.
All that depend also on what user wants to do, skills and if want to make some experiments with firewall etc..

Rules, block lists, bans IMHO changes so they to be effective must be changed and updated also. Anyway good collection of good rules can make life easier.

[siavoshkc]

Hi
Using hashes to filter out fake files is a good idea. I have an idea about taking it into practice. The problem is that if I offer you my own Fake File Hash List (FFHL) then I may include hashes of non-fake files in it. For example I don't like that movie so no one should watch it. Or mistakenly added files. So:
- FFHL should be validated by a group of users somehow
- FFHL should be updated
My solution:
Say we have a standerd FFHL file name ffhl.xml that is shared. This ffhl.xml has a hash itself. When we search for something, Shareaza should display the items filtered by this file. It can show them in red background for example. The users then see if the filter is working right or not. If they noticed a wrongly filtered file they right click on it and "File is not fake" option in context menu is chosen and the hash is deleted from FFHL.
Shareaza will update ffhl.xml file from hubs automatically. Because most of Shareaza users are trying to make FFHL correct, hubs will always have a valid and updated version of ffhl.xml. Hubs will gather ffhl.xml files from connected users and will extract common hashes among the FFHL files. Then they create a master ffhl.xml ready to be downloaded by their clients. When Shareaza downloads a new ffhl.xml from a hub, it adds new items to its own list. So keeps its private hashes still.


This way Netweasel's FFHL will help whole network even if he does nothing to promote it.

[old_death]

This does not work. Say we have a group of malicious users controlling 100-200 computers on which Shareaza is installed. If they all add the same false positive hashes to this block list, there will be more than 100 entries for the same hash, so according to your logic, this hash will be marked as spam, even if the file is not really spam. The inverse situation is also true: if there are enough users marking a virus file as harmless, it will be excluded from the filter despite its dangerousness.

mfg,
Old


PS.: And there are groups controlling much more PCs than only 100 working against P2P networks in general and G2 more specifically.