Try to detect a fake server, sending bogus search results
Post #1 | AraldoL | Dec 25 2006, 21:21 | Group: Members, Posts: 77, Joined: 23-August 05
For some days I have noticed that on nearly every search I get one single fake search result (obviously a dangerous executable) with a very high number of sources, so it's always in first position in the search results. The filename is always built from my search term and "_ShareAccelerator.exe", e.g. if I do a global search on "schafkopf" (a German card game; there are several freeware versions floating around) I get "schafkopf_Shareaccelerator.exe" with about 6500 full sources. There must be at least one bogus server that builds this filename from my search term.

Of course I use a big and weekly updated ipfilter.dat! And I use a self-compiled version of the current CVS with a self-made addition to prevent adding any servers which are located in the United States according to ip2country, so I have no US servers in my list. To investigate which server it is, I tried to find the location in the source where the server results are added to the list. I wanted to write a debug line with the server's IP to the debug log to find out which server it is as a first step. Can someone point me to the proper file and function in the source where both server IP and filename from global search results are available?

Araldo
Post #2 | Aw3 | Dec 25 2006, 22:50 | Group: Admins, Posts: 7319, Joined: 8-December 03
CODE:
    switch (uOpcode)
Post #3 | AraldoL | Dec 26 2006, 09:48 | Group: Members, Posts: 77, Joined: 23-August 05
Thank you Aw3! Now I know I always searched in the wrong files (SearchList.cpp, SearchListCtrl.cpp, ...). Now I'll try to find out which server (or several servers?) is responsible and add it to ipfilter.

Another idea I had is to drop all search results with more than 2000 or 3000 full sources from a single server on global search. I never had a realistic result like this, and such a file would still get enough sources from smaller servers too.

Araldo
Post #4 | Fuxie - DK | Dec 26 2006, 14:24 | Group: Managers, Posts: 4800, Joined: 21-January 03, From: Copenhagen, Denmark
QUOTE(AraldoL @ Dec 26 2006, 10:48)

Some of the VERY popular movies (e.g. Lord of the Rings, when it was released) and games do in fact have 2000+ valid sources...
Post #5 | AraldoL | Dec 26 2006, 15:11 | Group: Members, Posts: 77, Joined: 23-August 05
QUOTE(Fuxie - DK @ Dec 26 2006, 16:24)
    Some of the VERY popular movies (e.g. Lord of the Rings, when it was released) and games do in fact have 2000+ valid sources...

In total, yes. But not so many complete sources on one single server, so if you do a global search for such a popular file you could even drop a 2000+ result from one or two of the biggest servers and you still get more than enough search results for the same file from smaller servers. If you start such a download, the other sources are found by source exchange, of course.

Araldo
Post #6 | Vladimir (SV) | Dec 26 2006, 15:29 | Group: Betatesters, Posts: 1316, Joined: 31-July 05, From: San Salvador, El Salvador
Instead of dropping, have you considered the possibility of filtering results for strings?

Let's say a "result filter" with bad words or something like that. IMHO that will protect you just from undesired results, and avoids the small probability of dropping a real result from the search.
Post #7 | muleteer | Dec 26 2006, 17:09 | Group: Betatesters, Posts: 8261, Joined: 29-February 04
QUOTE(Vladimir (SV) @ Dec 26 2006, 20:59)

No, because the fake result shows a filename that is made specially, based on the search string. No bad words are present.

I like this idea. So far we've been depending on publicly updated ipfilters for weeding out the bad servers. Time we got more proactive.
Post #8 | Vladimir (SV) | Dec 26 2006, 19:26 | Group: Betatesters, Posts: 1316, Joined: 31-July 05, From: San Salvador, El Salvador
QUOTE(muleteer @ Dec 26 2006, 11:09)
    QUOTE(Vladimir (SV) @ Dec 26 2006, 20:59)
    No, because the fake result shows a filename that is made specially, based on the search string. No bad words are present.

It's like the file name cleaner; it does not have to be the exact string to filter. Let's say you want to filter results with the "_Shareaccelerator.exe" string present, which will match any string composed with it, like "This is not fake_Shareaccelerator.exe", "Believe me_Shareaccelerator.exe", "this is the file_Shareaccelerator.exe", etc. Anyway, any method to delete fake servers is welcome.
Post #9 | AraldoL | Dec 27 2006, 10:22 | Group: Members, Posts: 77, Joined: 23-August 05
Back again with results:

It's "BiG BanG 12" (IP: 80.239.200.111) that sends those bogus exe results; I added it to my ipfilter list. I didn't get such fake results from any other server in my list.

Araldo
Post #10 | muleteer | Dec 27 2006, 13:04 | Group: Betatesters, Posts: 8261, Joined: 29-February 04
Thanks. Nice proof of concept, to show that it can be done.
Post #11 | Captain_Shiner | Dec 27 2006, 14:54 | Group: Members, Posts: 5, Joined: 18-July 05
Mmm... I was interested in this result about BigBang12, so I connected eMule+ to BB12 and tried some searches using the "server" method, but I didn't find such fakes called "...shareaccelerator.exe".

Can anybody test this server and report its behaviour? Thanks.
Post #12 | Fuxie - DK | Dec 27 2006, 15:18 | Group: Managers, Posts: 4800, Joined: 21-January 03, From: Copenhagen, Denmark
QUOTE(AraldoL @ Dec 27 2006, 11:22)
    It's "BiG BanG 12" (IP: 80.239.200.111) that sends those bogus exe results, I added him to my ipfilter list. Didn't get such fake results from any other server in my list.

How can you be sure?? BiG BanG servers have always been trusted servers, and they ALWAYS have IP 80.239.200.*, so it's pretty hard to fake the IP... I tried to do your search on schafkopf, and with Global Search I also got the virus file. But when I switched to the BB12 server and did one more search (this time only a server search), I didn't get the virus file, thus indicating it must come from another server.

EDIT: Just saw Captain_Shiner reported the same thing before me.

This post has been edited by Fuxie - DK: Dec 27 2006, 15:19
Post #13 | Vladimir (SV) | Dec 27 2006, 15:36 | Group: Betatesters, Posts: 1316, Joined: 31-July 05, From: San Salvador, El Salvador
Captain_Shiner, sometimes server behaviours are based upon client country.

I don't get the fake file either with that server. Just three low-source files.
Post #14 | AraldoL | Dec 27 2006, 15:36 | Group: Members, Posts: 77, Joined: 23-August 05
I was surprised too. To validate it without my code modifications:

- Have BiG BanG 12 in your server list, e.g. use the following link: ed2k://|server|80.239.200.111|3000|/
- Connect to a different server
- Global search for "schafkopf" -> you get the bogus result
- Delete BiG BanG 12 from your server list (use settings that don't auto-add servers, otherwise this server will return to the list)
- Global search again -> clean

BB12 was the only server my patch logged yet; none of the other BiG BanG servers did this. I didn't download this EXE to check what it does, but I'm sure it's not healthy.

Araldo

UPDATE: Hmm, currently I don't get this bogus result again from BB12 or any other server. I'll investigate if it returns ...

This post has been edited by AraldoL: Dec 27 2006, 15:53
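Added example, written for this page and not taken from eMule Plus, from AraldoL's patch or from any poster: it pulls together the ideas argued over in posts #1, #3, #8 and #14 on plain per-hit data instead of inside the client's packet handler. Each global-search hit is kept together with the server that returned it (what the debug line in post #1 was for), hits are flagged when the name is the search term plus a fixed suffix or merely ends in that suffix (post #8), and a per-server complete-source cap is applied separately (post #3), which is where post #4's caveat matters: popular files really do reach 2000+ sources in total, so the cap is only meaningful per server and only as a hint. The SearchResult struct, its field names, the helper names and the 192.0.2.x server addresses in the constructed sample are assumptions for illustration.

```cpp
// Added example, not eMule Plus code. Attributes global-search hits to the
// server that returned them and flags the two anomalies discussed in the thread.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// One hit as the client sees it during a global search. The struct and its
// field names are assumptions, not the client's real data structures.
struct SearchResult {
    std::string serverIp;        // server that returned this hit
    std::string fileName;
    unsigned    completeSources;  // complete sources reported by that server
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Suffix seen in the thread; compared case-insensitively.
static const std::string kFakeSuffix = "_shareaccelerator.exe";

// Strict test: the name is exactly "<search term><suffix>", i.e. built from the query.
bool isQueryDerivedFake(const std::string& query, const std::string& fileName) {
    return toLower(fileName) == toLower(query) + kFakeSuffix;
}

// Broader test (post #8): any name ending in the suffix, whatever precedes it.
bool hasFakeSuffix(const std::string& fileName) {
    const std::string f = toLower(fileName);
    return f.size() >= kFakeSuffix.size() &&
           f.compare(f.size() - kFakeSuffix.size(), kFakeSuffix.size(), kFakeSuffix) == 0;
}

// Servers that returned at least one flagged hit: the answer post #1's debug
// line was after, but computed from the hits rather than patched into the client.
std::set<std::string> serversSendingFakes(const std::string& query,
                                          const std::vector<SearchResult>& hits) {
    std::set<std::string> bad;
    for (const SearchResult& h : hits)
        if (isQueryDerivedFake(query, h.fileName) || hasFakeSuffix(h.fileName))
            bad.insert(h.serverIp);
    return bad;
}

// Convenience for callers that only want one address to add to ipfilter.dat.
std::string firstFakeServer(const std::string& query, const std::vector<SearchResult>& hits) {
    const std::set<std::string> bad = serversSendingFakes(query, hits);
    return bad.empty() ? std::string() : *bad.begin();
}

// Per-server complete-source cap (post #3). Applied to individual hits, never to
// the merged total, because of post #4: a popular file legitimately has 2000+
// sources across all servers. Treat a drop here as a hint, not a verdict.
std::vector<SearchResult> dropOverCap(const std::vector<SearchResult>& hits, unsigned cap) {
    std::vector<SearchResult> kept;
    for (const SearchResult& h : hits)
        if (h.completeSources <= cap) kept.push_back(h);
    return kept;
}

// Constructed sample: one server (192.0.2.10, a documentation address) returns
// both fake variants with inflated counts; the others return ordinary hits,
// one of them a popular file with a large but plausible per-server count.
std::vector<SearchResult> sampleHits() {
    return {
        {"192.0.2.10", "schafkopf_Shareaccelerator.exe",  6500},
        {"192.0.2.10", "Believe me_Shareaccelerator.exe", 4200},
        {"192.0.2.20", "Schafkopf_v2.1.zip",               120},
        {"192.0.2.30", "schafkopf.exe",                     40},
        {"192.0.2.20", "Some_Popular_Movie.avi",          2500},
    };
}

int main() {
    for (const std::string& ip : serversSendingFakes("schafkopf", sampleHits()))
        std::cout << "server " << ip << " returned a query-derived fake\n";
    std::cout << dropOverCap(sampleHits(), 3000).size() << " hits under the 3000 cap\n";
    return 0;
}
```

Running the two checks separately is the point: on the sample the suffix test names the offending server without touching the popular file, while a cap of 2000 would also drop that legitimate 2500-source hit, which is exactly the false positive post #4 warned about.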
Post #15 | muleteer | Dec 27 2006, 16:27 | Group: Betatesters, Posts: 8261, Joined: 29-February 04
Good move.