I just posted this same message on 2024-09-20 on a 2021 forum thread I found here: https://forum.tixati.com/support/7165.
Thank you for taking the time to read and hopefully respond. I would very much like feedback and to know if anyone else has the same or similar experiences. I think this is a very important topic with serious consequences, and all P2P communities, users, and developers should be very concerned.
As of 2024-09-20, Malwarebytes has blocked 294 separate outbound communication attempts in approximately 30 days of non-continuous transfer activity. I have not counted unique addresses, but sorted by address there are clearly multiple attempts to single addresses, as well as single or small numbers of attempts. There are many dozens of unique addresses. I have researched 6 of these addresses at present (more to come) through VirusTotal, which returns positive flags for malware, trojans, etc. from multiple antivirus vendors. All IPs have (usually) extensive profiles on CrowdSec Threat Intelligence detailing the various forms of attack vectors used, and links to MITRE ATT&CK for much more detailed explanations. I fully expect the rest of the IP addresses will follow suit; I will continue the work as possible.
This is a very scary scenario that seems to be developing. For as long as I have been in the P2P community (I was a Napster early adopter), this is the first time I have seen such seeming evidence of targeted malware propagation through P2P. I would appreciate any ideas, information, direction, resources, etc. helping me understand the general process by which these malware sites are propagated through the P2P communities and what, if anything, can be done. newtrackon.com shows many new trackers up and running for mere days to hours. Some are in geopolitical areas known for this activity. Maybe some trackers are part of the problem. I do not know if there is any developmental solution or approach to combat this, but you never know what could happen if enough people get involved. Given the very real and disastrous potential here, I hope to motivate people to get involved.
I would be happy to share the tracker add and block lists I am developing with anyone interested.
Regards
What I know and have done:
1. I am using brand new, mostly UDP trackers confirmed three days ago, through https://newtrackon.com/
2. I have a tracker setting to add new known good trackers to all new transfers.
3. I've built a list of old dead trackers present in many of the transfers I see and have them taken out of new transfers.
4. When Malwarebytes notifies of a new IP blocked, I check active transfers for peers with matching IPs, remove matching connections, and update the blocked IP list I'm building. Most of the blocked IPs are not peers; most of the time I cannot find the MWB-blocked IPs in Tixati's DHT Event log either. I assume they are part of the swarm somehow.
5. The good news is that, short term, Tixati's IP filter should allow those IPs to be dropped.
The six IP addresses researched, with VirusTotal and CrowdSec results:
209.141.40. https://www.virustotal.com/gui/url/99e041c9b5b126344f3cd3bf1a90a5d99ef3777699518cd396964bc96fa6e14e/details
185.189.112.27 https://www.virustotal.com/gui/url/4d494b0e0577e6b63dae58fab806a3d8761f16691f320a7957c55958a1f37279
186.224.241.182 https://www.virustotal.com/gui/url/6bc4a57773fc48caeca973638099d0850332d9d99d41542fe5076f6b0fcf4a74/detection
185.230.4.150 https://www.virustotal.com/gui/url/a5d434009a152abfcb7d1cd19222d342672fe109c23942233ae50d6562d1d6b2
195.154.181.225 https://www.virustotal.com/gui/url/c0645be723fbf73cf67ee157655f31ea374738e2fb54cbf4dcc6bd8ace1b2ec3 5/96 https://app.crowdsec.net/cti/195.154.181.225
195.206.105.203 https://www.virustotal.com/gui/url/c82fd4840fa0c6101213115dcc9f5715fd21f4984b40f1e633eef8adac20baaf 2/91 https://app.crowdsec.net/cti/195.206.105.203
213.152.176.135 https://www.virustotal.com/gui/url/6bc4a57773fc48caeca973638099d0850332d9d99d41542fe5076f6b0fcf4a74 5/97 https://app.crowdsec.net/cti/213.152.176.135
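The workflow in step 4 above (sort the blocked addresses, count repeat attempts, check which of them are current peers, and maintain a block list for the client's IP filter) can be scripted. The following is an added example and is not code from the original post, from Tixati or from Malwarebytes; the log line format, the peer list and every address in it are constructed for illustration, and Malwarebytes' real export format will differ, so the regular expression is an assumption to adapt.

```python
"""Added example (not from the original post, Tixati or Malwarebytes):
aggregate blocked outbound connection attempts per destination address,
cross-reference them with the client's current peer list, and emit a
one-entry-per-line block list for an IP filter.

All sample data below is constructed; the log format is hypothetical.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a hypothetical "date time  dest_ip:port  action" format.
SAMPLE_BLOCK_LOG = """\
2024-09-18 10:02:11  198.51.100.23:6881  blocked outbound
2024-09-18 10:02:40  198.51.100.23:6881  blocked outbound
2024-09-18 11:15:03  203.0.113.7:51413   blocked outbound
2024-09-19 08:44:19  198.51.100.23:6889  blocked outbound
2024-09-19 09:01:55  192.0.2.200:6881    blocked outbound
garbage line that should be ignored
"""

# Constructed list of addresses currently connected as peers in the client.
SAMPLE_ACTIVE_PEERS = ["203.0.113.7", "192.0.2.55"]

# Assumed line layout: two whitespace-free fields (date, time), then ip:port,
# then the literal action text. Adapt to the real export format.
LINE_RE = re.compile(
    r"^\S+ \S+\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+blocked outbound$"
)


def parse_block_log(text):
    """Return a Counter of blocked attempts keyed by destination IPv4 address.

    Lines that do not match the expected layout, or whose address is not a
    valid IPv4 address, are skipped rather than aborting the whole run.
    """
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        counts[str(ip)] += 1
    return counts


def summarize(counts):
    """Return (total blocked attempts, number of unique addresses)."""
    return sum(counts.values()), len(counts)


def peers_to_drop(counts, active_peers):
    """Addresses that were blocked and are also currently connected peers."""
    return sorted(set(counts) & set(active_peers))


def build_ip_filter(counts, min_attempts=1):
    """Emit a sorted, one-per-line /32 block list for every address that was
    blocked at least min_attempts times (raise the threshold to ignore
    one-off hits if the list gets noisy)."""
    ips = [ip for ip, n in counts.items() if n >= min_attempts]
    return "\n".join(f"{ip}/32" for ip in sorted(ips, key=ipaddress.ip_address))


if __name__ == "__main__":
    counts = parse_block_log(SAMPLE_BLOCK_LOG)
    total, unique = summarize(counts)
    print(f"{total} blocked attempts to {unique} unique addresses")
    for ip, n in counts.most_common():
        print(f"  {ip:<16} {n} attempt(s)")
    print("current peers to disconnect:", peers_to_drop(counts, SAMPLE_ACTIVE_PEERS))
    print("ip filter entries:")
    print(build_ip_filter(counts))
```

Run it against a real export by replacing SAMPLE_BLOCK_LOG with the file contents and SAMPLE_ACTIVE_PEERS with the addresses from the client's peer view; the `/32` suffix is just a conservative way to express single hosts, so the list can later be merged into a range-based filter without reformatting.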