Help and Support

Dozens of IP addresses tagged by antivirus, VirusTotal, MITRE ATT&CK

by gobbledyegoop on 2024/09/20 11:22:58 PM    
I just posted this same message 2024-09-20 on a 2021 forum thread I found here https://forum.tixati.com/support/7165  .

Thank you for taking the time to read and hopefully respond. I would very much like feedback and to know if anyone else has the same or similar experiences. I think this is a very important topic with serious consequences, and all P2P communities, users, and developers should be very concerned.

As of 2024-09-20, Malwarebytes has blocked 294 separate outbound communication attempts in approximately 30 days of non-continuous transfer activity. I have not counted unique addresses, but sorted by address there are clearly multiple attempts to a single address, as well as single or small numbers of attempts. There are many dozens of unique addresses. I have researched 6 of these addresses at present (more to come) through VirusTotal, which returns positive flags for malware, trojans, etc. from multiple antivirus vendors. All IPs have (usually) extensive profiles on CrowdSec Threat Intelligence detailing the various forms of attack vectors used, and links to MITRE ATT&CK for much more detailed explanations. I fully expect the rest of the IP addresses will follow suit; I will continue work as possible.

This is a very scary scenario that seems to be developing; for as long as I have been in the P2P community (I was a Napster early adopter) this is the first time I have seen such seeming evidence of targeted malware propagation through P2P. I would appreciate any ideas, information, direction, resources, etc. helping me understand the general process by which these malware sites are propagated through the P2P communities and what, if anything, can be done. newtrackon.com shows many new trackers up and running for mere days to hours. Some are in geopolitical areas known for this activity. Maybe some trackers are part of the problem. I do not know if there is any developmental solution or approach to combat this, but you never know what could happen if enough people get involved. Given the very real and disastrous potential here I hope to motivate people to get involved.

I would be happy to share the tracker add and block lists I am developing with anyone interested.
Regards

What I know and have done:
1. I am using brand new, mostly UDP trackers confirmed three days ago through https://newtrackon.com/
2. I have a tracker setting to add new known good trackers to all new transfers.
3. I've built a list of old dead trackers present in many of the transfers I see and have them taken out of new transfers.
4. When Malwarebytes notifies of a new IP blocked I check active transfers for peers with matching IPs, remove matching connections, and update the blocked IP list I'm building. Most of the blocked IPs are not peers; most of the time I can not find the Malwarebytes-blocked IPs in Tixati's DHT event log either. I assume they are part of the swarm somehow.
5. The good news is that in the short term Tixati's IP filter should allow those IPs to be dropped.

The six IP addresses researched, with VirusTotal and CrowdSec results:

209.141.40. https://www.virustotal.com/gui/url/99e041c9b5b126344f3cd3bf1a90a5d99ef3777699518cd396964bc96fa6e14e/details
185.189.112.27 https://www.virustotal.com/gui/url/4d494b0e0577e6b63dae58fab806a3d8761f16691f320a7957c55958a1f37279
186.224.241.182 https://www.virustotal.com/gui/url/6bc4a57773fc48caeca973638099d0850332d9d99d41542fe5076f6b0fcf4a74/detection
185.230.4.150  https://www.virustotal.com/gui/url/a5d434009a152abfcb7d1cd19222d342672fe109c23942233ae50d6562d1d6b2
195.154.181.225  https://www.virustotal.com/gui/url/c0645be723fbf73cf67ee157655f31ea374738e2fb54cbf4dcc6bd8ace1b2ec3 5/96  https://app.crowdsec.net/cti/195.154.181.225
195.206.105.203  https://www.virustotal.com/gui/url/c82fd4840fa0c6101213115dcc9f5715fd21f4984b40f1e633eef8adac20baaf  2/91  https://app.crowdsec.net/cti/195.206.105.203
213.152.176.135  https://www.virustotal.com/gui/url/6bc4a57773fc48caeca973638099d0850332d9d99d41542fe5076f6b0fcf4a74     5/97  https://app.crowdsec.net/cti/213.152.176.135

by Guest on 2024/09/24 05:47:28 AM    
The computer security industry promises to solve problems for those who can't or won't invest in teaching themselves “all that stuff”, but in reality it largely parasitizes on illiterate customers.

To be honest, you're doing a lot of nonsense. “Viruses” can't “spread” via BitTorrent if the files are not themselves malware at the moment of creation of the torrent. No matter who your peers are, they can't send you file data that is different from the original, because the block hash won't match. Unless there's an exploit in the program or system network code (which is rare and very expensive), peers from “filthy” addresses can't do anything different from peers from “clean” addresses.

There are certain hosting providers who accept anyone who's paying. So one of their clients may have a seedbox there, next to it is a RIAA-subsidised bot that scans all the peers on all the torrents, next to it is a web server serving viruses under the guise of free ebook downloads. How does the latter affect the former? You believe that being on the same subnet “infects” the bits and bytes somehow.

When a firewall gives you a warning, it is just a warning. YOU then have to figure out whether this is an intentional connection or not, tracker connection or peer connection, if it's a sign of something going on on your system, or just completely regular operation. This means understanding the topic. Instead, you read all the gobbledygook on VirusTotal, and write down bureaucratic identifiers from MITRE with pen and paper, trying to divine something from the squiggles.

At the moment, a significant number of fraudulent websites use the free CloudFlare service to hide the original server from automated checks. Do you block CloudFlare addresses? Probably not. Document and file cloud storage from Google or Microsoft is often used to spread phishing bait using “innocuous” links. Have you already banned Google and Microsoft?
by Guest on 2024/09/28 05:02:44 PM    
That's a good reply.

The most important info there is the part about the hash checks on files. If you trust the source of your torrent (i.e. the site you got it from and the uploader) then by implication you trust the file(s) you're trying to download. The hash checks in the torrent guarantee you can't get anything other than the data which was hashed at the time of torrent creation, whoever may be connected. You may have seen Tixati drop peers in the peer list with the legend "Bad data" - that means that peer is sending something other than the data that should be in the torrent at that piece location. THOSE are the IPs you should probably block, but Tixati is already blocking them from sending anything that's not part of the original torrent.
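An added illustration of the hash-check argument made in this reply and the previous one (example code, not from the thread or from Tixati): the `pieces` field of a torrent's info dict fixes the SHA-1 of every piece at creation time, the infohash commits to that field, and a client accepts a piece from a peer only if it hashes to the expected value. The sample content, the tiny 16-byte piece length and the peer labels are constructed for the demonstration.

```python
import hashlib

# Constructed stand-in for the file a torrent describes; real piece lengths are 16 KiB or more.
PIECE_LENGTH = 16
CONTENT = b"The quick brown fox jumps over the lazy dog; P2P swarm data. " * 3

def bencode(obj):
    """Minimal bencoder for the types an info dict uses; dict keys are sorted byte strings."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:" % len(obj) + obj
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError(type(obj))

def split_pieces(data, piece_length):
    return [data[i:i + piece_length] for i in range(0, len(data), piece_length)]

def make_info(data, piece_length, name=b"sample.bin"):
    """Build the info dict; 'pieces' is the concatenated 20-byte SHA-1 of every piece."""
    pieces = b"".join(hashlib.sha1(p).digest() for p in split_pieces(data, piece_length))
    return {b"name": name, b"length": len(data), b"piece length": piece_length, b"pieces": pieces}

def info_hash(info):
    """The infohash identifies the torrent, so it commits to the pieces string as well."""
    return hashlib.sha1(bencode(info)).hexdigest()

def verify_piece(info, index, received):
    """True only if the bytes a peer sent hash to the value fixed at torrent creation."""
    expected = info[b"pieces"][20 * index:20 * (index + 1)]
    return hashlib.sha1(received).digest() == expected

def receive_from_peers(info, deliveries):
    """deliveries: (peer, piece index, bytes). Keep verified pieces; flag 'Bad data' peers."""
    accepted, bad_peers = {}, set()
    for peer, index, data in deliveries:
        if verify_piece(info, index, data):
            accepted.setdefault(index, data)   # first verified copy of a piece wins
        else:
            bad_peers.add(peer)                # a client drops or bans this peer
    return accepted, bad_peers

if __name__ == "__main__":
    info, good = make_info(CONTENT, PIECE_LENGTH), split_pieces(CONTENT, PIECE_LENGTH)
    tampered = good[1][:-1] + b"X"  # constructed: one byte altered by a misbehaving peer
    acc, bad = receive_from_peers(info, [("peerA", 0, good[0]), ("peerB", 1, tampered), ("peerC", 1, good[1])])
    print(info_hash(info), sorted(acc), sorted(bad))
```

Whatever address a peer connects from, a piece that does not hash to the committed value is discarded and the peer is flagged; changing the content itself changes the infohash, which means a different torrent, not a poisoned copy of this one.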
by Guest on 2024/10/01 01:45:41 AM    
Nice replies to the initial post. Solid reasoning and good info.

I'm a nube -- who will likely not live long enough to ever become facile. Thank you, more experienced posters. I couldn't make it without you. I am also a canny analyst of information and security and privacy minded. Like Hemingway said about writers: I have a built-in, shock-proof crap detector. I'm not at your level, but I can tell the reply posts are solid.

Me: I'm more of a pointy end of a fire hardened stick kind of guy.  I hope I can return to you and your community before I'm done.
Thanks
by Guest on 2024/10/01 02:08:45 AM    
One more thing from my limited personal experience:

In a public library, I once observed an associate who was trying to resolve their perceived problems on a windows system.  They had paid for, and installed one of the many anti-virus software offerings.  It may be that said anti-virus "notified" them of a problem, I don't know.

I do know, that my associate started using their live tech support.  Their horror and exclamations drew my attention, and I watched, in real time, as the paid anti-virus live tech report started removing things from their computer, while claiming my associate had no right to have them in the first place.  Some of the files removed included writing and essays for brick and mortar classes we were taking together, personal photos, and most troubling -- music that my associate created themselves.

It is my opinion that most of these anti-virus/malware offerings are designed and promoted spyware. The first reply hit the mark with the idea that the majority does not know f#%kall, and doesn't want to learn -- but they will rely on mother culture's constant whispering to stop trying, learning and to just drown quietly in our American convenience.
