Distributing malware over ed2k network

While searching for some legitimate content on the ed2k p2p network I stumbled upon some strange search results. Those results looked as if they had been forged from the search query itself. I then searched for files that surely do not exist and got the same forged results.

A quick check of the files shows that at least one of them contains malware.

The malicious server forges an ed2k link for every query, changing only the name of the file while the MD5 remains the same. The malicious server then connects to one of the biggest servers in the network. Users who run a Global search (trans-server) will receive the link for almost every search, and the result may look very legitimate because of the file's good availability. The malicious files are very well shared and will be downloaded in a matter of seconds.
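The pattern described above (one hash that keeps coming back under a filename built from whatever was searched for) can be spotted on the client side by correlating results across several queries. The following is an added example, not code from the original post: it parses ed2k file links and flags any hash that is returned for several unrelated queries, each time under a query-derived name. The link layout (`ed2k://|file|name|size|hash|/`), the threshold and the sample results are constructed here.

```python
import re
from collections import defaultdict

# An ed2k file link: ed2k://|file|<filename>|<size in bytes>|<32 hex chars>|/
ED2K_RE = re.compile(
    r"^ed2k://\|file\|(?P<name>[^|]+)\|(?P<size>\d+)\|(?P<hash>[0-9A-Fa-f]{32})\|/?$"
)

def parse_ed2k(link):
    """Split an ed2k link into its name, size and hash fields."""
    m = ED2K_RE.match(link)
    if not m:
        raise ValueError("not an ed2k file link: %r" % link)
    return {"name": m.group("name"), "size": int(m.group("size")),
            "hash": m.group("hash").lower()}

def name_echoes_query(name, query):
    """True when every word of the query reappears in the returned filename."""
    words = query.lower().split()
    return bool(words) and all(w in name.lower() for w in words)

def find_forged_hashes(results, min_queries=3):
    """results: iterable of (query, ed2k_link) pairs collected across searches.
    Returns {hash: record} for every hash that came back under a query-derived
    filename for at least `min_queries` distinct queries (threshold is an assumption)."""
    seen = defaultdict(lambda: {"names": set(), "queries": set(), "echoes": 0})
    for query, link in results:
        info = parse_ed2k(link)
        rec = seen[info["hash"]]
        rec["names"].add(info["name"])
        rec["queries"].add(query)
        if name_echoes_query(info["name"], query):
            rec["echoes"] += 1
    return {h: rec for h, rec in seen.items()
            if len(rec["queries"]) >= min_queries
            and len(rec["names"]) >= min_queries
            and rec["echoes"] >= min_queries}

# Constructed sample: three unrelated queries (one for a file that cannot exist)
# all return the same hash, with the filename built from the query text.
FORGED = "0f" * 16
SAMPLE_RESULTS = [
    ("ubuntu iso",       "ed2k://|file|ubuntu_iso.exe|1048576|%s|/" % FORGED),
    ("holiday photos",   "ed2k://|file|holiday_photos.zip|1048576|%s|/" % FORGED),
    ("zqxv nonexistent", "ed2k://|file|zqxv_nonexistent.rar|1048576|%s|/" % FORGED),
    ("ubuntu iso",       "ed2k://|file|ubuntu-8.04-desktop-i386.iso|734003200|%s|/" % ("a1" * 16)),
]

if __name__ == "__main__":
    for h, rec in find_forged_hashes(SAMPLE_RESULTS).items():
        print(h, sorted(rec["names"]))
```

A legitimate file that happens to match one query (the last sample line) is not flagged, because it does not recur across unrelated searches.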

  • http://secdev.zoller.lu Thierry Zoller

    This is pretty common, Gnutella has been completely taken over by this, try searching for your name you’ll find pictures, software, fake vids etc. They just answer “Yes I have this file” to everything.

  • http://www.BeyondSecurity.com Lev

    I guess new p2p protocols / applications will take security issues more seriously into consideration.

  • ethernode

    I also noticed hash collisions on kad: just do a kad search, look for comments, sometimes the comment request has multiple file responses

  • http://gfdsa.gfdsa.org gfdsa

    I don’t think that if new p2p protocols consider security of any more importance, it will stop people from downloading malware and viruses from p2p… There are people that just can’t stop clicking and they click-click all day long until they download some stuff they are not supposed to. It’s not even social engineering, it’s clinical psychiatry.