9 Apr 2012 09:11
DHT: 'Zo' Client
Adrian Ulrich <torrent <at> blinkenlights.ch>
2012-04-09 07:11:58 GMT
Hello,
I've noticed a strange client that identifies itself as 'Zo\x00\x05' (and sometimes \x04).
Does someone have an idea on what this client is?
The client creates quite some DHT traffic and seems to like IPv6 for some strange reason:
More than 50% of all queries received via IPv6 are sent by this client.
(However: Most source IPs are Teredo addresses).
These clients are also sending announces with bogus info hashes (Google doesn't know about them -> they
don't seem to belong to a real torrent), such as '8eaaaba009ce93f2a678d9fb6dcd39170c5fc1e0':
All clients 'announced' to this info_hash are also using the ZO brand and seem to speak some sort of
BitTorrent protocol... but they do not support ut_metadata :-/
So what is this? Is it some kind of Botnet?
The DHT-Queries look normal:
"y" => "q",
"a" => {
"id" => "7\335\234H\340\177\235\374\332\246\325\341Tc\303\373\203`WK",
"token" => "r\22!\@#q\231#\26\$\$\230\30%\203\@W",
"port" => 30121,
"info_hash" => "\217\223\353\301O\376\27\nk/\371\352I\314]n\312\21\276\237",
"seed" => 1
},
"q" => "announce_peer",
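One way a DHT node could log and flag queries like the one above, as an added example that is not part of the original post: it assumes the 'Zo' client string travels in the optional KRPC "v" (client version) key from BEP 5, and it decodes a constructed sample query rather than a real capture.

```python
# Added example (not from the original post). Assumption: the client string
# the post mentions travels in the optional KRPC "v" (client version) key.

def bdecode(data: bytes):
    """Decode one bencoded value; returns (value, bytes_consumed)."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                        # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                        # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                items.append(v)
            return items, i + 1
        if c == b"d":                        # dict: d<key><value>...e
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                d[k], i = parse(i)
            return d, i + 1
        colon = data.index(b":", i)          # string: <len>:<bytes>
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    return parse(0)

def classify_announce(msg: bytes) -> dict:
    """Fields a DHT node would log for an incoming announce_peer query."""
    d, _ = bdecode(msg)
    if d.get(b"y") != b"q" or d.get(b"q") != b"announce_peer":
        return {"announce": False}
    args = d.get(b"a", {})
    version = d.get(b"v", b"")               # optional client version
    return {
        "announce": True,
        "client": version,
        "is_zo": version.startswith(b"Zo"),  # the client from the post
        "info_hash": args.get(b"info_hash", b"").hex(),
        "port": args.get(b"port"),
        "seed": args.get(b"seed", 0) == 1,
    }

# Constructed sample query (not a real capture) in the layout the post shows.
SAMPLE = (b"d1:ad2:id20:" + bytes(range(20)) + b"9:info_hash20:"
          + bytes.fromhex("8eaaaba009ce93f2a678d9fb6dcd39170c5fc1e0")
          + b"4:porti30121e4:seedi1e5:token8:r\x12!@#q\x99#e"
          + b"1:q13:announce_peer1:t2:aa1:v4:Zo\x00\x051:y1:qe")
```

Counting flagged announces per source address and per info_hash over a few minutes gives the same picture the post describes (one client brand clustering on info hashes no tracker knows).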