Why is the #2 torrent in DHT a 25Mb file named AF.dat?
btdigg.org
Looks like this piece of Windows malware: https://malwr.com/analysis/NDI4YmUxNjM0ZTUwNDY0OWFhNjM3YzFiZ...
It uses a data file called AF.dat and connects to BitTorrent.
Aha, the long .torrent file it drops matches the magnet link too. The MD5 of AF.dat from that page doesn't match what I've got but maybe it gets modified...
Interesting, whilst downloading the bittorrent client ID strings were all "LT/1.0.3.0", maybe a connection to the Lineage malware from that page?
I'm pretty sure the most popular torrent in the DHT doesn't have 644 downloads in the last week.
This must be measuring downloads/hits from btdigg.org (only), so someone is linking directly to it and relying on them to jump clients into the DHT perhaps?
I can't imagine btdigg can scrape the whole DHT, but I think the idea is that the traffic they see by running many "fake" nodes is proportional to the whole, because the DHT spreads all traffic around fairly equally? I'm presuming they're using a method similar to the one presented here: https://www.usenix.org/legacy/event/woot10/tech/full_papers/...
For the curious, the magnet link is: magnet:?xt=urn:btih:a4a75d2e4095d457467777673e96cd331575b511&dn=AF
file(1) has nothing to say about it but at a glance it doesn't look like a uniform encrypted blob...
If I was making a botnet I would use the DHT to download updates, settings etc. Not sure what else.
That whole list is kind of fascinating. Interesting to see the movies and shows that are particularly popular when it comes to piracy (Marvel, Marvel, Marvel...)
...and GTA San Andreas? That game is more than 10 years old!
I'm going to guess at a password database of some kind, perhaps a "rainbow table". There seem to be frequent occurrences of long strings of the alphabet. Byte value counts are almost equal.
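The kind of triage the two comments above are doing by eye (does the blob look like a uniform encrypted/compressed stream, or does it carry structure such as long alphabetic runs?) can be made reproducible. Below is an added Python example, not code from the thread or from btdigg; the two sample blobs are constructed in the script and stand in for an unknown file such as AF.dat, and the classification thresholds are illustrative choices of mine, not established cut-offs.

```python
"""Quick statistical profile of an unknown binary blob.

Three cheap signals a responder looks at before reaching for heavier tools:
  * Shannon entropy (bits per byte): ~8.0 for encrypted/compressed/random data.
  * Chi-square against a uniform byte distribution: for genuinely random data of
    a few KB or more this hovers near 255 (the degrees of freedom); structured
    data scores in the thousands even when the histogram "looks" flat.
  * Longest run of ASCII letters: tables of words, keys or identifiers leave
    long alphabetic runs that random data almost never produces.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for a perfectly flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution over 0..255."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def longest_alpha_run(data: bytes) -> int:
    """Length of the longest run of consecutive ASCII letters (A-Z, a-z)."""
    best = cur = 0
    for b in data:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def profile(data: bytes) -> dict:
    return {
        "size": len(data),
        "distinct_bytes": len(set(data)),
        "entropy": shannon_entropy(data),
        "chi_square": chi_square_uniform(data),
        "longest_alpha_run": longest_alpha_run(data),
    }


def classify(p: dict) -> str:
    """Illustrative thresholds (assumption, not a standard): all three signals must
    agree before a blob is called uniform, so a flat-looking histogram alone is not enough."""
    if p["entropy"] > 7.9 and p["chi_square"] < 400 and p["longest_alpha_run"] < 16:
        return "uniform (encrypted, compressed or random)"
    if p["entropy"] > 7.5:
        return "high entropy but with structure"
    return "structured (text, table or plain data)"


# Constructed samples (not the real AF.dat): one random blob, one "table" of
# 20-letter keys each followed by 12 random payload bytes.
_rng = random.Random(1234)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
TABLE_BLOB = b"".join(
    bytes(_rng.choice(b"abcdefghijklmnopqrstuvwxyz") for _ in range(20))
    + bytes(_rng.getrandbits(8) for _ in range(12))
    for _ in range(1024)
)

if __name__ == "__main__":
    for name, blob in (("random", RANDOM_BLOB), ("table", TABLE_BLOB)):
        p = profile(blob)
        print(f"{name:7s} entropy={p['entropy']:.3f} chi2={p['chi_square']:.0f} "
              f"alpha_run={p['longest_alpha_run']} -> {classify(p)}")
```

The point of combining the three measures is the one the second comment stumbles on: "byte value counts are almost equal" is necessary but not sufficient for an encrypted blob. A table with a flat-ish histogram still fails the chi-square and alphabetic-run checks, and that disagreement is what tells a responder to keep digging (strings, known-format magic, section structure) rather than file it as ciphertext.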
Aren't rainbow tables EXTREMELY large?
Somewhat related: http://daniel.haxx.se/blog/2015/11/16/the-most-popular-curl-...
Discussion: https://news.ycombinator.com/item?id=10574011
SHA256:459b05fe2dbd56cb0f31babdf722c40bd7ce061c7701fdbb56dfb382e8cd2371
File name: AF.dat
Detection ratio: 0 / 55
https://www.virustotal.com/en/file/459b05fe2dbd56cb0f31babdf...
There's another curious entry too, "x86", with filenames consisting of a random collection of unzipping .dlls and other weird stuff... Why would anyone want to torrent such a seemingly useless collection of random files?
I think this has something to do with a Korean antivirus program called ALYac.
P2P update for a videogame?
Malware or child porn