Why uTorrent 3.4 connects MarkMonitor?

[Frei14]

This behavior was detected on ver. 3.4 build 30620 right after launch of uTorrent with no active torrents and even after clean reinstall with no torrents at all.

 

I’m wondering why the program without any tasks connects to some servers? Why it connects MarkMonitor in subnets 54.224.0.0 – 54.239.255.255, 176.32.96.0 – 176.32.103.255, etc.? Which data it tries to send?

 

Why it connects 67.215.242.139 (Secured Private Network)? Which uTorrent’s service belongs to this IP?

 

[Beasly]

http://en.wikipedia.org/wiki/MarkMonitor

   The internet providers and copyright holders have begun using peer-to-peer (P2P) surveillance methods to try to sniff out when copyrighted content is uploaded or shared illegally. A company called MarkMonitor has been contracted to join BitTorrent networks (the most common way to illegally share files) and search for the names of copyright-protected movies, music, and TV shows.

   The list of those names is provided by the MPAA, RIAA, and NCTA. When MarkMonitor finds a file in violation, they snag the IP address of the user who's sharing the file and send it off to that user's internet provider, who issues a series of escalating warnings.

[Frei14]

Beasly, I know what is the MarkMonitor, but wondering why uTorrent tries to connect it. I've detected it while I have no active torrents at all (just an 'empty' program itself) but uTorrent tried to connect MM's servers by its own.

[DreadWingKnight]

Using TCP or UDP?

[Frei14]

DreadWingKnight, TCP, port 80.

[DreadWingKnight]

Ok, so you're using overparanoid blocklists in something like peerblock and are believing their delusions that ALL of amazon AWS is associated with anti-p2p groups then.

[Frei14]

Hmm... I don't need to believe or not believe, that isn't the question of belief just becourse WHOIS clearly states: that is MarkMonitor' subnets. What's next? Incorrect data in WHOIS? The same error for 10+ different blocks?

 

Whatever, the primary question was: why uTorrent with no torrents in list and disabled autoupdate tries to connect some servers? Let us assume that it was a Pirate Bay servers, or Disney, or EFF: why it connects them?

[DreadWingKnight]

that isn't the question of belief just becourse WHOIS clearly states: that is MarkMonitor' subnets.

the 54.224.x.x subnet you listed above is AWS, not MarkMonitor.

 

# ARIN WHOIS data and services are subject to the Terms of Use# available at: https://www.arin.net/whois_tou.html###'>https://www.arin.net/whois_tou.html### The following results may also be obtained via:# http://whois.arin.net/rest/nets;q=54.224.0.0?showDetails=true&showARIN=false&ext=netref2#NetRange: 54.224.0.0 - 54.239.255.255CIDR: 54.224.0.0/12OriginAS: AS16509NetName: AMAZON-2011LNetHandle: NET-54-224-0-0-1Parent: NET-54-0-0-0-0NetType: Direct AllocationRegDate: 2012-03-01Updated: 2012-04-02Ref: http://whois.arin.net/rest/net/NET-54-224-0-0-1OrgName: Amazon Technologies Inc.OrgId: AT-88-ZAddress: 410 Terry Ave N.City: SeattleStateProv: WAPostalCode: 98109Country: USRegDate: 2011-12-08Updated: 2012-01-06Comment: All abuse reports MUST include:Comment: * src IPComment: * dest IP (your IP)Comment: * dest portComment: * Accurate date/timestamp and timezone of activityComment: * Intensity/frequency (short log extracts)Comment: * Your contact details (phone and email) Without these we will be unable to identify the correct owner of the IP address at that point in time.Ref: http://whois.arin.net/rest/org/AT-88-ZOrgNOCHandle: ROLEA19-ARINOrgNOCName: Role AccountOrgNOCPhone: +1-206-266-4064OrgNOCEmail: noc@amazon.comOrgNOCRef: http://whois.arin.net/rest/poc/ROLEA19-ARINOrgNOCHandle: AANO1-ARINOrgNOCName: Amazon AWS Network OperationsOrgNOCPhone: +1-206-266-2178OrgNOCEmail: aes-noc@amazon.comOrgNOCRef: http://whois.arin.net/rest/poc/AANO1-ARINOrgTechHandle: ROLEA19-ARINOrgTechName: Role AccountOrgTechPhone: +1-206-266-4064OrgTechEmail: noc@amazon.comOrgTechRef: http://whois.arin.net/rest/poc/ROLEA19-ARINOrgTechHandle: AANO1-ARINOrgTechName: Amazon AWS Network OperationsOrgTechPhone: +1-206-266-2178OrgTechEmail: aes-noc@amazon.comOrgTechRef: http://whois.arin.net/rest/poc/AANO1-ARINOrgAbuseHandle: AANO1-ARINOrgAbuseName: Amazon AWS Network OperationsOrgAbusePhone: +1-206-266-2178OrgAbuseEmail: aes-noc@amazon.comOrgAbuseRef: http://whois.arin.net/rest/poc/AANO1-ARINOrgTechHandle: AC6-ORG-ARINOrgTechName: Amazon-com IncoroporatedOrgTechPhone: +1-206-266-4064OrgTechEmail: NOC@amazon.comOrgTechRef: http://whois.arin.net/rest/poc/AC6-ORG-ARINOrgNOCHandle: AC6-ORG-ARINOrgNOCName: Amazon-com IncoroporatedOrgNOCPhone: +1-206-266-4064OrgNOCEmail: NOC@amazon.comOrgNOCRef: http://whois.arin.net/rest/poc/AC6-ORG-ARINOrgAbuseHandle: ROLEA19-ARINOrgAbuseName: Role AccountOrgAbusePhone: +1-206-266-4064OrgAbuseEmail: noc@amazon.comOrgAbuseRef: http://whois.arin.net/rest/poc/ROLEA19-ARIN## ARIN WHOIS data and services are subject to the Terms of Use# available at: https://www.arin.net/whois_tou.html#

So in short, whatever tools you're using to look these up are broken.

[DreadWingKnight]

% This is the RIPE Database query service.% The objects are in RPSL format.%% The RIPE Database is subject to Terms and Conditions.% See http://www.ripe.net/db/support/db-terms-conditions.pdf% Note: this output has been filtered.% To receive output for a database update, use the "-B" flag.% Information related to '176.32.96.0 - 176.32.103.255'% Abuse contact for '176.32.96.0 - 176.32.103.255' is 'ec2-abuse@Amazon.com'inetnum: 176.32.96.0 - 176.32.103.255netname: amazon-EU-IAD-PRODdescr: PROD IADcountry: NLadmin-c: MA11338-RIPEtech-c: AJ176-RIPEstatus: ASSIGNED PAmnt-by: MNT-ADSImnt-domains: MNT-ADSIsource: RIPE # Filteredperson: Alan Judgeaddress: Amazon Data Services Irelandaddress: Digital Depotaddress: Thomas Streetaddress: Dublin 8address: Irelandphone: +353 1 645 8937fax-no: +353 1 645 8933nic-hdl: AJ176-RIPEsource: RIPE # Filteredperson: Marla Azingeraddress: One Kilmainham Squareaddress: Inchicore Road Kilmainhamaddress: 8 Dublin 8address: IRELANDphone: +35316458950nic-hdl: MA11338-RIPEmnt-by: MA99006-MNTsource: RIPE # Filtered% This query was served by the RIPE Database Query Service version 1.71 (WHOIS3)

[DreadWingKnight]

And SPN looks like the internet-facing proxy for a bittorrent inc owned server.

 

Sorry, your unfounded paranoia and broken tools are showing.

[Frei14]

 

Whatever, the primary question was: why uTorrent with no torrents in list and disabled autoupdate tries to connect some servers? Let us assume that it was a Pirate Bay servers, or Disney, or EFF: why it connects them?

 

[Firon]

DHT connects to everyone around the world as part of a distributed network. It's what makes magnet links work, among other things.

Why disable autoupdates anyway?