Could you shed some light onto this subject?


Kurz


Note I found this post in a thread at AnimeSuki. http://forums.animesuki.com/showthread.php?t=43280

I hope I could hear some sort of response on the subject.

For all those out there using uTorrent...

I just caught uTorrent making cloaked emails to:

PROCESS NAME: utorrent.exe

URL: 10001264536.0000028728.acesso.oni.pt:110

DIRECT IP: 213.58.83.225

REMOTE PORT: POP3

PROTOCOL: TCP

As long as AVG was monitoring the email traffic directly, it would close the port immediately upon connection and not send anything outward.

However, once AVG was not monitoring the traffic anymore, the connection was made immediately and a packet of data was dropped off at that server, and a payload was delivered to my machine and written somewhere.

Unlike many other BitTorrent clients out there, uTorrent does not open its source code to anyone. So, anything can be hidden in there. Has anyone found their systems compromised after using uTorrent? Can anyone verify what uTorrent sends and receives via this email?

This is NOT the "update" process! That does a different connection elsewhere.

Another thing I have noticed as well. Once you CLOSE uTorrent, it takes about 2 minutes before it "closes" and the application does not register as uTorrent anymore - HOWEVER - it is still running in the background, but now without a name. It is seeding off files from your machine to BitTorrent networks around the world.

The only way to completely close uTorrent is to shut down your machine and re-start it. Don't use uTorrent.


Another thing I have noticed as well. Once you CLOSE uTorrent, it takes about 2 minutes before it "closes" and the application does not register as uTorrent anymore - HOWEVER - it is still running in the background, but now without a name. It is seeding off files from your machine to BitTorrent networks around the world.

This is the only thing worth commenting on; it still amazes me the reaction that false positives create on ignorant people.

It has happened in the past that uT would not close properly and remain in the background. With Task Manager, you could easily shut it down without any ill effects. If the OP can consistently reproduce this behaviour he should report it as a bug.


It doesn't take 2 minutes to close, it takes UP TO 15-30 seconds, usually far less (depends on tracker status I guess)

I'd post there but I can't be arsed to register :P

I love firewalls, they give so many false positives, and their users tend to not be very smart...


Thanks for the inquiry. Sorry about this being discussed earlier; I was searching on the forums, though I guess I didn't use the right parameters.

I thought it was a false positive, so I thought why not make a thread in the uTorrent forums to link to if I get a response for you guys.


Nope, definitely not the peer's fault...

After doing some more research:

(1) It is definitely uTorrent sending the emails - nothing else

(2) uTorrent automatically begins to make several hundred connections upon startup now that that one email has successfully worked - and I have no torrents in my list to work on - it just starts sending stuff from my computer to hundreds of computers all over the place.

(3) The email traffic is definitely outgoing email from my computer to elsewhere.

(4) I have no idea what the contents of the email actually is yet

In the meantime, I've turned uTorrent over to a security research group. It may take a few days, but I will have some official information about it sometime soon. I have stopped using uTorrent for obvious reasons. It's too bad that a potentially great program has to be marred by stuff like this.

Apart from the fact that I'm lol'ing at that last statement (silly firewall users), he's wrong on every damn point, and the security research group is gonna laugh him out of the country as well.

This isn't the first time we've had AVG users' e-mail protection go insane like this, or hell, any other firewall (none of them actually examine the packet, they just do port-based filtering).

1) No e-mails are being sent, you're just connecting to peers who use a remote port of 25 (the SMTP port). It's regular BitTorrent data. If you honestly are that paranoid, install Ethereal, Winpcap, and capture packets that are using port 25, simple as that... Then you can easily examine the contents (and see that it's just regular BT data)

2) The 'hundreds' of connections are UDP packets being sent out for DHT. Since UDP is connection-less, the firewall probably registers every single packet as a connection.

3) Read #1

4) Read #1

This is why I don't like the technically less inclined to have firewalls, especially not 'dumb' (ones that don't analyze packets) firewalls that pop up silly alerts like this. But there's not much we can do about it...

I'd post this there myself but I can't be arsed to register.

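Firon's advice above (capture the traffic and look at the contents rather than trusting the port number) can be turned into a small triage script. What follows is an added example for this thread, not code from uTorrent or from anyone in the discussion: it parses the BitTorrent peer-wire handshake and the bencoded DHT messages that make up those "hundreds of connections", and labels a captured payload by what it actually contains, so an alert keyed on remote port 25 or 110 can be checked against the bytes. Every payload, port, hostname and peer-id prefix in it is a constructed placeholder.

```python
"""Triage port-based firewall alerts by inspecting the payload, not the port.

Constructed example for the thread above: each record mimics a firewall-style
alert (transport, remote port) plus the first bytes of the captured payload.
"""
import re

# --- constructed sample payloads (placeholders, not real captures) ---
CONSTRUCTED_BT_HANDSHAKE = (
    bytes([19]) + b"BitTorrent protocol"      # pstrlen + pstr
    + bytes(8)                                # reserved extension bits
    + bytes(range(20))                        # placeholder info_hash
    + b"-XX0000-" + b"\x00" * 12              # placeholder peer_id
)
CONSTRUCTED_SMTP_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"
CONSTRUCTED_POP3_BANNER = b"+OK POP3 server ready\r\n"
CONSTRUCTED_DHT_PING = b"d1:ad2:id20:" + b"\x11" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"


def parse_bt_handshake(payload: bytes):
    """Return the fields of a BitTorrent peer-wire handshake, or None if it isn't one."""
    if len(payload) < 68 or payload[0] != 19 or payload[1:20] != b"BitTorrent protocol":
        return None
    return {
        "reserved": payload[20:28],
        "info_hash": payload[28:48].hex(),
        "peer_id": payload[48:68],
    }


def bdecode(data: bytes, pos: int = 0):
    """Minimal bencode decoder returning (value, next_pos); raises ValueError if malformed."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list or dict: l...e / d...e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":           # truncated input raises below
            value, pos = bdecode(data, pos)
            items.append(value)
        if c == b"l":
            return items, pos + 1
        if len(items) % 2:
            raise ValueError("dict with odd number of elements")
        return dict(zip(items[0::2], items[1::2])), pos + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length, start = int(data[pos:colon]), colon + 1
        if start + length > len(data):
            raise ValueError("truncated string")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {pos}")


def classify(payload: bytes, transport: str) -> str:
    """Label a captured payload by what it actually contains, ignoring the port."""
    if transport == "tcp":
        if parse_bt_handshake(payload):
            return "bittorrent-handshake"
        if re.match(rb"\d{3}[ -]", payload) and b"SMTP" in payload.upper():
            return "smtp-server-banner"
        if payload.startswith((b"+OK", b"-ERR")):
            return "pop3-server-response"
        return "unknown-tcp"
    if transport == "udp":
        try:
            msg, end = bdecode(payload)
        except (ValueError, IndexError):
            return "unknown-udp"
        # A DHT message is one bencoded dict with a 'y' of q/r/e filling the datagram.
        if isinstance(msg, dict) and end == len(payload) and msg.get(b"y") in (b"q", b"r", b"e"):
            kind = {b"q": "query", b"r": "response", b"e": "error"}[msg[b"y"]]
            name = msg.get(b"q", b"").decode("ascii", "replace")
            return f"dht-{kind}" + (f":{name}" if name else "")
        return "unknown-udp"
    raise ValueError("transport must be 'tcp' or 'udp'")


def triage(alerts):
    """Map each (transport, remote_port, payload) alert to (remote_port, verdict)."""
    return [(port, classify(payload, transport)) for transport, port, payload in alerts]


if __name__ == "__main__":
    constructed_alerts = [
        ("tcp", 25, CONSTRUCTED_BT_HANDSHAKE),   # 'mail' by port, BitTorrent by content
        ("tcp", 110, CONSTRUCTED_POP3_BANNER),   # what a real POP3 server would answer
        ("tcp", 25, CONSTRUCTED_SMTP_BANNER),    # what a real SMTP server would answer
        ("udp", 6881, CONSTRUCTED_DHT_PING),     # one of the 'hundreds of connections'
    ]
    for port, verdict in triage(constructed_alerts):
        print(f"remote port {port:>5}: {verdict}")
```

The point of the split between `classify` and the port number is the one Firon makes: a peer that happens to listen on 25 or 110 produces a TCP stream whose first 68 bytes are the peer-wire handshake, and the DHT "connections" are single bencoded UDP datagrams, so neither can be mistaken for a mail session once the bytes are read. To apply this to a real capture, feed the first payload bytes of each flow (for example exported from a packet capture) in place of the constructed values.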

Whaha, this is just too much :D Seriously, it's pretty bold making these kinds of accusations if you can't even analyse one packet :P

Firon, you're right on the money with using Ethereal, in fact... I'm doing my first lab session next week with that application :D


Hmm... I am amazed at all this. Seeing that Ludde is clever enough to make uTorrent as good as it is, I am quite sure that, if he so wished, he's clever enough to enable spyware in a far more subtle and less detectable way than sending out damn emails... especially knowing how paranoid the BT community is.

I am in no way inferring that uT does actually contain spyware :)


Archived

This topic is now archived and is closed to further replies.
