cyblivious Posted May 20, 2006
I've been using uTorrent for quite some time now and I think it's great. I've used it with ZoneAlarm free version without any problems. But I was quite disturbed after upgrading to ZoneAlarm Pro and enabling the ID-Lock feature (which detects if a program sends any data defined in its rules, in this case my first and last name, and also my email address) and received prompts at different intervals that uTorrent is trying to send either my first name, last name or email address to some IP address. And I'm not even sure if that's all it sends, since I just created firewall rules to block unauthorized sending of only my name and email address; how about other personal data not in the rule lists? I'm sure I haven't entered any of that info in any torrents or settings. Care to explain?

[Screenshot: the firewall prompt of uTorrent sending personal data.]

The picture shows that uTorrent is sending my first name somewhere; it also happened for my last name and email address on different occasions. I'm just not sure if it's the same destination. I've always checked my system to be free of any viruses, adware and spyware, so that's out of the question. I tried to run a trace on the destination IP address and it was headed to somewhere named bezeqint.net, which I discovered is used to monitor users.
cyblivious (Author) Posted May 20, 2006
For now, I'm not making any conclusions and just want this to be explained.
Ultima Posted May 20, 2006
I never used ID-Lock on ZoneAlarm, so I don't know if this normally happens or not (I highly doubt it). Anyway, redownload µTorrent from the main page. If it still happens, get Process Explorer and check what's hooked onto utorrent.exe.
cyblivious (Author) Posted May 20, 2006
I've already done that the first time I encountered it. Still the same. I'm still getting prompts of utorrent sending it.
Ultima Posted May 20, 2006
And you checked Process Explorer like I said?
cyblivious (Author) Posted May 20, 2006
Of course. I've done it many times before.
Ultima Posted May 20, 2006
Mind providing screenshots of the hooked DLL and Handles list? Along with the stacks for the four utorrent.exe threads?
penguinix Posted May 20, 2006
I just did a search through my PeerGuardian records and didn't find any connection attempts to 84.110.240.247. So it's probably not utorrent that's doing this.
Ultima Posted May 20, 2006
Thanks for the confirmation, I've no access to logs at the moment. Anyhow, that gives more reason to make sure nothing suspicious is hooked onto the process.
cyblivious (Author) Posted May 20, 2006
I got a different IP address destination before. It seems to be random. I checked the firewall log and here are the other IP destinations of the personal data by uTorrent...
84.143.160.217
24.252.77.127
172.212.165.235
85.221.151.225
Ultima Posted May 20, 2006
Hm, those don't look suspicious, but we don't see the whole list, and those other things I asked for ;P Oh, and add the path column while you're at it (and make sure we can see the paths... hide whatever path you deem private). Version number I guess you can hide, as it's kinda useless to us.
cyblivious (Author) Posted May 20, 2006
cyblivious (Author) Posted May 20, 2006
Got another alert of it sending my First Name again to 64.223.179.104. Tracert points it to Verizon.
Inf Posted May 20, 2006
bzq-84-110-240-247.red.bezeqint.net is just an Israeli ISP; iirc it belongs to one of their ADSL IP pools, so it looks pretty much like a normal peer IP. Don't know about pool-64-223-179-104.man.east.verizon.net, but this looks like a peer IP too. IMHO, it's just a ZA-Pro false alarm. My assumption would be that ZA simply looks for your personal info inside the IP packets' payload, and alerts you each time it finds something. Note that in this case, if your first name is just 3..5 letters, and you are trafficking gigabytes of encrypted data (that looks more or less random), it WILL find it from time to time. Just out of curiosity, what is your first name?
Dark Shroud Posted May 20, 2006
This is one of the reasons you shouldn't use ZoneAlarm with p2p traffic.
cyblivious (Author) Posted May 20, 2006
But why also my email address?
cyblivious (Author) Posted May 20, 2006
My first name is 8 characters long while my last name is 10 characters long. It's quite hard to have a coincidence. It even sends my email address.
cyblivious (Author) Posted May 20, 2006
It's just that it's kinda wrong if it sends out my personal information without permission.
Ultima Posted May 20, 2006
Indeed it's odd, but it hasn't been reported before, and I'm pretty sure other people do actually do deeper analysis of µTorrent's packets, which leads me to believe it's something else hooking onto the process.
Inf Posted May 20, 2006
Maybe ZA does a partial lookup. I don't know, it just sounds pointless for ut to send your personal data anywhere, and it's definitely pointless sending it to other peers. Another thing is, encryption would effectively circumvent any detection, so if ludde would really want to do it, he would simply encrypt the data. If ZA can dump the particular packet it found the info in, please post the dump here; at least we can know what causes the false alerts.
µtorrent-Guest Posted May 20, 2006
It does not send your NAME out. It sends out packets with bytes. Since the alphabet just has 26(?) letters, it is NOT unlikely that it sends out packets that have the same byte order as what you call "Name". This really stupid function and its uselessness was for example explained in a lecture by some German hackers from the Chaos Computer Club. Due to the high traffic that p2p generates it's plainly stupid to run such a "forbidden names and data" function in the personal firewall. Your program is simply wrong. It cannot differentiate your "Name" 'ANTON' from a string "bogotANTONatosimus", and if the string "bogotantonatosimus" is sent in one of these massive packets it freaks out and pops the alarm.
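As an added illustration (not code from any post in this thread) of the chance-match argument made by Inf and µtorrent-Guest above: the expected number of times a fixed string appears by accident in N bytes of random-looking payload, plus the substring problem with 'ANTON' inside "bogotANTONatosimus". The filter model (plain substring search over outgoing payload, optionally case-insensitive) is an assumption about how ID-Lock works; the names and payload are made up.

```python
import re

# Added example: models a personal-info filter that substring-matches outgoing
# packet payload, and asks how often encrypted/compressed torrent data (treated
# as uniformly random bytes) would trigger it by chance. Sample values are
# constructed for the demonstration.


def expected_chance_matches(pattern: str, bytes_seen: int,
                            case_insensitive: bool = False) -> float:
    """Expected number of positions in `bytes_seen` random bytes at which
    `pattern` occurs by chance.

    A random byte equals a given byte with probability 1/256; under
    case-insensitive matching a letter has two acceptable bytes (2/256).
    Positions are treated as independent, which is accurate enough for the
    orders of magnitude involved.
    """
    per_position = 1.0
    for ch in pattern:
        alternatives = 2 if (case_insensitive and ch.isalpha()) else 1
        per_position *= alternatives / 256
    positions = max(bytes_seen - len(pattern) + 1, 0)
    return positions * per_position


def count_matches(pattern: bytes, payload: bytes,
                  case_insensitive: bool = False) -> int:
    """Count occurrences of `pattern` anywhere in `payload`, the way a naive
    payload filter would (no word boundaries, no protocol context)."""
    flags = re.IGNORECASE if case_insensitive else 0
    return len(re.findall(re.escape(pattern), payload, flags))


if __name__ == "__main__":
    TEN_GB = 10 * 1000**3  # assumed payload volume over a few weeks of seeding
    # Made-up names of 3, 5, 8 and 11 letters (the thread mentions 3..5, 8, 10).
    for name in ("bob", "anton", "cyblivio", "cybliviouss"):
        exact = expected_chance_matches(name, TEN_GB)
        loose = expected_chance_matches(name, TEN_GB, case_insensitive=True)
        print(f"{name:12} {len(name):2} chars: {exact:.3g} expected chance hits "
              f"in 10 GB ({loose:.3g} if case-insensitive)")
    # The ANTON / bogotANTONatosimus case: a substring filter cannot tell a
    # name from a longer string that happens to contain it.
    payload = b"bogotANTONatosimus"
    print(count_matches(b"ANTON", payload))                # 1
    print(count_matches(b"ANTON", payload.lower()))        # 0
    print(count_matches(b"ANTON", payload.lower(), True))  # 1
```

The table shows that a 3-5 letter string is expected to show up hundreds of times in 10 GB of random data, while an 8-character string is expected to appear far less than once, so the length of the monitored string decides whether a chance hit is a plausible explanation.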
jroc Posted May 20, 2006
I was gonna say the same thing. Norton has a similar feature. I used it to block the last 3 digits of my SS number from going out without my knowledge. I use Yahoo messenger and a temp file has the same numbers as the last 3 of my SSN in it. Norton flagged it. What's wilder is that in ZA u have to put your whole SS number in for it to monitor it. At least with Norton u could choose to just monitor how many u want. And Yahoo messenger was the only thing that caused Norton to flag it. It did it when I tried to listen to Yahoo radio while using messenger.
cyblivious (Author) Posted May 21, 2006
Those are valid points, if I used only a few characters of my name, but like I've said before, I placed my whole name and email in the filter! Not just a few characters like what you people are trying to say. So you mean those packets included my whole email address by chance? Had my whole last name also by chance? Kinda creepy if so.
cyblivious (Author) Posted May 21, 2006
I'll try to post a screenshot of the email. I'll also try to sniff the packets with Ethereal, but it would be kinda hard since uTorrent did it at random intervals.
Ultima Posted May 21, 2006
Erf, it very well may be ZoneAlarm being overly paranoid, but I tend to doubt the coincidence also... I'm still of the opinion that there might be something hooked onto the process, and you still haven't provided everything I asked for ;P (I know it's a lot of screenshots, but we can't verify anything otherwise)