
Why is the #2 torrent in DHT a 25Mb file named AF.dat? - lcrs
https://btdigg.org/top100.html
======
eli
Looks like this piece of Windows malware:
[https://malwr.com/analysis/NDI4YmUxNjM0ZTUwNDY0OWFhNjM3YzFiZ...](https://malwr.com/analysis/NDI4YmUxNjM0ZTUwNDY0OWFhNjM3YzFiZmY1YmQ4ZDU/)

It uses a data file called AF.dat and connects to BitTorrent.

~~~
lcrs
Aha, the long .torrent file it drops matches the magnet link too. The MD5 of
AF.dat from that page doesn't match what I've got but maybe it gets
modified...

------
slater
[http://www.exterminate-it.com/malpedia/file/af.dat](http://www.exterminate-it.com/malpedia/file/af.dat) maybe?

~~~
lcrs
Interesting, whilst downloading the bittorrent client ID strings were all
"LT/1.0.3.0", maybe a connection to the Lineage malware from that page?

------
jondumbau
I'm pretty sure the most popular torrent in the DHT doesn't have 644 downloads
in the last week.

this must be measuring downloads/hits from btdigg.org (only), so someone is
linking directly to it and relying on them to jump clients into the DHT
perhaps?

~~~
lcrs
I can't imagine btdigg can scrape the whole DHT, but I think the idea is that
the traffic they see by running many "fake" nodes is proportional to the
whole, because the DHT spreads all traffic around fairly equally? I'm
presuming they're using a method similar to the one presented here:
[https://www.usenix.org/legacy/event/woot10/tech/full_papers/...](https://www.usenix.org/legacy/event/woot10/tech/full_papers/Wolchok.pdf)

------
lcrs
For the curious, the magnet link is:
magnet:?xt=urn:btih:a4a75d2e4095d457467777673e96cd331575b511&dn=AF

file(1) has nothing to say about it but at a glance it doesn't look like a
uniform encrypted blob...

------
geoah
If I was making a botnet I would use the DHT to download updates, settings
etc. Not sure what else.

------
untog
That whole list is kind of fascinating. Interesting to see the movies and
shows that are particularly popular when it comes to piracy (Marvel, Marvel,
Marvel...)

~~~
ant6n
...and GTA San Andreas? That game is more than 10 years old!

------
J_Darnley
I'm going to guess at a password database of some kind, perhaps a "rainbow
table". There seem to be frequent occurrences of long strings of the alphabet.
Byte value counts are almost equal.
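
The two observations above (lcrs: "doesn't look like a uniform encrypted blob"; J_Darnley: "byte value counts are almost equal", long runs of letters) are the usual first triage of an unknown blob: compare its byte histogram against a flat distribution and look for plaintext-like runs. The script below is an added example, not code from the thread or from any of the linked analyses. It computes Shannon entropy, a chi-square statistic against the uniform distribution, and the longest run of ASCII letters, then gives a rough verdict. The thresholds (entropy 7.98 bits/byte, chi-square 400 at 255 degrees of freedom) are assumptions tuned for inputs of tens of kilobytes, and both sample inputs are constructed, not the real AF.dat.

```python
"""Byte-distribution triage for an unknown binary blob (added example).

Checks an input against a uniform byte distribution with Shannon entropy
and a chi-square statistic, and reports the longest run of ASCII letters.
Thresholds and sample inputs below are constructed assumptions.
"""
import math
import random
import sys
from collections import Counter

# Assumed thresholds for samples of tens of KiB: a 255-dof chi-square for
# truly uniform bytes sits near 255 with a standard deviation of about 22.6,
# so anything above 400 is far from flat.
ENTROPY_UNIFORM = 7.98
CHI2_UNIFORM = 400.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a flat distribution."""
    n = len(data)
    if n == 0:
        return 0.0
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def longest_alpha_run(data: bytes) -> int:
    """Length of the longest run of consecutive ASCII letters [A-Za-z]."""
    best = run = 0
    for b in data:
        if 65 <= b <= 90 or 97 <= b <= 122:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def classify(data: bytes) -> str:
    """'uniform' when the bytes are indistinguishable from random (an encrypted
    or compressed payload); otherwise 'structured'."""
    if shannon_entropy(data) >= ENTROPY_UNIFORM and chi_square_uniform(data) <= CHI2_UNIFORM:
        return "uniform"
    return "structured"


# Constructed samples: a deterministic pseudo-random blob standing in for an
# encrypted file, and a plaintext "user:hexhash" list standing in for a
# password-database-like file.
_rng = random.Random(20151121)
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
STRUCTURED_SAMPLE = b"".join(
    b"user%05d:" % i + bytes(f"{i * 2654435761 % 2**32:08x}", "ascii") + b"\n"
    for i in range(4000)
)


def report(data: bytes) -> dict:
    """Summarise the statistics used for the verdict."""
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "chi2": round(chi_square_uniform(data), 1),
        "longest_alpha_run": longest_alpha_run(data),
        "verdict": classify(data),
    }


if __name__ == "__main__":
    # Usage: python triage.py [file]; with no argument, run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read()))
    else:
        for name, blob in (("random", RANDOM_SAMPLE), ("structured", STRUCTURED_SAMPLE)):
            print(name, report(blob))
```

A "uniform" verdict only says the bytes are flat; a compressed archive, a ciphertext, or a well-mixed key stream all look the same to this test, so it rules structure out rather than identifying a format. A "structured" verdict with long letter runs is what you would expect from plaintext tables or wordlists, which is consistent with the guesses in the thread but does not confirm them.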

~~~
teach
Aren't rainbow tables EXTREMELY large?

------
brudgers
Somewhat Related: [http://daniel.haxx.se/blog/2015/11/16/the-most-popular-curl-download-by-a-malware/](http://daniel.haxx.se/blog/2015/11/16/the-most-popular-curl-download-by-a-malware/)

Discussion:
[https://news.ycombinator.com/item?id=10574011](https://news.ycombinator.com/item?id=10574011)

------
rverbitsky
SHA256:459b05fe2dbd56cb0f31babdf722c40bd7ce061c7701fdbb56dfb382e8cd2371

File name: AF.dat

Detection ratio: 0 / 55

[https://www.virustotal.com/en/file/459b05fe2dbd56cb0f31babdf...](https://www.virustotal.com/en/file/459b05fe2dbd56cb0f31babdf722c40bd7ce061c7701fdbb56dfb382e8cd2371/analysis/1448148451/)

------
0x0
There's another curious entry too, "x86", with filenames consisting of a
random collection of unzipping .dlls and other weird stuff... Why would anyone
want to torrent such a seemingly useless collection of random files?

~~~
oakwhiz
I think this has something to do with a Korean antivirus program called ALYac.

------
mappu
P2P update for a videogame?

------
oh_sigh
Malware or child porn

