Follow the Bouncing EMule

Published: 2006-12-07. Last Updated: 2006-12-07 20:45:19 UTC
by Tom Liston (Version: 1)
0 comment(s)
Robert Danford, one of the other ISC Handlers, happened to mention in the Sooper Secret ISC Handler Chat Room that a co-worker was investigating a local spike in traffic to port 1755 TCP.  In looking at the DShield data, we're seeing levels jumping all over the place.  By capturing packets, Robert's co-worker, Dan Frasnelli, was able to pin down what was flying by: eMule traffic.  Doing a little searching (Google is your friend), we found that the kidz (in response to Eeeeevil ISPs throttling P2P traffic) have decided to use 1755 TCP.  Why?  Well, because Windows Media Server lives on that port, and they believe that they'll stand less chance of getting throttled.  We've seen them move ports before: from 4662 -> 6662.

You know... if some of the people putting all of the thought and energy into obfuscating JavaScript, writing malware, getting P2P around ISPs, etc... want to stop by my house, I've got a "honey-do" list about 10 pages long that they could work on.
Keywords:
0 comment(s)

Comments


Diary Archives