Currently I'm checking out the Malwarebytes trial period to decide if I like it - so far all is quiet, but the real-time protection goes crazy with incoming connections to qtox, seemingly originating from other countries I (to my understanding) shouldn't have any Tox connection with.
I'm aware that for "Who and why is that IP blocked?" I need to ask Malwarebytes, but maybe one of you can identify this traffic and tell me if a) there's nothing to worry about, because qtox doesn't react to these requests anyway, or b) someone is exploiting a security flaw, or c) this is a normal process from common user roster providers or something?
Of course, if anyone knows why these IPs got blocked and what's behind them - I'd appreciate any intel, since currently I'm a bit worried. But to provide a reference of what I'm talking about, here's today's Malwarebytes protocol:
Malwarebytes Anti-Malware
www.malwarebytes.org
Protection, 01.06.2017 08:01, SYSTEM, PCNAME, Protection, Malware Protection, Starting,
Protection, 01.06.2017 08:01, SYSTEM, PCNAME, Protection, Malware Protection, Started,
Protection, 01.06.2017 08:01, SYSTEM, PCNAME, Protection, Malicious Website Protection, Starting,
Protection, 01.06.2017 08:01, SYSTEM, PCNAME, Protection, Malicious Website Protection, Started,
Update, 01.06.2017 08:47, SYSTEM, PCNAME, Scheduler, IP Database, 2017.5.30.4, 2017.5.31.1,
Update, 01.06.2017 08:47, SYSTEM, PCNAME, Scheduler, Domain Database, 2017.5.31.8, 2017.6.1.1,
Update, 01.06.2017 08:47, SYSTEM, PCNAME, Scheduler, Malware Database, 2017.5.31.7, 2017.6.1.2,
Protection, 01.06.2017 08:47, SYSTEM, PCNAME, Protection, Refresh, Starting,
Protection, 01.06.2017 08:47, SYSTEM, PCNAME, Protection, Malicious Website Protection, Stopping,
Protection, 01.06.2017 08:47, SYSTEM, PCNAME, Protection, Malicious Website Protection, Stopped,
Protection, 01.06.2017 08:47, SYSTEM, PCNAME, Protection, Refresh, Success,
Protection, 01.06.2017 08:47, SYSTEM, PCNAME, Protection, Malicious Website Protection, Starting,
Protection, 01.06.2017 08:47, SYSTEM, PCNAME, Protection, Malicious Website Protection, Started,
Detection, 01.06.2017 10:01, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.29, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:01, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.29, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:01, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:01, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:04, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:04, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:06, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:11, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:14, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:14, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Windows\System32\svchost.exe,
Detection, 01.06.2017 10:15, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:15, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Windows\System32\svchost.exe,
Detection, 01.06.2017 10:15, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 95.84.240.30, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:15, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 95.84.240.30, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:16, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:20, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:20, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:20, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:20, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.29, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:20, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.29, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:20, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.29, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:21, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:22, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.28, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:22, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.28, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:22, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.29, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:22, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.29, 33445, Inbound, C:\Windows\System32\svchost.exe,
Detection, 01.06.2017 10:36, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.28, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:36, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.28, 33445, Inbound, C:\Windows\System32\svchost.exe,
Detection, 01.06.2017 10:37, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.28, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:37, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.28, 33445, Inbound, C:\Windows\System32\svchost.exe,
Detection, 01.06.2017 10:37, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.28, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,
Detection, 01.06.2017 10:39, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.28, 33445, Inbound, C:\Program Files\qTox\bin\qtox.exe,(end)
And the requests keep coming. Should we attempt to have these IPs unblocked, should we worry, should we ignore?
The connections to your PC happen because Tox is a peer-to-peer protocol and needs to communicate with other peers all over the world.
Thanks for taking the time to consider this and for your hint. I just think you might be dismissing this a bit too easily? qtox works - we've been using it to communicate for quite a while now - we can find people and connect, send files, chat... everything fine and dandy, and the Malwarebytes routine never blocks anything that seems to be related to our communication. That's what your statement applies to - a peer-to-peer network where the participating clients communicate directly with one another.
Now, in addition to this traffic, there are connections (as mentioned above) that originate from systems that seem to have nothing to do with the valid traffic _and_ are blacklisted as being malicious (sadly I don't know where to look up their blacklist yet, so I can't tell for what these have been blacklisted). I just think it might be worth looking into these requests as they may point at a possible security flaw within qtox.
Or of course, if someone could pinpoint these to a defined service (maybe a third-party client roster, or an internal process with routing), it'd be much appreciated out of interest in the technology.
> Now, in addition to this traffic, there are connections (as mentioned above) that originate from systems that seem to have nothing to do with the valid traffic
The point here is that not only the connections between you and your friend (audio/video/chat) are valid, but also those to other "random" IPs. This is because Tox uses a DHT in order to find the IP for your friend and to handle friend requests.
> are blacklisted as being malicious

If their blacklist really contains a malicious node this would be bad and someone could be running an attack against toxcore; I guess, however, that it's only their heuristics going wrong because of lots of connections to "random" IPs.
Feel free to ask more questions about this, maybe we can even put this into our wiki.
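As an added example (not part of this thread or of qTox), a small Python triage script for the Malwarebytes export format pasted above: it groups the inbound detections by remote IP and by the local process Malwarebytes attributed them to, and checks whether every hit landed on 33445, the default UDP port of the Tox DHT. The sample rows are constructed in the same format as the export.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the Malwarebytes export format from the thread.
# Detection rows carry: type, timestamp, user, host, component, module,
# kind, remote IP, port, direction, local process. The export appends
# "(end)" after the last row's trailing comma, so it lands in an extra field.
SAMPLE_LOG = """\
Protection, 01.06.2017 08:01, SYSTEM, PCNAME, Protection, Malware Protection, Started,
Detection, 01.06.2017 10:01, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.29, 33445, Inbound, C:\\Program Files\\qTox\\bin\\qtox.exe,
Detection, 01.06.2017 10:14, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.6, 33445, Inbound, C:\\Windows\\System32\\svchost.exe,
Detection, 01.06.2017 10:39, SYSTEM, PCNAME, Protection, Malicious Website Protection, IP, 91.209.77.28, 33445, Inbound, C:\\Program Files\\qTox\\bin\\qtox.exe,(end)
"""

TOX_DHT_PORT = "33445"  # default UDP port used by the Tox DHT


def parse_detections(text):
    """Yield one dict per 'Detection ... IP' row; other row types are skipped."""
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if len(row) < 11 or row[0] != "Detection" or row[6] != "IP":
            continue
        yield {
            "time": row[1],
            "ip": row[7],
            "port": row[8],
            "direction": row[9],
            "process": row[10],
        }


def summarize(text):
    """Count inbound hits per remote IP and per local process, and collect ports."""
    by_ip = Counter()
    by_process = Counter()
    ports = set()
    for d in parse_detections(text):
        if d["direction"] != "Inbound":
            continue
        by_ip[d["ip"]] += 1
        by_process[d["process"].rsplit("\\", 1)[-1]] += 1  # basename only
        ports.add(d["port"])
    return {
        "by_ip": dict(by_ip),
        "by_process": dict(by_process),
        "ports": sorted(ports),
        # Hits confined to the Tox DHT port are consistent with ordinary DHT
        # traffic; hits on other ports would deserve a closer look.
        "all_on_tox_dht_port": ports == {TOX_DHT_PORT},
    }
```

Run it over a full export instead of `SAMPLE_LOG` to see which remote IPs recur and whether any blocked connection was attributed to a process other than qtox.exe.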
Thanks a lot for the follow-up. So the hash tables get distributed over all clients, hence there might be incoming connections from unknown/other Tox clients asking mine to provide it? This really would explain those incoming connections and why they seem unrelated.
I found intel in the qtox.log from core.cpp:423 mentioning some IPv4, IPv6 and some FQDN in context with "Connected to the DHT" in :387. Looks outbound - is there any history of who got it from my client? Can I check the connection protocol or a list of who my client is/was talking to (incoming/outgoing and about what)? Tried to find those IPs (after unloading MWB) in there, but no luck. Can't see dates there either - the log doesn't seem to feature date stamps along with UTC?
I think a "live view" of connections with protocol for some minutes and optional log would be very interesting to have and look at - maybe a feature request? :-)
Anyhow, thanks again. Reading up on DHT could lift my concerns. Is it possible to inspect the current data my client has in stock and could/would provide?
> I found intel in the qtox.log from core.cpp:423 mentioning some IPv4, IPv6 and some FQDN in context with "Connected to the DHT" in :387. Looks outbound - is there any history of who got it from my client?
This is part of the bootstrapping process, your client trying to connect to a list of known nodes in the DHT. See https://nodes.tox.chat/
> Can't see dates there either - the log doesn't seem to feature date stamps along with UTC?
IIRC we decided to not include dates in logs, to enhance privacy and because they aren't really needed for debugging.
> Can I check the connection protocol or a list of who my client is/was talking to (incoming/outgoing and about what)? Tried to find those IPs (after unloading MWB) in there, but no luck. Can't see dates there either - the log doesn't seem to feature date stamps along with UTC?

I don't think they are exposed by toxcore and we haven't come across a significant use case where they would be needed.
> Anyhow, thanks again. Reading up on DHT could lift my concerns. Is it possible to inspect the current data my client has in stock and could/would provide?
I can't really answer this question, you should ask this in #toktok on freenode or in https://github.com/TokTok/c-toxcore
Hey there, awesome reply! Thanks again for taking the time to answer all this. It's really helpful :+1:
(and sorry for the high response delays)