Fake Emule MD4 Hashes & File Sizes: How To Spot Them

TL;DR

Yes, both Emule MD4 hashes and file sizes can be faked. However, it’s not trivial for a large number of files simultaneously. Fake hashes are more common than fake file sizes. Checking against known good sources is the best defence.

How File Sizes Can Be Faked

1. The Problem: Emule relies on clients reporting their file sizes correctly. A malicious user can tell Emule they have a larger (or smaller) file than they actually do.
2. Detection: This is usually caught quickly by the network as other users download and verify the actual size. The fake source will be penalised.
3. Impact: Primarily causes wasted bandwidth for those who attempt to download from a faked source, and can lead to incomplete downloads. It’s less damaging than a fake hash.

How MD4 Hashes Can Be Faked

1. The Problem: A malicious user can provide an incorrect MD4 hash for a file. This makes Emule think it’s downloading the correct file when it isn’t.
2. Methods of Faking:
   • Single File Replacement: The easiest method is to replace parts of a legitimate file with malicious content while keeping the same filename and hash (difficult for large files).
   • Hash Collisions: Theoretically possible, but extremely difficult in practice. Finding two different files with the same MD4 hash requires significant computing power. MD4 is considered cryptographically broken, meaning collisions are easier to find than they should be, but still not simple.
   • Fake Server Software: A malicious server could report a false hash for any file it offers.
3. Detection & Verification:
   • Multiple Sources: Download from multiple sources simultaneously. If the hashes don’t match, something is wrong.
   • Known Good Hashes: Compare the hash against a trusted source (e.g., a reputable file-sharing website or forum).
   • Hash Checking Tools: Use a dedicated MD4 hashing tool to verify the downloaded file yourself.

     md4sum filename

     (This command is available on many Linux systems; Windows users will need a separate utility.)

Steps To Protect Yourself

1. Download from Multiple Sources: This is the most important step. Emule’s verification system works best when you have multiple sources to compare against.
2. Check Known Good Hashes: Before downloading, search for the file on reputable websites or forums and verify the MD4 hash matches.
3. Scan Downloaded Files: Always scan downloaded files with an up-to-date antivirus program before opening them.
4. Be Wary of New Sources: Be cautious when downloading from sources you don’t know or trust.
5. Use a Firewall: A firewall can help prevent malicious software from communicating with the internet.

   iptables -A INPUT -p tcp --dport 6881 -j DROP

   (This example blocks incoming connections on port 6881, Emule’s default port. Adjust as needed.)

6. Keep Emule Updated: Newer versions of Emule often include security improvements and bug fixes.

Cyber security Considerations

Fake hashes are a common vector for distributing malware through peer-to-peer networks like Emule. Always prioritize verifying the integrity of downloaded files before using them.