Malware Prevalence in the Kazaa File-Sharing Network
Authors: Seungwon Shin, Jaeyeon Jung, and Hari Balakrishnan
Internet Measurement Conference 2006
Presented by: Arun Krishnamurthy
The Outline
Intro and problems of Kazaa: How does Kazaa work? Why isn't the problem just piracy?
Krawler: The Kazaa Web Crawler: What does it do? How does it work?
Experimentation and Results: What nasty stuff did Krawler find? How did they propagate?
My Comments: What was good? What was bad? How to improve?
Let's talk Kazaa!
Intro to Kazaa
A file-sharing application released in 2001 and owned by Sharman Networks since 2002. [1]
The official client bundles spyware/adware; unofficial variants such as Kazaa Lite strip it out.
Uses supernodes to search for a file, unlike Napster, which relies on a centralized search server.
[1] Wikipedia
Centralized Server Searching (Like Napster)
Problems with Kazaa
The problem isn't just piracy! We also have to worry about malware!
Malware created by malicious peers to attack other peers' computers.
Dummy files created by the RIAA and MPAA to track and sue illegal uploaders/downloaders!
Krawler: A Kazaa Web Crawler
What's a Crawler? A web crawler is a program or automated script which browses the World Wide Web in a methodical, automated manner. [1]
[1] Wikipedia
(Diagram: a web crawler, or spider, requesting and receiving data from the World Wide Web)
Krawler: A Kazaa Crawler
Browses Kazaa in search of malicious programs.
Two components:
Dispatcher: maintains the list of supernodes.
Fetcher: communicates with the dispatcher, updates the set of supernodes to crawl, and sends query strings to individual supernodes.
Krawler: A Kazaa Crawler (Basic Idea)
Begin with a set of IP addresses of 200 known supernodes and a set of query strings for the files being sought.
Try to connect to each supernode. If the connection fails, retry that address in the next round. If it succeeds, exchange a handshake message with the supernode.
Retrieve a supernode refresh list consisting of 200 supernode IP addresses and save it in the dispatcher.
Send the set of queries to each supernode and wait for responses. Download any matches and scan them for viruses.
Experimentation and Results
Collecting Data
Three machines used:
2.1 GHz dual-core CPU with 1 GB RAM
2.1 GHz CPU with 1.5 GB RAM
1.42 GHz CPU with 1 GB RAM
This allowed the crawler to investigate 60K files/hour.
File information is limited to file names that matched a query string.
Many viruses create multiple copies under different legitimate-looking file names to increase their chances of being downloaded.
Only .exe files are investigated.
By 2002, security vendor sites had reported more than 200 viruses propagating over P2P. Krawler has the content hashes of 71 of these viruses.
The Kazaa content hash is 20 bytes: the first 16 bytes are an MD5 signature and the last 4 bytes encode the file length. (Caveat: in Kazaa's UUHash the MD5 covers only the first 300 KiB of the file, so a file can differ beyond that point and still match; a hash hit identifies a known sample, not a byte-identical file.)
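The crawl loop from the "Basic Idea" slide and the hash-matching step above, as an added example that is not the paper's Krawler code. The supernode "network", peer hosts, filenames and file contents are all constructed in-memory stand-ins (no sockets), and the content hash follows the slide's 16-byte MD5 plus 4-byte length layout rather than Kazaa's real prefix hash; `Dispatcher`, `connect` and `crawl` are names chosen here.

```python
"""Simulated Krawler-style crawl of a Kazaa-like supernode overlay.

Constructed example, not the paper's code. NETWORK stands in for real
supernodes; hosts, filenames and file contents are made up. The content
hash follows the slide's description (16-byte MD5 || 4-byte file length).
"""
import hashlib
import struct
from collections import defaultdict


def content_hash(data: bytes) -> bytes:
    """20-byte content hash as the slide describes: MD5(data) || length.

    Simplification: real Kazaa hashes only a prefix of the file with MD5.
    """
    return hashlib.md5(data).digest() + struct.pack(">I", len(data))


# Constructed file contents standing in for real binaries.
_MALWARE_BLOB = b"MZ\x90\x00constructed-dropper-sample"
_LEGIT_BLOB = b"MZ\x90\x00constructed-winzip-installer"
_MP3_BLOB = b"ID3constructed-audio"

# Known-bad content hashes (Krawler carried 71 of these from vendor sites).
KNOWN_MALWARE = {content_hash(_MALWARE_BLOB): "SdDrop"}

# Simulated supernodes: each returns a refresh list of other supernodes and
# search results as (peer host, filename, file contents). None = unreachable.
# The same malware payload is shared under several legitimate-looking names.
NETWORK = {
    "10.0.0.1": {
        "refresh": ["10.0.0.3"],
        "files": [
            ("192.0.2.10", "Adobe Photoshop 10 full.exe", _MALWARE_BLOB),
            ("192.0.2.11", "WinZip 8.1.exe", _LEGIT_BLOB),
        ],
    },
    "10.0.0.2": None,  # connection fails this crawl
    "10.0.0.3": {
        "refresh": ["10.0.0.1"],
        "files": [
            ("192.0.2.12", "ICQ Lite (new).exe", _MALWARE_BLOB),
            ("192.0.2.10", "WinZip 8.1.exe", _MALWARE_BLOB),
            ("192.0.2.13", "icq_theme.mp3", _MP3_BLOB),
        ],
    },
}

SEED_SUPERNODES = ["10.0.0.1", "10.0.0.2"]
QUERIES = ["photoshop", "winzip", "icq"]


class Dispatcher:
    """Keeps the supernode list; failed addresses are retried next round."""

    def __init__(self, seeds):
        self.known = set(seeds)
        self.pending = list(seeds)

    def next_round(self):
        batch, self.pending = self.pending, []
        return batch

    def add_refresh_list(self, addrs):
        for addr in addrs:
            if addr not in self.known:
                self.known.add(addr)
                self.pending.append(addr)

    def defer(self, addr):
        self.pending.append(addr)


def connect(addr):
    """Stand-in for the TCP connect and handshake; None on failure."""
    return NETWORK.get(addr)


def crawl(seeds, queries, known_malware, rounds=3):
    """Fetcher loop: connect, take refresh list, query, download, hash-check."""
    disp = Dispatcher(seeds)
    hits = defaultdict(lambda: {"names": set(), "hosts": set()})
    downloaded = 0
    for _ in range(rounds):
        for addr in disp.next_round():
            node = connect(addr)
            if node is None:
                disp.defer(addr)
                continue
            disp.add_refresh_list(node["refresh"])
            for host, name, blob in node["files"]:
                lname = name.lower()
                # Only .exe results whose name matches a query are fetched.
                if not lname.endswith(".exe") or not any(q in lname for q in queries):
                    continue
                downloaded += 1
                label = known_malware.get(content_hash(blob))
                if label:
                    hits[label]["names"].add(name)
                    hits[label]["hosts"].add(host)
    return {
        "downloaded": downloaded,
        "supernodes_seen": sorted(disp.known),
        "malware": {k: {"names": sorted(v["names"]), "hosts": sorted(v["hosts"])}
                    for k, v in hits.items()},
    }


if __name__ == "__main__":
    print(crawl(SEED_SUPERNODES, QUERIES, KNOWN_MALWARE))
```

Note that "WinZip 8.1.exe" shows up both as a clean file and as a renamed copy of the malware sample: the filename carries no signal on its own, which is why the crawler keys its findings on the content hash and counts distinct infected hosts per hash rather than per name.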
Malware Distribution
Krawler found 45 viruses in Feb 06 and 52 viruses in May 06.
SdDrop infected the largest number of clients!
Files offered under the names ICQ and Trillian had the highest chance of being infected (over 70%)!
Virus Propagation
Many viruses disguise themselves with legitimate-looking filenames:
Adobe Photoshop 10 full.exe
WinZip 8.1.exe
ICQ Lite (new).exe
Many viruses use peers to propagate: they copy themselves into the folders used for file sharing.
Some viruses don't rely only on P2P for propagation: email, web sites, instant messengers, etc.
Characteristics of Infected Hosts
Krawler found 1,618 infected hosts in Feb 06.
Krawler found 2,576 infected hosts in May 06. 78 of the Feb hosts (about 5 percent) were still infected in May!
Many of the viruses found turn infected hosts into bots used for DoS attacks and spam relaying.
Characteristics of Infected Hosts
(Chart: attack methods used by the malware found on infected hosts)
My Comments
Strengths
Identifies many types of viruses in the Kazaa network.
Identifies the infected programs as well!
Easy to understand and possibly implement. So easy, a caveman can understand it!
Weaknesses
Only searched the Kazaa network. How about BitTorrent, LimeWire, Morpheus, etc.?
Only searched .exe files. Mp3 files can also be a problem (think RIAA).
Experiments could have lasted a bit longer. Feb 06 to May 06 is a little short. How about conducting for 6 months or 1 year?
Suggestions
Scan for viruses in other file extensions: mp3, mov, dll, doc, etc.
Scan for viruses in other P2P applications.
Scan and filter out any dummy files from those RIAA and MPAA <explicit deleted>!
Conclusion
Piracy isn't the only problem in Kazaa and other P2P networks. We also have to worry about malware!
Krawler does a very good job of finding malicious programs in Kazaa. Also easy to understand!
Would love Krawler to search for other file extensions and conduct longer experiments.
Anti-Piracy PSA
Piracy Hurts! Piracy not only hurts well-paid artists!