Malware Prevalence in the Kazaa File-Sharing Network. Authors: Seungwon Shin, Jaeyeon Jung, and Hari Balakrishnan. Internet Measurement Conference 2006. Presented by: Arun Krishnamurthy.

Malware Prevalence in the Kazaa File-Sharing Network

Feb 22, 2016

Page 1: Malware Prevalence in the Kazaa File-Sharing Network

Malware Prevalence in the Kazaa File-Sharing Network

Authors: Seungwon Shin, Jaeyeon Jung, and Hari Balakrishnan

Internet Measurement Conference 2006

Presented by: Arun Krishnamurthy

Page 2: Malware Prevalence in the Kazaa File-Sharing Network

The Outline

- Intro and problems of Kazaa
  - How Kazaa works? Problem isn’t just piracy?
- Krawler: The Kazaa Web Crawler
  - What does it do? How does it work?
- Experimentation and Results
  - What nasty stuff did Krawler find? How did they propagate?
- My Comments
  - What was good? What was bad? How to improve?

Page 3: Malware Prevalence in the Kazaa File-Sharing Network

Let’s talk Kazaa!

Page 4: Malware Prevalence in the Kazaa File-Sharing Network

Intro to Kazaa

- A file sharing software created in 2000 by Sharman Networks. [1]
- Main program contains spyware/adware.
  - Variations of Kazaa do not contain malware.
- Uses supernodes to search for a file.
  - Unlike Napster, which uses a centralized server for searching.

[1] Wikipedia

Page 5: Malware Prevalence in the Kazaa File-Sharing Network

Centralized Server Searching (Like Napster)

[Diagram: Peers 1 to 6 and a "Pirate" peer around a Main Server. Labels: "I want 'A Pirates Life for me'!"; "Peer 6 has 'A Pirates Life for me'"; "A Pirates Life for me.mp3".]

Page 6: Malware Prevalence in the Kazaa File-Sharing Network

Supernodes Searching (Like Kazaa)

[Diagram: a peer named Hook searching through supernodes. Labels: "I want Peter Pan movie"; "Hook wants Peter Pan movie" (shown twice); "Alligator has Peter Pan movie!"; "LAWSUI’D!!!"; "404’D!".]

Page 7: Malware Prevalence in the Kazaa File-Sharing Network

Problems with Kazaa

- The problem isn’t just piracy!
- We also have to worry about malware!!!
  - Malware created by malicious peers to attack other peers’ computers.
  - Dummy files created by RIAA and MPAA to track and sue illegal uploaders/downloaders!

Page 8: Malware Prevalence in the Kazaa File-Sharing Network

Krawler: A Kazaa Web Crawler

Page 9: Malware Prevalence in the Kazaa File-Sharing Network

What’s a Crawler?

- A web crawler is a program or automated script which browses the World Wide Web in a methodical, automated manner. [1]

[1] Wikipedia

[Diagram: a Web Crawler (Spider) and the World Wide Web. Labels: "Give me data!"; "Data".]

Page 10: Malware Prevalence in the Kazaa File-Sharing Network

Krawler: A Kazaa Crawler

- Browses Kazaa in search of malicious programs.
- Two components:
  - Dispatcher
    - Maintains list of supernodes.
  - Fetcher
    - Communicates with dispatcher.
    - Updates a set of supernodes to crawl.
    - Sends query strings to individual supernodes.

Page 11: Malware Prevalence in the Kazaa File-Sharing Network

Krawler: A Kazaa Crawler (Basic Idea)

- Begin with a set of IP addresses of 200 known supernodes and a set of query strings associated with the files being sought.
- Try to connect to each supernode.
  - If the connection fails, wait for the next round to get an IP address.
  - If connected, exchange a handshake message with the supernode.
- Retrieve a supernode refresh list consisting of 200 supernode IP addresses. Save the list in the dispatcher.
- Send out a set of queries to each supernode and wait for responses. Download any matches and scan for viruses.
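The crawl loop on this slide, as an added Python example that is not Krawler's own code. The overlay, node names and file lists are constructed sample data held in memory (no network access), and the `.exe` filter follows the query-string method described in the data-collection slides.

```python
# Added illustration: dispatcher/fetcher crawl over a constructed in-memory overlay.
# Node names, reachability and file lists are invented sample data, not Kazaa traffic.
OVERLAY = {  # address -> (reachable, supernode refresh list, shared file names)
    "sn-a": (True, ["sn-b", "sn-c"], ["WinZip 8.1.exe", "song.mp3"]),
    "sn-b": (False, [], []),
    "sn-c": (True, ["sn-a", "sn-d"], ["ICQ Lite (new).exe"]),
    "sn-d": (True, ["sn-c"], ["notes.txt", "winzip keygen.exe"]),
}


class Dispatcher:
    """Maintains the list of known supernodes."""

    def __init__(self, seeds):
        self.known = list(dict.fromkeys(seeds))  # de-duplicate, keep order

    def add(self, addresses):
        for addr in addresses:
            if addr not in self.known:
                self.known.append(addr)


class Fetcher:
    """Takes supernodes from the dispatcher, queries them, reports matches."""

    def __init__(self, dispatcher, queries, overlay):
        self.dispatcher, self.overlay = dispatcher, overlay
        self.queries = [q.lower() for q in queries]

    def crawl_round(self):
        hits, failed = set(), []
        for addr in list(self.dispatcher.known):  # snapshot: new nodes wait a round
            reachable, refresh, files = self.overlay.get(addr, (False, [], []))
            if not reachable:
                failed.append(addr)  # connection failed: retried next round
                continue
            self.dispatcher.add(refresh)  # save the refresh list in the dispatcher
            for name in files:
                low = name.lower()
                if low.endswith(".exe") and any(q in low for q in self.queries):
                    hits.add((addr, name))  # candidate to download and scan
        return hits, failed


def crawl(seeds, queries, rounds, overlay=OVERLAY):
    dispatcher = Dispatcher(seeds)
    fetcher = Fetcher(dispatcher, queries, overlay)
    hits, failed = set(), []
    for _ in range(rounds):
        round_hits, failed = fetcher.crawl_round()
        hits |= round_hits
    return sorted(hits), dispatcher.known, failed
```

Each round only visits supernodes known at its start, so coverage grows one refresh-list hop per round and unreachable nodes stay on the list for the next attempt.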

Page 12: Malware Prevalence in the Kazaa File-Sharing Network

Experimentation and Results

Page 13: Malware Prevalence in the Kazaa File-Sharing Network

Collecting Data

- Three machines used:
  - 2.1 GHz dual-core CPU w/ 1 GB RAM
  - 2.1 GHz CPU w/ 1.5 GB RAM
  - 1.42 GHz CPU w/ 1 GB RAM
- Allowed Crawler to investigate 60K files/hour.
- Two measurement methods:
  - Query Strings
  - Virus Signatures

Page 14: Malware Prevalence in the Kazaa File-Sharing Network

Collecting Data (Query Strings)

- File information is limited to file names that matched a query string.
- Many viruses create multiple copies with different legit file names to increase chances of being downloaded.
- Only .exe files are investigated.

Page 15: Malware Prevalence in the Kazaa File-Sharing Network

Collecting Data (Virus Signatures)

- In 2002, security vendor sites have found more than 200 viruses propagating from P2P.
  - Krawler has 71 content hashes of these viruses.
- Kazaa content hash is 20 bytes in size.
  - First 16 bytes for MD5 signature.
  - Last 4 bytes for length of file.
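An added example (not code from the paper or from Krawler) of matching query responses against known content hashes using the 20-byte layout above; it also shows why hash matching still catches one body shared under several file names. Assumptions: MD5 is computed over the whole content, the length is a big-endian 32-bit integer, and the signature label, host names and sample bytes are constructed.

```python
import hashlib
import struct
from collections import defaultdict

HASH_LEN, MD5_LEN = 20, 16


def content_hash(data: bytes) -> bytes:
    """Build the 20-byte value: 16-byte MD5, then 4-byte file length.
    Assumed here: MD5 over the whole content, length as big-endian uint32."""
    return hashlib.md5(data).digest() + struct.pack(">I", len(data))


def split_content_hash(value: bytes):
    """Return (md5_hex, length); reject anything that is not exactly 20 bytes."""
    if len(value) != HASH_LEN:
        raise ValueError(f"expected {HASH_LEN} bytes, got {len(value)}")
    (length,) = struct.unpack(">I", value[MD5_LEN:])
    return value[:MD5_LEN].hex(), length


def match_responses(responses, signatures):
    """Group (host, filename, hash) query responses by matching signature."""
    report = defaultdict(lambda: {"hosts": set(), "names": set()})
    malformed = 0
    for host, name, value in responses:
        try:
            split_content_hash(value)
        except ValueError:
            malformed += 1  # count and skip hashes that do not fit the layout
            continue
        label = signatures.get(value)
        if label is not None:
            report[label]["hosts"].add(host)
            report[label]["names"].add(name)
    return dict(report), malformed


# Constructed sample data: harmless byte strings stand in for file contents.
SAMPLE_A = b"constructed sample body A"
CLEAN = b"constructed clean installer"
SIGNATURES = {content_hash(SAMPLE_A): "Sample.A"}  # label is hypothetical
RESPONSES = [
    ("host-1", "WinZip 8.1.exe", content_hash(SAMPLE_A)),
    ("host-2", "ICQ Lite (new).exe", content_hash(SAMPLE_A)),  # same body, new name
    ("host-3", "WinZip 8.1.exe", content_hash(CLEAN)),  # same name, clean body
    ("host-4", "truncated.exe", content_hash(SAMPLE_A)[:19]),  # malformed hash
]
```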

Page 16: Malware Prevalence in the Kazaa File-Sharing Network

Malware Distribution

- Krawler has found 45 viruses in Feb 06 and 52 viruses in May 06.
- SdDrop infected the most clients!
- ICQ and Trillian had the highest chance of being infected (over 70%)!

Page 17: Malware Prevalence in the Kazaa File-Sharing Network

Malware Distribution (Top 10 Viruses Graph)

Page 18: Malware Prevalence in the Kazaa File-Sharing Network

Malware Distribution (Most Infected Files Graph)

Page 19: Malware Prevalence in the Kazaa File-Sharing Network

Virus Propagation

- Many viruses disguise themselves as legit filenames.
  - Adobe Photoshop 10 full.exe
  - WinZip 8.1.exe
  - ICQ Lite (new).exe
- Many viruses use peers to propagate.
  - They are placed on folders used for file sharing.
- Some viruses don’t just use p2p for propagation.
  - Emails, web sites, messengers, etc.

Page 20: Malware Prevalence in the Kazaa File-Sharing Network

Virus Propagation (Breakdown Chart)

Page 21: Malware Prevalence in the Kazaa File-Sharing Network

Characteristics of Infected Hosts

- Krawler found 1,618 infected hosts in Feb 06.
- Krawler found 2,576 infected hosts in May 06.
  - 78 (about 5 percent) infected hosts were still infected since Feb!
- Many infected hosts were used for botnets, DoS attacks, and spam relaying.

Page 22: Malware Prevalence in the Kazaa File-Sharing Network

Characteristics of Infected Hosts (Attack Methods Chart)

Page 23: Malware Prevalence in the Kazaa File-Sharing Network

My Comments

Page 24: Malware Prevalence in the Kazaa File-Sharing Network

Strengths

- Identifies many types of viruses in the Kazaa network.
- Identifies the infected programs as well!
- Easy to understand and possibly implement.
  - So easy, a caveman can understand it!

Page 25: Malware Prevalence in the Kazaa File-Sharing Network

Weaknesses

- Only searched the Kazaa network.
  - How about BitTorrent, LimeWire, Morpheus, etc?
- Only searched .exe files.
  - Mp3 files can also be a problem (think RIAA).
- Experiments could have lasted a bit longer.
  - Feb 06 to May 06 is a little short.
  - How about conducting for 6 months or 1 year?

Page 26: Malware Prevalence in the Kazaa File-Sharing Network

Suggestions

- Scan viruses from other file extensions.
  - Mp3, mov, dll, doc, etc.
- Scan viruses from other P2P applications.
- Scan and filter out any dummy files from those RIAA and MPAA <explicit deleted>!

Page 27: Malware Prevalence in the Kazaa File-Sharing Network

Conclusion

- Piracy isn’t the only problem in Kazaa and other P2P networks.
  - We also have to worry about malware!
- Krawler does a very good job in finding malicious programs in Kazaa.
  - Also easy to understand!
- Would love Krawler to search for other file extensions and conduct longer experiments.

Page 28: Malware Prevalence in the Kazaa File-Sharing Network

Anti-Piracy PSA

Page 29: Malware Prevalence in the Kazaa File-Sharing Network

Piracy Hurts!

- Piracy not only hurts well-paid artists!
  - Hurts producers!
  - Hurts directors!
  - Hurts low paid workers!
  - Also hurts consumers!!!
    - Higher prices to counter lost sales.
- Piracy is not only wrong, it’s a CRIME!!!

PROPAGANDA WARNING!!!

Page 30: Malware Prevalence in the Kazaa File-Sharing Network

Put an end to piracy…

…use open source materials instead!

Find out more at Free Software Foundation and Creative Commons.