Self-Replication Using Gnutella

[advisory+gnutella () BOS BINDVIEW COM (Seth McGann)]

Self-Replication Using Gnutella
Team RAZOR - Seth McGann <smcgann () razor bindview com>
5/09/00

Remember the game telephone? Yeah, you know...someone whispers something to you, and you're __supposed__ to whisper 
that to
someone else, and so on and so on? And the guy at the end of the chain got a whisper that sounded nothing like the 
original
whisper. Well, Gnutella is similar in many ways.

--- Excerpt from Gnutella homepage (emphasis added)

  Gnutella is a protocol recently re-released after a brief period with no official home.  Now at a new domain and back 
under
official development, Gnutella is poised to revolutionize media distribution.  Along with its new method of media 
distribution
it provides some interesting routes for abuse.  In light of the recent "ILOVEYOU" worm, and general rekindling of public
interest in worm design, here is another potential vector that may soon be used by to distribute malicious content.

=Protocol Overview

Alice:   A user searching for a file.
Bob:     A user who has the file Alice wants.
Carl:      A user who has the file Alice wants (behind firewall).
Mallory: A malicious user.

  The key component of Gnutella is a piece of software dubbed a "servent" by the designers.  This servent both accepts 
and
sends Gnutella messages.  When a user wants to join the network, he picks a few known hosts from a seed list provided 
by the
Gnutella web site and connects.  The user could also create a private Gnutella network with no exterior connections 
(remember
no centralization).  All that is needed for this subset to become a part of the larger public GnutellaNet is a single
connection:

A --> (GnutellaNet) <-- B <-- | Firewall | <-- C <-- (Other Servents)

  Each servent has a unique 128-bit identifier that is used to determine which packets should be forwarded.  Discovery 
of
hosts is done both actively and passively.  Passive discovery occurs when Alice recovers hosts from the packets she is
routing.  Active discovery occurs when Alice sends out a "ping" packet.  This ping elicits a "pong" containing the IP 
address
and port of every servent that receives it.  Searching for content is conducted as follows:

(1) Alice generates a "query" packet and forwards to all her connections.
(2) Each recipient searches its local database, decrements TTL and forwards to each of its connection.
(3) Bob receives the packet, and replies with a "query-reply" containing his IP address and port.
(4) These packets are forwarded back along the search path eventually returning to Alice.
(5) On receipt of the response, Alice attempts to initiate a direct connection with Bob and transfer the file.
(6) In the event that she cannot connect for some reason (perhaps Carl has the file instead of Bob) a "push-request"
    containing Alice's IP address and port is sent by Alice.
(7) On receipt of this packet, Carl will attempt to create an outbound connection to Alice to transfer the file, 
circumventing
    the firewall.

For further information on the protocol see the Gnutella homepage [1], but this should be sufficient to understand the
following attacks.

=Attacks

=Self Replicating Servents

  The most significant problem is that there is no way to verify the source or contents of a message.  A particularly 
nasty
attack is for Mallory (a servent attached to GnutellaNet in an arbitrary location) to simply respond to all query 
packets.
This results spoofing attack is a known issue covered in the Knowbuddy FAQ [2] and is conducted as follows:

(1) Alice generates a query packet and forwards.
(2) Mallory receives one of these packets and responds with a query-reply.
(3) If Alice decides to pick the reply provided by Mallory she will receive potentially malicious content.

This content could be an executable containing a trojan horse, such as BO2K [3].  A more sinister payload would be to 
create a
trojan that when executed attaches to the GnutellaNet.  Once attached to the net, it would respond to all queries and 
provide
itself as the content. To increase the probability of Alice executing the file, it would be renamed to something 
containing
the original query.  For instance, a search for "crack" would elicit a reply of "crack.zip".  Other extensions could 
also be
used besides ".zip" and ".exe".  A Winamp ".pls" file exploiting an overflow in Winamp could be used for example. With 
source
code available for both Windows and *nix servents, creating a self-propagating servent is trivial.  The worm could even 
update
itself using GnutellaNet to distribute signed updates in a manner similar to the "wormnet" described in Michael 
Zalewski's "I
don't think I really love you" post.
  What is disturbing here is the combination of low accountability and trust of the individual servents.  In a web, 
ftp, or
email transaction if malicious content is discovered on a server the administrator can be notified.  On Napster [4], if 
a user
is distributing malicious content, his account can be disabled.  If removal was not possible, at the very least a 
warning
could be posted regarding a particular site or Napster user.  With Gnutella anyone can attach to the network and provide
malicious content tailored to specific search requests with relatively small chance of detection. The IP address of each
transaction could be recorded, as Zeropaid [5] has done with their listing of people attempting to retrieve child 
pornography.
The official servent does not display IP addresses.  In addition, Mallory only has to infect one host and the infection 
will
spread automatically.   Once victims begin executing the content the GnutellaNet can be used to mask the interactions 
with the
victims.  In most traditional backdoors, a direct connection is required between the attacker and the victim.  With 
Gnutella,
no direct connection is needed for a bi-directional channel.
  The most obvious covert channel for controlling these rogue servents is already being used to allow chatting among 
Gnutella
users:

(1) Alice and Bob both turn on their search monitors (which display all the queries passing through them.
(2) When Alice wants to talk she searches for the chat message ("Hi Bob!").
(3) Bob will see this query appear in his monitor.  He then searches for the reply ("Hi Alice").

  Another stealthier channel is the 128-bit GUID.  This would allow relatively undetectable signaling between Mallory 
and her
rouge servents.  There are several other fields available but queries and GUIDs are the most significant.

==Man in the Middle Attacks

  There are two flavors of man in the middle attacks. For these to work, Mallory has to be in the path between Alice 
and Bob
(or Carl).  The first attack goes as follows:

(1) Alice generates a query packet and Bob responds.
(2) Mallory receives one of these query-reply packets and rewrites it with her IP address and port instead of Bob's.
(3) Alice receives Mallory's reply first.
(4) Alice decides to download the content but connects to Mallory instead of Bob.
(5) Mallory downloads the original content from Bob, infects it and passes I on to Alice.

  The second attack relies on push-request interception:

(1) Alice generates a query packet and Carl responds.
(2) Alice attempts to connect but Carl is firewalled, so she generates a push-request.
(3) Mallory intercepts the push-request and resends with her IP address and port.
(4) Carl connects to Mallory and transfers his content.
(5) Mallory connects to Alice and provides the modified content.

=Gnutella Port Scanner

  If Mallory wants to check what ports on a given host are accessible she can perform the following steps:

(1) Alice sends a query and Bob responds with a query-reply.
(2) Mallory rewrites the query-reply passing through to point at the IP address and port to be scanned.
(3) Since most likely the port is not listening, Alice will generate a push-request.
(4) If the port happens to be listening and is not running the Gnutella service, no push-request will be generated.
(5) Mallory repeats the process several times to make sure she has an accurate determination of the port's state.

  Using this procedure a network can be slowly scanned using servents.  This process will generate a significant amount 
of
noise, which can be used to decoy another attack.  Another way to generate Gnutella noise is for Mallory to send pong 
packets
with the IP address of hosts she wants others to attempt to connect to.  Each servent receiving her pong will add these 
to its
table of potential hosts.  As servents exhaust their host tables these entries will be tried eventually resulting in 
spurious
connections to a given network.

=Conclusions

  Gnutella is gaining popularity quickly and has already been featured in several mass media outlets.  As it stands now 
it
provides an almost ideal environment for the spread of self-replicating malicious agents with the additional bonus of
providing anonymous control.  With full source available, parties previously unable to craft a worm of their own now 
have a
robust framework to build on.

=References

-1- - Gnutella Homepage - http://gnutella.wego.com
-2- - Knowbuddy FAQ - http://www.rixsoft.com/Knowbuddy/gnutellafaq.html
-3- - Back Orifice 2000 - http://www.bo2k.com
-4- - Napster - http://www.napster.com
-5- - Zeropaid - http://www.zeropaid.com/busted/