Bugtraq mailing list archives

RE: Infecting the KaZaA network?


From: "Andrew McClymont" <andrewmcclymont () d-link net>
Date: Thu, 7 Feb 2002 15:01:46 -0300

First of all, sorry for posting this subject in this list.  My English
is pretty ugly, I didn't realize it was the wrong place. I apologize.

The special thing about the kazaa install file is this:
"When kazaa detects a new version, probably querying the central server,
it prompts you if you want to upgrade.  Answer yes and automatically
KaZaA starts downloading the new version from some other user. Once
downloaded, the update is automatically executed. Kazaa has been
upgraded."

As others said, if you don't have an AV, you get what you deserve.  But,
big but, anyone can write virii stuff.  Just a few days of this infected
kazaa upgrade being shared and a great damage could be done.

All this is solved if KaZaA updates are crypto-secured. 
This way, the origin of the update can be verified against a certificate
authority (like VeriSign), and the contents can be verified if they have
been tampered with.  I don't know if FastTrack.nu is using this kind of
technology.  Actually no one in the list knows, either.
By the way, Morpheus is the same as kazaa, both use the fasttrack.nu
engine and network, just like bearshare and limewire use the same
gnutella network and technology. I think.

Maybe a fasttrack.nu insider could help us out here.

Hope it helps,
-andy

-----Original Message-----
From: Moorhouse, Walt P [mailto:WaltPMoorhouse () eaton com] 
Sent: Thursday, February 07, 2002 12:52 PM
To: 'Andrew McClymont'; bugtraq () securityfocus com
Cc: 'info () kazaa net'
Subject: RE: Infecting the KaZaA network?


Andrew,

That is indeed a frightening thought, and although I am not affiliated
with KaZaA in any way, I do have some input on the matter.  If anyone
from KaZaA or any other Bugtraqer can confirm or disprove this, please
post, as this is mostly speculation on my part.  :-)

First, let's look at downloading normal (non KaZaA install) files from
the network.  Say I search for "Cheesy Love Song" by "The Too Young to
Know Love Boyz".  In the search window KaZaA will display 1 entry with a
plus beside it that lists all users that have that song.  I can have
multiple songs with the same title, but different sizes (different rips,
or bitrates, etc.)  So my window might have:
    Song                           Size (kB)
[+] Cheesy Love - The Boyz         5,423
[+] Cheesy Love - The Boyz         5,674
[+] Cheesy_Luv - Da_Boyz           5,423

So, what we hope is that this same logic will apply to your trojaned
installer, and KaZaA will ignore it.

Second, let's assume that you found a way to make it think your trojaned
version is the real one.  There are thousands of users (or hundreds of
thousands as the case may be) online, so the chances of you being picked
are slim, unless you have a broadband connection. (I assume this isn't
totally random, but rather based on available bandwidth, etc.)

The question that I have is this: How does the KaZaA client know when an
update is out?  I read somewhere that KaZaA had started connecting to a
central server for some reason, and there was speculation this would be
their downfall.  I don't know if this was correct, or even if it was if
they still do that.  Anyway, if they DON'T connect to a central server
to tell it what the latest download is, theoretically you could create a
trojaned "update" by adding your trojan and changing the version number
to one higher than the current release.  If the network accepted this as
a valid update, it should propagate through the entire system (assuming
all users click the "Update" button when the dialog asks.)  That's what I
would be worried about.  One way around this would be putting some kind
of signature in the updates.  Maybe some hash of the version number,
file size, and a secret KaZaA key?  Maybe they already have something
like this in place.

Thoughts?

Walt Moorhouse

-----Original Message-----
From: Andrew McClymont [mailto:andrewmcclymont () d-link net]
Sent: Wednesday, February 06, 2002 3:11 PM

What happens if I infect the files under "My shared folder" with a virii
or some trojan, every user that gets their KaZaA client from my computer
gets screwed, right?  And then, the victim himself will be sharing the
KaZaA client infected to new victims.
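
An added sketch (not from the thread, and not KaZaA or FastTrack code) of the keyed-hash idea raised above: a tag computed over version number and file size alone still accepts an altered file of the same size, while a tag that also covers a digest of the contents rejects it. The key, version strings and installer bytes are constructed for the example; a secret shipped inside every client can be extracted, so the certificate-based signature suggested in the first message avoids distributing the signing key at all.

```python
import hashlib
import hmac

# Constructed demo key (assumption). A key embedded in every client can be
# extracted, which is why a public-key signature is the stronger design.
SECRET_KEY = b"constructed-demo-key-not-a-real-one"

def weak_tag(version: str, data: bytes) -> str:
    """Keyed hash over version number and file size only."""
    msg = f"{version}|{len(data)}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def strong_tag(version: str, data: bytes) -> str:
    """Same fields, plus a SHA-256 digest of the file contents."""
    digest = hashlib.sha256(data).hexdigest()
    msg = f"{version}|{len(data)}|{digest}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def verify(tag_fn, version: str, data: bytes, tag: str) -> bool:
    """Recompute the tag for the downloaded file; compare in constant time."""
    return hmac.compare_digest(tag_fn(version, data), tag)

def demo() -> dict:
    # Constructed sample installers: identical length, different contents.
    genuine = b"MZ" + b"\x00" * 62 + b"genuine installer body"
    altered = b"MZ" + b"\x00" * 62 + b"altered installer body"
    # Tags as the publisher would issue them for the genuine "1.5" release
    # (version numbers are constructed).
    weak = weak_tag("1.5", genuine)
    strong = strong_tag("1.5", genuine)
    return {
        "weak accepts genuine": verify(weak_tag, "1.5", genuine, weak),
        "weak accepts same-size altered": verify(weak_tag, "1.5", altered, weak),
        "strong accepts genuine": verify(strong_tag, "1.5", genuine, strong),
        "strong accepts same-size altered": verify(strong_tag, "1.5", altered, strong),
        "strong accepts bumped version": verify(strong_tag, "1.6", genuine, strong),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```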

