Kazaa Delivers More Than Tunes

[InfoSec News <isn () c4i org>]

http://www.wired.com/news/business/0,1367,61852,00.html

By Kim Zetter
Jan. 09, 2004

Forty-five percent of the executable files downloaded through Kazaa,
the most popular file-sharing program, contain malicious code like
viruses and Trojan horses, according to a new study.

Out of 4,778 files downloaded in one month, Bruce Hughes, director of
malicious code research at security firm TruSecure, found that nearly
half of them contained various types of nefarious code.

Some code was designed to infect every file in a computer user's Kazaa
download directory with a virus. Other code would steal the user's AOL
Instant Messenger password or install a program on their computer to
allow the attacker to surreptitiously send spam through it or
otherwise take over the machine remotely to steal personal data and
files on the computer.

Hughes said the code he found in shared files got there in one of
three ways: The person hosting the shared file embedded the malicious
code in a file on purpose; the code was a peer-to-peer worm designed
to scour the network and drop itself into download directories; or, in
the case of some viruses, once the user downloaded an infected file,
the malicious code automatically infected other files in the user's
file-share directory so that the user inadvertently infected the
computers of other users who downloaded those files.

Some 3 million users are logged onto Kazaa at any one time. Hughes
said this has made the file-sharing network increasingly attractive as
a channel for distributing malware.

According to the Wild List, a list that tracks viruses and worms that
are currently in circulation, the number of types of viruses
circulating through Kazaa increased 133 percent in 2003. In January,
the list recorded nine different viruses passing through Kazaa; at the
end of the year the number was up to 21.

Hughes used such keywords as "Britney Spears," "Microsoft XP," "nude"  
and "porn" to choose the files he downloaded on Kazaa, focusing on
some of the common files that users might share and the most popular
keywords placed in search engines. He looked only at executable files
-- program files that launch when a user double-clicks on them and
that usually end with .exe extensions in the file name. These are the
types of files that most often contain malicious code.

He said a lot of the malicious code he found was embedded in program
files that are designed to bypass or break copyright protections
placed on software files like Microsoft Office to allow users to share
pirated copies of the software.

So far, however, music, picture and movie files have not been infected
with malicious code, because they aren't executables, Hughes said. You
can't run them simply by clicking on them. You need to open them
through another program, such as a multi-media program like Real
Player.

Hughes said an attacker could trick a user into thinking a malicious
file is a music or movie file by changing the name of the file
extension to .wav (for music) or .jpg (for images). He also said that
it is possible for someone to eventually find a way to infect movie
and music files, but no one has discovered a vulnerability in these
files yet.

"It's one of the things that we worry about, though," said Hughes.

Hughes said that this year there will likely be a significant surge in
the amount of malware that is intentionally posted and unknowingly
shared on peer-to-peer file sharing networks.

Hughes said that 80 to 95 percent of the malicious code on Kazaa can
be detected with anti-virus software, depending on the detection
program. But he said that people often don't update their software
with current virus definitions.

They can also be infected if the malicious code is new and not yet
detected. And some malicious code is designed to shut down anti-virus
programs and firewalls if it does get past the detection programs.

"Organizations need to warn their employees about file-sharing
applications and the danger they pose to them at work and at home,"  
Hughes advised. "Anti-virus is one way to stop the stuff from
happening, but you also need policies in place to make sure employees
aren't using dangerous software like Kazaa."

He also said that parents should watch what their kids are downloading
and make sure they have updated anti-virus programs on their computer.

"You'll really need to be careful what you're doing," he said.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.