Malware Prevalence in the Kazaa File-Sharing Network

1
Malware Prevalence in the Kazaa File-Sharing
Network

• Authors
• Seungwon Shin,
• Jaeyeon Jung,
• and Hari Balakrishnan
• Internet Measurement Conference 2006
• Presented by
• Arun Krishnamurthy

2
The Outline

• Intro and problems of Kazaa
• How Kazaa works? Problem isnt just piracy?
• Krawler The Kazaa Web Crawler
• What does it do? How does it work?
• Experimentation and Results
• What nasty stuff did Krawler find? How did they
  propagate?
• My Comments
• What was good? What was bad? How to improve?

3
Lets talk Kazaa!
4
Intro to Kazaa

• A file sharing software created in 2000 by
  Sherman Networks.1
• Main program contains spyware/adware.
• Variations of Kazaa do not contain malware.
• Uses supernodes to search for a file.
• Unlike Napster that uses a centralized server for
  searching.

1 Wikipedia
5
Centralized Server Searching(Like Napster)
Peer 6 has A Pirates Life for me
Peer 6
Peer 1
Main Server
A Pirates Life for me.mp3
I want A Pirates Life for me!
Peer 2
Peer 5
Peer 4
Peer 3
Pirate
6
Supernodes Searching(Like Kazaa)
404D!
Hook wants Peter Pan movie
I want Peter Pan movie
Hook wants Peter Pan movie
Hook
Alligator has Peter Pan movie!
LAWSUID!!!
7
Problems with Kazaa

• The problem isnt just piracy!
• We also have to worry about malware!!!
• Malware created by malicious peers to attack
  other peers computers.
• Dummy files created by RIAA and MPAA to track and
  sue illegal uploaders/downloaders!

8
Krawler A Kazaa Web Crawler
9
Whats a Crawler?

• A web crawler is a program or automated script
  which browses the World Wide Web in a methodical,
  automated manner1.

Give me data!
Data
Web Crawler (Spider)
World Wide Web
1 Wikipedia
10
Krawler A Kazaa Crawler

• Browses Kazaa in search of malicious programs.
• Two components
• Dispatcher
• Maintains list of Supernodes.
• Fetcher
• Communicates with dispatcher.
• Updates a set of supernodes to crawl.
• Sends query strings to individual supernodes.

11
Krawler A Kazaa Crawler(Basic Idea)

• Begin with a set of IP addresses of 200 known
  supernodes and a set of query strings associated
  with the seeking files.
• Try to connect to each supernode.
• If failed, then wait next round to get IP
  address.
• If connected, exchange handshake message with
  supernode.
• Retrieve a supernode refresh list consisting of
  200 supernode IP addresses. Save list in
  dispatcher.
• Send out a set of queries to each supernode and
  wait for responses. Download any matches and scan
  for viruses.

12
Experimentation and Results
13
Collecting Data

• Three machines used
• 2.1GHZ Dual Core CPU w/ 1GB RAM
• 2.1 GHZ CPU w/ 1.5GB RAM
• 1.42 GHZ CPU w/ 1 GB RAM
• Allowed Crawler to investigate 60K files/hour.
• Two Measurement Methods
• Query Strings
• Virus Signatures

14
Collecting Data(Query Strings)

• File information is only limited to file names
  that matched query string.
• Many viruses create multiple copies with
  different legit file names to increase chances of
  being downloaded.
• Only .exe files are investigated.

15
Collecting Data(Virus Signatures)

• In 2002, security vendor sites have found more
  than 200 viruses propagating from P2P.
• Krawler has 71 content hashes of these viruses.
• Kazaa content hash is 20 bytes in size.
• First 16 bytes for MD5 signature.
• Last 4 bytes for length of file.

16
Malware Distribution

• Krawler has found 45 viruses in Feb 06 and 52
  viruses in May 06.
• SdDrop infected the most number of clients!
• ICQ and Trillian had the highest chance of being
  infected (over 70)!

17
Malware Distribution(Top 10 Viruses Graph)
18
Malware Distribution(Most Infected Files Graph)
19
Virus Propagation

• Many viruses disguise themselves as legit
  filenames.
• Adobe Photoshop 10 full.exe
• WinZip 8.1.exe
• ICQ Lite (new).exe
• Many viruses use peers to propagate.
• They are placed on folders used for file sharing.
• Some viruses dont just use p2p for propagation.
• Emails, web sites, messengers, etc.

20
Virus Propagation(Breakdown Chart)
21
Characteristics of Infected Hosts

• Krawler found 1,618 infected hosts in Feb 06.
• Krawler found 2,576 infected hosts in May 06.
• 78 (about 5 percent) infected hosts were still
  infected since Feb!
• Many infected hosts were used as botnets, DoS
  attacks, and spam relaying.

22
Characteristics of Infected Hosts(Attack Methods
Chart)
23
My Comments
24
Strengths

• Identifies many types of viruses in the Kazaa
  network.
• Identifies the infected programs as well!
• Easy to understand and possibly implement.
• So easy, a caveman can understand it!

25
Weaknesses

• Only searched the Kazaa network.
• How about BitTorrent, LimeWire, Morpheus, etc?
• Only searched .exe files.
• Mp3 files can also be a problem (think RIAA).
• Experiments could have lasted a bit longer.
• Feb 06 to May 06 is a little short.
• How about conducting for 6 months or 1 year ?

26
Suggestions

• Scan viruses from other file extensions.
• Mp3, mov, dll, doc, etc.
• Scan virues from other P2P applications.
• Scan and filter out any dummy files from those
  RIAA and MPAA ltexplicit deletedgt!

27
Conclusion

• Piracy isnt the only problem in Kazaa and other
  P2P networks.
• We also have to worry about malware!
• Krawler does a very good job in finding malicious
  programs in Kazaa.
• Also easy to understand!
• Would love Krawler to search for other file
  extensions and conduct longer experiments.

28
Anti-Piracy PSA
29
Piracy Hurts! ?

• Piracy not only hurts well-paid artists!
• Hurts producers!
• Hurts directors!
• Hurts low paid workers!
• Also hurts consumers!!!
• Higher prices to counter lost sales.
• Piracy is not only wrong, its a CRIME!!!

PROPAGANDA WARNING!!!
30
Put an end to piracy
use open source materials instead!
Find out more at Free Software Foundation and
Creative Commons.