Malware Prevalence in the Kazaa File-Sharing Network

Authors: Seungwon Shin, Jaeyeon Jung, and Hari Balakrishnan
Internet Measurement Conference 2006
Presented by: Arun Krishnamurthy

The Outline
- Intro and problems of Kazaa
  - How Kazaa works? Problem isn’t just piracy?
- Krawler: The Kazaa Web Crawler
  - What does it do? How does it work?
- Experimentation and Results
  - What nasty stuff did Krawler find? How did they propagate?
- My Comments
  - What was good? What was bad? How to improve?

Let’s talk Kazaa!

Intro to Kazaa
- A file sharing software created in 2000 by Sharman Networks. [1]
- Main program contains spyware/adware.
  - Variations of Kazaa do not contain malware.
- Uses supernodes to search for a file.
  - Unlike Napster that uses a centralized server for searching.

[1] Wikipedia

Centralized Server Searching (Like Napster)
[Diagram: Peers 1 to 6 and a peer labelled "Pirate" around a Main Server. Labels: "I want “A Pirates Life for me”!", "Peer 6 has “A Pirates Life for me”", "“A Pirates Life for me.mp3”".]

Supernodes Searching (Like Kazaa)
[Diagram: a peer labelled "Hook" searching through supernodes. Labels: "I want Peter Pan movie", "Hook wants Peter Pan movie" (twice), "Alligator has Peter Pan movie!", "LAWSUI’D!!!", "404’D!".]

Problems with Kazaa
- The problem isn’t just piracy!
- We also have to worry about malware!!!
  - Malware created by malicious peers to attack other peers’ computers.
  - Dummy files created by RIAA and MPAA to track and sue illegal uploaders/downloaders!

Krawler: A Kazaa Web Crawler

What’s a Crawler?
- A web crawler is a program or automated script which browses the World Wide Web in a methodical, automated manner. [1]

[1] Wikipedia

[Diagram: a Web Crawler (Spider) and the World Wide Web. Labels: "Give me data!", "Data".]

Krawler: A Kazaa Crawler
- Browses Kazaa in search of malicious programs.
- Two components:
  - Dispatcher
    - Maintains list of Supernodes.
  - Fetcher
    - Communicates with dispatcher.
    - Updates a set of supernodes to crawl.
    - Sends query strings to individual supernodes.

Krawler: A Kazaa Crawler (Basic Idea)
- Begin with a set of IP addresses of 200 known supernodes and a set of query strings associated with the files being sought.
- Try to connect to each supernode.
  - If failed, then wait next round to get IP address.
  - If connected, exchange handshake message with supernode.
- Retrieve a supernode refresh list consisting of 200 supernode IP addresses. Save list in dispatcher.
- Send out a set of queries to each supernode and wait for responses. Download any matches and scan for viruses.
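
The round structure described above, as an added simulation that is not code from the paper or the presentation. `FakeSupernode`, `Dispatcher`, `fetch_round`, the addresses and the file lists are constructed for illustration; nothing touches a network, and retrying a failed supernode in the following round is one reading of the slide.

```python
class FakeSupernode:
    """Constructed in-memory stand-in for a supernode; no network traffic."""
    def __init__(self, up, refresh_list, shared_files):
        self.up, self.refresh_list, self.shared_files = up, refresh_list, shared_files

    def handshake(self):
        if not self.up:
            raise ConnectionError("supernode unreachable")
        return list(self.refresh_list)      # addresses of other supernodes

    def query(self, text):
        return [f for f in self.shared_files if text.lower() in f.lower()]

class Dispatcher:
    """Maintains the list of supernodes for the fetcher to crawl."""
    def __init__(self, seeds):
        self.known = set(seeds)
        self.failed = set()                 # to be retried next round

    def record(self, addr, refresh_list=None):
        if refresh_list is None:
            self.failed.add(addr)
        else:
            self.failed.discard(addr)
            self.known.update(refresh_list)

def fetch_round(dispatcher, network, queries):
    """One round: connect, save the refresh list, send queries, collect matches."""
    matches = []
    for addr in sorted(dispatcher.known):   # snapshot: new nodes wait a round
        try:
            refresh = network[addr].handshake()
        except ConnectionError:
            dispatcher.record(addr)
            continue
        dispatcher.record(addr, refresh)
        for q in queries:
            matches += [(addr, name) for name in network[addr].query(q)]
    return matches                          # these would be downloaded and scanned

def run_two_rounds():
    """Constructed three-node network; the second seed is down in round one."""
    net = {"198.51.100.1": FakeSupernode(True, ["198.51.100.3"], ["WinZip 8.1.exe"]),
           "198.51.100.2": FakeSupernode(False, [], ["ICQ Lite (new).exe"]),
           "198.51.100.3": FakeSupernode(True, [], ["winzip_setup.exe", "notes.txt"])}
    d = Dispatcher(["198.51.100.1", "198.51.100.2"])
    first = fetch_round(d, net, ["winzip", "icq"])
    net["198.51.100.2"].up = True           # comes back before round two
    return first, fetch_round(d, net, ["winzip", "icq"]), sorted(d.known), d.failed
```

Round one reaches only the first seed and learns a third address from its refresh list; round two covers all three supernodes, including the one that failed earlier.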

Experimentation and Results

Collecting Data
- Three machines used:
  - 2.1 GHz Dual Core CPU w/ 1 GB RAM
  - 2.1 GHz CPU w/ 1.5 GB RAM
  - 1.42 GHz CPU w/ 1 GB RAM
- Allowed Crawler to investigate 60K files/hour.
- Two Measurement Methods:
  - Query Strings
  - Virus Signatures

Collecting Data (Query Strings)
- File information is only limited to file names that matched query string.
- Many viruses create multiple copies with different legit file names to increase chances of being downloaded.
- Only .exe files are investigated.

Collecting Data (Virus Signatures)
- In 2002, security vendor sites have found more than 200 viruses propagating from P2P.
  - Krawler has 71 content hashes of these viruses.
- Kazaa content hash is 20 bytes in size.
  - First 16 bytes for MD5 signature.
  - Last 4 bytes for length of file.
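
How the two measurement inputs combine when scanning query responses, as an added example rather than Krawler's own code: only `.exe` names are kept and the 20-byte content hash is matched against a signature set. The big-endian length field, the signature name, the hashes and the addresses are constructed assumptions.

```python
import struct
from collections import defaultdict
from hashlib import md5

def make_content_hash(payload: bytes) -> bytes:
    """Constructed stand-in hash: 16-byte MD5, then a 4-byte length.
    Big-endian is an assumption; the slides give no byte order."""
    return md5(payload).digest() + struct.pack(">I", len(payload))

def split_content_hash(content_hash: bytes):
    """Return (md5_part, file_length) from a 20-byte content hash."""
    if len(content_hash) != 20:
        raise ValueError("content hash must be 20 bytes")
    return content_hash[:16], struct.unpack(">I", content_hash[16:])[0]

def scan_responses(responses, signatures):
    """responses: (host, filename, content_hash) tuples from query replies.
    signatures: {content_hash: name}. Returns hosts, names and size per match."""
    found = defaultdict(lambda: {"hosts": set(), "names": set(), "size": None})
    for host, name, chash in responses:
        if not name.lower().endswith(".exe"):
            continue                      # only .exe files are investigated
        try:
            _, length = split_content_hash(chash)
        except ValueError:
            continue                      # malformed reply, skip it
        virus = signatures.get(chash)     # all 20 bytes must match
        if virus is not None:
            found[virus]["hosts"].add(host)
            found[virus]["names"].add(name)
            found[virus]["size"] = length
    return dict(found)

# Constructed sample data: placeholder payloads, documentation-range addresses.
BAD = make_content_hash(b"constructed malicious payload")
CLEAN = make_content_hash(b"constructed clean installer")
SIGNATURES = {BAD: "ExampleWorm.A"}       # hypothetical signature name
RESPONSES = [
    ("192.0.2.10", "Adobe Photoshop 10 full.exe", BAD),
    ("192.0.2.10", "WinZip 8.1.exe", BAD),            # same content, new name
    ("192.0.2.77", "ICQ Lite (new).exe", BAD),
    ("192.0.2.77", "WinZip 8.1.exe", CLEAN),          # no signature match
    ("192.0.2.90", "song.mp3", BAD),                  # not .exe, skipped
    ("192.0.2.91", "setup.exe", BAD[:16] + b"\x00\x00\x00\x01"),  # length differs
    ("192.0.2.92", "game.exe", BAD[:12]),             # truncated hash
]
if __name__ == "__main__":
    for virus, info in scan_responses(RESPONSES, SIGNATURES).items():
        print(virus, sorted(info["hosts"]), sorted(info["names"]), info["size"])
```

Matching on the content hash groups the three differently named copies under one signature, which a filename-only comparison would count as three unrelated files.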

Malware Distribution
- Krawler has found 45 viruses in Feb 06 and 52 viruses in May 06.
- SdDrop infected the most number of clients!
- ICQ and Trillian had the highest chance of being infected (over 70%)!

Malware Distribution (Top 10 Viruses Graph)

Malware Distribution (Most Infected Files Graph)

Virus Propagation
- Many viruses disguise themselves as legit filenames.
  - Adobe Photoshop 10 full.exe
  - WinZip 8.1.exe
  - ICQ Lite (new).exe
- Many viruses use peers to propagate.
  - They are placed on folders used for file sharing.
- Some viruses don’t just use p2p for propagation.
  - Emails, web sites, messengers, etc.

Virus Propagation (Breakdown Chart)

Characteristics of Infected Hosts
- Krawler found 1,618 infected hosts in Feb 06.
- Krawler found 2,576 infected hosts in May 06.
  - 78 (about 5 percent) infected hosts were still infected since Feb!
- Many infected hosts were used as botnets, DoS attacks, and spam relaying.

Characteristics of Infected Hosts (Attack Methods Chart)

My Comments

Strengths
- Identifies many types of viruses in the Kazaa network.
- Identifies the infected programs as well!
- Easy to understand and possibly implement.
  - So easy, a caveman can understand it!

Weaknesses
- Only searched the Kazaa network.
  - How about BitTorrent, LimeWire, Morpheus, etc?
- Only searched .exe files.
  - Mp3 files can also be a problem (think RIAA).
- Experiments could have lasted a bit longer.
  - Feb 06 to May 06 is a little short.
  - How about conducting for 6 months or 1 year?

Suggestions
- Scan viruses from other file extensions.
  - Mp3, mov, dll, doc, etc.
- Scan viruses from other P2P applications.
- Scan and filter out any dummy files from those RIAA and MPAA <explicit deleted>!

Conclusion
- Piracy isn’t the only problem in Kazaa and other P2P networks.
  - We also have to worry about malware!
- Krawler does a very good job in finding malicious programs in Kazaa.
  - Also easy to understand!
- Would love Krawler to search for other file extensions and conduct longer experiments.

Anti-Piracy PSA

Piracy Hurts!
- Piracy not only hurts well-paid artists!
  - Hurts producers!
  - Hurts directors!
  - Hurts low paid workers!
  - Also hurts consumers!!!
    - Higher prices to counter lost sales.
- Piracy is not only wrong, it’s a CRIME!!!

PROPAGANDA WARNING!!!

Put an end to piracy…
…use open source materials instead!
Find out more at Free Software Foundation and Creative Commons.