[ISN] Kazaa Delivers More Than Tunes

From: InfoSec News (isn@private)
Date: Mon Jan 12 2004 - 00:16:29 PST

  • Next message: InfoSec News: "[ISN] Wireless LAN worries"

    http://www.wired.com/news/business/0,1367,61852,00.html
    
    By Kim Zetter
    Jan. 09, 2004
    
    Forty-five percent of the executable files downloaded through Kazaa,
    the most popular file-sharing program, contain malicious code like
    viruses and Trojan horses, according to a new study.
    
    Out of 4,778 files downloaded in one month, Bruce Hughes, director of
    malicious code research at security firm TruSecure, found that nearly
    half of them contained various types of nefarious code.
    
    Some code was designed to infect every file in a computer user's Kazaa
    download directory with a virus. Other code would steal the user's AOL
    Instant Messenger password or install a program on their computer to
    allow the attacker to surreptitiously send spam through it or
    otherwise take over the machine remotely to steal personal data and
    files on the computer.
    
    Hughes said the code he found in shared files got there in one of
    three ways: The person hosting the shared file embedded the malicious
    code in a file on purpose; the code was a peer-to-peer worm designed
    to scour the network and drop itself into download directories; or, in
    the case of some viruses, once the user downloaded an infected file,
    the malicious code automatically infected other files in the user's
    file-share directory so that the user inadvertently infected the
    computers of other users who downloaded those files.
    
    Some 3 million users are logged onto Kazaa at any one time. Hughes
    said this has made the file-sharing network increasingly attractive as
    a channel for distributing malware.
    
    According to the Wild List, a list that tracks viruses and worms that
    are currently in circulation, the number of types of viruses
    circulating through Kazaa increased 133 percent in 2003. In January,
    the list recorded nine different viruses passing through Kazaa; at the
    end of the year the number was up to 21.
    
    Hughes used such keywords as "Britney Spears," "Microsoft XP," "nude"  
    and "porn" to choose the files he downloaded on Kazaa, focusing on
    some of the common files that users might share and the most popular
    keywords placed in search engines. He looked only at executable files
    -- program files that launch when a user double-clicks on them and
    that usually end with .exe extensions in the file name. These are the
    types of files that most often contain malicious code.
    
    He said a lot of the malicious code he found was embedded in program
    files that are designed to bypass or break copyright protections
    placed on software files like Microsoft Office to allow users to share
    pirated copies of the software.
    
    So far, however, music, picture and movie files have not been infected
    with malicious code, because they aren't executables, Hughes said. You
    can't run them simply by clicking on them. You need to open them
    through another program, such as a multi-media program like Real
    Player.
    
    Hughes said an attacker could trick a user into thinking a malicious
    file is a music or movie file by changing the name of the file
    extension to .wav (for music) or .jpg (for images). He also said that
    it is possible for someone to eventually find a way to infect movie
    and music files, but no one has discovered a vulnerability in these
    files yet.
    
    "It's one of the things that we worry about, though," said Hughes.
    
    Hughes said that this year there will likely be a significant surge in
    the amount of malware that is intentionally posted and unknowingly
    shared on peer-to-peer file sharing networks.
    
    Hughes said that 80 to 95 percent of the malicious code on Kazaa can
    be detected with anti-virus software, depending on the detection
    program. But he said that people often don't update their software
    with current virus definitions.
    
    They can also be infected if the malicious code is new and not yet
    detected. And some malicious code is designed to shut down anti-virus
    programs and firewalls if it does get past the detection programs.
    
    "Organizations need to warn their employees about file-sharing
    applications and the danger they pose to them at work and at home,"  
    Hughes advised. "Anti-virus is one way to stop the stuff from
    happening, but you also need policies in place to make sure employees
    aren't using dangerous software like Kazaa."
    
    He also said that parents should watch what their kids are downloading
    and make sure they have updated anti-virus programs on their computer.
    
    "You'll really need to be careful what you're doing," he said.
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Jan 12 2004 - 02:51:47 PST