RE: Infecting the KaZaA network?

From: Andrew McClymont (andrewmcclymont@d-link.net)
Date: Thu Feb 07 2002 - 10:01:46 PST


    First of all, sorry for posting this subject in this list.  My English
    is pretty ugly, I didn't realize it was the wrong place. I apologize.
    
    The special thing about the kazaa install file is this:
    "When kazaa detects a new version, probably querying the central server,
    it prompts you if you want to upgrade.  Answer yes and automatically
    KaZaA starts downloading the new version from some other user. Once
    downloaded, the update is automatically executed. Kazaa has been
    upgraded."
    
    As others said, if you don't have an AV, you get what you deserve.  But,
    big but, anyone can write virii stuff.  Just a few days of this infected
    kazaa upgrade being shared and a great damage could be done.
    
    All this is solved if KaZaA updates are crypto-secured. 
    This way, the origin of the update can be verified against a certificate
    authority (like verisign), and the contents can be verified if they have
    been tampered with.  I don't know if FastTrack.nu is using this kind of
    technology.  Actually no one in the list knows, either.
    By the way, Morpheus is the same as kazaa, both use the fasttrack.nu
    engine and network, just like bearshare and limewire use the same
    gnutella network and technology. I think.
    
    Maybe a fasttrack.nu insider could help us out here.
    
    Hope it helps,
    -andy
    
    -----Original Message-----
    From: Moorhouse, Walt P [mailto:WaltPMoorhouseat_private] 
    Sent: Thursday, February 07, 2002 12:52 PM
    To: 'Andrew McClymont'; bugtraqat_private
    Cc: 'infoat_private'
    Subject: RE: Infecting the KaZaA network?
    
    
    Andrew,
    
    That is indeed a frightening thought, and although I am not affiliated
    with KaZaA in any way, I do have some input on the matter.  If anyone
    from KaZaA or any other Bugtraqer can confirm or disprove this, please
    post, as this is mostly speculation on my part.  :-)
    
    First, let's look at downloading normal (non KaZaA install) files from
    the network.  Say I search for "Cheesy Love Song" by "The Too Young to
    Know Love Boyz".  In the search window KaZaA will display 1 entry with a
    plus beside it that lists all users that have that song.  I can have
    multiple songs with the same title, but different sizes (different rips,
    or bitrates, etc.)  So my window might have:
        Song                           Size (kB)
    [+] Cheesy Love - The Boyz         5,423
    [+] Cheesy Love - The Boyz         5,674
    [+] Cheesy_Luv - Da_Boyz           5,423
    
    So, what we hope is that this same logic will apply to your trojaned
    installer, and KaZaA will ignore it.
    
    Second, let's assume that you found a way to make it think your trojaned
    version is the real one.  There are thousands of users (or hundreds of
    thousands as the case may be) online, so the chances of you being picked
    are slim, unless you have a broadband connection. (I assume this isn't
    totally random, but rather based on available bandwidth, etc.)
    
    The question that I have is this: How does the KaZaA client know when an
    update is out?  I read somewhere that KaZaA had started connecting to a
    central server for some reason, and there was speculation this would be
    their downfall.  I don't know if this was correct, or even if it was if
    they still do that.  Anyway, if they DON'T connect to a central server
    to tell it what the latest download is, theoretically you could create a
    trojaned "update" by adding your trojan and changing the version number
    to one higher than the current release.  If the network accepted this as
    a valid update, it should propagate through the entire system (assuming
    all users click the "Update" button when the dialog asks.)  That's what I
    would be worried about.  One way around this would be putting some kind
    of signature in the updates.  Maybe some hash of the version number,
    file size, and a secret KaZaA key?  Maybe they already have something
    like this in place.
    
    Thoughts?
    
    Walt Moorhouse
    
    -----Original Message-----
    From: Andrew McClymont [mailto:andrewmcclymont@d-link.net]
    Sent: Wednesday, February 06, 2002 3:11 PM
    
    What happens if I infect the files under "My shared folder" with a virii
    or some trojan, every user that gets their KaZaA client from my computer
    gets screwed, right?  And then, the victim himself will be sharing the
    infected KaZaA client with new victims.
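
The thread above leaves open how a "crypto-secured" update (Andy's suggestion) or a "signature in the updates" (Walt's suggestion) would actually be checked on the client before it executes something downloaded from a random peer. The following is an added example written for this archive page; it is not code from either poster, from KaZaA or from FastTrack.nu, and the manifest layout, field names and the choice of Ed25519 are assumptions made for the illustration. It shows the distinction that matters for Walt's idea: a hash over version, size and a secret key is a MAC, and every client would have to carry that secret to check it, so anyone who pulled it out of their own client could forge updates; a public-key signature keeps the private key on the vendor's release machine and ships only the public key in the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest is the metadata a client receives with an update package.
// The layout is constructed for this example; it is not the FastTrack format.
type UpdateManifest struct {
	Version    uint32   // release number; must exceed the running client's version
	Size       uint64   // installer length in bytes
	PayloadSHA [32]byte // SHA-256 of the installer bytes
	Signature  []byte   // Ed25519 signature over the three fields above
}

var (
	ErrBadSignature    = errors.New("update: signature does not verify against the vendor public key")
	ErrNotNewer        = errors.New("update: version is not newer than the installed client")
	ErrPayloadMismatch = errors.New("update: downloaded installer does not match the signed manifest")
)

// signedBytes serialises the signed fields in a fixed order so that signer
// and verifier agree on exactly what the signature covers.
func signedBytes(m UpdateManifest) []byte {
	buf := make([]byte, 4+8+32)
	binary.BigEndian.PutUint32(buf[0:4], m.Version)
	binary.BigEndian.PutUint64(buf[4:12], m.Size)
	copy(buf[12:], m.PayloadSHA[:])
	return buf
}

// NewVendorKeys stands in for the vendor's release-signing key pair
// (hypothetical). Only the public half would ever ship inside the client.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate runs on the vendor's release machine, which holds the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, installer []byte) UpdateManifest {
	m := UpdateManifest{
		Version:    version,
		Size:       uint64(len(installer)),
		PayloadSHA: sha256.Sum256(installer),
	}
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// VerifyUpdate runs in the client before it executes anything fetched from a
// peer. It needs only the public key, so nothing a peer can extract from their
// own copy of the client lets them produce a manifest that passes this check.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m UpdateManifest, installer []byte) error {
	if !ed25519.Verify(pub, signedBytes(m), m.Signature) {
		return ErrBadSignature // forged or edited manifest
	}
	if m.Version <= installed {
		return ErrNotNewer // replay of an older genuine release
	}
	if uint64(len(installer)) != m.Size || sha256.Sum256(installer) != m.PayloadSHA {
		return ErrPayloadMismatch // genuine manifest, swapped installer bytes
	}
	return nil
}

func main() {
	pub, priv := NewVendorKeys()
	const installed = 170 // version the client is currently running (constructed)

	genuine := []byte("constructed stand-in for the v171 installer")
	m := SignUpdate(priv, 171, genuine)
	fmt.Println("genuine v171:       ", VerifyUpdate(pub, installed, m, genuine))

	// A peer serves the genuine manifest but a different installer file.
	swapped := []byte("constructed stand-in for a tampered installer")
	fmt.Println("swapped installer:  ", VerifyUpdate(pub, installed, m, swapped))

	// A peer rebuilds the manifest for the swapped file with a higher version
	// number, but has no private key, so the copied signature no longer matches.
	forged := UpdateManifest{Version: 999, Size: uint64(len(swapped)),
		PayloadSHA: sha256.Sum256(swapped), Signature: m.Signature}
	fmt.Println("forged manifest:    ", VerifyUpdate(pub, installed, forged, swapped))

	// A peer re-serves a genuine but older release to push clients backwards.
	old := SignUpdate(priv, 169, genuine)
	fmt.Println("old genuine release:", VerifyUpdate(pub, installed, old, genuine))
}
```

The version check is the part Walt's "hash of the version number, file size, and a secret key" would also need: a signature alone proves the vendor produced the package at some point, not that it is newer than what the client is already running, so an old but genuine release could otherwise be pushed back out over the network.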
    
    This archive was generated by hypermail 2b30 : Thu Feb 07 2002 - 12:39:34 PST