Malware prevalence in the kazaa file sharing network
This presentation is the property of its rightful owner.
Sponsored Links
1 / 30

Malware Prevalence in the Kazaa File-Sharing Network PowerPoint PPT Presentation


  • 53 Views
  • Uploaded on
  • Presentation posted in: General

Malware Prevalence in the Kazaa File-Sharing Network. Authors: Seungwon Shin, Jaeyeon Jung, and Hari Balakrishnan Internet Measurement Conference 2006 Presented by: Arun Krishnamurthy. The Outline. Intro and problems of Kazaa How Kazaa works? Problem isn’t just piracy?

Download Presentation

Malware Prevalence in the Kazaa File-Sharing Network

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Malware prevalence in the kazaa file sharing network

Malware Prevalence in the Kazaa File-Sharing Network

Authors:

Seungwon Shin,

Jaeyeon Jung,

and Hari Balakrishnan

Internet Measurement Conference 2006

Presented by:

Arun Krishnamurthy


The outline

The Outline

  • Intro and problems of Kazaa

    • How Kazaa works? Problem isn’t just piracy?

  • Krawler: The Kazaa Web Crawler

    • What does it do? How does it work?

  • Experimentation and Results

    • What nasty stuff did Krawler find? How did they propagate?

  • My Comments

    • What was good? What was bad? How to improve?


Let s talk kazaa

Let’s talk Kazaa!


Intro to kazaa

Intro to Kazaa

  • A file sharing software created in 2000 by Sherman Networks.1

  • Main program contains spyware/adware.

    • Variations of Kazaa do not contain malware.

  • Uses supernodes to search for a file.

    • Unlike Napster that uses a centralized server for searching.

1 Wikipedia


Centralized server searching like napster

Centralized Server Searching(Like Napster)

Peer 6 has “A Pirates Life for me”

Peer 6

Peer 1

Main Server

“A Pirates Life for me.mp3”

I want “A Pirates Life for me”!

Peer 2

Peer 5

Peer 4

Peer 3

Pirate


Supernodes searching like kazaa

Supernodes Searching(Like Kazaa)

404’D!

Hook wants Peter Pan movie

I want Peter Pan movie

Hook wants Peter Pan movie

Hook

Alligator has Peter Pan movie!

LAWSUI’D!!!


Problems with kazaa

Problems with Kazaa

  • The problem isn’t just piracy!

  • We also have to worry about malware!!!

    • Malware created by malicious peers to attack other peers’ computers.

    • Dummy files created by RIAA and MPAA to track and sue illegal uploaders/downloaders!


Krawler a kazaa web crawler

Krawler: A Kazaa Web Crawler


What s a crawler

What’s a Crawler?

  • A web crawler is a program or automated script which browses the World Wide Web in a methodical, automated manner1.

Give me data!

Data

Web Crawler (Spider)

World Wide Web

1 Wikipedia


Krawler a kazaa crawler

Krawler: A Kazaa Crawler

  • Browses Kazaa in search of malicious programs.

  • Two components:

    • Dispatcher

      • Maintains list of Supernodes.

    • Fetcher

      • Communicates with dispatcher.

      • Updates a set of supernodes to crawl.

      • Sends query strings to individual supernodes.


Krawler a kazaa crawler basic idea

Krawler: A Kazaa Crawler(Basic Idea)

  • Begin with a set of IP addresses of 200 known supernodes and a set of query strings associated with the seeking files.

  • Try to connect to each supernode.

    • If failed, then wait next round to get IP address.

    • If connected, exchange handshake message with supernode.

  • Retrieve a supernode refresh list consisting of 200 supernode IP addresses. Save list in dispatcher.

  • Send out a set of queries to each supernode and wait for responses. Download any matches and scan for viruses.


Experimentation and results

Experimentation and Results


Collecting data

Collecting Data

  • Three machines used:

    • 2.1GHZ Dual Core CPU w/ 1GB RAM

    • 2.1 GHZ CPU w/ 1.5GB RAM

    • 1.42 GHZ CPU w/ 1 GB RAM

  • Allowed Crawler to investigate 60K files/hour.

  • Two Measurement Methods:

    • Query Strings

    • Virus Signatures


Collecting data query strings

Collecting Data(Query Strings)

  • File information is only limited to file names that matched query string.

  • Many viruses create multiple copies with different legit file names to increase chances of being downloaded.

  • Only .exe files are investigated.


Collecting data virus signatures

Collecting Data(Virus Signatures)

  • In 2002, security vendor sites have found more than 200 viruses propagating from P2P.

    • Krawler has 71 content hashes of these viruses.

  • Kazaa content hash is 20 bytes in size.

    • First 16 bytes for MD5 signature.

    • Last 4 bytes for length of file.


Malware distribution

Malware Distribution

  • Krawler has found 45 viruses in Feb 06 and 52 viruses in May 06.

  • SdDrop infected the most number of clients!

  • ICQ and Trillian had the highest chance of being infected (over 70%)!


Malware distribution top 10 viruses graph

Malware Distribution(Top 10 Viruses Graph)


Malware distribution most infected files graph

Malware Distribution(Most Infected Files Graph)


Virus propagation

Virus Propagation

  • Many viruses disguise themselves as legit filenames.

    • Adobe Photoshop 10 full.exe

    • WinZip 8.1.exe

    • ICQ Lite (new).exe

  • Many viruses use peers to propagate.

    • They are placed on folders used for file sharing.

  • Some viruses don’t just use p2p for propagation.

    • Emails, web sites, messengers, etc.


Virus propagation breakdown chart

Virus Propagation(Breakdown Chart)


Characteristics of infected hosts

Characteristics of Infected Hosts

  • Krawler found 1,618 infected hosts in Feb 06.

  • Krawler found 2,576 infected hosts in May 06.

    • 78 (about 5 percent) infected hosts were still infected since Feb!

  • Many infected hosts were used as botnets, DoS attacks, and spam relaying.


Characteristics of infected hosts attack methods chart

Characteristics of Infected Hosts(Attack Methods Chart)


My comments

My Comments


Strengths

Strengths

  • Identifies many types of viruses in the Kazaa network.

  • Identifies the infected programs as well!

  • Easy to understand and possibly implement.

    • So easy, a caveman can understand it!


Weaknesses

Weaknesses

  • Only searched the Kazaa network.

    • How about BitTorrent, LimeWire, Morpheus, etc?

  • Only searched .exe files.

    • Mp3 files can also be a problem (think RIAA).

  • Experiments could have lasted a bit longer.

    • Feb 06 to May 06 is a little short.

    • How about conducting for 6 months or 1 year ?


Suggestions

Suggestions

  • Scan viruses from other file extensions.

    • Mp3, mov, dll, doc, etc.

  • Scan virues from other P2P applications.

  • Scan and filter out any dummy files from those RIAA and MPAA <explicit deleted>!


Conclusion

Conclusion

  • Piracy isn’t the only problem in Kazaa and other P2P networks.

    • We also have to worry about malware!

  • Krawler does a very good job in finding malicious programs in Kazaa.

    • Also easy to understand!

  • Would love Krawler to search for other file extensions and conduct longer experiments.


Anti piracy psa

Anti-Piracy PSA


Piracy hurts

Piracy Hurts! 

  • Piracy not only hurts well-paid artists!

    • Hurts producers!

    • Hurts directors!

    • Hurts low paid workers!

    • Also hurts consumers!!!

      • Higher prices to counter lost sales.

  • Piracy is not only wrong, it’s a CRIME!!!

PROPAGANDA WARNING!!!


Malware prevalence in the kazaa file sharing network

Put an end to piracy…

…use open source materials instead!

Find out more at Free Software Foundation and Creative Commons.


  • Login