malware prevalence in the kazaa file sharing network
Skip this Video
Download Presentation
Malware Prevalence in the Kazaa File-Sharing Network

Loading in 2 Seconds...

play fullscreen
1 / 30

Malware Prevalence in the Kazaa File-Sharing Network - PowerPoint PPT Presentation

  • Uploaded on

Malware Prevalence in the Kazaa File-Sharing Network. Authors: Seungwon Shin, Jaeyeon Jung, and Hari Balakrishnan Internet Measurement Conference 2006 Presented by: Arun Krishnamurthy. The Outline. Intro and problems of Kazaa How Kazaa works? Problem isn’t just piracy?

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Malware Prevalence in the Kazaa File-Sharing Network' - thalia

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
malware prevalence in the kazaa file sharing network

Malware Prevalence in the Kazaa File-Sharing Network


Seungwon Shin,

Jaeyeon Jung,

and Hari Balakrishnan

Internet Measurement Conference 2006

Presented by:

Arun Krishnamurthy

the outline
The Outline
  • Intro and problems of Kazaa
    • How Kazaa works? Problem isn’t just piracy?
  • Krawler: The Kazaa Web Crawler
    • What does it do? How does it work?
  • Experimentation and Results
    • What nasty stuff did Krawler find? How did they propagate?
  • My Comments
    • What was good? What was bad? How to improve?
intro to kazaa
Intro to Kazaa
  • A file sharing software created in 2000 by Sherman Networks.1
  • Main program contains spyware/adware.
    • Variations of Kazaa do not contain malware.
  • Uses supernodes to search for a file.
    • Unlike Napster that uses a centralized server for searching.

1 Wikipedia

centralized server searching like napster
Centralized Server Searching(Like Napster)

Peer 6 has “A Pirates Life for me”

Peer 6

Peer 1

Main Server

“A Pirates Life for me.mp3”

I want “A Pirates Life for me”!

Peer 2

Peer 5

Peer 4

Peer 3


supernodes searching like kazaa
Supernodes Searching(Like Kazaa)


Hook wants Peter Pan movie

I want Peter Pan movie

Hook wants Peter Pan movie


Alligator has Peter Pan movie!


problems with kazaa
Problems with Kazaa
  • The problem isn’t just piracy!
  • We also have to worry about malware!!!
    • Malware created by malicious peers to attack other peers’ computers.
    • Dummy files created by RIAA and MPAA to track and sue illegal uploaders/downloaders!
what s a crawler
What’s a Crawler?
  • A web crawler is a program or automated script which browses the World Wide Web in a methodical, automated manner1.

Give me data!


Web Crawler (Spider)

World Wide Web

1 Wikipedia

krawler a kazaa crawler
Krawler: A Kazaa Crawler
  • Browses Kazaa in search of malicious programs.
  • Two components:
    • Dispatcher
      • Maintains list of Supernodes.
    • Fetcher
      • Communicates with dispatcher.
      • Updates a set of supernodes to crawl.
      • Sends query strings to individual supernodes.
krawler a kazaa crawler basic idea
Krawler: A Kazaa Crawler(Basic Idea)
  • Begin with a set of IP addresses of 200 known supernodes and a set of query strings associated with the seeking files.
  • Try to connect to each supernode.
    • If failed, then wait next round to get IP address.
    • If connected, exchange handshake message with supernode.
  • Retrieve a supernode refresh list consisting of 200 supernode IP addresses. Save list in dispatcher.
  • Send out a set of queries to each supernode and wait for responses. Download any matches and scan for viruses.
collecting data
Collecting Data
  • Three machines used:
    • 2.1GHZ Dual Core CPU w/ 1GB RAM
    • 2.1 GHZ CPU w/ 1.5GB RAM
    • 1.42 GHZ CPU w/ 1 GB RAM
  • Allowed Crawler to investigate 60K files/hour.
  • Two Measurement Methods:
    • Query Strings
    • Virus Signatures
collecting data query strings
Collecting Data(Query Strings)
  • File information is only limited to file names that matched query string.
  • Many viruses create multiple copies with different legit file names to increase chances of being downloaded.
  • Only .exe files are investigated.
collecting data virus signatures
Collecting Data(Virus Signatures)
  • In 2002, security vendor sites have found more than 200 viruses propagating from P2P.
    • Krawler has 71 content hashes of these viruses.
  • Kazaa content hash is 20 bytes in size.
    • First 16 bytes for MD5 signature.
    • Last 4 bytes for length of file.
malware distribution
Malware Distribution
  • Krawler has found 45 viruses in Feb 06 and 52 viruses in May 06.
  • SdDrop infected the most number of clients!
  • ICQ and Trillian had the highest chance of being infected (over 70%)!
virus propagation
Virus Propagation
  • Many viruses disguise themselves as legit filenames.
    • Adobe Photoshop 10 full.exe
    • WinZip 8.1.exe
    • ICQ Lite (new).exe
  • Many viruses use peers to propagate.
    • They are placed on folders used for file sharing.
  • Some viruses don’t just use p2p for propagation.
    • Emails, web sites, messengers, etc.
characteristics of infected hosts
Characteristics of Infected Hosts
  • Krawler found 1,618 infected hosts in Feb 06.
  • Krawler found 2,576 infected hosts in May 06.
    • 78 (about 5 percent) infected hosts were still infected since Feb!
  • Many infected hosts were used as botnets, DoS attacks, and spam relaying.
  • Identifies many types of viruses in the Kazaa network.
  • Identifies the infected programs as well!
  • Easy to understand and possibly implement.
    • So easy, a caveman can understand it!
  • Only searched the Kazaa network.
    • How about BitTorrent, LimeWire, Morpheus, etc?
  • Only searched .exe files.
    • Mp3 files can also be a problem (think RIAA).
  • Experiments could have lasted a bit longer.
    • Feb 06 to May 06 is a little short.
    • How about conducting for 6 months or 1 year ?
  • Scan viruses from other file extensions.
    • Mp3, mov, dll, doc, etc.
  • Scan virues from other P2P applications.
  • Scan and filter out any dummy files from those RIAA and MPAA <explicit deleted>!
  • Piracy isn’t the only problem in Kazaa and other P2P networks.
    • We also have to worry about malware!
  • Krawler does a very good job in finding malicious programs in Kazaa.
    • Also easy to understand!
  • Would love Krawler to search for other file extensions and conduct longer experiments.
piracy hurts
Piracy Hurts! 
  • Piracy not only hurts well-paid artists!
    • Hurts producers!
    • Hurts directors!
    • Hurts low paid workers!
    • Also hurts consumers!!!
      • Higher prices to counter lost sales.
  • Piracy is not only wrong, it’s a CRIME!!!



Put an end to piracy…

…use open source materials instead!

Find out more at Free Software Foundation and Creative Commons.