The Dangers of File Sharing Programs (P2P - Peer-To-Peer)

The following discussion appears in http://www.sans.org/top20/  

“Peer to Peer File Sharing Programs (P2P) are used by a rapidly growing user base. These applications are used to download, and distribute many types of data (e.g. music, video, graphics, text, source code, and proprietary information to name a few). P2P applications have a number of legitimate uses, including the distribution of OpenSource/GPL binaries, ISO images of bootable Linux distributions, independent artists' creations, and even commercial media such as film trailers and game previews. Other times, the data is either of a questionable nature or is copyrighted. With the legal troubles experienced by Napster, the majority of these P2P programs now operate through a distributed network of clients, sharing directories of files or entire hard drives of data. Users can enter search parameters through the client software, and then one or more channels of communication are opened between participants as the client software contacts other network participants to locate the desired file. Clients participate by downloading files from other users, making their data available to others, and in some models by functioning as super-nodes which can coordinate searches for multiple users.  

Peer-to-Peer communication consists of get requests, replies, and file transfers. A participant can concurrently perform multiple downloads while also serving multiple uploads. Searches for content can use almost any text string the user can conceive. Most of these programs currently use default ports, but can automatically or manually be set to use different ports if necessary to circumvent detection, firewalls, or egress filters. The trend seems to be moving towards the use of http wrappers to more easily bypass corporate restrictions. The multithreaded nature of searches and transfers can generate significant traffic on densely populated LANS and can completely saturate WAN links.

A number of vulnerabilities exist when using P2P software. They can be categorized into three types:

Ø      Technical vulnerabilities are those that can be exploited remotely.

Ø      Social vulnerabilities are those that are exploited by altering or masquerading binary content that others request.

Ø      Legal vulnerabilities are those that can result from copyright infringement or objectionable material.

Technical vulnerabilities are those that can be exploited remotely and may result simply from a user downloading, installing, and running a program. These range from Denial of Service to arbitrary file access, and should be taken very seriously. Of serious concern are the privacy and confidentiality issues that P2P applications can cause. Many of these applications include "spyware" or "adware" components that can consume even more bandwidth as they report web-surfing habits back to their makers. A poorly configured P2P client can provide unauthenticated access to your entire network by sharing mapped drives through the P2P application. There is little to no restriction on the type of data files that can be shared. Compromise of confidential information, intellectual property, and other data can result.

Social vulnerabilities exist when a malicious or previously infected user creates or alters a file to resemble something desired by another user. Virii, Trojan horse programs, worms, and other malware can result. The victim of such attacks is usually the less technical user, who will "double-click" a file without noticing that the extension or icon is not what is normally associated with the data type, or that can be duped into launching an executable. Regardless of the nature of the content downloaded, users must use current anti-virus software to scan the downloads. Whenever possible, checksums should be validated to ensure that what is downloaded is what the user wanted and what the creator intended. P2P mechanisms can also used to propagate malicious code, with a number of viruses spreading by masquerading as desirable P2P content and storing themselves in the shared content folder of infected clients. P2P traffic can also tunnel command and control traffic to compromised machines (zombies.)

Legal vulnerabilities must be taken seriously by both the corporate user and the home user. Content available through P2P applications includes copyrighted music, movies, and program files. Organizations including the MPAA, RIAA, and BSA are all actively seeking to put an end to the copyright infringement occurring through P2P networks. Subpoenas for user id's, injunctions, and civil suits have all been brought in courts across the country. The success of these efforts, or lack thereof, and the morality or immorality of downloading such material must all be secondary to the costs for a company to respond to and defend against allegations of wrongdoing. Pornographic content is also widely available through the P2P networks. Whether such material is legal in your jurisdiction or not is irrelevant if a sexual harassment lawsuit is brought against your company because an employee downloaded material using a company computer that another employee found offensive.

Spyware and P2P Programs

A June 2004 FTC press release highlighted the risk that P2P programs bundle "unwanted software ... including spyware." An internal document from Kazaa's chief technology officer revealed Kazaa's awareness of these risks, including many Kazaa employees apparently unwilling to install Kazaa's own software. Kazaa’s license agreement you are to read and OK is 182 pages long! All told, when you install Kazaa, you also get these programs and icons: Cydoor, GAIN, Instafinder, My Search Toolbar, Skype, Your Free Casino Chips and Play Poker Now.

There is a recent study of the top current P2P programs and which ones actually contain Spyware within the program installation at http://www.benedelman.org…  Programs compared are LimeWire, iMesh, Morpheus, eDonkey and Kazaa. Of the five programs, only LimeWire was found to have no bundled Spyware software. LimeWire 4.0 includes a guarantee that users will get no bundled software when they download this new version, continuing its tradition of not utilizing spyware. Lime Wire LLC was founded in June 2000 and currently has 2.5 million unique users monthly. For more information, visit the company’s website at www.limewire.com or www.limewire.org.

BitTorrent, the beloved file-sharing client and protocol that provides a way around bandwidth bottlenecks, has become the newest distribution vehicle for adware/spyware bundles. Public peer-to-peer networks have always been associated with adware program distributions, but BitTorrent, the program created by Bram Cohen to offer a new approach to sharing digital files, has managed to avoid the stigma. Not any more, anti-spyware advocates warn. Because BitTorrent strips digital files into tiny shreds and reassembles them locally once a user completes a download, it has emerged as the perfect place to bundle adware programs among the bits, without the end user ever knowing. A BitTorrent user downloading a movie clip only becomes aware of the associated adware after the files are reassembled. At that stage, when the user attempts to load the reassembled file, he or she is greeted by an installation notice for an adware bundle distributed by MMG, a Canadian company that specializes in P2P network marketing .BitTorrent is currently "overwhelmed" with multimedia files rigged with adware bundles, adding that the file sizes vary from 3MB to 175MB. 6/15/05 - http://www.eweek.com…

Spyware Trail Leads to Kazaa, Big Advertisers

March 21, 2006   By Ryan Naraine

http://www.eweek.com/print_article2/0,1217,a=174020,00.asp

The StopBadware.org coalition, funded by Google, has listed the Kazaa file-sharing application at the top of a list of noxious software programs that present a threat to business and consumer users. The coalition, which counts Sun Microsystems and Lenovo among its sponsors, will recommend in its inaugural Badware Report that users stay away from Kazaa and three other programs that can be combined with Trojans and bots for use in data theft attacks.

Adware and spyware programs that come bundled with peer-to-peer applications present a huge security risk to corporate networks, and StopBadware.org says Kazaa's claim to be spyware-free cannot be trusted.

"[Kazaa] does not completely remove all components during the uninstall process, interferes with computer use, and makes undisclosed modifications to other software," the group said in the report, which is scheduled for release on March 22.

In addition to Kazaa, StopBadware.org said computer users should stay away SpyAxe, a rogue anti-spyware program; MediaPipe, a download manager that offers access to media content; and Waterfalls 3, a screensaver utility.

In Kazaa's case, the report said the P2P agent comes bundled with several annoying and potentially dangerous adware and spyware programs, including TopSearch, AltNet Peer Points manager, BullGuard P2P, Cydoor, The Best Offers, InstaFinder and RX Toolbar.

Some of these third-party software applications cannot be closed by the average user and, in some cases, the uninstallation process does not eliminate all components related to Kazaa and its bundled programs, the report said.

After the uninstaller was run, the coalition's testers found that executables and system components still remained, including the Kazaa Plus Installer. Additionally, the group found that Kazaa and its bundled applications added new links to the Windows Desktop without disclosure during the installation process.

InstaFinder, one of the applications bundled with Kazaa, even changed the default 404 page and DNS (Domain Name System) error pages in Internet Explorer without disclosing the modification to the user, the group said.

The report also recommends that Sharman Networks, the company that distributes Kazaa, stop claiming that the software is spyware-free and ensure that Kazaa is not bundled with programs that cannot be closed by the user.

Sharman is also urged to remove all executables, system components and registry keys during the uninstall process and to notify the user about changes to the desktop and other software modifications.

Big advertisers fund adware

MediaPipe, which is distributed by London-based Net Publican, also found a place on the badware list because it does not fully disclose what it is installing, does not completely remove all components and "obligations" during the uninstall process, and modifies other software without disclosure, the coalition said.

SpyAxe, which is regularly flagged by anti-virus researchers as a dangerous malware threat, also made the list because it fails to uninstall completely, is difficult to exit without purchasing the full version of the product, interferes with computer use and modifies other software without disclosure.

The group also warned that Waterfalls 3 from Screensaver.com is a potential spyware threat that is bundled with a Trojan-like program and modifies other software without disclosure.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

The release of the StopBadware.org report comes on the heels of a report from the Washington-based CDT (Center for Democracy and Technology) that identified several large, well-respected companies that are helping to fund the virulent spread of unwanted and potentially harmful adware by paying for advertisements generated by those programs.

The CDT report, here in PDF format, titled "Following the Money: How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can Be Done to Reverse the Trend," shows how major advertisers take advantage of a complicated network of middlemen to advertise products and services though pop-ups and other ads generated by adware.

According to CDT deputy director Ari Schwartz, the Center contacted 18 advertisers that had advertisements served by 180Solutions, a company that is being sued for unfair and deceptive practices, to ask if those businesses had any policies that address nuisance or harmful adware.

Ziff Davis Media eSeminars invite: Learn to proactively shield your organizations against threats at all tiers of the network, Symantec will show you how, live on March 21 at 4 p.m. ET. Sponsored by Symantec.

Schwartz said 11 of the 18 companies did not respond, and identified them as NetZero, People PC, Altrec, Waterfront Media, LetsTalk.com, uBid, GreetingCards.com, True.com, PerfectMatch, Club Med Americas and ProFlowers.

The CDT report also reported on discussions with some companies that did respond to the questions, including Netflix and eHarmony.

Anti-spyware critic and security researcher Ben Edelman has also published findings on advertisers that use 180Solutions, including several screenshots that show pop-up advertising from the list of advertisers mentioned in the CDT report.

P2P and Pornographic movie downloads

P2P is not just about free Music - Today, 35% of all peer-to-peer downloads are related to pornographic material.  This equates to approximately 1.5 billion pornographic file downloads every month.  When children access a pornographic website, usually what they end up viewing is a number of still photographs of objectionable material.  The really bad stuff, the most graphic material, is usually not available unless it is purchased with a credit card.  With peer-to-peer file sharing, children can download a free triple-x rated movie full of hard-core pornography.  What's more, even if you have an Internet filter installed, most likely the filter will let this material right on through. Once a purchased hard-core movie is made available on someone's PC, it can spread very quickly.  Even though Napster is in bankruptcy, the Private Media Group (sex mogul from Spain ) offered $2.4 million to purchase Napster and it's original 70 million users to turn Napster into a pornographic peer-to-peer network. Below is a snapshot of the Limewire program showing the free pornographic movies anyone can download for free:

More young people are sharing music files with everyone else over the Internet resulting in a growing danger. Can all types of file (extensions) be corrupted with virus or malicious code?

Some people think they can avoid problems by only downloading files with “safe” extensions. The problem is the issue of double extensions. To make your viewing easier, Windows offers the option of turning off the viewing of file extensions. If you do that, files with double extensions can easily fool you. Most everyone has been conditioned, for example, that the extension .TXT is safe as it indicates a pure text file. But, with extensions turned off - if someone sends you a file named BAD.TXT.VBS you will only see BAD.TXT. If you've forgotten that extensions are actually turned off you might think this is a text file and open it. Instead, this is really an executable Visual Basic Script file and could do serious damage. For now you should always have viewing extensions turned on. Right-click on START and select EXPLORE and then select TOOLS – FOLDER OPTIONS. Select the "View" tab and then scroll down and UNCHECK the "Hide file extensions for known file types." Click OK. With this move you will now see extensions in file directory windows and other Microsoft programs like Outlook will pick up the option.

For a list of file extensions and whether they can be infected with mischief,

see: http://www.cknow.com/vtutor/vtextensions.htm

Last I heard though, music files cannot be infected, right?

Well, yes and no: the actual music file cannot be infected, it seems that .mp3 extensions can contain macrocode that WMP and Realplayer will interpret and run - not directly but indirectly. This is why I never download anything in Windows Media format, not .WMA, not .ASF, not .WMV. Microsoft, in their "infinite" wisdom, designed their DRM (Digital Rights Management) so that media files could request a license and direct you to a specific web site. All a hacker has to do is setup a bogus web site, then create WMV's etc which point to it. Regarding MP3s, in theory you can get infected by them but it's more theoretical than anything. What I heard was that someone found a way to cause an MP3 to hack Winamp; all the people using Windows Media Player etc are immune. And, even with Winamp, all you have to do is make sure you're running the latest version and this hack won't work. Because it's so easy to avoid, I don't think anyone's really tried to spread viruses via MP3s.

DRM Background: The new Media Player 10 software incorporates Microsoft's new Windows Digital Rights Management, also known as Janus. Previously, if you belonged to a subscription-based music service, you could access your music collection only while at your PC, says Erin Cullen, lead product manager with Microsoft's DMD division. With Janus, you'll be able to transfer that content to your Portable Media Center or to another handheld device such as your MP3 player. When your subscription expires, the DRM technology will automatically make the content unavailable. Napster will be the first music service to use Janus, which will roll out first in Portable Media Center devices. But expect to see the DRM scheme extended to existing handhelds as well as to upcoming devices.

Cyber-criminals Use P2P Tools for Identity Theft, Security Analyst Warns 

By Chris Preimesberger  June 23, 2006

http://www.eweek.com/article2/0,1895,1980963,00.asp

EAST PALO ALTO, Calif.—Cyber-criminals are multiplying quickly and becoming more sophisticated in the ways in which they take advantage of unwitting Internet individual users and companies, a nationally recognized cyber-security specialist told an SD Forum seminar audience June 22.

And peer-to-peer networks such as Limewire, Kazaa, Grokster and others aren't helping to quell the increase in crimes committed via the Internet, he said.

"It used to be only burglaries from people's homes and businesses," said Howard Schmidt, a former cyber-security adviser to the Bush administration, former chief information security officer at Microsoft and eBay, and now a principal in R&H Security Consulting in Issaquah , Wash.

"Those still happen, of course, but now, it's so much more lucrative to break into people's online information and steal someone's identity, that a lot of bad people around the world are spending an awful lot of time learning to do it."

Schmidt, a co-architect of the national cyber-security policy presented to the president's Critical Infrastructure Protection Board in 2003 by himself and then-Homeland Security Secretary Tom Ridge , prefers to call the Internet the "Evernet" and points to careless or ignorant use of P2P applications as a major part of the current identity theft problem.

The term Evernet has been used to describe the convergence of wireless, broadband and Internet telephony technologies that will result in people's ability to be continuously connected to the Web anywhere using virtually any information device.

"We are connected today like we've never been connected before," Schmidt said.

"We depend on the Evernet like nothing we have before. And nobody—I repeat—nobody has privacy. Ever opened one of those offers to see your free credit report? If you haven't, do it. You may be surprised to find what's in there, whether it's right or wrong. And you're not the only one who can get to it, either. It's amazing how much information is available to anybody who really wants to look for it."

People who use P2P applications to download music, software, photos and other items may leave themselves wide open to identity theft by simply being unaware of their computer settings. It's like leaving the front door wide open for a burglar, Schmidt said.

"For example, one woman's credit-card information was found in such disparate places as Troy , Mich. , Tobago , Slovenia , and a dozen other places. Why? We found that the 'shared' folder in her music-downloading application was in fact making readily available her entire 'My Documents' folder to that app's entire P2P audience, 24 hours per day," Schmidt said.

Cyber-criminals are becoming more sophisticated about how to use search—especially within these P2P apps, Schmidt said.

"We're not just searching for music," Schmidt said with a laugh.

Simply by typing in common search terms such as "bank May statement," "stop payment," and others in Limewire's search function, for example, valuable personal information is often getting into the wrong hands, enabling cyber-looting.

Another problem area involves online health records, Schmidt said.

"In one case of this sort, a criminal searched for and found 117,000 medical-record passwords—just by knowing how to search in a P2P app on the Web," Schmidt said.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub.

Medical records by their very nature contain a great deal of information besides a person's health and medicine history; they include addresses, phone numbers, Social Security numbers, payment information, insurance information and much more, he said.

What can be done about closing these online security gaps?

Schmidt said there is a five-point national program in place for securing cyberspace:

·        a national cyberspace task force to track virus creators around the world;

·        a Threat and Vulnerability Reduction Program aimed at developers, "so that they will become more aware of writing tighter code and self-healing applications that will eventually be able to take care of these problems by themselves," Schmidt said;

·        a national awareness and training program, to teach people how to be more cognizant of their own security issues;

·        a Secure Government Systems program that works with U.S. government value-added resellers to raise awareness of these issues; and

·        an international cooperation program for all of the above.

"There are now an estimated 840 million regular users of the Evernet," Schmidt said.

"It'll be up to 1 billion by next year. All those users can't do their security all by themselves—they need all the help they can get."