Security

Targeted Worm Hits Kazaa's Network

sh0rtie writes: "Kaspersky Labs and the BBC are reporting that the Fasttrack network that Kazaa uses has been hit by its first targeted worm virus dubbed 'Benjamin.' Is this a clever RIAA creation or that of a mischievous virus writer? I guess we will never know, but the result is that it seems to be bringing unsuspecting users' machines to a crawl with full hard drives and clogging up the Fasttrack network with massive amounts of traffic bringing more headaches for ISPs and sysadmins worldwide."

  • of all days.... (Score:5, Interesting)

    by jeffy124 ( 453342 ) on Monday May 20, 2002 @04:45PM (#3553453) Homepage Journal
    the day the secret Kazaa/Brilliant network came to life [com.com] is the day that this worm gets let loose.
  • by cybrpnk2 ( 579066 ) on Monday May 20, 2002 @04:51PM (#3553513) Homepage
    Some very scary research has been aimed at discovering just how fast a worm could infect the entire Internet. This is the so-called Warhol worm [berkeley.edu], so named because instead of getting 15 minutes of fame, it would only take 15 minutes to infect the entire internet. If some nut combines a Warhol worm with a Kazaa worm, we are in deep trouble.
  • by hether ( 101201 ) on Monday May 20, 2002 @04:51PM (#3553524)
    The BBC reported this earlier today:
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_1998000/1998686.stm [bbc.co.uk]

    I agree with the idea that the RIAA would definitely have motive when it came to a worm like this, or some random RIAA supporter. Good thing most intelligent people quit using Kazaa a long time ago, or for sure when they found out about the spyware.
  • by tekBuddha ( 546826 ) <jemNO@SPAMunixmercenary.com> on Monday May 20, 2002 @04:52PM (#3553528) Homepage
    From the article:

    "In addition to eating up free disk space Benjamin takes additional actions: under the name of the infected computer's owner it opens an anonymous web site from which it displays advertising banners. This way Benjamin's creator profits by the resulting increase in advertising displays."

    Wouldn't it make sense then that you could track the creators of the worm to whomever is collecting the payout of these banner ads or am I misunderstanding how it's working?

  • Using P2P (Score:3, Interesting)

    by tswinzig ( 210999 ) on Monday May 20, 2002 @04:52PM (#3553534) Journal
    Big whoop. P2P becomes the latest transport mechanism for viruses. It's not exploiting a hole in Kazaa, it's just sharing a folder with virus-infected executables labeled with intriguing names that are likely to be downloaded by Kazaa users.

    If these users are then dumb enough to run an executable file they download from an unknown source, they will be infected.

    Wow.
  • Infected? (Score:5, Interesting)

    by rkent ( 73434 ) <rkent@post.harvard.eYEATSdu minus poet> on Monday May 20, 2002 @04:54PM (#3553556)
    Okay, so... who's infected? any slashdotters get the

    "Error:
    Access error #03A:94574: Invalid pointer operation
    File possibly corrupted."

    message yet? If so, what did you do to clean up? Neither of the 2 articles gives a very good indication of that; I guess I'd start by deleting \windows\system32\explorer.scr and \windows\temp\Sys32, and removing these registry keys:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

    [HKEY_LOCAL_MACHINE\Software\Microsoft] "syscod"="0065D7DB20008306B6A1"

    Seems like that should keep it from spreading, but that won't prevent a reinfection. Oh well; at least there's a popup notice when you get infected. That's nice.

    Looks like fasttrack users (kazaa, morpheus, AND grokster) are catching on... about 1/5 as many users on as usual for this time of day. And before you flame me as a pirate, I only trade Simpsons episodes which aren't available for sale yet :)
  • by Aexia ( 517457 ) on Monday May 20, 2002 @05:01PM (#3553620)
    Yes, quite irresponsible. After all, when has the RIAA ever done anything malicious [slashdot.org] to innocent computer users' systems?
  • Cons-piracy theory (Score:4, Interesting)

    by Kirby-meister ( 574952 ) on Monday May 20, 2002 @05:02PM (#3553626)
    A lot of people will probably put this on the RIAA/other copyright crusaders, but I see P2P networks as a huge market for propagating virii and sending people trojans.

    Large file-sharing networks like Kazaa have birthmarks in the shapes of bull's-eyes.

  • by Restil ( 31903 ) on Monday May 20, 2002 @05:02PM (#3553631) Homepage
    But if banner ads which will profit the creator of the virus are posted on every single infected computer... how hard would it be really to follow the money to find the author of the worm?

    Or was I the first one to read the article? :)

    -Restil
  • ...hyperlink?? (Score:2, Interesting)

    by skinfitz ( 564041 ) on Monday May 20, 2002 @05:08PM (#3553687) Journal
    ...I don't know what happened to the hyperlink there - here is the link in text form:

    http://online.securityfocus.com/archive/1/254627/2002-05-17/2002-05-23/1

    And another try at a hyperlink [securityfocus.com].
  • by bigmouth_strikes ( 224629 ) on Monday May 20, 2002 @05:08PM (#3553690) Journal
    "This event once again demonstrates the necessity to filter all incoming files for viruses, regardless of how well protected this or any other network is. Before use all data should be run through a mandatory check for virus code using the latest virus database update," commented Denis Zenkin, Kaspersky Labs Head of Corporate Communications.
    Gee, I'm so grateful for Kaspersky Labs that they provide this valuable information. They only forgot to add

    "If you refer to this article, we'll give you $5 rebate off your next virus update purchase." added Zenkin with a smile.

    As much as we need the anti-virus software, the anti-virus companies need the virus makers. Without a worm or a virus that makes CNN headlines every 6 months, people will forget to buy updates, patches etc etc. The public forgets quickly, and will not buy new products from the AV companies if they don't feel a threat.

    Sure, the problem is real, but part of me can't shake the feeling that somewhere there is an anti-virus company executive ordering a new plasma HDTV when he sees this news. Or maybe it's just because X-Files ended yesterday that I'm seeing conspiracies everywhere.

  • Re:riaa (Score:3, Interesting)

    by Man of E ( 531031 ) <i.have@no.email.com> on Monday May 20, 2002 @05:27PM (#3553826)
    "let's make a virus that will expose ourselves to billions of dollars of liability, but will only shut down some minor piracy for a day or two, until anti-virus software makers have protection for it"

    Seems like a pretty good idea to me, actually, especially when you consider how many idiots are on Kazaa. Since the program has no built-in calls to antivirus software, they'll become infected and lose confidence. A smaller percentage of geeks with huge bandwidth, hard drives and the brains to use antivirus software will stay on, but Kazaa will leave a sour taste in Joe Sixpack's mouth and lead him back to the golden path of CD-buying.

    Now suppose the advertising "paper trail" that everyone is talking about leads to some random hacker they picked as a scapegoat, and it's unlikely that anyone will suspect they're behind it all. Liability, schmiability.

    Okay, time to take the tinfoil hat back off :-)

  • Re:riaa (Score:3, Interesting)

    by I Want GNU! ( 556631 ) on Monday May 20, 2002 @05:38PM (#3553907) Homepage
    Actually, this is EXACTLY the kind of tactics they like to use. Have you seen this article [wired.com]? They tried to get a law passed to hack someone's PC.

    Cigarette companies kill millions of their own customers, Enron executives steal everyone's requirement accounts, and mostly these type of companies get off scot free. Not to mention all the investment advice companies with conflicts of interest, telling people to buy then selling after the price goes up, or vice versa.

    Of course, with all the lobbyists and lawyers and paper shredders, it's not like anything would come of this.
  • by Alan ( 347 ) <arcterex @ u f i e s.org> on Monday May 20, 2002 @05:44PM (#3553963) Homepage
    Hehehe, if you hit the page that the virus opens to get the author more page impressions (http://benjamin.xww.de/), you get:

    "
    Domain aufgrund von massiven Beschwerden gesperrt.
    Domain closed due to massive abuse.
    "

    Now I wonder if it was closed because someone wrote a virus, or because the virus worked so well he went over his bandwidth allocation! :)
  • by Wakko Warner ( 324 ) on Monday May 20, 2002 @09:48PM (#3555480) Homepage Journal
    I have never gone above the speed limit in my life -- go suck three cocks.

    How is stealing one product different from stealing any other, simply because that product comes on a CD-Rom?

    It is deluded thieving slashdroids (with shitty high UIDs) like you that are ruining the Internet. Please eat a bullet [eatabullet.com].

    - A.P.
  • Re:Infected? (Score:2, Interesting)

    by Evangelion ( 2145 ) on Monday May 20, 2002 @10:26PM (#3555657) Homepage

    Haven't you ever heard of Anime fansubs?

    People would copy Japanese LDs, subtitle them themselves, and sell them (not for much, but still), and no one found anything wrong with this -- because the episodes/movies/oavs were not available in any English language format. The copyright owners usually never said a word. The fansubbers would respectfully not distribute something that was available in English in North America.

    Your whining is reactionary and unnecessary.

    That's what I get for coming back to slashdot, I guess...
  • by Animats ( 122034 ) on Monday May 20, 2002 @10:41PM (#3555713) Homepage
    Well, after finding a description of how this attack works [viruslist.com], it looks like it's dumber than I thought. Apparently, it just floods the Kazaa system with copies of itself under different names, hoping somebody will run them. If run, it puts itself in the registry to run at every startup.

    So it requires manual intervention to propagate, and is thus more like a classic virus.

    We may yet see a Brilliant Projector based worm, but this apparently isn't it.
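
A check for the traces named in rkent's cleanup comment and in Animats' note that the worm registers itself to run at startup, as an added example that is not part of the original thread. It parses registry export text, reports the two values quoted above, and goes slightly beyond the thread by also flagging any other Run entry that launches a .scr file. The function names and the sample export are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re

# Indicators as quoted in the thread (rkent's comment); not independently verified.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft"
RUN_VALUE = "System-Service"
MARKER_VALUE = "syscod"
# "name"="data" line of a .reg export; backslashes and quotes are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, name, data) for every string value in .reg export text."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_benjamin_traces(text):
    """Return (reason, value name, data) tuples worth a closer look."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()  # registry names are case-insensitive
        if k == RUN_KEY.lower() and n == RUN_VALUE.lower():
            findings.append(("listed-run-value", name, data))
        elif k == RUN_KEY.lower() and re.search(r"\.scr\b", data, re.I):
            # Generalisation beyond the thread: a screensaver binary in autostart.
            findings.append(("scr-autostart", name, data))
        elif k == MARKER_KEY.lower() and n == MARKER_VALUE.lower():
            findings.append(("listed-marker", name, data))
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"
"Saver"="C:\\Temp\\photo.scr /s"

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="0065D7DB20008306B6A1"
'''

if __name__ == "__main__":
    print(find_benjamin_traces(SAMPLE))
```

A hit is only a pointer for manual review; as rkent says, removing the entries does not prevent a reinfection.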