Security

Targeted Worm Hits Kazaa's Network

Posted by timothy
from the worms-churn-the-earth dept.
sh0rtie writes: "Kaspersky Labs and the BBC are reporting that the Fasttrack network that Kazaa uses has been hit by its first targeted worm virus dubbed 'Benjamin.' Is this a clever RIAA creation or that of a mischievous virus writer? I guess we will never know, but the result is that it seems to be bringing unsuspecting users' machines to a crawl with full hard drives and clogging up the Fasttrack network with massive amounts of traffic bringing more headaches for ISPs and sysadmins worldwide."
This discussion has been archived. No new comments can be posted.

  • by Wakko Warner (324) on Monday May 20, 2002 @03:43PM (#3553433) Homepage Journal
    Look at the kind of music these fellows put out. Now tell me anything they create is "clever".

    - A.P.
  • of all days.... (Score:5, Interesting)

    by jeffy124 (453342) on Monday May 20, 2002 @03:45PM (#3553453) Homepage Journal
    the day the secret Kazaa/Brilliant network came to life [com.com] is the day that this worm gets let loose.
  • seeing as how everyone and their grandmother's dog-sitter read the post about Kazaa's involuntary spyware and then promptly deleted Kazaa from their system, I really don't see how this story should affect anyone..right? hmmm..on second thought..is it the kazaa NETWORK?
  • Warez Connection (Score:2, Insightful)

    by _bobs.pizza_ (452394)
    how big of a surprise is this? The whole idea behind kazaa is that you can get music that you don't own. This reminds me a lot of the warez sites out there. How many of us trust them?

    You get what you pay for.
    • I remember hearing about a leaked study from a long time ago done by a virus detection company.

      The results seemed to (at the time) finger purchased software and hardware as the prime infection point for many machines.

      Why?

      At the time, BBSes autochecked files for viruses, and most people ran their disks through CPAV/F-Prot before giving them to others (since people "smart" enough to copy a disk were, at the time, able to run simple virus detection software). However, at the same time, major brand name companies didn't bother as much.

      I can even remember a friend buying formatted floppies that came with a virus dropper on the disks...

      If 100 people download infected software from one illegitimate site before the infection is pointed out and cleaned, that's just 100 people. Imagine the destruction that happens when you go gold and don't find out until a few weeks later that your CDs (or computers, or floppies, whatever) include a virus.

      If anyone can find a link to that study, I'd really appreciate it. :-)

      Sometimes you get more than you pay for.

      Your PC is now stoned !!!
  • by Saeculorum (547931) on Monday May 20, 2002 @03:46PM (#3553466)
    From the article...

    In addition to eating up free disk space Benjamin takes additional actions: under the name of the infected computer's owner it opens an anonymous web site from which it displays advertising banners. This way Benjamin's creator profits by the resulting increase in advertising displays.

    I might be wrong, but I'd think it'd be quite easy to find where the money from the advertising banners is going to. Quite simple to find the virus writer.

    Of course, the recipient of the advertising revenue may not be the virus writer, but it's a good place to start.

    Stupid people amuse me.
  • but the result is that it seems to be bringing unsuspecting users' machines to a crawl with full hard drives and clogging up the Fasttrack network with massive amounts of traffic

    What? Doesn't that happen every time a new cammed version of Spider-Man or AOTC's is released?
  • by Limburgher (523006) on Monday May 20, 2002 @03:48PM (#3553489) Homepage Journal
    The worm is coming! It can smell the spice on your hard drive! Delete it, or it'll smash through it and destroy you!
    • +1 DUNE!

      Mod the parent up...this is a clever Dune reference. You know, the novel...or the movie, for those who didn't see the novel.

      No kudos to the people who were stupid and thought the dude was talking about the Spice girls.

      • Some of us just enjoyed the video games...

        The Dune game that was like warcraft (erect buildings, build army, kill foes) was the first pc game I ever bought, I think...
  • by cybrpnk2 (579066) on Monday May 20, 2002 @03:51PM (#3553513) Homepage
    Some very scary research has been aimed at discovering just how fast a worm could infect the entire Internet. This is the so-called Warhol worm [berkeley.edu], so named because instead of getting 15 minutes of fame, it would only take 15 minutes to infect the entire internet. If some nut combines a Warhol worm with a Kazaa worm, we are in deep trouble.
  • by Shagg (99693) on Monday May 20, 2002 @03:51PM (#3553521)
    The way I understand the article, it replicates itself in someone's share directory and waits for other Kazaa users to download it. How is it executed on the remote user's computer then? Do they have to specifically run the virus program, or is there a security hole in the Kazaa client somewhere that automatically executes the virus?

    I'm assuming users that download this file must specifically execute it. If this is true, then IMHO any person who downloads an unknown .exe from a P2P network and runs it without at least scanning it deserves what they get.
    • I don't see how it can deserve the designation worm if it takes user intervention to spread, both a) to download it and then b) to execute it, which is the impression I got from the Kaspersky bulletin.

      Wouldn't simply trojan be a better fit?

      Indeed, the bulletin calls it a "worm". Let's continue doing that so as to not confuse matters even more than they already are regarding the designation of all these malware.

    • Agreed until the last phrase. If you use a P2P network to copy an exe you cannot know what are you gonna get.

      But scanning a NEW worm is next to useless if you don't have the latest antivirus, which is updated after this worm has been released and infected several machines.
    • The Kazzzasaazaz installer connects to the FastTrack network to download the actual filesharing program (the functionality in the installer + search + spyware and ads and robot monkeys that confuse your clock cycles for bananas and eat them while throwing monkey poop all over your hard drive). Since the client itself also has built in functionality to display stuff, it would be entirely possible to exploit a buffer overflow bug or something like that that slipped through the probably non-existent QC or some such.

      But Kaszzzasdfddsafaszzza is for frat boys, sorostitutes, and pre-teen girls. Real men use FTP or DC++ [sourceforge.net].

  • by BlueFall (141123)
    Is this a clever RIAA creation?

    What an incredibly irresponsible statement. Don't go pointing fingers until you have some evidence.
  • by hether (101201) on Monday May 20, 2002 @03:51PM (#3553524)
    The BBC reported this earlier today:
    http://news.bbc.co.uk/hi/english/sci/tech/newsid_1998000/1998686.stm [bbc.co.uk]

    I agree with the idea that the RIAA would definitely have motive when it came to a worm like this, or some random RIAA supporter. Good thing most intelligent people quit using Kazaa a long time ago, or for sure when they found out about the spyware.
  • by Mhrmnhrm (263196) on Monday May 20, 2002 @03:52PM (#3553526)
    Doesn't necessarily point to the culprit. Just because the webserver is hitting/serving up whatever the ad of the hour is, doesn't mean the person getting the checks is the virus writer. How difficult would it be for instance, for a blackhat to write a virus, have it hit/serve a bazillion ads, but send the money to a certain John Ashcroft, who just happens to live in DC, with a job at the DOJ? Especially given the talents of a true blackhat, this wouldn't be difficult at all. Unfortunately, that's what these posts of "Follow the money trail" are doing... it's entirely possible the writer borked up bigtime, but more likely that someone's being made a stooge, and that the money is just a red herring.
    • Given the average intelligence of an American citizen (fairly low seeing as how the NY Times is supposedly written at an 8th grade reading level) and the average intelligence of many people, I would be willing to bet that the money trail does at some point lead to the virus creator. And even if it doesn't, I would still be willing to bet there is a trail back to the virus writer.
  • From the article:

    "In addition to eating up free disk space Benjamin takes additional actions: under the name of the infected computer's owner it opens an anonymous web site from which it displays advertising banners. This way Benjamin's creator profits by the resulting increase in advertising displays."

    Wouldn't it make sense then that you could track the creators of the worm to whomever is collecting the payout of these banner ads or am I misunderstanding how it's working?

  • Perhaps I am paranoid, perhaps I am an old fart, but I cannot see trusting any file I got from any of the P2P systems for precisely this reason.
  • Using P2P (Score:3, Interesting)

    by tswinzig (210999) on Monday May 20, 2002 @03:52PM (#3553534) Journal
    Big whoop. P2P becomes the latest transport mechanism for viruses. It's not exploiting a hole in Kazaa, it's just sharing a folder with virus-infected executables labeled with intriguing names that are likely to be downloaded by Kazaa users.

    If these users are then dumb enough to run an executable file they download from an unknown source, they will be infected.

    Wow.
  • awww this requires that the user download and run it in order for it to infect the computer.

    One of these days there is going to be a serious flash worm on that fasttrack network. All one would have to do is find a buffer overflow in the server portion of it. Each computer knows about several others as a function of the program so finding exploitable hosts should be as trivial as doing a netstat -a.
  • Infected? (Score:5, Interesting)

    by rkent (73434) <rkent&post,harvard,edu> on Monday May 20, 2002 @03:54PM (#3553556)
    Okay, so... who's infected? any slashdotters get the

    "Error:
    Access error #03A:94574: Invalid pointer operation
    File possibly corrupted."

    message yet? If so, what did you do to clean up? Neither of the 2 articles gives a very good indication of that; I guess I'd start by deleting \windows\system32\explorer.scr and \windows\temp\Sys32, and removing these registry keys:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

    [HKEY_LOCAL_MACHINE\Software\Microsoft] "syscod"="0065D7DB20008306B6A1"

    Seems like that should keep it from spreading, but that won't prevent a reinfection. Oh well; at least there's a popup notice when you get infected. that's nice.

    Looks like fasttrack users (kazaa, morpheus, AND grokster) are catching on... about 1/5 as many users on as usual for this time of day. And before you flame me as a pirate, I only trade Simpsons episodes which aren't available for sale yet :)
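A read-only check for the two registry indicators listed in the comment above, as an added example that is not part of the original thread: it parses the text of a `.reg` export and reports matches instead of deleting anything. The sample export is constructed, and the function and constant names are assumptions of this example.

```python
import re

# Indicators as posted in the comment above, with the spaces the page
# inserted into long strings removed. They are the poster's values and
# have not been independently verified.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft"
RUN_VALUE_NAME = "System-Service"
MARKER_VALUE_NAME = "syscod"
PAYLOAD_BASENAME = "explorer.scr"

# Constructed sample in REGEDIT4 (ANSI) format. Exports from Windows 2000 and
# later are UTF-16; decode them to text before calling find_indicators().
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

[HKEY_LOCAL_MACHINE\Software\Microsoft]
"syscod"="0065D7DB20008306B6A1"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and quotes inside strings as \\ and \"
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg export text into {key_lowercased: {value_name: data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex values continue on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive, so store them lowercased.
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])   # string value; others kept raw
            current[name] = data
    return keys


def find_indicators(text):
    """Return (kind, value_name, data) tuples for the indicators above."""
    keys = parse_reg(text)
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        basename = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        # Match on the posted value name, or on any autorun entry that
        # launches a file with the posted payload name.
        if name.lower() == RUN_VALUE_NAME.lower() or PAYLOAD_BASENAME in basename:
            findings.append(("autorun", name, data))
    for name, data in keys.get(MARKER_KEY.lower(), {}).items():
        if name.lower() == MARKER_VALUE_NAME:
            findings.append(("marker", name, data))
    return findings


if __name__ == "__main__":
    for kind, name, data in find_indicators(SAMPLE_EXPORT):
        print(f"{kind}: {name} = {data}")
```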
  • so this worm jumps onto your computer and puts ad software on it so you will have to wade through a million ads to read /. is this any different from kazaa already? o wait, you agreed to let kazaa do that when you clicked i agree after the eula.

    meh
  • by Henry V .009 (518000) on Monday May 20, 2002 @03:54PM (#3553562) Journal
    Whenever I think of what could be achieved by a virus using a P2P system, I am all the more astounded by the limited imaginations of these puny 13-year-old hackers.

    How about using a million computers working in parallel to break a weak encryption and read some third world government's military email?

    What about creating a secondary virus that uses known windows vulnerabilities and has a mathematically reasonable replication scheme to install itself on hundreds of millions more computers, and then use that to bring down the entire internet on a given day?

    What about turning these people's P2P servers into a humungous free proxy network, defeating internet censorship attempts of evil totalitarian regimes (like China)?
    • I agree completely!

      It's always the same dumb worm/virus. Replication is the only real goal - no distributed computing, no political vendetta, not even maliciousness (which I'm thankful for, even though I needn't worry of infection).

      This one has the popup ad thing, but my guess is the money is going to a randomly selected target.

      This reminds me a lot of that viri/worm on the gnutella network a year+ back.
    • by gad_zuki! (70830) on Monday May 20, 2002 @07:14PM (#3555060)
      Those are coded so well that they don't get noticed. Your PC is probably rendering 3D storyboards for Pixar and helping Japan simulate a-bomb explosions. Thankfully, everyone blames the lag on Microsoft products.

      Occasionally the cabal writes 'press viruses' like these to keep Kaspersky busy.
      • You bastard! We said we'd let you leave the cabal if you promised not to give away our secrets!

        You'll pay for this, oh will you pay. We'll see who's laughing when you get arrested and strip-searched by the CIA for stealing secret government documents and hiding them in your anal cavity!
  • Ever since the whole deal with Kazaa and spyware and using your computer for distributed computing, I've uninstalled and left them for good. Come on...think about it. If a company does not have the "consumer's" best interests in mind, it will not be able to succeed. What are they going to do when there is a major security issue that opens up your private data to the world? "Ooops..who cares..not my fault..they aren't paying us"

    Kazaa has turned into bad news waiting to happen.
  • Anyone know how this thing is spread and if Kazaa Lite can get it even with the Brilliant Digital stuff disabled?
  • Advertising? (Score:3, Informative)

    by jfengel (409917) on Monday May 20, 2002 @03:56PM (#3553579) Homepage Journal
    According to the article, the worm sets up a web site for doing advertising, presumably porn. I'd think that the sites being advertised would be a good place to start figuring out who's responsible.

    It's an amusing idea to use a worm to carry a profit-generating payload, but it sounds like it'll leave a really big paper trail. The more advertisers you get, the bigger the trail.
  • riaa (Score:4, Funny)

    by mosch (204) on Monday May 20, 2002 @03:56PM (#3553582) Homepage
    Is this a clever RIAA creation...
    I mean you no disrespect, but you're a fucking retard.

    "hey guys, I've got a great idea. let's make a virus that will expose ourselves to billions of dollars of liability, but will only shut down some minor piracy for a day or two, until anti-virus software makers have protection for it".

    • Re:riaa (Score:3, Interesting)

      by Man of E (531031)
      "let's make a virus that will expose ourselves to billions of dollars of liability, but will only shut down some minor piracy for a day or two, until anti-virus software makers have protection for it"

      Seems like a pretty good idea to me, actually, especially when you consider how many idiots are on Kazaa. Since the program has no built-in calls to antivirus software, they'll become infected and lose confidence. A smaller percentage of geeks with huge bandwidth, hard drives and the brains to use antivirus software will stay on, but Kazaa will leave a sour taste in Joe Sixpack's mouth and lead him back to the golden path of CD-buying.

      Now suppose the advertising "paper trail" that everyone is talking about leads to some random hacker they picked as a scapegoat, and it's unlikely that anyone will suspect they're behind it all. Liability, schmiability.

      Okay, time to take the tinfoil hat back off :-)

    • Re:riaa (Score:3, Informative)

      by VivianC (206472)
      You must be right. The RIAA has no history of messing up [apple.com] people's computers.

      And how do you think all the Kazaa "pirates" are going to recoup money for not getting the files they were intending to steal?
    • Re:riaa (Score:3, Interesting)

      by I Want GNU! (556631)
      Actually, this is EXACTLY the kind of tactics they like to use. Have you seen this article [wired.com]? They tried to get a law passed to hack someone's PC.

      Cigarette companies kill millions of their own customers, Enron executives steal everyone's requirement accounts, and mostly these type of companies get off scot free. Not to mention all the investment advice companies with conflicts of interest, telling people to buy then selling after the price goes up, or vice versa.

      Of course, with all the lobbyists and lawyers and paper shredders, it's not like anything would come of this.
      • Really? I could've sworn that the tobacco industry was forced to pay out billions in damages and Enron is in financial ruin. I believe one of their execs committed suicide as well. Not exactly scot free.

        The point is that they tried to PASS A LAW to hack someone's PC. It didn't go through and they didn't hack anyone. They're not going to create a malicious virus that has repercussions based on legal precedent and risk having to pay out billions in damages just so a few losers get their hard drives filled up.

        Take off your tinfoil hat and think.

    • You forget the RIAA lobbying to be released from liability for damage caused (by them deliberately) to people's computer systems when the terrorism bill was passing through congress. Even though their amendment was defeated they said they already had the legal right to do this from other statutes passed by congress.
  • Seems pretty clear to me.. It's either the RIAA fighting back the only way they can, or a sympathizer..

    Either way same result, people with nothing better to do than mess with others.

    And no I don't want to get into legality discussions.. it's just a statement that people should mind their own damned business.

  • Cons-piracy theory (Score:4, Interesting)

    by Kirby-meister (574952) on Monday May 20, 2002 @04:02PM (#3553626)
    A lot of people will probably put this on the RIAA/other copyright crusaders, but I see P2P networks as a huge market for propagating virii and sending people trojans.

    Large file-sharing networks like Kazaa have birthmarks in the shapes of bulls-eye's.

  • by Restil (31903) on Monday May 20, 2002 @04:02PM (#3553631) Homepage
    But if banner ads which will profit the creator of the virus are posted on every single infected computer... how hard would it be really to follow the money to find the author of the worm?

    Or was I the first one to read the article? :)

    -Restil
  • virus? (Score:5, Funny)

    by bilbobuggins (535860) <bilbobugginsNO@SPAMjuntjunt.com> on Monday May 20, 2002 @04:04PM (#3553650)
    it seems to be bringing unsuspecting users' machines to a crawl with full hard drives and clogging up the Fasttrack network with massive amounts of traffic

    i had this virus once, only i named it 'roommate'.

    • I had that problem, too, so I had to give my roommate's account on my computer a disk quota. . .

      What I really don't get was the way he would download piles of shit that he didn't even like, like boy bands.
  • by skinfitz (564041)
    I remember the topic of Kazaa infection being brought up on Bugtraq months ago.

    • ...hyperlink?? (Score:2, Interesting)

      by skinfitz (564041)
      ...I don't know what happened to the hyperlink there - here is the link in text form:

      http://online.securityfocus.com/archive/1/254627/2002-05-17/2002-05-23/1

      And another try at a hyperlink [securityfocus.com].
  • by sailor420 (515914) on Monday May 20, 2002 @04:06PM (#3553669) Homepage
    Hit me the other day. Just noticed it last night, and I (think) I have it under control.

    First, look out for small downloads, specifically anything with names such as "installer" or "downloader." I don't know how I got mine, but my brother's machine got hit after he tried to d/l the newest version of Britannica. Serves him right. When I went to see what he downloaded, I saw that it was a file around 700k.

    Yes, it does spread over Kazaa lite.

    Once it is installed, it proceeds to fill up your machine with approximately 700k files, usually in windows or winnt/temp/sys32. That's where all mine were (I'm running W2K).

    However, don't go crazy yet. I downloaded the newest virus update for NAV (dated 5/17) and ran it. It picked all the downloads right up. Since they were all junk files that it had downloaded, I had it delete them all.

    So far, so good. Haven't had any recurrence since then (although this was last night, so I don't consider it enough time to truly test). Hopefully it really is this easy to clean up, but I'm sure I will quickly find out.

    Hope this helps.
  • by bigmouth_strikes (224629) on Monday May 20, 2002 @04:08PM (#3553690) Journal
    "This event once again demonstrates the necessity to filter all incoming files for viruses, regardless of how well protected this or any other network is. Before use all data should be run through a mandatory check for virus code using the latest virus database update," commented Denis Zenkin, Kaspersky Labs Head of Corporate Communications.
    Gee, I'm so grateful for Kaspersky Labs that they provide this valuable information. They only forgot to add

    "If you refer to this article, we'll give you $5 rebate off your next virus update purchase." added Zenkin with a smile.

    As much as we need the anti-virus software, the anti-virus companies need the virus makers. Without a worm or a virus that makes CNN headlines every 6 months, people will forget to buy updates, patches etc etc. The public forgets quickly, and will not buy new products from the AV companies if they don't feel a threat.

    Sure, the problem is real, but part of me can't shake the feeling that somewhere there is an anti-virus company executive ordering a new plasma HDTV when he sees this news. Or maybe it's just because X-Files ended yesterday that I'm seeing conspiracies everywhere.

  • by BCoates (512464) on Monday May 20, 2002 @04:17PM (#3553754)
    Hmm, uses your drive space and bandwidth, pops up ads, modifies your system configuration without your permission...

    Looks to me like the only difference between this trojan and the programs it comes in is that one has a EULA.

    Time for virus writers to wise up and disclaim liability with an incomprehensible clickthrough like all the other writers of malicious code...

    --
    Benjamin Coates
  • by sluggie (85265) on Monday May 20, 2002 @04:29PM (#3553846)
    Just filter out all files under 1 meg... it worked for me since I guess it only shows up when searching for software...
  • by Alan (347) <(gro.seifu) (ta) (xeretcra)> on Monday May 20, 2002 @04:44PM (#3553963) Homepage
    Hehehe, if you hit the page that the virus opens to get the author more page impressions (http://benjamin.xww.de/), you get:

    "
    Domain aufgrund von massiven Beschwerden gesperrt.
    Domain closed due to massive abuse.
    "

    Now I wonder if it was closed because someone wrote a virus, or because the virus worked so well he went over his bandwidth allocation! :)
  • Today was the first time in weeks I hadn't left my work computer on overnight downloading the latest and greatest 80's MP3s and Star Trek Enterprise AVIs. Tonight it is powered down. Such timing!
  • Benjamin is written in Borland Delphi and is approximately 216 Kb in size.

    Bah, virus writers these days.... in my day that virus would have been written in carefully hand-tooled assembly, it would have been polymorphic and it would have been no larger than 5KB. Uphill both ways, etc. etc..... [mutter grumble grumble]

  • Given the dodgy tactics KaZaA used to grab market share from Morpheus (by shutting them out of the network) and how pissed off Morpheus was at them for doing that, I'm surprised no one has fingered them as a possible source of the worm. It's not a destructive worm: it just discourages people from using KaZaA. Now, who would *that* kind of worm benefit?
  • The next big thing (Score:3, Informative)

    by Erik Fish (106896) on Tuesday May 21, 2002 @12:15AM (#3556325) Journal
    WinMX 3.1 was just released a few days ago and it definitely seems to be everything it was hyped as being and more. It's got many of the features of eDonkey without the bugs and shitty interface. It's also missing the spyware, ad banners and other crap that seems to plague every other p2p network.

    Reading this story was the nail in the coffin for Fasttrack, AFAIC. I was going to stick around a while until the new WinMX got its legs, but forget about that now.
  • It's an executable that the user must RUN to get infected. It then spreads itself via Kazaa and tricking other users into downloading it.

    Don't download executables over P2P and you won't get infected. Seems a damn_smart thing to do anyway doesn't it? These people getting hit with it are likely also the same guys who spread e-mail viruses by running attachments. :P
