Slashdot Mirror
Targeted Worm Hits Kazaa's Network
sh0rtie writes: "Kaspersky Labs and the BBC are reporting that the Fasttrack network that Kazaa uses has been hit by its first targeted worm virus dubbed 'Benjamin.' Is this a clever RIAA creation or that of a mischievous virus writer? I guess we will never know, but the result is that it seems to be bringing unsuspecting users machines to a crawl with full hard drives and clogging up the Fasttrack network with massive amounts of traffic bringing more headaches for ISPs and sysadmins worldwide."
Look at the kind of music these fellows put out. Now tell me anything they create is "clever".
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
the day the secret Kazaa/Brilliant network came to life is the day that this worm gets let loose.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
how big of a surprise is this? The whole idea behind kazaa is that you can get music that you don't own. This reminds me a lot of the warez sites out there. How many of us trust them?
You get what you pay for.
From the article...
In addition to eating up free disk space Benjamin takes additional actions: under the name of the infected computer's owner it opens an anonymous web site from which it displays advertising banners. This way Benjamin's creator profits by the resulting increase in advertising displays.
I might be wrong, but I'd think it'd be quite easy to find where the money from the advertising banners is going to. Quite simple to find the virus writer.
Of course, the recipient of the advertising revenue may not be the virus writer, but it's a good place to start.
Stupid people amuse me.
but the result is that it seems to be bringing unsuspecting users machines to a crawl with full hard drives and clogging up the Fasttrack network with massive amounts of traffic
What? Doesn't that happen every time a new cammed version of Spider-Man or AOTC's is released?
The worm is coming! It can smell the spice on your hard drive! Delete it, or it'll smash through it and destroy you!
You are not the customer.
Some very scary research has been aimed at discovering just how fast a worm could infect the entire Internet. This is the so-called Warhol worm, so named because instead of getting 15 minutes of fame, it would only take 15 minutes to infect the entire internet. If some nut combines a Warhol worm with a Kazza worm, we are in deep trouble.
The way I understand the article, it replicates itself in someone's share directory and waits for other Kaaza users to download it. How is it executed on the remote user's computer then? Do they have to specifically run the virus program, or is there a security hole in the Kaaza client somewhere that automatically executes the virus?
.exe from a P2P network and runs it without at least scanning it, deservers what they get.
I'm assuming users that download this file must specifically execute it. If this is true, then IMHO any person who downloads an unknown
Unix is user friendly, it's just selective about who its friends are.
Is this a clever RIAA creation?
What an incredibly irresponsible statement. Don't go pointing fingers until you have some evidence.
The BBC reported this earlier today:1 998000/1998686.stm
http://news.bbc.co.uk/hi/english/sci/tech/newsid_
I agree with the idea that the RIAA would definitely have motive when it came to a worm like this, or some random RIAA suporter. Good thing most intelligent people quit using Kazaa a long time ago, or for sure when they found out about the spyware.
Most people would die sooner than think; in fact, they do.
Doesn't necessarily point to the culprit. Just because the webserver is hitting/serving up whatever the ad of the hour is, doesn't mean the person getting the checks is the virus writer. How difficult would it be for instance, for a blackhat to write a virus, have it hit/serve a bazillion ads, but send the money to a certain John Ashcroft, who just happens to live in DC, with a job at the DOJ? Especially given the talents of a true blackhat, this wouldn't be difficult at all. Unfortunately, that's what these posts of "Follow the money trail" are doing... it's entirely possible the writer borked up bigtime, but more likely that someone's being made a stooge, and that the money is just a red herring.
I suspect that one of these choices is incorrect. Correct.
"In addition to eating up free disk space Benjamin takes additional actions: under the name of the infected computer's owner it opens an anonymous web site from which it displays advertising banners. This way Benjamin's creator profits by the resulting increase in advertising displays."
Wouldn't it make sense then that you could track the creators of the worm to whomever is collecting the payout of these banner ads or am I misunderstanding how its working?
Perhaps I am paranoid, perhaps I am an old fart, but I cannot see trusting any file I got from any of the P2P systems for precisely this reason.
www.eFax.com are spammers
Big whoop. P2P becomes the latest transport mechanism for viruses. It's not exploiting a hole in Kazaa, it's just sharing a folder with virus-infected executables labeled with intriguing names that are likely to be downloaded by Kazaa users.
If these users are then dumb enough to run an executable file they download from an unknown source, they will be infected.
Wow.
"And like that
Okay, so... who's infected? any slashdotters get the
u rr entVersion\Run] . SC R"
:)
"Error:
Access error #03A:94574: Invalid pointer operation
File possibly corrupted."
message yet? If so, what did you do to clean up? Neither of the 2 articles gives a very good indication of that; I guess I'd start by deleting \windows\system32\explorer.scr and \windows\temp\Sys32, and removing these registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\C
"System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER
[HKEY_LOCAL_MACHINE\Software\Microsoft] "syscod"="0065D7DB20008306B6A1"
Seems like that should keep it from spreading, but that won't prevent a reinfection. Oh well; at least there's a popup notice when you get infected. that's nice.
Looks like fasttrack users (kazaa, morpheus, AND grokster) are catching on... about 1/5 as many users on as usual for this time of day. And before you flame me as a pirate, I only trade Simpsons episodes which aren't available for sale yet
Whenever I think of what could be achieved by a virus using a P2P system, I am all the more astounded by the limited imaginations of these puny 13-year-old hackers.
How about using a million computers working in parallel to break an weak encryption and read some third world govenment's military email?
What about creating a secondary virus that uses known windows vulnerabilities and has a mathematically reasonable replication scheme to install itself on hundreds of millions more computers, and then use that to bring down the entire internet on a given day?
What about turning these people's P2P servers into a humungous free proxy network, defeating internet censorship attempts of evil totalitarian regimes (like China)?
Ever since the whole deal with Kazaa and spyware and using your computer for distibuted computing, I've uninstalled and left them for good. Come on...think about it. If a company does not have the "consumer's" best interests in mind, it will not be able to succeed. What are they going to do when there is a major security issue that opens up your private data to the world? "Ooops..who cares..not my fault..they aren't paying us"
Kazaa has turned into bad news waiting to happen.
_______________________________
"I'm not Conceited...I'm just a realist..."
According to the article, the worm sets up a web site for doing advertising, presumably porn. I'd think that that the sites being advertised would be a good place to start figuring out who's responsible.
It's an amusing idea to use a worm to carry a proft-generating payload, but it sounds like it'll leave a really big paper trail. The more advertisers you get, the bigger the trail.
"hey guys, I've got a great idea. let's make a virus that will expose ourselves to billions of dollars of liability, but will only shut down some minor piracy for a day or two, until anti-virus software makers have protection for it".
I don't see the RIAA mentioned at all in that article. Perhaps your link is incorrect?
Large file-sharing networks like Kazaa have birthmarks in the shapes of bulls-eye's.
But if banner ads which will profit the creator of the virus are posted on every single infected computer... how hard would it be really to follow the money to find the author of the worm?
:)
Or was I the first one to read the article?
-Restil
Play with my webcams and lights here
i had this virus once, only i named it 'roommate'.
Hit me the other day. Just noticed it last night, and I (think) I have it under control.
First, look out for small downloads, specifically anything with names such as "installer" or "downloader." I dont know how I got mine, but my brother's machine got hit after he tried to d/l the newest version of Britannica. Serves him right. When I went to see what he downloaded, I saw that it was a file around 700k.
Yes, it does spread over Kazaa lite.
Once it is installed, it proceeds to fill up your machine with approximately 700k files, usually in windows or winnt/temp/sys32. Thats where all mine were (Im running W2K).
However, dont go crazy yet. I downloaded the newest virus update for NAV (dated 5/17) and ran it. It picked all the downloads right up. Since they were all junk files that it had downloaded, I had it delete them all.
So far, so good. Havent had any recurrence since then (although this was last night, so I dont consider it enough time to truly test). Hopefully it really is this easy to clean up, but Im sure I will quickly find out.
Hope this helps.
...I dont know what happened to the hyperlink there - here is the link in text form:
7 /2 002-05-17/2002-05-23/1
http://online.securityfocus.com/archive/1/25462
And another try at a hyperlink.
"If you refer to this article, we'll give you $5 rebate off your next virus update purchase." added Zenkin with a smile.
As much as we need the anti-virus software, the anti-virus companies need the virus makers. Without a worm or a virus that makes CNN headlines every 6 months, people will forget to buy updates, patches etc etc. The public forgets quickly, and will not buy new products from the AV companies if they don't feel a threat.
Sure, the problem is real, but part of me can't shake the feeling that somewhere there is a anti-virus company executive ordering a new plasma HDTV when he sees this news. Or maybe it's just becase X-Files ended yesterday that I'm seeing conspiracies everywhere.
Oh, I can't help quoting you because everything that you said rings true
Yeah, I'm grinnin' ear to ear as well. While I don't think it was RIAA that created this, I found this part f*cking brilliant:
Congratulations on your free copy of photoshop (which is alright because you wouldn't have bought it), Windows XP (which is alright, because Microsoft is evil), the new Dave Matthews Band CD (which is alright, because the RIAA is evil), and that DivX of episode 2 (which is alright, because the MPAA is evil).
Couldn't have said it better. *applause*
The Free desktop that Just Works
Boo hoo for you, did you consider that maybe 13 other people submitted it before you, it's maybe 200 submissions down on the queue, and it might get posted later? Sorry your story got rejected and you don't get any karma, but please. Enough with the ragging on people because they talk about other stuff besides your pet topic.
I doubt the original poster cares about karma; he's complaining about the fact that the editors just have no apparent ability to pick stories anymore. Gould was a brilliant scientist whose passing should be major news. Instead we get an endless succession of stories about file sharing and wireless networks. Interspersed, ironically, with self-congratulatory stories about how brilliant, well-rounded, and scientifically literate geeks in general are.
I know the RIAA didn't write it, it was proabably some self-rightous bastard alot like yourself. How can you possibly defend a company that acts the way RIAA members do? Do you think they care about you? You think all these "thives" go away that their gonna lower prices, or create good content? HA! They are using file sharing as an exuse to pass legislation that gives them a future stranglehold on content creation. "oh, you want to distrubute a song you wrote and performed? Not without the RIAA watermark seal of approval!" Stop defending companys whose soul goal is to make your computer into a nutered VCR, incapable of doing anything without the xxAA's express writen consent.
Hmm, uses your drive space and bandwidth, pops up ads, modifies your system configuration without your permission...
Looks to me like the only difference between this trojan and the programs it comes in is that one has a EULA.
Time for virus writers to wise up and disclaim liability with an incomprehensible clickthrough like all the other writers of malicious code...
--
Benjamin Coates
If the original poster actualy cared about his Karma, do you honestly think he would have posted under his account instead of anonymously?
T Money
World Domination with a plastic spoon since 1984
Yes, it is major news. That's why it's on the front page of CNN, Boston.com, etc. I do not need Slashdot to cover stories that I'll hear about anyway. I come to Slashdot to get more interesting, off-the-beaten-path stories, or sometimes interesting commentary on hugely important news (not just the passing of someone famous).
Making the Slashdot front page does not mean that the Kazaa worm is more important that SJG. It's called perspective.
And then go here to read the story with out signing up:
http://www.majcher.com/nytview.html
T Money
World Domination with a plastic spoon since 1984
Evolution is just more Yankee bullshit. Ever since reconstruction, the Yankees have been destroying the truth.
Yet another reason to hate Steinbrenner....um, uh, oh nevermind...
Rule #1 -- Politics always trumps technology.
Just filter out all files under 1 meg... it worked for me since I guess it only shows up when searching for software...
And what will you do when the code for the virus is recompiled to run in *NIX? No OS is perfectly secure, the fact that *NIX based OSes and Mac OS was not hit is just an indication of the limited programing skills and/or time of the creator.
T Money
World Domination with a plastic spoon since 1984
Don't you mean Stephen King?
Yes this is true but ALOT of end users dont know any better or arent smart enough not to or just dont care.
If you mean "A LOT," you are correct. (I don't know what "ALOT" is, though... is it anything like "ALITTLE?")
I know they always say all the time not to do it but I still have end users trying to open virus e-mails
Then if you maintain that network you need to setup a filter to delete executable attachments from incoming/outgoing email!
"And like that
I'm afraid it's not that easy, CmdrTaco. Firstly, you are assuming that the money is going to someone associated with the virus writer. However, from what I understand, there are three types of people who write viruses:
But let us assume that the money is going to the author of Benjamin for a moment. There is also unfortunately the issue of money laundering, offshore accounts, vapor operations, and rerouting of transfers that can make finding out where the money goes all but impossible if someone is clever enough to do it.
Assuming that someone is keeping the money for themselves, there are a variety of ways that it could be done. As referenced by Carl Sifakis...
Method 1 Typical Drug Dealer Method
Method 2 The Loanback Method
Method 3 The Money Broker Shuffle Problem
Mr A is Columbian drug lord. He has a million dollars sitting in New York badly in need of deodorization. Mr B is a legitimate Columbian businessman who wants to buy a million dollars worth of U.S. computers but his government wants 21 cents for every dollar he buys with his pesos.
Solution: They hire a money broker who for a nominal fee will solve the problem.
Method 4 The Omnibus Account Method
Swiss banks (and others I'm sure) maintain what is known as "omnibus accounts" at American brokerage houses. This make it easy for mafiosi to purchase American blue chip stock anonymously. Naturally, if they make a profit they pay no capital gains taxes on it because there are no records in the U.S. tying them to the stock purchases and the Swiss banks are bound by their laws not to reveal the names of their investors. This enables them not only to make money but to manipulate the market by buying large blocks of stock through the banks and then exercising their proxies, enabling them to determine who will be on the board of directors and who will be C.E.O.
In Short, if this person has half a brain, then just "seeing where the checks are going" will not reveal the culprit.
The Libra Eagles may soar, but a weasel never gets sucked into a jet engine.
Hehehe, if you hit the page that the virus opens to get the author more page impressions (http://benjamin.xww.de/), you get:
:)
"
Domain aufgrund von massiven Beschwerden gesperrt.
Domain closed due to massive abuse.
"
Now I wonder if it was closed because someone wrote a virus, or because the virus worked so well he went over his bandwidth allocation!
I never used Kazaa... but I (used to) highly recommend KazaaLite. All of the functionality, none of the spyware. Oh well, back to my from-source LimeWire v1.6b.
AHHHHHHH! I'm burning with goodness again!
- Reakk, Sluggy Freelance
I'm afraid it's not that easy, CmdrTaco.
FWIW, the person you responded too wasn't CmdrTaco.
Give him points for being clever though.
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio
I have a Kazaa clone that uses the Kazaa network w/o using the crappy Kazaa Software.Unfortunately, it's for windows only :(
Go to http://cguru.cjb.net. It's called MyKazaa
If you're not a Liberal in your 20's, then you have no heart.If you're still a Liberal in your 30's you have no brain.
1) Only political statements make the front page of any major mainstream publication. News, Ads, and everything else takes a back seat.
2) Do you think when the Pope dies that it will make the front page on Slashdot? There are a whole heap more catholics than evolutionists in the world. Probably even on Slashdot.
3) The Kazaa worm affects alot of people, and actually is relevant to the FUTURE. To top it all off, it's even "tech" or "computer" news, which is what slashdot is mostly about.
4) Obituaries don't belong on the front page. See #1.
Today was the first time in weeks I hadn't left my work computer on overnight downloading the latest and greatest 80's MP3s and Star Trek Enterprise AVIs. Tonight it is powered down. Such timing!
"Live Free or Die." Don't like it? Then keep out of the USA
Yes, it's illegal to download Photoshop, but NO, I wouldn't have paid hundreds for it, and I don't require it, I just want to have it.
I don't require a Viper RT/10, but I just want to have one, so I stole mine.
So, unless you don't EVER speed EVEN A LITTLE bit over the limit, don't preach to us about NEVER downloading ANY copyrighted material.
I never do. So, kindly eat a dick.
People who attempt to justify their theft in any way are fucktards.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Pay to the order of : Hilary Rosen.
Benjamin is written in Borland Delphi and is approximately 216 Kb in size.
Bah, virus writers these days.... in my day that virus would have been written in carefully hand-tooled assembly, it would have been polymorphic and it would have been no larger than 5KB. Uphill both ways, etc. etc..... [mutter grumble grumble]
deus does not exist but if he does
"Some wery scawy weseawch has been aimed at discobewing just how fast a worm could infect the entiwe Intewnet"
I had that problem, too, so I had to give my roommate's account on my computer a disk quota. . .
What I really don't get was the way he would download piles of shit that he didn't even like, like boy bands.
Given the dodgy tactics KaZaA used to grab market share from Morpheus (by shutting them out of the network) and how pissed off Morpheus was at them for doing that, I'm surprised no one has fingered them as a possible source of the worm. It's not a destructive worm: it just discourages people from using KaZaA. Now, who would *that* kind of worm benefit?
I have never gone above the speed limit in my life -- go suck three cocks.
How is stealing one product different from stealing any other, simply because that product comes on a CD-Rom?
It is deluded thieving slashdroids (with shitty high UIDs) like you that are ruining the Internet. Please eat a bullet.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Theoreticaly the same could done in a closed source system. While I see your point that there are more blockages to be avoided if you were to create a sucessful *NIX virus, that does not mean that it is any less threatening to a system. Even if it could only fill up /data2, it's still using HD resources, leading to fragmentation, longer seek times and reduced system performance. All in all a nusence rather than a serious problem, but a problem no less.
T Money
World Domination with a plastic spoon since 1984
So it requires manual intervention to propagate, and is thus more like a classic virus.
We may yet see a Brilliant Projector based worm, but this apparently isn't it.
>I don't require a Viper RT/10, but I just want to have one, so I stole mine.
Interesting how you confuse piracy with larceny.
When you pirate a movie, or music you deprive no one of that movie or music; whereas when you commit GTA you deprive someone of their vehicle.
Since a replicator is to matter as a CD-Burner is to data, would you still consider it theft if you replicated a Viper RT/10 using your own equipment and materials?
If so I would humbly suggest you are a tiny minority of people, and that's the reason why both the dictionary and the law disagree with you.
My search turns up nothing for "theft", "steal", or "larceny" in the Berne Convention. Methinks you are just plain confused on the issue. Hope this clears it up for you!
>So, kindly eat a dick.
Not that I'd want to; But its pretty hard when its shoved so far up your ass.
>People who attempt to justify their theft in any way are fucktards.
Agreed, to a certain degree (Les Miserables come to mind as a particular exemption). That's why Copyright Violation is a violation of copyright law, not (AFAIK) theft.
Or at least that wasn't the intention of the people who created our modern day copyright system.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Dry-cleaners are a good money laundering method (no pun intended!!!). Some years ago, around here, someone started a chain of $1 dry-cleaners. Within weeks he was firebombed into oblivion.
So long as they allow files that can contain executable content (benjamin uses a .scr file, for instance) then, yes.
There's nothing really special here. All they did was take Melissa, modify it a bit, then start sharing files named "naked gurlz.jpg.scr" Someone downloads it, clicks on it, and the rest is history.
WinMX 3.1 was just released a few days ago and it definitely seems to be everything it was hyped as being and more. It's got the many of the features of eDonkey without the bugs and shitty interface. It's also missing the spyware, ad banners and other crap that seems to plague every other p2p network.
Reading this story was the nail in the coffin for Fastrack, AFAIC. I was going to stick around a while until the new WinMX got it's legs, but forget about that now.
> The lesson: never, ever download something executable off of a public P2P network like Kazaa, Gnutella, etc.
Don't forget, gnutella runs on non-braindead platforms too.
Hi Jonathan, I made this post using lynx.
-- Look to the Rose that blows about us--"Lo, Laughing," she says, "into the World I blow..."
It's an executable that the user must RUN to get infected. It then spreads itself via Kazaa and tricking other users into downloading it.
:P
Don't download executables over P2P and you won't get infected. Seems a damn_smart thing to do anyway doesn't it? These people getting hit with it are likely also the same guys who spread e-mail viruses by running attachments.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Or, are you Mother Theresa?
Yes. I am without sin, and I am casting stones.
Duck, motherfucker.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"