Slashdot Mirror


Targeted Worm Hits Kazaa's Network

sh0rtie writes: "Kaspersky Labs and the BBC are reporting that the Fasttrack network that Kazaa uses has been hit by its first targeted worm virus dubbed 'Benjamin.' Is this a clever RIAA creation or that of a mischievous virus writer? I guess we will never know, but the result is that it seems to be bringing unsuspecting users machines to a crawl with full hard drives and clogging up the Fasttrack network with massive amounts of traffic bringing more headaches for ISPs and sysadmins worldwide."

18 of 300 comments

  1. of all days.... by jeffy124 · · Score: 5, Interesting

    the day the secret Kazaa/Brilliant network came to life is the day that this worm gets let loose.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  2. Stupid Virus Writer? by Saeculorum · · Score: 5, Insightful

    From the article...

    In addition to eating up free disk space Benjamin takes additional actions: under the name of the infected computer's owner it opens an anonymous web site from which it displays advertising banners. This way Benjamin's creator profits by the resulting increase in advertising displays.

    I might be wrong, but I'd think it'd be quite easy to find where the money from the advertising banners is going to. Quite simple to find the virus writer.

    Of course, the recipient of the advertising revenue may not be the virus writer, but it's a good place to start.

    Stupid people amuse me.

  3. Next Time A Warhol Worm? by cybrpnk2 · · Score: 5, Interesting

    Some very scary research has been aimed at discovering just how fast a worm could infect the entire Internet. This is the so-called Warhol worm, so named because instead of getting 15 minutes of fame, it would only take 15 minutes to infect the entire internet. If some nut combines a Warhol worm with a Kazaa worm, we are in deep trouble.

  4. How is it activated? by Shagg · · Score: 4, Insightful

    The way I understand the article, it replicates itself in someone's share directory and waits for other Kazaa users to download it. How is it executed on the remote user's computer then? Do they have to specifically run the virus program, or is there a security hole in the Kazaa client somewhere that automatically executes the virus?

    I'm assuming users that download this file must specifically execute it. If this is true, then IMHO any person who downloads an unknown .exe from a P2P network and runs it without at least scanning it deserves what they get.

    --
    Unix is user friendly, it's just selective about who its friends are.
  5. Infected? by rkent · · Score: 5, Interesting

    Okay, so... who's infected? any slashdotters get the

    "Error:
    Access error #03A:94574: Invalid pointer operation
    File possibly corrupted."

    message yet? If so, what did you do to clean up? Neither of the 2 articles gives a very good indication of that; I guess I'd start by deleting \windows\system32\explorer.scr and \windows\temp\Sys32, and removing these registry keys:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR"

    [HKEY_LOCAL_MACHINE\Software\Microsoft]
    "syscod"="0065D7DB20008306B6A1"

    Seems like that should keep it from spreading, but that won't prevent a reinfection. Oh well; at least there's a popup notice when you get infected. that's nice.

    Looks like fasttrack users (kazaa, morpheus, AND grokster) are catching on... about 1/5 as many users on as usual for this time of day. And before you flame me as a pirate, I only trade Simpsons episodes which aren't available for sale yet :)

  6. These poor script kiddies by Henry+V+.009 · · Score: 4, Insightful

    Whenever I think of what could be achieved by a virus using a P2P system, I am all the more astounded by the limited imaginations of these puny 13-year-old hackers.

    How about using a million computers working in parallel to break a weak encryption and read some third world government's military email?

    What about creating a secondary virus that uses known windows vulnerabilities and has a mathematically reasonable replication scheme to install itself on hundreds of millions more computers, and then use that to bring down the entire internet on a given day?

    What about turning these people's P2P servers into a humungous free proxy network, defeating internet censorship attempts of evil totalitarian regimes (like China)?

    1. Re:These poor script kiddies by gad_zuki! · · Score: 4, Funny

      Those are coded so well that they don't get noticed. Your PC is probably rendering 3D storyboards for Pixar and helping Japan simulate a-bomb explosions. Thankfully, everyone blames the lag on Microsoft products.

      Occasionally the cabal writes 'press viruses' like these to keep Kaspersky busy.

  7. riaa by mosch · · Score: 4, Funny
    Is this a clever RIAA creation...
    I mean you no disrespect, but you're a fucking retard.

    "hey guys, I've got a great idea. let's make a virus that will expose ourselves to billions of dollars of liability, but will only shut down some minor piracy for a day or two, until anti-virus software makers have protection for it".

  8. Re:Clever RIAA Creation by Aexia · · Score: 4, Interesting

    Yes, quite irresponsible. After all, when has the RIAA ever done anything malicious to innocent computer users' systems?

  9. Cons-piracy theory by Kirby-meister · · Score: 4, Interesting
    A lot of people will probably put this on the RIAA/other copyright crusaders, but I see P2P networks as a huge market for propagating virii and sending people trojans.

    Large file-sharing networks like Kazaa have birthmarks in the shapes of bulls-eyes.

  10. For fear of stating the obvious... by Restil · · Score: 5, Interesting

    But if banner ads which will profit the creator of the virus are posted on every single infected computer... how hard would it be really to follow the money to find the author of the worm?

    Or was I the first one to read the article? :)

    -Restil

    --
    Play with my webcams and lights here
  11. virus? by bilbobuggins · · Score: 5, Funny
    it seems to be bringing unsuspecting users machines to a crawl with full hard drives and clogging up the Fasttrack network with massive amounts of traffic

    i had this virus once, only i named it 'roommate'.

  12. Yep, Hit me. Here's what I did. by sailor420 · · Score: 5, Informative

    Hit me the other day. Just noticed it last night, and I (think) I have it under control.

    First, look out for small downloads, specifically anything with names such as "installer" or "downloader." I don't know how I got mine, but my brother's machine got hit after he tried to d/l the newest version of Britannica. Serves him right. When I went to see what he downloaded, I saw that it was a file around 700k.

    Yes, it does spread over Kazaa lite.

    Once it is installed, it proceeds to fill up your machine with approximately 700k files, usually in windows or winnt/temp/sys32. That's where all mine were (I'm running W2K).

    However, don't go crazy yet. I downloaded the newest virus update for NAV (dated 5/17) and ran it. It picked all the downloads right up. Since they were all junk files that it had downloaded, I had it delete them all.

    So far, so good. Haven't had any recurrence since then (although this was last night, so I don't consider it enough time to truly test). Hopefully it really is this easy to clean up, but I'm sure I will quickly find out.

    Hope this helps.
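
Added example, not from the page, from Kaspersky, or from any of the commenters: a PowerShell audit/cleanup script for the indicators that rkent (comment 5) and sailor420 (comment 12) describe above. The Run value name "System-Service", the EXPLORER.SCR path, the "syscod" value under HKLM\Software\Microsoft and the temp\Sys32 directory are taken from those comments; the -Remove switch, the SHA-256 logging of the dropped binary, and the check of both \SYSTEM and \system32 are assumptions added here, and the script is written for a current PowerShell rather than the Windows 98/2000 machines in the thread.

```powershell
# Added example: audit (and optionally remove) the Benjamin indicators quoted
# in the comments above. Indicator names/paths come from the comments; the
# -Remove switch, hash logging and dual system-directory check are assumptions.
# Audit-only by default. Run from an elevated shell; supports -WhatIf/-Confirm.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$windir   = $env:WINDIR
$findings = @()

# 1. Persistence: HKLM Run value "System-Service" pointing at EXPLORER.SCR
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'System-Service' -ErrorAction SilentlyContinue
if ($runVal -and $runVal.'System-Service' -match 'EXPLORER\.SCR$') {
    $findings += "Run value System-Service = $($runVal.'System-Service')"
    if ($Remove -and $PSCmdlet.ShouldProcess($runKey, 'Remove value System-Service')) {
        Remove-ItemProperty -Path $runKey -Name 'System-Service'
    }
}

# 2. Infection marker: value "syscod" directly under HKLM\Software\Microsoft
$markerKey = 'HKLM:\Software\Microsoft'
$marker = Get-ItemProperty -Path $markerKey -Name 'syscod' -ErrorAction SilentlyContinue
if ($marker) {
    $findings += "Marker value syscod = $($marker.syscod)"
    if ($Remove -and $PSCmdlet.ShouldProcess($markerKey, 'Remove value syscod')) {
        Remove-ItemProperty -Path $markerKey -Name 'syscod'
    }
}

# 3. Dropped binary: explorer.scr in the Windows system directory.
#    The comments quote both \SYSTEM and \system32, so both are checked.
foreach ($sub in 'SYSTEM', 'system32') {
    $scr = Join-Path $windir (Join-Path $sub 'explorer.scr')
    if (Test-Path $scr) {
        # Record a hash before deleting so the sample can be matched later.
        $hash = (Get-FileHash -Path $scr -Algorithm SHA256).Hash
        $findings += "Dropped file $scr sha256=$hash"
        if ($Remove -and $PSCmdlet.ShouldProcess($scr, 'Delete file')) {
            Remove-Item -Path $scr -Force
        }
    }
}

# 4. Disk-filling payload: the Sys32 directory under temp, full of ~700 KB copies
$sysDir = Join-Path $windir 'temp\Sys32'
if (Test-Path $sysDir) {
    $files = @(Get-ChildItem -Path $sysDir -File -Recurse -ErrorAction SilentlyContinue)
    $total = 0
    if ($files.Count -gt 0) {
        $total = ($files | Measure-Object -Property Length -Sum).Sum
    }
    $findings += "Directory $sysDir holds $($files.Count) files, $([math]::Round($total / 1MB, 1)) MB"
    if ($Remove -and $PSCmdlet.ShouldProcess($sysDir, 'Delete directory')) {
        Remove-Item -Path $sysDir -Recurse -Force
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Benjamin indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
    if (-not $Remove) { Write-Output 'Audit only; re-run with -Remove to clean up.' }
}
```

Run it once without -Remove to see what it finds, then with -Remove -WhatIf to preview the deletions, and only then for real. If the dropped screensaver binary is still running, the file delete will fail until that process is ended, and removing the Run value alone only stops it coming back at the next logon; it does not, as rkent notes, stop a reinfection from the next download. A current scanner signature, as sailor420 used, remains the simpler route; this script is for the case where you want to see and record the indicators yourself.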

  13. Virus companies need the virus makers by bigmouth_strikes · · Score: 5, Interesting
    "This event once again demonstrates the necessity to filter all incoming files for viruses, regardless of how well protected this or any other network is. Before use all data should be run through a mandatory check for virus code using the latest virus database update," commented Denis Zenkin, Kaspersky Labs Head of Corporate Communications.
    Gee, I'm so grateful for Kaspersky Labs that they provide this valuable information. They only forgot to add

    "If you refer to this article, we'll give you $5 rebate off your next virus update purchase." added Zenkin with a smile.

    As much as we need the anti-virus software, the anti-virus companies need the virus makers. Without a worm or a virus that makes CNN headlines every 6 months, people will forget to buy updates, patches etc etc. The public forgets quickly, and will not buy new products from the AV companies if they don't feel a threat.

    Sure, the problem is real, but part of me can't shake the feeling that somewhere there is an anti-virus company executive ordering a new plasma HDTV when he sees this news. Or maybe it's just because X-Files ended yesterday that I'm seeing conspiracies everywhere.

    --
    Oh, I can't help quoting you because everything that you said rings true
  14. Hard to tell the worm from the software by BCoates · · Score: 5, Insightful

    Hmm, uses your drive space and bandwidth, pops up ads, modifies your system configuration without your permission...

    Looks to me like the only difference between this trojan and the programs it comes in is that one has a EULA.

    Time for virus writers to wise up and disclaim liability with an incomprehensible clickthrough like all the other writers of malicious code...

    --
    Benjamin Coates

  15. protection is easy... by sluggie · · Score: 4, Insightful

    Just filter out all files under 1 meg... it worked for me since I guess it only shows up when searching for software...

  16. Re:Overhyped? by TheLibra · · Score: 5, Informative
    Just find out where the checks are going and arrest him!

    I'm afraid it's not that easy, CmdrTaco. Firstly, you are assuming that the money is going to someone associated with the virus writer. However, from what I understand, there are three types of people who write viruses:
    1. The Attention Getter: This person wants the hype, the name, and the infamy to achieve some sort of status in the cracker or skr1pt k1dd13 community. They don't do it for the money, they just want to be 1337.
    2. The Student: They do it for the study of viruses. They do it to learn. Sometimes it is legit, such as the programmers of anti-virus software, and sometimes it is a hacker (note the distinction I use here) who wishes to understand the why and how of a particular exploit. But we can rule out this type of writer because while they are sometimes in it for the money, they never want to actually cause harm, they want to learn, and their creations are rarely unleashed.
    3. The Causehead: These people write the virus because they feel it will advance their cause. Be it governmental, corporate, or Greenpeace, they have their reasons. They also do not do it for the money.
    But take a virus that makes money, such as Benjamin. Well, who says it has to go to the virus-writer? It could very well be a script that sets up the funds to go to any account, anywhere. If the writer was a cause-head, the money could very well be going to Save The Whales or some such to benefit that cause. Or even to a totally unsuspecting list of random accounts, to take away money from the corporations that have to pay for the advertising.

    But let us assume that the money is going to the author of Benjamin for a moment. There is also unfortunately the issue of money laundering, offshore accounts, vapor operations, and rerouting of transfers that can make finding out where the money goes all but impossible if someone is clever enough to do it.

      Assuming that someone is keeping the money for themselves, there are a variety of ways that it could be done. As referenced by Carl Sifakis...

      Method 1 Typical Drug Dealer Method

      • 1) Get a million dollars (how you do this is your own business.)
      • 2) Fly to the Grand Cayman Islands and take your million with you.
      • 3) Some banks in that area sell legitimate off-the-shelf corporations. (These are shell corporations or holding companies. Some even come complete with a board of directors.) Buy one of these corporations from the bank.
      • 4) Open an account in one of those banks under the corporation's name and deposit the remainder of your money.
      • 5) Enjoy the islands, get some sun and then go home.
      • 6) When you arrive at home, "borrow" $100,000 from the corporation in the islands by wire transfer. (As sneaky as this sounds, it is totally legal.)
      • 7) Open a restaurant with a bar.
      • 8) At the end of each month, take proceeds from whatever criminal thing you've got going on the side and deposit it in the bank as the take from the bar. It is a good idea to over-report how well your restaurant/bar is doing but not to get too greedy. The Internal Revenue Service takes a dim view of a pizza parlor that purports to do several hundred thousand dollars a month in revenue. If you don't get greedy you won't get investigated. They just don't have the manpower. It is also a good idea to plow some of the proceeds into the legitimate corporation too. If the company does well on its own it can expand and offer more laundering potential.
      • 9) Your criminal money is now clean as a whistle. Pay taxes on it.

      Method 2 The Loanback Method

      • 1) A New Jersey gambler has half a million dollars in profits salted away in a numbered Swiss bank account. He buys a string of car washes (another great way to over-report potential sales) for $1 million, financing it with 50,000 grand down and $450,000 with a legitimate first mortgage.
      • 2) He "borrows" the other half million from his Swiss bank.
      • 3) Since he is borrowing his own money and repaying it as if it too is a legitimate loan that means he has interest charges. This charade allows him to pay himself the interest and deduct that same interest from his taxes, thus bringing the money back into the country.
      • 4) Once he has paid off his loan to himself he may relend it to himself.

      Method 3 The Money Broker Shuffle Problem

      Mr A is a Colombian drug lord. He has a million dollars sitting in New York badly in need of deodorization. Mr B is a legitimate Colombian businessman who wants to buy a million dollars worth of U.S. computers but his government wants 21 cents for every dollar he buys with his pesos.

      Solution: They hire a money broker who for a nominal fee will solve the problem.

      • 1) The million dollars is smurfed or smuggled overland to an account in a Mexican bank. ("Smurfing" is the process of wire transfer of money in tiny chunks of less than 10,000 dollars. This is effort intensive but necessary. Billions of dollars are wire transferred every day but only transactions larger than 10 grand are documented by banking institutions. Transactions smaller than this are fully covered under banking insurance. Thus larger transactions are carefully tracked in case something goes wrong. Law enforcement also does not possess the manpower to check all these transactions and never will. This is an every-damn-minute, 24-hour-a-day phenomenon.)
      • 2) The broker writes a check for U.S. 1 million at a correspondent bank in New York City and gives it to XYZ computers.
      • 3) XYZ computers ships Mr B. his machines from its Panamanian free zone warehouse
      • 4) Mr B gives the money broker a million dollars worth of pesos.
      • 5) Pesos become squeaky clean pocket change of Mr A. Annual loss of revenue to the Colombian government: 6-8 billion dollars.

      Method 4 The Omnibus Account Method

      Swiss banks (and others I'm sure) maintain what is known as "omnibus accounts" at American brokerage houses. This makes it easy for mafiosi to purchase American blue chip stock anonymously. Naturally, if they make a profit they pay no capital gains taxes on it because there are no records in the U.S. tying them to the stock purchases and the Swiss banks are bound by their laws not to reveal the names of their investors. This enables them not only to make money but to manipulate the market by buying large blocks of stock through the banks and then exercising their proxies, enabling them to determine who will be on the board of directors and who will be C.E.O.


      In Short, if this person has half a brain, then just "seeing where the checks are going" will not reveal the culprit.

      The Libra

      --
      Eagles may soar, but a weasel never gets sucked into a jet engine.
  17. adserver domain closed by Alan · · Score: 4, Interesting

    Hehehe, if you hit the page that the virus opens to get the author more page impressions (http://benjamin.xww.de/), you get:

    "
    Domain aufgrund von massiven Beschwerden gesperrt.
    (German: Domain blocked due to massive complaints.)
    Domain closed due to massive abuse.
    "

    Now I wonder if it was closed because someone wrote a virus, or because the virus worked so well he went over his bandwidth allocation! :)