Kazaa Delivers More Than Tunes 

By Kim Zetter

Story location: Wired

Some code was designed to infect every file in a computer user's Kazaa download directory with a virus. Other code would steal the user's AOL Instant Messenger password or install a program on their computer to allow the attacker to surreptitiously send spam through it or otherwise take over the machine remotely to steal personal data and files on the computer.

Hughes said the code he found in shared files got there in one of three ways: The person hosting the shared file embedded the malicious code in a file on purpose; the code was a peer-to-peer worm designed to scour the network and drop itself into download directories; or, in the case of some viruses, once the user downloaded an infected file, the malicious code automatically infected other files in the user's file-share directory so that the user inadvertently infected the computers of other users who downloaded those files.

Some 3 million users are logged onto Kazaa at any one time. Hughes said this has made the file-sharing network increasingly attractive as a channel for distributing malware.

According to the Wild List, a list that tracks viruses and worms that are currently in circulation, the number of types of viruses circulating through Kazaa increased 133 percent in 2003. In January, the list recorded nine different viruses passing through Kazaa; at the end of the year the number was up to 21.

Hughes used such keywords as "Britney Spears," "Microsoft XP," "nude" and "porn" to choose the files he downloaded on Kazaa, focusing on some of the common files that users might share and the most popular keywords placed in search engines. He looked only at executable files -- program files that launch when a user double-clicks on them and that usually end with .exe extensions in the file name. These are the types of files that most often contain malicious code.

He said a lot of the malicious code he found was embedded in program files that are designed to bypass or break copyright protections placed on software files like Microsoft Office to allow users to share pirated copies of the software.

So far, however, music, picture and movie files have not been infected with malicious code, because they aren't executables, Hughes said. You can't run them simply by clicking on them. You need to open them through another program, such as a multi-media program like Real Player.

Hughes said an attacker could trick a user into thinking a malicious file is a music or movie file by changing the name of the file extension to .wav (for music) or .jpg (for images). He also said that it is possible for someone to eventually find a way to infect movie and music files, but no one has discovered a vulnerability in these files yet.

"It's one of the things that we worry about, though," said Hughes.

Hughes said that this year there will likely be a significant surge in the amount of malware that is intentionally posted and unknowingly shared on peer-to-peer file sharing networks.

Hughes said that 80 to 95 percent of the malicious code on Kazaa can be detected with anti-virus software, depending on the detection program. But he said that people often don't update their software with current virus definitions.

They can also be infected if the malicious code is new and not yet detected. And some malicious code is designed to shut down anti-virus programs and firewalls if it does get past the detection programs.

"Organizations need to warn their employees about file-sharing applications and the danger they pose to them at work and at home," Hughes advised. "Anti-virus is one way to stop the stuff from happening, but you also need policies in place to make sure employees aren't using dangerous software like Kazaa."

He also said that parents should watch what their kids are downloading and make sure they have updated anti-virus programs on their computer.

"You'll really need to be careful what you're doing," he said.