According to researchers and analysts from Kaspersky, 2010 is going to be a bad year for filesharing. They believe that the P2P networks used by filesharers will begin to take over from websites as the key medium for spreading malware. And P2P technologies will be at the heart of new mass malware epidemics, like the TDSS and Virut breakouts we witnessed in 2009.
These developments were at the top of Kaspersky's predictions for this year [1]. And while making predictions is notoriously fraught with dangers, these researchers are probably on a pretty safe bet.
Alongside their portents of malware mayhem, you can add other P2P-based threats which can only gain in significance this year. Chief among these is the potential for the bad guys to lift files right off your hard disk - files you didn't really mean to share.
Pirate software
Alongside unlawful music sharing, P2P networks have long been used for distributing so-called ‘warez’ - illegal copies of software, often with license cracks so that software which would normally require authentication or registration before it works can be run without it.
Anyone of a justifiably paranoid disposition would run a mile from such code. Aside from the legal implications, it seems blindingly obvious that some of this software is going to be supplied complete with malware. And so it has proved. For instance, in early 2009, a pirate version of Apple's iWork ’09 package, being freely distributed via BitTorrent, was found to contain the OSX.Trojan.iServices.A malware. On many Mac OS X systems, this was able to run automatically with root privileges. It was quickly countered with AV software updates, but if the relatively malware-resistant OS X platform can be compromised this way, imagine what mayhem is being wrought every day by Windows-using filesharers. Some estimates - probably over-pessimistic but indicative - say that as much as half of shared proprietary software is infected. Open source software, by its very nature, is rarely compromised this way.
Accidental sharing
There's also the problem of sharing files when you don't mean to. Filesharing clients are designed to allow other people to access files directly from your computer. It's important, then, that you control which files can be reached in this way. In the US, an as-yet unnamed defence worker learned this the hard way in 2009. US Navy investigators were alarmed to find confidential documents about the new Marine 1 presidential helicopter programme available via Limewire. At some point, these documents made their way to Iran [2].
Poor configuration of a filesharing client can make available more of your files than you intend, and that seems to have been the case here. Typically, the result is not high-profile espionage but simple identity theft, as criminals scour P2P networks for people who are inadvertently sharing documents containing personal information. It's possible that identity harvesting could represent an even more significant use of P2P networks than music downloads.
In one case, reported by the Washington Post in 2008, an investment firm employee was using Limewire to share music, and also shared the names, dates of birth and Social Security numbers of around 2,000 of the company's clients, including one Supreme Court judge. The leak was not discovered for six months and was eventually found not by the company but by a security researcher [3]. On 26 February 2009, the Today show broadcast a piece about the dangers of filesharing. As part of its research it unearthed more than 150,000 tax returns, 25,800 student loan applications and over 620,000 credit reports, as well as countless Social Security numbers, all on just one P2P network and all found in a short space of time.
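The two cases above come down to the same failing: a share root that contains more than the media the client was installed to exchange. The script below is an added example, not code from the article or from any filesharing client, and shows the kind of audit a user or administrator can run over a share directory before the client is allowed to expose it. It reports every non-media file and, within those, files that carry the markers of personal data the article describes (SSN-shaped values and keywords such as "date of birth"). The directory layout, file names and contents are constructed for the example; the SSN plausibility check only rejects the well-known invalid ranges and is a false-positive filter, not a validator.

```python
import re
import tempfile
from pathlib import Path

# File types a music-sharing client is expected to expose; anything else in
# the share root is reported so the owner can confirm it belongs there.
MEDIA_EXTENSIONS = {".mp3", ".flac", ".ogg", ".wav", ".mp4", ".avi", ".mkv"}

# Markers of personal data of the kind the article describes being harvested.
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
SENSITIVE_KEYWORDS = ("social security", "date of birth", "tax return", "credit report")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject the well-known invalid SSN ranges (area 000/666/900+, group 00,
    serial 0000) so that obvious placeholders do not count as hits."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def scan_file(path: Path) -> list:
    """Return the reasons a single file looks like something not meant to be shared."""
    reasons = []
    if path.suffix.lower() in MEDIA_EXTENSIONS:
        return reasons  # media is what the share exists for; contents are not inspected
    reasons.append("not a media file")
    text = path.read_text(encoding="utf-8", errors="ignore").lower()
    ssn_hits = sum(1 for m in SSN_PATTERN.finditer(text) if plausible_ssn(*m.groups()))
    if ssn_hits:
        reasons.append(f"contains {ssn_hits} SSN-like value(s)")
    for keyword in SENSITIVE_KEYWORDS:
        if keyword in text:
            reasons.append(f"mentions '{keyword}'")
    return reasons


def audit_share(root) -> dict:
    """Walk a share root and map each suspicious file (POSIX-style relative path)
    to the list of reasons it was reported."""
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = scan_file(path)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_share() -> str:
    """Create a constructed share directory resembling a mis-configured client:
    one music track plus a documents folder that should never have been shared."""
    root = Path(tempfile.mkdtemp(prefix="share-audit-"))
    (root / "music").mkdir()
    (root / "docs").mkdir()
    (root / "music" / "track01.mp3").write_bytes(b"\x00" * 64)  # harmless media stub
    (root / "docs" / "clients.csv").write_text(
        "name,date of birth,ssn\n"
        "Jane Doe,1970-01-02,123-45-6789\n"      # constructed, plausible-looking
        "John Roe,1965-05-06,456-78-9012\n"
    )
    (root / "docs" / "readme.txt").write_text(
        "Sample SSN 000-12-3456 is a placeholder only.\n"  # area 000: not counted
    )
    return str(root)


if __name__ == "__main__":
    for rel_path, why in audit_share(build_sample_share()).items():
        print(f"{rel_path}: {'; '.join(why)}")
```

The point of reporting every non-media file, not only those with recognisable personal data, is that the Marine 1 documents would not have matched an SSN pattern; the only reliable rule for a media share is that nothing else should be in it.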
Command and control
Around 2005, security researchers began debating the potential of P2P technologies for botnet control and malware distribution. But it wasn't until 2007, with the arrival of the Storm worm, that this approach grabbed everyone's attention.
Until then, botnet control was largely a centralised effort, typically using IRC channels or HTTP-based mechanisms. The Nugache botnet, which emerged in early 2006, used P2P methods. However, in the early days it was easily countered by closing TCP port 8. Nugache evolved to use random high-numbered ports, yet it still wasn't getting much attention - probably because of low volumes of activity - and in spite of some assertions that it grew to be larger than Storm, researchers David Dittrich and Sven Dietrich insist that it pretty much fell out of use [4].
Storm adapted the Overnet P2P protocol (based on the Kademlia distributed hash table algorithm as also used by eDonkey) as a way of concealing its command and control servers, which resulted in improved stealth, anonymity and resilience. It also made it much harder for researchers to estimate the size of the botnet. One analysis concluded that these benefits were bought at the price of only a marginal drop in efficiency [5].
The malicious code didn't actually share any files. Storm's P2P capabilities were used by each infected machine to find others similarly compromised. Some of these would be seeded with the information the trojan was seeking - a URL from which it would download second-stage executables. The URL itself, of course, regularly changed and the small amount of information exchanged by Storm's P2P mechanism was encrypted. This is much harder to combat than if Storm used a hard-wired URL [6].
In 2008, we saw the emergence of the Peacomm botnet, which researchers Matthew Steggink and Igor Idziejcak claim was the first to have a fully decentralised P2P structure [7]. The use of P2P protocols for both malware distribution and command and control is hard to detect using text-based or DNS-based signatures. And the decentralised nature makes it more difficult to take down a botnet built this way.
Fighting back
Filesharing itself is under attack. France has already enacted the so-called Hadopi ‘three strikes’ law intended to deter copyright thieves. Other countries are looking to follow France's lead, though some have gone to the brink and pulled back in the face of criticism over what are seen as heavy-handed tactics. In any case, even with the threat of criminal proceedings and the risk of malware infection, millions will continue to share files. Attempts to stop them may just drive the problem underground.
"One thing filesharers might do is simply to start using SSL," says Neil O'Neil, principal digital forensics investigator and ethical hacker at the Logic Group. "Current BitTorrent downloads use their own ports and unencrypted protocols, so at the firewall and proxies you can monitor traffic content and prove or stop illegal download of materials. SSL ports are generally open on all routers and firewalls and because the communication and payload is encrypted, you can't see what's in there."
In addition, we are seeing the emergence of anonymised Internet services that disguise the content of traffic and both source and destination of data. For example, ItsHidden employs VPN technology to encrypt all traffic between users and its own servers.
In attempting to crush illegal filesharing, threats of legal action may simply make it much harder to detect - and to guard against. For example, many organisations found that protecting themselves against the Storm worm was made easier by the ability to detect its P2P traffic. By emulating Overnet protocols, it used ports that security practitioners could eliminate with suitably configured firewall rules or by watching for the classic signs of P2P traffic. When Storm re-emerged in 2009, it no longer used these somewhat ‘noisy’ P2P mechanisms, having reverted to an HTTP-based approach, and malware fighters were forced to adopt different methods of combating the menace.
For the time being, the banning of filesharing clients within the corporate network, and the use of firewall rules to bar P2P traffic, will go a long way to eliminating the collateral damage of P2P applications. However, this won't address the vulnerability of files held on laptops or homeworkers' PCs used beyond the organisation's boundaries. Until that changes, your best defence in these circumstances is education about the dangers. But we all know how effective that is.
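The "classic signs of P2P traffic" that let organisations spot Storm's Overnet-style activity are visible in ordinary flow records: a single internal host holding short conversations with a large number of distinct remote addresses, with high-numbered ports on both ends rather than a well-known service port on one side. The heuristic below is an added example, not code from the article or from any product it mentions, and runs that check over constructed flow records of the kind a firewall or NetFlow export would provide. The thresholds, host addresses and traffic mix are assumptions chosen for the example; the same rule would not see the HTTP-based traffic Storm fell back to in 2009, which is exactly the limitation the article describes.

```python
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarised connection record, as a firewall log or NetFlow export gives it."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int


def is_peer_like(flow: Flow, ephemeral_min: int = 1024) -> bool:
    """Client-to-service traffic has a well-known port on one side; overlay
    (P2P) traffic usually has high-numbered ports on both sides."""
    return flow.sport >= ephemeral_min and flow.dport >= ephemeral_min


def find_p2p_suspects(flows, min_peers: int = 20) -> dict:
    """Return internal hosts that hold peer-like conversations with at least
    `min_peers` distinct remote addresses, with the statistics behind the call."""
    peer_hosts = defaultdict(set)
    peer_flows = defaultdict(int)
    total_flows = defaultdict(int)
    for f in flows:
        total_flows[f.src] += 1
        if is_peer_like(f):
            peer_hosts[f.src].add(f.dst)
            peer_flows[f.src] += 1
    suspects = {}
    for host, peers in peer_hosts.items():
        if len(peers) >= min_peers:
            suspects[host] = {
                "distinct_peers": len(peers),
                # fraction of the host's flows that look like overlay traffic
                "peer_like_share": round(peer_flows[host] / total_flows[host], 2),
            }
    return suspects


def sample_flows():
    """Constructed flow records (documentation address ranges): one host behaving
    like an overlay client, one doing ordinary HTTPS browsing to many sites, and
    one with a handful of high-port UDP flows that should stay below threshold."""
    rng = random.Random(7)
    flows = []
    for i in range(30):  # overlay-style: UDP, high ports both ends, many peers
        flows.append(Flow("10.0.0.5", f"198.51.100.{i + 1}", "udp",
                          rng.randint(1024, 65535), rng.randint(1024, 65535),
                          rng.randint(60, 400)))
    for i in range(40):  # web browsing: many destinations, but always port 443
        flows.append(Flow("10.0.0.7", f"203.0.113.{i + 1}", "tcp",
                          rng.randint(1024, 65535), 443, rng.randint(1000, 50000)))
    for i in range(5):   # a few high-port UDP flows (a call, a game) are normal
        flows.append(Flow("10.0.0.9", f"192.0.2.{i + 1}", "udp",
                          rng.randint(1024, 65535), rng.randint(1024, 65535), 200))
    return flows


if __name__ == "__main__":
    for host, stats in find_p2p_suspects(sample_flows()).items():
        print(host, stats)
```

In practice the peer count is tuned per site and combined with the blocking rules the article recommends: a host that trips the threshold from inside a network where filesharing clients are banned is worth a look regardless of which overlay it is talking to, whereas VoIP gateways and similar known high-port talkers go on an allow-list before the rule is enabled.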
References
1. http://www.kaspersky.com/news?id=207575980
2. Story broken by TV station WPXI, Pittsburgh http://www.wpxi.com/news/18818589/detail.html
3. Washington Post http://www.washingtonpost.com/wp-dyn/content/article/2008/07/08/AR2008070802997.html
4. David Dittrich and Sven Dietrich. ‘P2P as botnet command and control: a deeper insight’. In Proceedings of the 3rd International Conference On Malicious and Unwanted Software (Malware 2008). IEEE Computer Society, October 2008. http://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf
5. Davis, Neville, Fernandez, Robert and McHugh, ‘Structured Peer-to-Peer Overlay Networks: Ideal botnets command and control infrastructures?’ 2008, http://www.professeurs.polymtl.ca/jose.fernandez/BotnetC2-ESORICS-article-final.pdf
6. SecureWorks has useful information about the technical workings of Storm: http://www.secureworks.com/research/threats/view.html?threat=storm-worm
7. Matthew Steggink and Igor Idziejcak, ‘Detection of peer-to-peer botnets’, University of Amsterdam, February 2008, http://staff.science.uva.nl/~delaat/sne-2007-2008/p22/report.pdf