Vulnerability Development mailing list archives
Re: Infecting the KaZaA network? (moving here thread from 'traq)
From: "Raistlin" <raistlin () gioco net>
Date: Fri, 8 Feb 2002 23:13:11 +0100
On advice of the bugtraq moderator I'm moving my reply here. The thread is basically dealing with the possibility of infecting with a virus the distribution of the kazaa client, since it's shared. I will quote the whole original message since some of you may not receive 'traq:

From: "GertJan de Leeuw" <dataholic () punkass com>
I had the same thought about this subject a long time ago, but I discovered there are 2 major problems why an attacker cannot successfully infect the distribution of a new kazaa client:

1. The installation MUST have the same size as the original distribution package, since kazaa will look on its network for the filename with the exact filesize (for multiple downloads at one time from different clients). Because you need to 'inject' your evil code the filesize will be bigger. Of course you could pack it with a pe packer like upx and add bytes till the exact filesize is there, but then we have problem 2:

2. As we all know, KazaA downloads from multiple users, so IF you have success with step 1, you will fail at this point, because you will have an invalid exe (an evil version merged with the original distro).
There's a third major problem:

3) Kazaa uses MD5 to check that files are identical when starting a multiple download and/or looking for "alternate sources" for a given file (this is explained on their site). In fact if you just change a letter in the ID3 of an MP3 file, it will not be listed as a "copy", even if otherwise identical. You can, instead, alter the filename without risk.

Stefano "Raistlin" Zanero
System Administrator Gioco.Net
public PGP key block at http://gioco.net/pgpkeys
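Added example, not part of the original message and not KaZaA code: a sketch of the content-digest matching the three points above describe, showing that a renamed copy joins the same source group while a same-size altered copy does not, and that a file assembled from mixed sources fails verification. It assumes a whole-file MD5 digest as the message states; the peer names, filenames, byte strings and function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def digest(data, algo="md5"):
    # MD5 mirrors the message; a new design would pass algo="sha256".
    return hashlib.new(algo, data).hexdigest()

def group_sources(offers, algo="md5"):
    """Group peer offers by (size, content digest); the filename is ignored."""
    groups = defaultdict(list)
    for peer, name, data in offers:
        groups[(len(data), digest(data, algo))].append((peer, name))
    return dict(groups)

def fetch_striped(sources, chunk_size):
    """Simulate a multi-source download: chunk i is read from sources[i % n]."""
    out = bytearray()
    for i, off in enumerate(range(0, len(sources[0]), chunk_size)):
        out += sources[i % len(sources)][off:off + chunk_size]
    return bytes(out)

def verify(data, expected, algo="md5"):
    """Accept the assembled file only if its digest matches the advertised one."""
    return digest(data, algo) == expected

# Constructed sample data (hypothetical peers and filenames).
ORIGINAL = bytes(range(256)) * 16                           # 4096-byte "installer"
TAMPERED = ORIGINAL[:500] + b"\xcc" * 24 + ORIGINAL[524:]   # same size, altered bytes
OFFERS = [
    ("peerA", "setup.exe", ORIGINAL),
    ("peerB", "renamed_setup.exe", ORIGINAL),   # renamed copy, same content
    ("peerC", "setup.exe", TAMPERED),           # same name and size, other content
]

def demo():
    groups = group_sources(OFFERS)
    want = digest(ORIGINAL)
    clean = fetch_striped([ORIGINAL, ORIGINAL], 512)   # peers from one digest group
    mixed = fetch_striped([ORIGINAL, TAMPERED], 512)   # name+size matching only
    return groups, verify(clean, want), verify(mixed, want), mixed

if __name__ == "__main__":
    groups, clean_ok, mixed_ok, _ = demo()
    for (size, md5), peers in groups.items():
        print(size, md5, peers)
    print("clean download verifies:", clean_ok)
    print("mixed download verifies:", mixed_ok)
```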