Re: Infecting the KaZaA network? (moving here thread from 'traq)

["Raistlin" <raistlin () gioco net>]

On advice of bugtraq moderator I'm moving my reply here. The thread is
basically dealing with the possibility of infecting with a virus the
distribution of kazaa client since it's shared. I will quote the whole
original message since some of you may not receive 'traq:

From: "GertJan de Leeuw" <dataholic () punkass com>

> I had the same thought about this subject a long time
> ago, but I discovered there are 2 major problems why
> a attacker cannot successfully infect the distribution
> of a new kazaa client:
>
> 1.The installation MUST have the same size as the
> orginal distribution package, since kazaa will look on
> its network for the filename with the exact filesize (for
> multiple downloads at one time from different clients)
> Because you need to 'inject' your evil code the
> filesize will be bigger. Ofcourse you could pack it with
> a pe packer like upx and add bytes till the exact
> filesize is there , but then we have problem 2:
>
> 2.As we all know, KazaA downloads from multiple
> users, so IF you have success with step 1, you will
> fail at this point, because you will have an invalid exe
> (a evil version merged with the orginal distro).

There's a third major problem:

3) Kazaa uses MD5 to check that files are identical when starting a multiple
download and/or looking for "alternate sources" for a given file (this is
explained on their site). In fact if you just change a letter in the ID3 of
an MP3 file, it will not be listed as a "copy", even if otherwise identical.
You can, instead, alter the filename without risk.


Stefano "Raistlin" Zanero
System Administrator Gioco.Net
public PGP key block at http://gioco.net/pgpkeys