ABSTRACT
Peer-to-peer (P2P) networks continue to be a popular means of trading content. However, very little protection is in place to ensure that the files exchanged in these networks are not malicious, making them an ideal medium for spreading malware. We instrument two different open source P2P networks, Limewire and OpenFT, to examine the prevalence of malware in P2P networks. Our results from over a month of data show that 68% of all downloadable responses in Limewire containing archives and executables contain malware. The corresponding number for OpenFT is 3%. Also, most infections are caused by a very small number of distinct malware. In particular, in Limewire the top three most prevalent malware account for 99% of all malicious responses. The corresponding number for OpenFT is 75%. We also investigate the sources of malicious responses. To our surprise, 28% of all malicious responses in Limewire come from private address ranges. In OpenFT, the top virus, which accounts for 67% of all malicious responses, is served by a single host. Further, our study provides a useful insight into filtering malware: filtering downloads based on the most commonly seen sizes of the most popular malware could block a large portion of malicious files with a very low rate of false positives. While current Limewire mechanisms detect only about 6% of malware-containing responses, our size-based filtering would detect over 99% of them.
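The size-based filter and the private-address check described in the abstract, as an added illustration that is not the paper's own code: each search response (filename, advertised size, source host) is blocked only when its name has an archive or executable extension and its size matches a size previously recorded for a prevalent malware sample, which is what keeps the false-positive rate low. The size table, the sample responses and the classification names here are constructed for the example; the paper's actual malware names and sizes are not reproduced, and the private-range test uses the RFC 1918 blocks rather than any broader definition.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example table: sizes (bytes) an operator has recorded for the
# most prevalent malware samples, mapped to a local label. These values are
# illustrative placeholders, not figures from the paper.
KNOWN_MALWARE_SIZES = {
    1_234_567: "sample-A",
    987_654: "sample-B",
}

# Mirrors the paper's scope: only archives and executables are considered, so
# a media file that happens to have a listed size is never blocked.
FILTERED_EXTENSIONS = (".exe", ".zip", ".rar", ".scr", ".com", ".bat")

# RFC 1918 ranges; a response advertising one of these as its source cannot
# be downloaded from across the Internet and is worth flagging on its own.
PRIVATE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class QueryHit:
    """One search response as a client would see it (constructed format)."""
    filename: str
    size: int
    source_ip: str


def is_private_source(ip: str) -> bool:
    """True if the advertised source address lies in an RFC 1918 block."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: not private, but also not usable
    return any(addr in net for net in PRIVATE_RANGES)


def classify(hit: QueryHit) -> dict:
    """Apply the size filter to one response and annotate its source."""
    in_scope = hit.filename.lower().endswith(FILTERED_EXTENSIONS)
    matched = KNOWN_MALWARE_SIZES.get(hit.size) if in_scope else None
    return {
        "filename": hit.filename,
        "block": matched is not None,
        "matched_sample": matched,
        "private_source": is_private_source(hit.source_ip),
    }


def filter_hits(hits):
    """Classify a batch of responses; order is preserved."""
    return [classify(h) for h in hits]


def summarize(results) -> dict:
    """Counts of the kind the paper reports: blocked responses and sources."""
    return {
        "responses": len(results),
        "blocked": sum(r["block"] for r in results),
        "blocked_from_private": sum(r["block"] and r["private_source"] for r in results),
        "private_sources": sum(r["private_source"] for r in results),
    }


# Constructed sample responses (not captured traffic).
SAMPLE_HITS = [
    QueryHit("setup.exe", 1_234_567, "192.168.1.10"),  # listed size, private source
    QueryHit("song.mp3", 1_234_567, "8.8.8.8"),        # listed size, out of scope
    QueryHit("crack.zip", 987_654, "93.184.216.34"),   # listed size, public source
    QueryHit("readme.txt", 100, "10.0.0.1"),           # unlisted size, private source
    QueryHit("tool.exe", 555, "1.1.1.1"),              # unlisted size, public source
]

if __name__ == "__main__":
    for r in filter_hits(SAMPLE_HITS):
        print(r)
    print(summarize(filter_hits(SAMPLE_HITS)))
```

The extension restriction is what makes a pure size match safe enough to act on: the second sample response has a blacklisted size but is a media file, so it passes. In practice the size table would be refreshed from a scanner such as ClamAV over recently downloaded files, since a repacked sample changes size and drops out of the table.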
Index Terms
- A study of malware in peer-to-peer networks