Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Infecting the KaZaA network? (unlikely)
From: Adam Lydick <awlydick () bulldog unca edu>
Date: 06 Feb 2002 20:12:18 -0500

The simple solution to that, and what they probably do: is provide the
MD5 sum of the latest binary from a central location. This is
conciderably less costly to distribute then the entire binary, and
unless someone comes up with a trojan'ed version with the same hash
(rather unlikely) it is perfectly safe to download it from anywhere.

Another solution that they might employ is a digital signature. The
first version that you download comes from a trusted source and contains
KaZaA's public key. They could then sign any binaries that they release
with their private key. When you download the updates from an untrusted
source, it is simply a matter of verifying the signature is from KaZaA.

It seems rather unlikely that you could infect the network in this way,
or it would have already happened through normal vectors (people with
virii on their machines. But you could probably verify this behavior, by
modifying a few bits in an upgrade and seeing if it will still work...
Depending on where they place the authentication code, if any.

Many projects face a similar problem with their mirror sites and many of
them provide md5 sums for their files so that you can verify it is

Adam Lydick

On Wed, 2002-02-06 at 15:10, Andrew McClymont wrote:
I just found out a folder named "My shared folder" under the KaZaA
installation folder.

Inside "My shared folder" there were various KaZaA installshield
packages (exe files).

Now, the people at FastTrack promotes their engine as a distributed way
to send files to end users. This is seen whe you download KaZaA, you get
a little exe (500 k) that downloads the full KaZaA client from one of
its users, I would guess, from the "My shared folder".

What happens if I infect the files under "My shared folder" with a virii
or some trojan, every user that gets their KaZaA client from my computer
gets screwed, right?  And then, the victim himself will be sharing the
KaZaA client infected to new victims.

Just wondering... Have a nice day!!
-Andrew McClymont

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]