KaZaA users brace for hijack (more than a million PCs could be hijacked)

Sydney Morning Herald ^ | April 30 2002 | Nathan Cochrane

[dead]

Secreted in KaZaA software is Altnet — and it’s about to be activated, warns Nathan Cochrane.

The 20 million users of KaZaA Media Desktop, the world's most popular file-swapping software, have little more than a month to decide if they want their computers hijacked.

That's the time-frame laid down last Wednesday by Sharman Networks chief executive Nikki Hemming for the activation of Altnet, an alternative network to the Internet used to create a giant virtual supercomputer.

KaZaA Media Desktop is software bought by Sharman in January that lets computer owners swap music and other digital content. Technology boffins call it filesharing or peer-to-peer (P2P) because users communicate directly with each other.

Hidden inside KaZaA, however, is Altnet - Trojan software that aims to harness the spare processing, storage and communications power of the millions of computers connected to KaZaA's FastTrack network, a concept known as "distributed computing".

The Altnet software was created by Brilliant Digital Entertainment (BDE), a California-based multimedia company founded by former Australian entertainment software entrepreneur Kevin Bermeister.

Since March at least, Altnet has been downloaded, often without users' knowledge, secreted in the KaZaA software.

It is scheduled to be activated by a signal Sharman will send to users' PCs, in the next four to five weeks.

"The world is full of unused computing power," BDE said in a disclosure to the US Securities and Exchange Commission at the beginning of the month.

"You pay for this capacity whether you use it or not. Businesses, meanwhile, buy expensive facilities at massive . . . supercomputer centres.

"Altnet seeks to bring these two groups together."

Distributed computing has searched for extraterrestrial intelligence (SETI@Home) and an understanding of living cells (Folding@Home), although with the user's explicit consent and not clandestinely downloaded through a third-party software program.

But the prospect that more than a million PCs could be hijacked en masse chills information security specialists.

"Any attacker who can control 100,000 machines is a major force on the Internet, while someone with a million or more is currently unstoppable," Berkeley University computer science academic Nicholas Weaver wrote this month.

"As for Brilliant Digital, their horribly flawed business plan shows a grave misunderstanding of security. Since their proposed business can't possibly work, they should both protect themselves from legal liability . . . by producing a program on their update server which removes all traces of their trojan."

Australian distributed-computing researcher Rajkumar Buyya is optimistic that a successful deployment of Altnet will spur further development.

"It is wonderful to know that the industry is moving towards invisible distributed computing," Buyya says.

"(But) I have concern about their security protocols for activating the client and running programs that utilise idle resources . . . If someone finds out that, anybody can request your machine to do what they want, which is scary."

KaZaA, like the infamous file-swapping software before it, Napster, has been vilified by the recording industry for allegedly aiding and abetting theft.

Last September the chief of the Recording Industry Association of America (RIAA), Hilary Rosen, called for crisis talks with the heads of a dozen media groups to head off the "overwhelming volume" of piracy on the P2P networks.

Sharman's Nikki Hemming says she will schedule talks with Rosen soon. In the meantime, Hemming is eroding Rosen's support base by talking directly to artists' groups instead of publishers.

KaZaA, more wily than its file-swapping brethren, hired a Washington lobbyist, lawyer Phil Corwin, who previously represented the American Bankers' Association.

He is hawking the Intellectual Property Use Fee, an Internet tax, to be levied by ISPs on their customers.

"A similar levy . . . applied to a much broader base of parties, could provide a significant new revenue stream to copyright owners to compensate them for the inevitable 'leakage' (theft) resulting from Internet distribution," Corwin said in an April 8 submission to a US House judiciary committee on digital copyright.

That revenue would amount to $US2 billion a year in the US if a $US1 tax was charged on top of access fees, Corwin said.

"Every party from hardware manufacturers to ISPs to publishers of ripping software would pay a royalty . . . and provide a royalty stream to compensate (music artists)," Hemming said last week.

"At the end of the day we totally believe that artists, creators and those who represent them should be rightfully rewarded for creation of content."

Hemming said she was pursuing the authors, users and sponsors of KaZaA Lite, software that removes Altnet and other hidden software in the branded KaZaA software.

"There's a lot of concern in the market around these scam sites because they release ripped-off unstable code and it puts users at risk," she said.

[Poohbah]

Ah, the joys of trojanware!

[Huck]

I use Grokster. It's decent. About 500,000 users at any given time.

[dead]

I use Morpheus, but I think that might be the same thing as Kazaa. I also have Kazaa on my desktop, but not for long.

[Johnny Gage]

I stopped using Morpheus because their new "preview edition" sucks crap, and I could never get anything to download.

I found another one called "Bear Share" that is easier to use and appears more user friendly than Morpheus/Kazaa.

I think I'll look at Grokster too.. I've heard from others that use that one.

[Krafty123]

I used to use Morpheus too... For music, I find winmx works best... Also check out KazaaLite - KMD with all the spyware stuff stripped out.

Ari

[proxy_user]

NAT is the answer. Broadband users, learn how to configure your router. Just because you have an app listening on a port on a PC on your intranet doesn't mean you have to let outsiders connect. Get a hardware firewall and use it!

[JenB]

Did you guys get all traces of this system off your PCs? Even the hidden files?

[AdA$tra]

When all the traffic generated by this "Distributed computing" hits my part of the Internet world, my cable connection is going to look like a dial-up connection. I have Kazaa on an old p133 in the basement. A few months ago I needed some old file off of it. I shared my C: drive for about 15 minutes. In that time 5 different intruders traveling via Kazaa planted various trojan files on my old PC. The trick is to not share the C:\Windows directory, of which I was aware at the time, but underestimated the amount of damage that could be inflicted in 15 minutes.

[Penny1]

I couldn't find the hidden files that Cnet said I should look for...which makes me very nervous.

[IoCaster]

Ad Aware <---latest version

This will remove all the trojan/spyware.

[AdA$tra]

I brought home an extra SonicWall firewall appliance from work. I recomend the Linksys router to my friends/clients as it is less than $100.00 on the web and has a built in 10/100 auto-sensing 4 port switch included. Both of these allow for easy setup of NAT between your perimeter and secure or un-routable side of your home network.

[MarkL]

NAT is the answer. Broadband users, learn how to configure your router. Just because you have an app listening on a port on a PC on your intranet doesn't mean you have to let outsiders connect. Get a hardware firewall and use it!

Sorry, but you're wrong... A trojan works like the "Trojan Horse." Once it's inside your NAT router, it connects to the outside from within your network. The only way to block it is by knowing what port the trojan will use, and then blocking that port at the router. Most people who will buy a HW firewall (i.e. not businesses) will use the plug and play features, never really configuring the device.

Mark

[Benson_Carter]

check out Kazaa Lite but be sure to download LavaSoft's AdWare first, which will remove all trojans/adware/spyware on your computer.

Also, who wants to talk about this new "tax" they talk about? This is brought to you by our friends at the RIAA, those evil bastard... more backdoor legislation, just like the inflated price of blank video/audio cassettes due to the hidden tax that goes to combat the MPAA/RIAA 'a "losses" from piracy.

Speaking of all this horsecrap, check out this LONG but WORTHWHILE read, FRANK'S NIGHTMARE, which is transcript of the infamous U.S. Senate, Committee on Commerce, Science and Transportation hearing from THURSDAY, SEPTEMBER 19, 1985. Yes, the same hearing brought forward by our friends Al and Tipper Gore!

this makes me so mad I can hardly type.

TAR AND FEATHER ALL CONGRESSIONAL LOBBYISTS NOW!!!

[Principled]

Thanks for the link, IoCaster.

Good bye Morpheus.

[HairOfTheDog]

They are there Penny - I found them and uninstalled them...

Here are the instructions from C/Net for removing them: Link: How to uninstall Brilliant Digital's software

By John Borland
Staff Writer, CNET News.com
April 3, 2002, 4:10 PM PT

Brilliant Digital Entertainment quietly installs its own software with every copy of the Kazaa file-swapping software. The Brilliant Digital software, which is being progressively distributed over the next few weeks, can later be remotely "turned on" to become part of a new network.

Executives from Brilliant Digital and Kazaa's parent company say people can uninstall the Brilliant Digital or Altnet software from their computers without interfering with the Kazaa program itself. This is true, but it's not an easy process.

These three steps will remove most traces of the Brilliant Digital software from most machines. CNET News.com did it using a computer running Windows 2000, but the same process should work for other Windows operating systems. Please be aware, however, that these instructions represent just one uninstall method and may not be suitable for all machines and software configurations.

CNET Networks assumes no liability in publishing these instructions, which people may choose to follow at their own risk. As always, it's a good idea to make a backup of any critical files before proceeding.

1. In the Windows Control Panel, select an option called "Add/Remove Programs." One of the options will be "b3d Projector." Highlight this and click the "Change/Remove" button.

You may get a message that the uninstall has been successful. Search your computer for a "BDE" folder, which most likely will be found in the "WinNT" or "Windows" directory. In this folder will be a file called "bdeclean.exe". Run this to finish the first part of the process. Delete the BDE folder.

Caution: An unrelated piece of software called Borland Database Engine also creates a BDE directory. If you think you may have this software installed, or if there is any confusion whatsoever, do not delete this directory.

2. In the "Temp" directory (this will normally be found inside the "Windows" or "WinNT" directory) is a folder called "Brilliant." This contains many files. Delete the entire folder.

3. After performing steps 1 and 2, you will need to locate and remove some additional Brilliant Digital files that have been placed in critical system-level computer directories. CAUTION: Deleting the wrong files could interfere with the normal functioning of your computer. These files will most likely be in the "WindowsSystem" or "WinNTSystem32" folder:

bdedownloader.dll
bdedata2.dll
bdefdi.dll
bdeinsta2.dll
bdeinstall.exe
bdesecureinstall.cab
bdesecureinstall.exe
bdeverify.exe
bdeverify.dll

Delete these files.

[JenB]

Thank you!!!

I just installed and ran that program, thinking there wouldn't be anything.... guess what? There were 35 gator files sitting on my computer. I have NO idea how they get there as I NEVER download shareware or click pop up ads or anything. This program is getting run twice a week from now on!

[Dick Vomer]

If I have Kazaa and have removed the files that were mentioned do I have a problem? Also how will I know if my computer is "hijacked"?

[MarkL]

I couldn't find the hidden files that Cnet said I should look for...which makes me very nervous.

Are you using Windows2000? There's an undocumented registry setting known as "super hidden," which will hide files from Explorer, even if you tell the system to show them. The only way to see them is by opening a command prompt and using DIR FILENAME /S /A /P . This was an exploit used by a number of the Nimda variants to really screw with me!

Here are a few links:

1

2

Mark

[HairOfTheDog]

Another thing to consider Penny, if you still don't find them after following the steps again. - hadn't you had Kazaa on your machine for awhile before our recent escapade? - I think these BDE files are a fairly recent addition that you may have lucked out on, - just a theory.