Extreme File Sharing

Spent a few hours over the weekend poking around Limewire, an online peer-to-peer file-sharing network where an estimated 2 million users share and swap MP3 files, movies, software titles and just about anything and everything else made up of ones and zeroes (including quite a few virus-infected files).

I was sifting the lists not for music or movie files, but for the stuff Limewire users may not know they're sharing with the rest of the network. I quickly found what I was looking for, and then some: dozens of entries for tax and payroll records, medical records, bank statements, and what appeared to be company books.

A search for "cookies" or "paypal," for example, turned up cookie files for a number of financial institutions. Having cookie files exposed might be a little less dangerous if you couldn't also click your way through every shared file on a user's machine. For the most part I found that users who shared sensitive information were also sharing the contents of their entire hard drives.

Some users were sharing many megabytes' worth of e-mails and addresses from their Microsoft Outlook inboxes and archives. But perhaps most revealing was a search for "keylog.txt," which turned up several huge text files no doubt generated by a keystroke logger -- a nasty bit of malware that records everything a victim types and relays the data back to the attacker.

At first, I felt a little weird looking at records of one apparent victim's private (and frequently explicit) online chat conversations from just a few months back. But I wanted to find some contact information in there so I could at least notify this person that their system had been compromised. I found an AIM instant message ID -- but alas, that screen name wasn't signed on. I even found what appeared to be the victim's cell phone number, but got a fast-busy signal upon dialing it.

As I read on, however, it became clear that the victim at some point realized his machine was infected with some sort of virus, as evidenced by his IM complaints to a friend that his antivirus software had alerted him to something evil on his machine.

Over the course of several days (the first 10 or so pages of the keylog record) it appears that the victim tried to repel whatever had invaded his computer. Apparently he failed, because not long after he seems to have stopped searching (or at least stopped complaining about it) -- even though the keylogger was clearly still doing its job.

My guess is that this guy ran an antivirus or anti-spyware scan which found and deleted something, so he figured everything was back to normal.

This reminds me of a concept that security professionals understand all too well: When a computer system is compromised by a virus or worm, the only way to truly clean it is to back up the data and reinstall the operating system, including any software patches issued since the computer was purchased. This can be a bitter pill to swallow for home users, many of whom have trouble understanding why someone would go through the trouble of trying to hack their system in the first place.

None of this is to say that antivirus tools and other security applications can't remove these intrusive programs on their own; often they do the job quite nicely. But many of today's more aggressive threats are designed to open the door for other intruders, which might not be so easily detected by security software.

Obviously, the lessons here are: If you're going to use file-sharing networks, be extremely careful about what you download; and, pay close attention to the files and folders you are letting the rest of the world see.

By Brian Krebs  |  October 17, 2005; 3:40 PM ET
Categories:  Latest Warnings  
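
An added example, not part of the original post: a Python check to run over a folder before designating it as a P2P share, flagging the kinds of files the post found exposed and warning when the share is a whole drive or home directory. The glob patterns, function names and the sample tree are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# File types named in the post; the exact glob patterns are assumptions.
SENSITIVE_PATTERNS = {
    "keylogger output": ["*keylog*.txt"],
    "browser cookies": ["*cookie*"],
    "Outlook mail store": ["*.pst", "*.ost", "*.dbx"],
    "financial records": ["*tax*", "*payroll*", "*statement*", "*paypal*"],
}

def is_overbroad(share_root):
    """True when the share is a drive/filesystem root or the user's home directory."""
    root = Path(share_root).resolve()
    return root == Path(root.anchor) or root == Path.home().resolve()

def audit_share(share_root):
    """Walk everything a peer could browse under share_root.

    Returns sorted (relative path, reason) pairs, first matching category only.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(share_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), share_root)
            rel = rel.replace(os.sep, "/")
            for reason, globs in SENSITIVE_PATTERNS.items():
                # Match case-insensitively against the whole relative path.
                if any(fnmatch.fnmatchcase(rel.lower(), g) for g in globs):
                    findings.append((rel, reason))
                    break
    return sorted(findings)

def build_sample_share(base):
    """Create a constructed sample tree resembling an over-shared profile."""
    for rel in ["Music/song.mp3", "Documents/2004_tax_return.pdf",
                "Documents/keylog.txt", "AppData/Outlook/archive.pst",
                "AppData/Cookies/user@paypal[1].txt"]:
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        share = build_sample_share(tmp)
        print("over-broad share:", is_overbroad(share))
        for rel, reason in audit_share(share):
            print(f"{reason:20} {rel}")
```

Point `audit_share` at the folder configured as the share in the file-sharing client; an empty result only means none of these patterns matched, not that the folder is safe to publish.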

Comments

My friends and I have been using a software program called PiXPO by How2Share. It is very secure and safe. I only share with people I know and you get to preview the files.

Posted by: Alexander Denman | October 18, 2005 11:08 AM | Report abuse

Alexander: Look into WASTE sometime; it's also a good program for private sharing of files.

Posted by: Ravi | October 18, 2005 11:43 AM | Report abuse

Could you please suggest a few reasons why these P2P users have unknowingly allowed the contents of their machines to be available to other users on the network?

Typically, file-sharing applications share only one designated folder by default. Is it a malware application or a hack that allows one to search through the contents of another user's hard drive, or is it a setting in the program that one should never enable: namely, "share the entire contents of my hard drive"?

I'm curious to know, because I use LimeWire and find it a fun program to test new media, but would be willing to take all possible precautions to ensure that I'm not putting my saved AIM chats, emails, documents, and cookies out for the world to see.

Posted by: Dan | October 18, 2005 12:23 PM | Report abuse

An obvious solution would be to use VMWare to host such sessions.

Posted by: JB Fields | October 18, 2005 2:41 PM | Report abuse

I could not run Limewire if I tried, because I am signed on as a "Power User" and not an Administrator. I sign on as Administrator ONLY when changing system settings, such as disabling ALL file sharing, and the parts of Windows XP which make file sharing possible.

I suspect that when a user decides to run Limewire or other file sharing software they also implicitly decide to leave numerous insecure Windows services running to support that function. And that it is the weaknesses inherent in those Windows services that result in the leakage of what should be secure private information onto the internet.

Enough services have been set to manual start or disabled that right now the machine is running 11 Windows processes (including Taskmanager, 2 copies of svchost, and the system idle process).
Of course, both NetBios support and all file sharing are disabled. Many services normally started automatically are set to Manual start, etc.

(Four security related processes, and 6 application processes including the web browser, mail client and IP telephony are also running. Total processes = 21)

Posted by: Jim Pivonka | October 18, 2005 5:51 PM | Report abuse

I run and regularly update McAfee Virus Scan, SpywareBlaster, Spybot - Search & Destroy, and Microsoft's AntiSpyware Beta 1. Also I keep a firewall active and download and install all Microsoft patches when they become available. My system keeps pretty clean from malware most of the time. It just takes a little effort and time to run scans from time to time.

Posted by: James S. Jr | October 18, 2005 9:58 PM | Report abuse

An article that has really helped me was The Complete Guide To Spotting Computer Spies & Recording Devices by Elizabeth Ward. I found it on www.goarticles.com

Posted by: Sandra Collins | October 19, 2005 7:23 AM | Report abuse

The best software I've found for detecting keyloggers is a product called spycop www.spycop.com

Posted by: Jim Reyboth | October 19, 2005 7:25 AM | Report abuse

I'm intrigued by Jim's comment below about only having 11 Windows services running. Is there a good source for determining what services can be turned off or set to manual start and which ones would affect normal system operation? I've gone through and disabled a couple of services I know are safe but there's an awful lot of stuff running on my PC I don't know what it does despite my best efforts to learn.

Posted by: Rob | October 19, 2005 12:47 PM | Report abuse

If you're not familiar with file sharing, or if you do not read the install directions of P2P file sharing, I would advise you not to share know files. I've been using BearShare for a while, and occasionally my virus software will detect a file that has a virus, so I won't open it; I just get rid of it. You have to have updated virus protection available if you want to file share.

Posted by: uglime2 | October 20, 2005 3:52 PM | Report abuse

UGLIME2:
You, Mr Kevin Watson of Philadelphia, owe me money on that FAKE check you passed!

I have the check and will be coming to Philly if needed.

Mr. Watson writes checks from bank accounts which do not exist.

Mr. Fetter

Posted by: George Fetter | November 14, 2005 6:55 PM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company