Senior Editor, Network World

Tricky worm triggers new P2P alarms

May 19, 2003

A dangerous worm called Fizzer that last week was discovered sneaking its way into U.S. corporate networks via the Kazaa peer-to-peer program has raised anew concerns that such file-sharing networks are risky business.

Many organizations have banned peer-to-peer applications, concerned that the programs will hog bandwidth or put companies at risk of copyright violations. But peer-to-peer programs were designed to evade detection through port-hopping and other methods, which means millions of employees still are using them on the sly – much to the delight of worm and virus writers.

“If you’re writing computer viruses, this is where you want to be these days, in [peer-to-peer],” says Bruce Hughes, content security manager at ICSA Labs, which keeps track of thousands of computer viruses and worms and tests to see if antivirus software can eradicate them.

The Windows-based Fizzer worm – which travels by way of Microsoft Outlook, AOL Instant Messenger and IRC, as well as Kazaa – was first seen early this month in Asia and Europe. It’s too early to assess damage, though experts say Fizzer is the most dangerous peer-to-peer-enabled worm to date in that it can delete certain antivirus programs and contains a backdoor to let an attacker compromise a machine and record keystrokes.

As of last Thursday, Symantec said more than 150 companies had reported being hit by Fizzer, though not necessarily via a peer-to-peer program. Fizzer appeared to be fizzling by week’s end.

“This is one of the more complicated worms we’ve seen,” says Mikko Hypponen, manager of antivirus research at antivirus firm F-Secure, which gave the worm its highest alert status. “The worm is 200K bytes of code spaghetti, containing backdoors, code droppers, attack agents, keyloggers and even a small Web server.”

That Fizzer can exploit Kazaa, which is considered the most widespread peer-to-peer freeware program with an estimated 4.5 million users, has worm watchers concerned. Peer-to-peer programs are hard to detect, so even companies that try to rid their networks of such programs and have policies against them are at risk.

Peer-to-peer “was designed by the underground community to get through the protections put out by the corporate community,” says Doug Jacobson, an Iowa State University professor and founder of Palisade Systems, maker of the PacketHound gateway for blocking peer-to-peer. He says hackers even have created peer-to-peer freeware to take over a victim’s machine.

For instance, Kazaa might use TCP Port 1714, and another peer-to-peer program, FastTrack, might use TCP Port 1214 to try to make it through the firewall. But if those ports are blocked, the peer-to-peer applications can switch to Web-based Port 80 or other open ports to traverse the Internet and the corporate network, a technique known as port-hopping.
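As an added illustration of the port-hopping problem described above (example code, not from the article or any vendor it names), the following Python applies two checks to constructed connection records: a port block list, which only catches the known ports, and a protocol-conformance check that flags a port 80 connection whose first bytes are not an HTTP request. Ports 1214 and 1714 come from the article; the log format, addresses and payloads are constructed.

```python
from dataclasses import dataclass

# Ports named in the article as ones peer-to-peer clients try first.
P2P_PORTS = {1214, 1714}
# A legitimate client on port 80 opens with an HTTP request line.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent


def parse_flow(line: str) -> Flow:
    # Constructed record format: "<src> <dst> <dport> <hex of first client bytes>"
    src, dst, dport, hexpayload = line.split()
    return Flow(src, dst, int(dport), bytes.fromhex(hexpayload))


def blocked_by_port(flow: Flow) -> bool:
    # The naive rule: deny the ports the applications are known to use.
    return flow.dport in P2P_PORTS


def protocol_mismatch(flow: Flow) -> bool:
    # Port 80 is expected to carry HTTP. A client that opens with anything
    # else is evidence of some other application hopping onto the port.
    return flow.dport == 80 and not flow.payload.startswith(HTTP_METHODS)


def classify(lines):
    """Return {(src, dst, dport): verdict} for each constructed record."""
    verdicts = {}
    for line in lines:
        f = parse_flow(line)
        if blocked_by_port(f):
            verdict = "blocked-port"
        elif protocol_mismatch(f):
            verdict = "suspect-port80"   # missed by the port rule alone
        else:
            verdict = "allowed"
        verdicts[(f.src, f.dst, f.dport)] = verdict
    return verdicts


# Constructed sample: the same client retries on port 80 after 1214 is blocked.
SAMPLE_LOG = """\
10.0.0.5 198.51.100.7 1214 474554202f20485454502f312e310d0a
10.0.0.5 198.51.100.7 80 0aff2e00c3
10.0.0.6 203.0.113.9 80 474554202f20485454502f312e310d0a
10.0.0.7 203.0.113.10 1714 0aff2e00c3"""
```

The check still works when the payload is encrypted, because ciphertext does not look like an HTTP request line either; it will not, however, distinguish one non-HTTP application from another.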

In addition, peer-to-peer applications constantly are being modified, making it hard to detect them, security experts say. Companies such as Check Point, Internet Security Systems (ISS), St. Bernard Software, Symantec and Websense are taking on the peer-to-peer challenge through products designed to delete viruses, perform intrusion detection, monitor at the gateway or lock out use of peer-to-peer at the desktop level.

Encryption is being added to some peer-to-peer programs, making them even harder to detect.

“Recently all FastTrack communication has become encrypted and has not yet been reverse-engineered,” says Jeff Horne, a researcher at ISS.

Monitoring for peer-to-peer at the gateway level is possible – Websense has a gateway appliance to do this (it also does URL and content filtering). And Check Point says the optional SmartDefense component in FireWall-1 can detect and block peer-to-peer.

But both vendors say the better way to stop peer-to-peer is to block its use on the desktop through the client software that both vendors offer for policy enforcement. These are designed to prevent unauthorized applications from running and monitor for any attempt at violation.

“That’s how we caught someone here this week trying to install Kazaa, even though it’s not allowed,” says Mark Kraynak, Check Point’s marketing manager.

“It’s easier to block at the desktop level because many of the [peer-to-peer] programs will change the ports they go out on,” says James Rhodes, network administrator at Belz Enterprises, a real estate firm in Memphis, Tenn. Rhodes uses Websense desktop software, which he says is good, but doesn’t catch every variation on peer-to-peer.

The Billings, Mont., office of the Indian Health Service of the federal Department of Health and Human Services has installed Websense software on a few hundred employees’ desktops to prevent peer-to-peer use, says Ryan Macdonald, software developer there.

“We decided to ban [peer-to-peer] applications after we found [peer-to-peer] use was at 4G bit/sec of traffic per hour for six hours on our network,” he says.

At The Weather Channel, which provides both television and Web-based weather news, peer-to-peer is considered enough of a potential problem that the organization uses a gateway, based on L7 software from Akonix, to detect and block its use.

“We’re worried more about [peer-to-peer] copyright violation than computer viruses, but we do want to prevent [peer-to-peer] until someone claims there’s a legitimate use,” says John Penrod, the news channel’s network architect. “And that hasn’t happened yet.”

Bill Wall, chief security engineer at Harris Corp., which makes policy enforcement software for desktops that it says can block peer-to-peer, sums up the issue this way: “People think [peer-to-peer] file sharing is nice and fun. But if you don’t set it up exactly right, you can expose the entire hard drive.”