Malware prevalence in the KaZaA file-sharing network.

ABSTRACTIn recent years, more than 200 viruses have been reported to use a peer-to-peer (P2P) file-sharing network as a propagation vector. Disguised as files that are frequently exchanged over P2P networks, these malicious programs infect the user's host if downloaded and opened, leaving their copies in the user's sharing folder for further propagation. Using a light-weight crawler built for the KaZaA file-sharing network, we study the prevalence of malware in this popular P2P network, the malware's propagation behavior in the P2P network environment and the characteristics of infected hosts. We gathered information about more than 500,000 files returned by the KaZaA network in response to 24 common query strings. With 364 signatures of known malicious programs, we found that over 15% of the crawled files were infected by 52 different viruses. Many of the malicious programs that we find active in the KaZaA P2P network open a backdoor through which an attacker can remotely control the compromised machine, send spam, or steal a user's confidential information. The assertion that these hosts were used to send spam was supported by the fact that over 70% of infected hosts were listed on DNS-based spam black-lists. Our measurement method is efficient: it enables us to investigate more than 30,000 files in an hour, identifying infected hosts without directly accessing their file system.