Securing IM and P2P Applications for the Enterprise

Register for Free Membership to solutions@syngress.com

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder's Configuring ISA Server 2004, Brian Caswell and Jay Beale's Snort 2.1 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez's Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique solutions@syngress.com program. Through this site, we've been able to provide readers a real-time extension to the printed book.

As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program. Once you have registered, you will enjoy several benefits, including:

  ■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.

  ■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job.

  ■ A "From the Author" Forum that allows the authors of this book to post timely updates and links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.

Securing IM and P2P Applications for the Enterprise

Paul L. Piccard
Brian Baskin
Craig Edwards
George Spillman

Technical Editor: Marcus H. Sachs

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.


PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Securing IM and P2P Applications for the Enterprise

Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Printed in Canada. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in Canada
1 2 3 4 5 6 7 8 9 0

ISBN: 1-59749-017-2

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Jaime Quigley
Copy Editor: Amy Thomson
Technical Editor: Marcus H. Sachs
Indexer: Richard Carlson
Cover Designer: Michael Kavish

Distributed by O'Reilly Media, Inc. in the United States and Canada. For information on rights, translations, and bulk purchases, contact Matt Pedersen, Director of Worldwide Sales and Licensing, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O'Reilly Media, Inc. The enthusiasm and work ethic at O'Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, Karen Montgomery, John Chodacki, and Rob Bullington.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Chris Hossack, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, and Siti Zuraidah Ahmad of STP Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O'Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Lead Author

Paul L. Piccard serves as Director of Threat Research for Webroot, where he focuses on research and development, and providing early identification, warning, and response services to Webroot customers. Prior to joining Webroot, Piccard was manager of Internet Security Systems' Global Threat Operations Center. This state-of-the-art detection and analysis facility maintains a constant global view of Internet threats and is responsible for tracking and analyzing hackers, malicious Internet activity, and global Internet security threats on four continents.

His career includes management positions at VistaScape Security Systems, Lehman Brothers, and Coopers & Lybrand. Piccard was researcher and author of the quarterly Internet Risk Impact Summary (IRIS) report. He holds a Bachelor of Arts from Fordham University in New York.

Technical Editor

Marcus H. Sachs, P.E., is SRI International's Deputy Director of the Department of Homeland Security's Cyber Security Research and Development Center, a portfolio of several dozen cyber security R&D projects managed by DHS and supported by SRI. Marc also volunteers as the director of the SANS Internet Storm Center and is a cyberspace security researcher, writer, and instructor for the SANS Institute. After retiring from the US Army in 2001 following a 20-year career as a Corps of Engineers officer, Marc was appointed by President George W. Bush to serve on the staff of the National Security Council as part of the White House Office of Cyberspace Security from 2002 to 2003.

Marc has contributed to the Syngress titles IT Ethics Handbook, Cyber Adversary Characterization, and Zero-Day Exploits.

Marc holds a Master of Science in Computer Science with a concentration in Information Security from James Madison University, a Master of Science in Science and Technology Commercialization from the University of Texas, and a Bachelor of Civil Engineering from the Georgia Institute of Technology. He is a graduate of the Army's Command and General Staff College, the Army Engineer School, the Army Signal School, and the Army's Airborne and Air Assault schools. Marc holds an advanced class amateur radio license, is a registered Professional Engineer in the Commonwealth of Virginia, and is a life member of the Signal Corps Regimental Association and the Armed Forces Communications and Electronics Association. A native of Tallahassee, Florida, he currently lives in Virginia with his wife and children.

Contributing Authors

Brian Baskin (MCP, CTT+) is a researcher and developer for Computer Sciences Corporation, on contract to the Defense Cyber Crime Center's (DC3) Computer Investigations Training Program (DCITP). Here, he researches, develops, and instructs computer forensic courses for members of the military and law enforcement. Brian currently specializes in Linux/Solaris intrusion investigations, as well as investigations of various network applications. He has designed and implemented networks to be used in scenarios, and has also exercised penetration testing procedures.

Brian has been instructing courses for six years, including presentations at the annual DoD Cyber Crime Conference. He is an avid amateur programmer in many languages, beginning when his father purchased QuickC for him when he was 11, and has geared much of his life around the implementations of technology. He has also been an avid Linux user since 1994, and enjoys a relaxing terminal screen whenever he can. He has worked in networking environments for over 10 years, from small Novell networks to large, mission-critical, Windows-based networks.

Brian lives in the Baltimore, MD area with his lovely wife and son. He is also the founder, and president, of the Lightning Owners of Maryland car club. Brian is a motor sports enthusiast and spends much of his time building and racing his vehicles. He attributes a great deal of his success to his parents, who relinquished their household 80286 PC to him at a young age, and allowed him the freedom to explore technology.

George Spillman is a Director for Acadine Informatics, president of the computer consulting group PixelBlip Digital Services, and one of the principals behind ToorCon, the highly respected computer security conference that draws in and educates some of the best hackers and security experts from around the globe. As such, he travels well in hacker circles and takes great pleasure in poking and prodding the deep dark underbelly of the Internet. George is a frequent guest on television news programs for his expertise and his ability to communicate complex computer security and identity theft issues to non-technical audiences. His consulting clients include representatives from both the Fortune 100 and the Fortune 100,000,000. In the past he has been lured away from consulting by large wheelbarrows of stock options to serve as Director of IT for an international pharmaceutical R&D company, and would most likely do that again if the wheelbarrow was included to sweeten the deal. George was a reviewer for the Syngress book Phishing Exposed (ISBN: 159749030X).

  Contents

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

  

Part I Instant Messaging Applications . . . . . . . . . . . . . . . 1

Chapter 1 Introduction to Instant Messaging. . . . . . . . . 3 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Major Instant Messaging Services . . . . . . . . . . . . . . . . . . . . .6 Instant Messaging Popularity . . . . . . . . . . . . . . . . . . . . . . . . .7 Common Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 Third-Party Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10 Common Security Issues . . . . . . . . . . . . . . . . . . . . . . . . . . .11 Social Engineering and Identity Theft . . . . . . . . . . . . . .12 File Transfers and Messages Spread Malicious Software . .12 Worms and File TransferCircumvent Gateway Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13 IP Address of Workstation Revealed During Usage . . . . .14 Messages and Files are not Encrypted . . . . . . . . . . . . . . .15 Message Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 SPIM and Offensive Material . . . . . . . . . . . . . . . . . . . . .15 Client Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .22

Chapter 2 AOL Instant Messenger (AIM) . . . . . . . . . . . . 25

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26 AIM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26 AIM Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30 AIM Features and Security Information . . . . . . . . . . . . . . . .31 Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32 xi

  xii Contents Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32 Group Chat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33 Audio Chat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34 File Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35 File Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36 Malicious Code and Client Security . . . . . . . . . . . . . . . . . .37

  AIMDES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39 Oscarbot/Opanki . . . . . . . . . . . . . . . . . . . . . . . . . . .42 Velkbot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43 Client Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44 Description: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45 Platforms Affected: . . . . . . . . . . . . . . . . . . . . . . . . . .45 Remedy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45 Consequences: . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45 References: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

  Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .49

Chapter 3 Yahoo! Messenger . . . . . . . . . . . . . . . . . . . . 51 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Yahoo! Messenger Architecture . . . . . . . . . . . . . . . . . . . . . .52 Yahoo! Messenger Protocol . . . . . . . . . . . . . . . . . . . . . . . . .57 Features and Security Information . . . . . . . . . . . . . . . . . . . .59 Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 Message Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 Conferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 Voice Chat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Yahoo! Chat Rooms . . . . . . . . . . . . . . . . . . . . . . . . . . .64 File Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 File Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66 Web Camera Settings . . . . . . . . . . . . . . . . . . . . . . . . . .66 Yahoo! Messenger Malicious Code and Client Security . . . .68 Worm Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69 W32.Chod.B@mm . . . . . . . . . . . . . . . . . . . . . . . . .69 W32.Picrate.C@mm . . . . . . . . . . . . . . . . . . . . . . . .81 Client Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87

  Contents xiii

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89

Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90

Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . .92

  Chapter 4 MSN Messenger . . . . . . . . . . . . . . . . . . . . . . 95 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96

MSN Messenger Architecture and Protocol . . . . . . . . . . . . .96

Features and Security Information . . . . . . . . . . . . . . . . . . .104

Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106

Message Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . .106

Whiteboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107

Application Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . .108

Remote Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . .110

Voice Chat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111

File Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112

Web Camera Settings . . . . . . . . . . . . . . . . . . . . . . . . .114

Malicious Code and Client Security . . . . . . . . . . . . . . . . .114

Malicious Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114

Worm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120

W32.Kelvir.R . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120 W32.Picrate.C@mm . . . . . . . . . . . . . . . . . . . . . . .122

Client Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126

Vulnerability Description . . . . . . . . . . . . . . . . . . . .126 Vulnerability Solution . . . . . . . . . . . . . . . . . . . . . .127

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128

Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128

Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .131

Chapter 5 ICQ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Introduction and History of ICQ . . . . . . . . . . . . . . . . . . .134

ICQ Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . .136

Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

Group Chat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137

Message Archiving . . . . . . . . . . . . . . . . . . . . . . . . . . . .138

Voice Chat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139

  xiv Contents File Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140 Web Camera Settings . . . . . . . . . . . . . . . . . . . . . . . . .141

  Malicious Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141 Worm Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143 WORM_VAMPIRE.A . . . . . . . . . . . . . . . . . . . . . .143 Identification and Termination . . . . . . . . . . . . . . . . .144 WORM_CHOD.B . . . . . . . . . . . . . . . . . . . . . . . .147 Client Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149

  Multiple Vulnerabilities in Mirabilis ICQ Client . . . . . .149 Vulnerability Description . . . . . . . . . . . . . . . . . . . .150 Vulnerable Packages . . . . . . . . . . . . . . . . . . . . . . . .151 Credits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .151 Technical Description . . . . . . . . . . . . . . . . . . . . . . .152 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155

  Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .157

Chapter 6 Trillian, Google Talk, and Web-based Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160 Trillian Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160 Trillian Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161 Trillian Malicious Code and Client Security . . . . . . . . .166 Google Talk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168 Google Talk Features . . . . . . . . . . . . . . . . . . . . . . . . . .170 Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . .170 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171 Voice Chat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171 Web-based Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172 Web-based Client Features . . . . . . . . . . . . . . . . . . . . . .172 Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . .172 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173 Circumventing Workstation Controls . . . . . . . . . . . .173 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .175 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .176

  Contents xv

Chapter 7 Skype. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180 Skype Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181 Features and Security Information . . . . . . . . . . . . . . . . . . .183 Instant Messaging . . . . . . . . . . . . . . . . . . . . . . . . . . . .183 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184 Chat History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184 Skype Calls(Voice Chat) . . . . . . . . . . . . . . . . . . . . . . .185 Group Chat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186 File Transfer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188 Malicious Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189 Client Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190 A Word about Network Address Translation and Firewalls . .192 Home Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .195 Small to Medium-Sized Businesses . . . . . . . . . . . . . . . .195 Large Corporations . . . . . . . . . . . . . . . . . . . . . . . . . . .195 What You Need to Know About Configuring Your Network Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197 Home Users or Businesses Using a DSL/Cable Router And No Firewall . . . . . . . . . . . . . . . . . . . . . . .197 Small to Large Company Firewall Users . . . . . . . . . . . .198 TCP and UDP Primer . . . . . . . . . . . . . . . . . . . . . . . .198 NAT vs. a Firewall . . . . . . . . . . . . . . . . . . . . . . . . .199 Ports Required for Skype . . . . . . . . . . . . . . . . . . . . . . . . .200 Home Users or Businesses Using a DSL/Cable Router and No Firewall . . . . . . . . . . . . . . . . . . . . . . .200 Small to Large Company Firewall Users . . . . . . . . . . . .200 Skype’s Shared.xml file . . . . . . . . . . . . . . 
. . . . . . . . . .201 Microsoft Windows Active Directory . . . . . . . . . . . . . .202 Using Proxy Servers and Skype . . . . . . . . . . . . . . . . . . . . .205 Display Technical Call Information . . . . . . . . . . . . .207 Small to Large Companies . . . . . . . . . . . . . . . . . . .211 How to Block Skype in the Enterprise . . . . . . . . . . . . . . .211 Endnote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .215

  xvi Contents

  Part II Peer-to-Peer Networks. . . . . . . . . . . . . . . . . . . . 217 Chapter 8 Introduction to P2P . . . . . . . . . . . . . . . . . . 219 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .220 Welcome to Peer-to-Peer Networking . . . . . . . . . . . . . . . .221 Enter Napster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223 Gnutella and a Purer P2P Network . . . . . . . . . . . . . . .225 The Rise of the Ultrapeer . . . . . . . . . . . . . . . . . . . . . .226 The Next Step: Swarming . . . . . . . . . . . . . . . . . . . . . . . .227 eDonkey (Kademlia/OverNet) . . . . . . . . . . . . . . . . . . .227 BitTorrent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228

  Other Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228 Concerns with Using P2P Networks . . . . . . . . . . . . . . . . .231 General Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . .231 Infected or Malicious Files . . . . . . . . . . . . . . . . . . . . .231 Legal Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233 Sony Corp v. Universal City Studios . . . . . . . . . . . .233

  A&M Records Inc. v. Napster Inc. . . . . . . . . . . . . . .234 MGM Studios Inc. v. Grokster Ltd. . . . . . . . . . . . . .234 RIAA vs.The People . . . . . . . . . . . . . . . . . . . . . . .235 The Future of P2P Networks . . . . . . . . . . . . . . . . . . . . . .236

  Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .237

Chapter 9 Gnutella Architecture . . . . . . . . . . . . . . . . . 239 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240 Gnutella Clients and Network . . . . . . . . . . . . . . . . . . . . . .240 Gnutella . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .240 LimeWire . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241 BearShare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .242 Gnucleus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243 Morpheus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243 Gnutella Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . .243 UltraPeers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245 Gnutella Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .246 Peer Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . .246 Descriptor Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . .247 Ping/Pong Descriptor Packets . . . . . . . . . . . . . . . . .248

  Contents xix

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313

Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314

Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .316

Chapter 12 FastTrack . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320 History of Clients and Networks . . . . . . . . . . . . . . . . . . . .320 The FastTrack Network . . . . . . . . . . . . . . . . . . . . . . . .320 Kazaa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321 History of Kazaa . . . . . . . . . . . . . . . . . . . . . . . . . . .323 Morpheus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325 Grokster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .326

  

iMesh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327

Spyware Bundling and Alternative Clients . . . . . . . . . . . . .328

AltNet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328

Kazaa Lite Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329

  Kazaa Loaders . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330 External Utilities . . . . . . . . . . . . . . . . . . . . . . . . . .331

Kazaa Lite Resurrection Client . . . . . . . . . . . . . . . . . .331

K-Lite Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332

  

Network Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . .332

Supernodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334

Protocol Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336

Connecting Clients . . . . . . . . . . . . . . . . . . . . . . . . . . .337

  

Performing a Search . . . . . . . . . . . . . . . . . . . . . . . . . .339

Transferring Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

The X-KazaaTag . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341

Features and Related Security Risks . . . . . . . . . . . . . . . . .343

Downloading and Copyright Violations . . . . . . . . . . . .343

Malicious Software . . . . . . . . . . . . . . . . . . . . . . . . .343

  Fake Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .344

Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346

Legal Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346

Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347

  

Bandwidth Issues and Mitigation Steps . . . . . . . . . . . . . . . .347

Supernode Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . .348

Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348

  Contents xvii Query Descriptor Packets . . . . . . . . . . . . . . . . . . . .249 QueryHits Descriptor Packets . . . . . . . . . . . . . . . . .250

  

File Transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252

Features and Related Security Risks . . . . . . . . . . . . . . . . .254

Problems Created by P2P in the Enterprise . . . . . . . . .254

Infected Files:Trojans and Viruses . . . . . . . . . . . . . .255

  Misconfigured File Sharing . . . . . . . . . . . . . . . . . . .256 Copyright Infringement . . . . . . . . . . . . . . . . . . . . .257 File Transfers Reveal IP Address . . . . . . . . . . . . . . . .257

Technical Countermeasures for Gnutella . . . . . . . . . . . . . .257

  

Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259

  IPTables String Match Module . . . . . . . . . . . . . . . .260

Snort IDS Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263

Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263

Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .265

Chapter 10 eDonkey and eMule . . . . . . . . . . . . . . . . . 267 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268 History of the eDonkey and eMule Clients and Networks 268 The eDonkey and eMule Networks . . . . . . . . . . . . . . .271 Features and Related Security Risks . . . . . . . . . . . . . . . . .275 Copyright Infringement . . . . . . . . . . . . . . . . . . . . . . .275 Malicious Software . . . . . . . . . . . . . . . . . . . . . . . . . . .275 Poisoned Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277 Misconfigured Sharing . . . . . . . . . . . . . . . . . . . . . . . . .277 Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278 Vulnerability Description . . . . . . . . . . . . . . . . . . . .278 Vulnerability Solution . . . . . . . . . . . . . . . . . . . . . . .278 Vulnerability Provided and/or Discovered by PivX Bug Researcher . . . . . . . . . . . . . . . . . . . . . .278 Vulnerability Description . . . . . . . . . . . . . . . . . . . .279 Vulnerability Solution . . . . . . . . . . . . . . . . . . . . . . .279 Vulnerability Provided and/or Discovered By . . . . . .279 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .282

  xviii Contents

Chapter 11  BitTorrent . . . 285
  History of the Network . . . 286
    BitTorrent . . . 287
    BitTornado . . . 288
    Azureus . . . 288
    BitComet . . . 289
    Other Clients . . . 290
      ABC . . . 290
      µTorrent . . . 290
      G3 Torrent . . . 291
      Shareaza . . . 291
  Network Architecture and Data Flow . . . 291
    Torrent Files . . . 292
    Trackers . . . 292
    Of Leechers and Seeders . . . 294
    Trackerless . . . 295
  Protocol Analysis . . . 296
    Bencoding . . . 296
    Torrent Files . . . 297
    Tracker Connections . . . 299
    Peer Connections . . . 302
      Peer States . . . 304
      Peer Wire Protocol Messages . . . 305
      Peer Requests . . . 307
      Peer Data Transmission . . . 307
    DHT Connections . . . 307
  Features and Related Security Risks . . . 308
    Copyright Infringement . . . 308
    Poison Peers . . . 309
    Automatic Sharing of Data . . . 310
  Bandwidth Issues and Mitigation Steps . . . 310
    Bandwidth Scheduling . . . 311
    Trackers . . . 311
    Sharing of Data . . . 311
    Snort IDS Rules . . . 312


      IPTables String Match Module . . . 349
      P2PWall . . . 350
    Snort IDS Rules . . . 352
  Frequently Asked Questions . . . 356

Part III  Internet Relay Chat Networks . . . 359

Chapter 13  Internet Relay Chat—Major Players of IRC . . . 361
  Introduction . . . 362
  History . . . 362
    IRC Jargon . . . 363
      Nick . . . 364
      Ident or Username . . . 364
      Channel Operator . . . 364
      Nick Delay and Time Stamps . . . 365
      Nick Delay . . . 366
      Time Stamps . . . 367
  IRC Server Software Packages . . . 368
    ircd 2.11.x . . . 369
    ircd-hybrid . . . 369
    bahamut . . . 369
    ircu (and Derivatives) . . . 370
    UnrealIRCd . . . 370
  Major Networks . . . 371
    Quakenet . . . 371
    Undernet, IRCnet, DALnet and EFnet . . . 372
    Rizon . . . 372
    GameSurge . . . 372
    Freenode . . . 373
  Summary . . . 374
  Solutions Fast Track . . . 374
  Frequently Asked Questions . . . 376

Chapter 14  IRC Networks and Security . . . 377
  Introduction . . . 378
  IRC Networks . . . 378
    EFnet . . . 379
    DALnet . . . 381
      NickServ . . . 381
      ChanServ . . . 382
    Undernet . . . 384
    IRCnet . . . 385
    IRC Servers in Sum . . . 385
  File Transfer Protocols . . . 386
  IRC Botnets . . . 388
    Automated Shares/Fserve Bots . . . 388
    File-Sharing Botnets . . . 390
    Channel Protection Botnets . . . 390
    Channel Takeover Botnets . . . 391
    Channel Flooding Botnets . . . 391
    Spamming Botnets . . . 392
    DDoS Botnets . . . 392
    Proxy Botnets . . . 392
    Other Uses for IRC Bots . . . 393
  Summary . . . 394
  Solutions Fast Track . . . 394
  Frequently Asked Questions . . . 396

Chapter 15  Global IRC Security . . . 399
  Introduction . . . 400
  DDoS Botnets Turned Bot-Armies . . . 400
    Methods of Botnet Control . . . 401
    Reprisals . . . 404
    The ipbote Botnet: A Real World Example . . . 405
  Information Leakage . . . 407
  Copyright Infringement . . . 408
    Other Forms of Infringement . . . 408
  Transfer of Malicious Files . . . 411
    How to Protect Against Malicious File Transfers . . . 413
    What to Do if a Malicious File Infects Your Network . . . 414
    Prevention of Malicious File Sends in the Client . . . 414
    DCC Exploits . . . 414
  Firewall/IDS Information . . . 415
    Port Scans . . . 415
    IDS . . . 415
  Summary . . . 417
  Solutions Fast Track . . . 417
  Frequently Asked Questions . . . 419

Chapter 16  Common IRC Clients by OS . . . 421
  Introduction . . . 422
  Windows IRC Clients . . . 422
    mIRC . . . 422
    X-Chat . . . 424
    Opera IRC Client . . . 425
    ChatZilla . . . 425
    WinBot . . . 425
    Visual IRC (vIRC) . . . 425
    Trillian . . . 425
  UNIX IRC Clients . . . 426
    X-Chat . . . 426
    IRSSI . . . 427
    BitchX . . . 427
    KVIrc . . . 428
    sirc . . . 428
    ircII . . . 428
  Apple Macintosh IRC Clients . . . 428
    ChatNet . . . 428
    Snak . . . 429
    Homer . . . 429
    Ircle . . . 429
    MacIRC . . . 429
    Colloquy . . . 430
  Other IRC Clients . . . 430
    PJIRC . . . 431
    J-Pilot . . . 431
    CGI:IRC . . . 431
    SILC . . . 431
  Summary . . . 432
  Solutions Fast Track . . . 433
  Frequently Asked Questions . . . 435

Index . . . 437