An interesting area of research is finding malware samples scattered about the internet. The aim is to find samples and ensure we provide detection before any of our customers are affected. There are several different ways to go about this ranging from custom web crawlers, peer-to-peer (P2P) clients and even search engine results. Unfortunately it doesn’t take a lot of effort to find something of interest.
One of the simplest ways the bad guys can try to distribute their malware is by using P2P networks. P2P networks such as KaZaA and Gnutella are file sharing systems and typically host, possibly illegal, copies of MP3s, films and software. These networks might seem like an odd choice to spend time researching, since the primary users of these networks are probably under the age of 14. The point is that they are simply a distribution system, and the chances are high that malware found on these networks will also appear in other locations. P2P networks are also relatively easy to crawl.
Within a P2P client we did some keygen-related searches. Keygens (key generators) are programs that generate valid serial numbers / registration codes for applications, so they are basically used by software pirates. A couple of searches we carried out were:
Sophos keygen
Linux keygen
These are ridiculous searches, since no Sophos product uses this type of registration model and Linux certainly doesn't! They did, however, turn up some (not so unexpected) results:
Troj/Agent-GGQ
PlayMP3z Installer
Troj/Agent-GFL (twice)
On this occasion we found some Trojans and adware installers that are getting on for 5 months old – nothing too exciting but it highlights the price you pay for trying to steal software.
Sophos customers will probably be aware that they can prevent access to P2P networks using Application Control, and I'd strongly recommend using it if you aren't already. Groups such as FAST (the Federation Against Software Theft) are dedicated to prosecuting those involved in software theft, so the last thing you want to find is an illegal repository of copyrighted material on your corporate servers.
Here in SophosLabs we can only see a few legitimate uses of P2P networking software in a corporate environment and even then, only for certain staff. If you disagree and actually use P2P networks for legitimate reasons, why not let us know by emailing us.