Date: Tue May 09 2000 - 16:18:37 PDT
(((can you say "duh!"? heavily reformatted. sloppy h4x0rs)))
From: Seth McGann <firstname.lastname@example.org>
Self-Replication Using Gnutella
Team RAZOR - Seth McGann <email@example.com>
Remember the game telephone? Yeah, you know...someone whispers
something to you, and you're __supposed__ to whisper that to someone
else, and so on and so on? And the guy at the end of the chain got a
whisper that sounded nothing like the original whisper. Well, Gnutella
is similar in many ways.
--- Excerpt from Gnutella homepage (emphasis added)
Gnutella is a protocol recently re-released after a brief period with
no official home. Now at a new domain and back under official
development, Gnutella is poised to revolutionize media distribution.
Along with its new method of media distribution it provides some
interesting routes for abuse. In light of the recent "ILOVEYOU" worm,
and general rekindling of public interest in worm design, here is
another potential vector that may soon be used by to distribute
Alice: A user searching for a file.
Bob: A user who has the file Alice wants.
Carl: A user who has the file Alice wants (behind firewall).
Mallory: A malicious user.
The key component of Gnutella is a piece of software dubbed a
"servent" by the designers. This servent both accepts and sends
Gnutella messages. When a user wants to join the network, he picks a
few known hosts from a seed list provided by the Gnutella web site and
connects. The user could also create a private Gnutella network with
no exterior connections (remember no centralization). All that is
needed for this subset to become a part of the larger public
GnutellaNet is a single connection:
A --> (GnutellaNet) <-- B <-- | Firewall | <-- C <-- (Other Servents)
Each servent has a unique 128-bit identifier that is used to determine
which packets should be forwarded. Discovery of hosts is done both
actively and passively. Passive discovery occurs when Alice recovers
hosts from the packets she is routing. Active discovery occurs when
Alice sends out a "ping" packet. This ping elicits a "pong"
containing the IP address and port of every servent that receives it.
Searching for content is conducted as follows:
(1) Alice generates a "query" packet and forwards to all her
(2) Each recipient searches its local database, decrements TTL
and forwards to each of its connection.
(3) Bob receives the packet, and replies with a "query-reply"
containing his IP address and port.
(4) These packets are forwarded back along the search path
eventually returning to Alice.
(5) On receipt of the response, Alice attempts to initiate a
direct connection with Bob and transfer the file.
(6) In the event that she cannot connect for some reason
(perhaps Carl has the file instead of Bob) a "push-request"
containing Alice's IP address and port is sent by Alice.
(7) On receipt of this packet, Carl will attempt to create an
outbound connection to Alice to transfer the file, circumventing
For further information on the protocol see the Gnutella homepage ,
but this should be sufficient to understand the following attacks.
=Self Replicating Servents
The most significant problem is that there is no way to verify the
source or contents of a message. A particularly nasty attack is for
Mallory (a servent attached to GnutellaNet in an arbitrary location)
to simply respond to all query packets. This results spoofing attack
is a known issue covered in the Knowbuddy FAQ  and is conducted as
(1) Alice generates a query packet and forwards.
(2) Mallory receives one of these packets and responds with a query-reply.
(3) If Alice decides to pick the reply provided by Mallory she will
receive potentially malicious content.
This content could be an executable containing a trojan horse, such as
BO2K . A more sinister payload would be to create a trojan that
when executed attaches to the GnutellaNet. Once attached to the net,
it would respond to all queries and provide itself as the content. To
increase the probability of Alice executing the file, it would be
renamed to something containing the original query. For instance, a
search for "crack" would elicit a reply of "crack.zip". Other
extensions could also be used besides ".zip" and ".exe". A Winamp
".pls" file exploiting an overflow in Winamp could be used for
example. With source code available for both Windows and *nix
servents, creating a self-propagating servent is trivial. The worm
could even update itself using GnutellaNet to distribute signed
updates in a manner similar to the "wormnet" described in Michael
Zalewski's "I don't think I really love you" post.
What is disturbing here is the combination of low accountability and
trust of the individual servents. In a web, ftp, or email transaction
if malicious content is discovered on a server the administrator can
be notified. On Napster , if a user is distributing malicious
content, his account can be disabled. If removal was not possible, at
the very least a warning could be posted regarding a particular site
or Napster user. With Gnutella anyone can attach to the network and
provide malicious content tailored to specific search requests with
relatively small chance of detection. The IP address of each
transaction could be recorded, as Zeropaid  has done with their
listing of people attempting to retrieve child pornography. The
official servent does not display IP addresses. In addition, Mallory
only has to infect one host and the infection will spread
automatically. Once victims begin executing the content the
GnutellaNet can be used to mask the interactions with the victims. In
most traditional backdoors, a direct connection is required between
the attacker and the victim. With Gnutella, no direct connection is
needed for a bi-directional channel.
The most obvious covert channel for controlling these rogue servents
is already being used to allow chatting among Gnutella users:
(1) Alice and Bob both turn on their search monitors (which
display all the queries passing through them.
(2) When Alice wants to talk she searches for the chat
message ("Hi Bob!").
(3) Bob will see this query appear in his monitor. He then
searches for the reply ("Hi Alice").
Another stealthier channel is the 128-bit GUID. This would allow
relatively undetectable signaling between Mallory and her rouge
servents. There are several other fields available but queries and
GUIDs are the most significant.
==Man in the Middle Attacks
There are two flavors of man in the middle attacks. For these to work,
Mallory has to be in the path between Alice and Bob (or Carl). The
first attack goes as follows:
(1) Alice generates a query packet and Bob responds.
(2) Mallory receives one of these query-reply packets and
rewrites it with her IP address and port instead of Bob's.
(3) Alice receives Mallory's reply first.
(4) Alice decides to download the content but connects to
Mallory instead of Bob.
(5) Mallory downloads the original content from Bob,
infects it and passes I on to Alice.
The second attack relies on push-request interception:
(1) Alice generates a query packet and Carl responds.
(2) Alice attempts to connect but Carl is firewalled, so
she generates a push-request.
(3) Mallory intercepts the push-request and resends with
her IP address and port.
(4) Carl connects to Mallory and transfers his content.
(5) Mallory connects to Alice and provides the modified content.
=Gnutella Port Scanner
If Mallory wants to check what ports on a given host are accessible
she can perform the following steps:
(1) Alice sends a query and Bob responds with a query-reply.
(2) Mallory rewrites the query-reply passing through to point at
the IP address and port to be scanned.
(3) Since most likely the port is not listening, Alice will
generate a push-request.
(4) If the port happens to be listening and is not running
the Gnutella service, no push-request will be generated.
(5) Mallory repeats the process several times to make sure
she has an accurate determination of the port's state.
Using this procedure a network can be slowly scanned using servents.
This process will generate a significant amount of noise, which can be
used to decoy another attack. Another way to generate Gnutella noise
is for Mallory to send pong packets with the IP address of hosts she
wants others to attempt to connect to. Each servent receiving her
pong will add these to its table of potential hosts. As servents
exhaust their host tables these entries will be tried eventually
resulting in spurious connections to a given network.
Gnutella is gaining popularity quickly and has already been featured
in several mass media outlets. As it stands now it provides an almost
ideal environment for the spread of self-replicating malicious agents
with the additional bonus of providing anonymous control. With full
source available, parties previously unable to craft a worm of their
own now have a robust framework to build on.
-1- - Gnutella Homepage - http://gnutella.wego.com
-2- - Knowbuddy FAQ - http://www.rixsoft.com/Knowbuddy/gnutellafaq.html
-3- - Back Orifice 2000 - http://www.bo2k.com
-4- - Napster - http://www.napster.com
-5- - Zeropaid - http://www.zeropaid.com/busted/
This archive was generated by hypermail 2b29 : Wed May 10 2000 - 21:54:29 PDT