DETECTION OF PEER TO PEER APPLICATIONS

Transcription

1 DETECTION OF PEER TO PEER APPLICATIONS AN OPSWAT WHITE PAPER Author: Priti Dadlani Contributors: Benny Czarny, Steven Ginn, Toshit Antani April 2008 OPSWAT, INC.

2 CONTENTS Introduction... 3 Methods of Detecting P2P Applications... 3 Network Based Detection... 3 Client Based Detection... 4 Client Behavioral Detection... 4 About OPSWAT

3 INTRODUCTION: A peer to peer (P2P) application, such as BitTorrent, Kazaa, Napster, etc., is software where clients communicate directly with each other over a common network. The application acts both as the client as well as the server. A common use case of a P2P application is file sharing. Simple file sharing has raised a lot of controversy and questions challenging the usage of P2P applications. An issue that has been raised is the legality of file sharing. Many files that are being shared between clients do not have authorization of the copyright owner, making it illegal to transfer. Also, the bandwidth consumption of P2P applications has caused a network delay for users. Computers running P2P applications are also vulnerable to data leaks simply because important information can be easily transferred over a network that may not be tracked or monitored. P2P applications have caused concern in etwork administrators, forcing them to disable P2P applications from gaining network access. This document will outline two technologies in detecting P2P applications, client based and network based. METHODS OF DETECTING P2P APPLICATIONS: There are various methods that security vendors use in order to detect P2P technology, below are two common methods that are currently used. Network Based Detection Some P2P applications communicate and function thru a common port, common protocol, or use a common traffic pattern. A Network based approach uses both network sniffing and network scanning. Network sniffing looks for both P2P traffic patterns and packets. Network scanning looks for common ports or protocols that may be open. These methods are useful for detecting P2P applications such as Piolet. Piolet is an executable which can be dropped and run from anywhere. It requires no installation and leaves no footprint behind. An administrator is able to watch the network traffic and determine whether an application like Piolet is in use. Network scanning or sniffing to see if certain P2P patterns are present can have its limitations. New age P2P applications use what is called anonymous P2P technology. The networks used by these anonymous P2P applications (Winny, Imule, Rodi, etc.) carry no identifiers and the IP addresses of the networks are encrypted. This makes it almost impossible for P2P traffic to be traced and identified. 3

4 Client Based Detection Client based detection is typically performed by analyzing the footprint that the P2P application leaves behind. This includes the registry keys installed, binary files installed, MD5 signature of the running process, and the name of the running process. With client based detection it is easy to take remediation actions against the P2P application. Administrators can prevent the application from being run and can even monitor the files that are being transferred. This method of detection can detect anonymous P2P applications, as well, by using the footprint left behind. RShare is an example of a P2P application that anonymizes and encrypts the network traffic it uses. Detection of this application can be based on the registry information that gets installed or the running processes. Unfortunately, a disadvantage to this is the P2P applications footprint can be tampered with. A user can easily go in and delete the installed registry keys of the product, rename the executable, or change the MD5 signature to spoof something safe and reliable, once again leaving network administrators unaware that a P2P application is running and in use. Client Behavioral Detection Every P2P applications executable contains a binary representation of instructions that it needs in order to run correctly. Behavioral detection of P2P applications tracks the execution patterns and specific code patterns, such as state machines, protocols, and or network activity. By using the assembly based binary signatures and other behavior of the application (ports opened, files being accessed, and other techniques), security software can identify whether or not an executable in question is a valid P2P application or not. By enumerating through all the running processes and monitoring its behavior it is possible to detect a P2P application disguising itself as a valid executable such as notepad.exe. Winny is an example of an anonymous P2P application that leaves no footprint behind. Network based and pure client based detection would not be able to detect a product like this. Analyzing the assembly signature of the executable and monitoring the behavior of how this application works could give an administrator insight on if this product is running or not. There are of course drawbacks to this method of detection. The application must be analyzed on the endpoint and behavioral detection can make it difficult to guarantee a certain level of performance. 4

5 ABOUT OPSWAT Founded in 2002, OPSWAT ( is the world leader in development tools and data services that power products managing features of security applications. OPSWAT SDKs and services enable integration with a broad range of applications from traditional security products such as antivirus, antispyware, personal firewalls and hard disk encryption applications to more conventional products such as browsers, instant messenger and peer to peer applications with security-related features. OPSWAT is headquartered in San Francisco, California, with an additional office in Herzliya, Israel. OPSWAT and the OPSWAT logo are trademarks of OPSWAT, Inc. or its affiliates. All other names mentioned herein are trademarks or registered trademarks of their respective owners. 5