I received a nice email with a very good question from Mehdy Mohajery. It is not the first time I am asked the same question.
This time I am documenting the answer I always give.
I saw you profile on linkedin.com just tonight , and I noticed that you are specialist
in both p2p systems and designing security systems. that encouraged me to
ask a question from you.
As you know, nowadays a lot of viruses are being distributed via p2p networks like KAD
& EDonkey. If an anti virus vendor like avira could provide a plug-in for a major p2p2 client
(emule) to detect viruses before downloading by their FileID (MD4 Hash) , then a major part of
virus traffic on p2p networks can be eliminated. So why nobody on security industry seems to care
about securing p2p networks with this method? should I download every piece of scrap to know
if it’s infected?
I like to know your opinion about this.
Dear Mehdy Mohajery,
There are several reasons why nobody adds an AV for the P2P programs:
1. Having in mind the “free of charge” nature of the P2P networks, nobody will pay for an Antivirus program.
And do not forget how many users are out there… The bandwidth required for such a service would be immense.
For a security company, the trouble just doesn’t pay back.
2. Checking the checksum of the file will not help you very much.
These days we see between 30-200 new malware each day(including variants).
In a P2P network, you do not usually have the malware (virus, trojan, etc.) downloaded as a simple file. It usually comes in an archive or otherwise disguised.
To be able to reliably use a blacklist of checksums, you need to have the malware in “clear”. (reliably = with a very good detection rate)
Of course, it would be possible to be able to blacklist any checksum, but who will submit the files there ?
This brings us back to the users. Let’s assume that we have an online service where users can blacklist any checksum.
How do we check this ? Should we rely on good will and trust ? Of course NOT 🙂
So, we need a reputation algorithm. But, in order such an algorithm to function, we need to have somebody who’s reputation is beyond doubt.
Somebody like an AV producer. This entity must 100% say that the file is infected or not. Anybody who votes the contrary, has automatically bad reputation.
Let’s assume that somebody can say with 100% precision that a file is or not malware. In reality this is not true.
But, to have a central authority is contrary to the whole idea of P2P. So, this can not work by definition.
The alternative is to rely again on users. They should vote against each other. The majority wins.
This is how the reputation should be created and maintained. There are many algorithms out there who can deal with several methods of trust assignment.
– we need a distributed checksum blacklist where anybody can submit any file with the tag : malware or not and the degree of probability that the statement is true.
– we need an algorithm to calculate the reputation of a user and update the probability of a file to be malware or not.
Not an easy task… to be made for free.
3. The files are downloaded in chunks from multiple sources.
Usually, the AV programs can scan files only when they are completed. So, the scanning is possible only at the end of the download.
This means, one has to download the file completely and only then can scan it, which brings no benefit to the user (as of download size is concerned).
4. If you have an AV with an On Access scanner, it will scan the file after it is completely downloaded.
Of course, this depends a lot on the scanning settings of your product. Usually, no On Access scanner will scan archives by default because it is very time consuming.
5. If you have an AV installed, it must also have an On Demand scanner. After the file is downloaded, you can safely scan it before you unpack it or use it on your computer.
This is what comes right now in my mind when I think about an Antivirus for P2P programs.
As you see, no commercial company will invest so many resources (man,hardware,bandwidth->money) in a business model which doesn’t have too many chances to work.
© Copyright 2008 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity
Check www.mustaca.com for the IT Consulting services I offer.
Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie http://de.itsecuritynews.info für IT Sicherheits News auf Deutsch