Information Disclosure by Malicious Code
Over the last several months, new cases of information disclosure have been reported by the media nearly every day in Japan. These incidents are often caused by variants of the W32.Antinny worm that targets the Winny P2P file-sharing network. Once W32.Antinny infects a computer, it captures a screen shot and searches for Microsoft Office documents, email folders, and photos on the compromised computer and uploads these files to the Winny P2P network. Then, not only the author of the worm but also any other Winny users can download that information.
Winny is a P2P program that has several interesting features, one of them being anonymity. Users can search for and download files from the Winny network, but no one can know who has the file or where the file came from because Winny hides this information from users. Users can only see the filenames that are available for download from the network. Another interesting feature is the way in which newly downloaded files are shared. Once a file is downloaded from the Winny network to the local download folder, other Winny users can immediately search for and download that file. Because of these features, it is very difficult to stop the spread of information (often sensitive) once it is leaked: downloaded files are automatically shared with other Winny users, and nobody can identify who has the information.
Alarmingly, several examples of sensitive information from enterprise and government offices have been found circulating on the Winny network. These include nuclear power plant documents from the Japan Atomic Power Company, national defense documents from the Japan Defense Agency, criminal investigation documents from the police agency, and sales documents from a well-known antivirus vendor. These leaks can occur when employees remove documents from the enterprise network, either on disk or on a portable computer, in order to work on them on their home network. If they are using Winny on that computer or home network, they run the risk of infection by the worm, and their information could end up being made public, even if it is confidential.
P2P applications and the worms that target them are no longer only a personal issue; they have become an enterprise issue as well. However, companies and organizations cannot easily administer an employee's home computer or network. Therefore data management, security policy, and user education are very important.
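One concrete data-management check that follows from the above: audit any folder a P2P client shares automatically for the kinds of files the worm harvests (Office documents, mail stores, photos) before they are exposed to every peer. This is an added example, not code from the original post or from Symantec; the extension lists and folder names are assumptions made for the illustration.

```python
import tempfile
from pathlib import Path

# File categories the worm is described as uploading; the extension sets
# are assumptions chosen for this example, not an authoritative list.
SENSITIVE_TYPES = {
    "office document": {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx"},
    "email store": {".pst", ".dbx", ".eml", ".mbx"},
    "photo": {".jpg", ".jpeg", ".png", ".gif", ".bmp"},
}


def classify(path):
    """Return the sensitive category for a file, or None if it is benign."""
    ext = Path(path).suffix.lower()
    for category, exts in SENSITIVE_TYPES.items():
        if ext in exts:
            return category
    return None


def find_exposed_documents(share_dirs):
    """Walk each P2P share/download folder and return sorted
    (category, path) tuples for files that would be offered to peers."""
    findings = []
    for d in share_dirs:
        root = Path(d)
        if not root.is_dir():
            continue  # missing folder: nothing is shared from it
        for p in root.rglob("*"):
            if p.is_file():
                cat = classify(p)
                if cat:
                    findings.append((cat, str(p)))
    return sorted(findings)


def build_sample_share():
    """Create a constructed share folder (temp dir) with sample files."""
    root = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (root / "sub").mkdir()
    for name in ["report.XLS", "sub/mail.pst", "sub/photo.jpg", "readme.txt"]:
        (root / name).touch()
    return str(root)


if __name__ == "__main__":
    for category, path in find_exposed_documents([build_sample_share()]):
        print(f"{category}: {path}")
```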
For more on the Antinny worm, please see: http://securityresponse.symantec.com/avcenter/venc/data/w32.hl