Like thousands of other music lovers, Scott Hurring recently downloaded a Napster-like music file-sharing program called Grokster to test drive for chasing tunes. A programmer at advertising services agency Graphic Type and a Net veteran, Hurring disliked the program and uninstalled it. Or so he thought.
On Dec. 27, he noticed a small program titled "DLDER.exe" on his hard drive. Hurring studied the program and learned that it was associated with a piece of software called "Clicktilluwin" that Grokster had packaged with its basic installer. Trouble was, Clicktilluwin is supposedly an optional piece of online-sweepstakes software. Hurring had opted out, but the software had installed anyway against his wishes.
That bothered him, as well it should have. Turns out that the persistent piece of software was a Trojan horse -- that is, it appeared to be one thing but in reality was another. In fact, it placed software on Hurring's hard drive that recorded every URL he visited, as well as some of the user IDs he employed on his Web travels.
The software then may have broadcast this information from his machine over the Internet to a still-unidentified Web server. When he dissected the program, Hurring found that it was designed to launch anytime he started his PC. His discovery has since been corroborated by several antivirus companies.
Hurring's experience was no isolated case. The Trojan horse he discovered appears to have been packaged in official download versions of not only Grokster but other popular peer-to-peer (P2P) products including LimeWire, KaZaa, and BearShare, according to numerous postings spreading on bulletin boards across the Internet. LimeWire alone recorded 150,000 downloads of the infected software. KaZaa's client software is downloaded more than 1 million times each week, according to Cnet's download.com. If you add in Grokster and BearShare, the reach of this still-mysterious Trojan horse may be in the millions -- representing more than 50% of the file-sharing market for free music.
KaZaa and BearShare could not be reached for comment for this story. But Grokster and LimeWire say they included the Clicktilluwin software thinking it was only an installer package, and that they were unaware it harbored such secret behaviors. To date, no one seems to know what entity is responsible. The maker of the Clicktilluwin software is still unclear. Greg Bildson, chief technology officer of LimeWire, says he believes it came from an Israeli online advertising software company called Cydoor. Repeated efforts to contact Cydoor were unsuccessful. LimeWire has since removed the Trojan horse from its download package.
The Clicktilluwin incident comes at a bad time for the remaining free file-sharing vanguard. In December, the Big Five record labels launched their own paid music subscription services, Pressplay and MusicNet (see BW Online, 12/28/01, "Pay-to-Play Music: Lots of Missed Notes"). These new services could provide the first legal competition to the remaining P2P networks. With threats of lawsuits from the Recording Industry Association of America already hanging over their heads, these fledglings could now face a backlash from angry users who may have downloaded a Trojan program. "I have no clue what this software is doing to my system," says Hurring via e-mail.
Anytime software is compromised at the source, it's usually an indicator of larger problems. In this case, the problem is associated with so-called freeware downloads. Some big-name programs, such as the Linux operating system, are freeware, but they receive intense scrutiny before release. Many lower-profile downloads, however, aren't tightly vetted.
That's because small freeware startups often rely on third parties to provide key pieces of their software and then bundle them into the package. In the case of the DLDER.exe Trojan, that software was an installer that configured the P2P program on the user's computer. "It seems that a huge amount of the P2P world was taken in by this bundle," says LimeWire's Bildson.
Small P2P file-sharing companies such as LimeWire, which has only a handful of programmers, just don't have the time or manpower to look through the code for themselves to vet it for any potential problems. "We were paid to distribute a Clicktilluwin installer. All it was supposed to do was drop an icon and install. Apparently it was downloading some nefarious stuff in the background," says Bildson.
How serious the breach is remains an open question. Antivirus companies are ho-hum about the threat, saying they haven't yet seen any direct harm. While the DLDER.exe Trojan may have recorded Web-surfing habits, no direct evidence has been found that it has broadcast this info to any specific cybersnoopers. Nor is there any evidence that the program has done something harmful, such as erase a hard drive. "This program is much more along the lines of 'spyware' than a 'virus.' Any likelihood of any damage to a user's computer files is remote," says a Grokster spokesperson via e-mail.
Tiny freeware companies aren't alone in running risks such as this one. Big commercial entities have gotten caught distributing malicious code in supposedly trusted downloads. Witness an embarrassing incident last April, when Microsoft inadvertently distributed the "FunLove" virus from its own download servers when it contracted the pathogen after mistakenly leaving antivirus protection turned off.
Unfortunately, LimeWire and the other P2P companies don't record the e-mail addresses of downloaders so they have no way to warn them of the possible security risks. And they may not be able to get much help from the smaller programming companies they rely on for support. "It is hard to monitor the behavior of bundled software over the life of that software. Changes can be made on the servers that interface with software which allow the software to become dangerous," says Bildson.
At the least, the incident could leave a bad taste in the mouths of digital-music lovers used to getting a free ride with little to fear from rollicking P2P networks. One more sign that the happy times of unrestricted file-sharing may be coming to an end, as the kind of threat security experts have long warned about may be coming true. The lesson? Be very careful what you download -- free software can give you more than you bargained for.
By Alex Salkever
Edited by Douglas Harbrecht