
Expert warns of Trojan explosion

by James Middleton

08 Apr 2002


A technology researcher at Berkeley, University of California, has described distributed computing systems that connect to a central server as security blunders waiting to happen.

The warning follows the news last week that peer-to-peer file sharing software Kazaa contains a Trojan that puts millions of machines at risk.

In a federal securities filing last week, it was revealed that Kazaa contains another program designed to create a second underlying distributed computing network made up of unwitting Kazaa users.

Brilliant Digital Media, the company behind the stealth peer-to-peer software, known as Altnet, plans to activate the software on users' machines in the next few weeks to be used for distributed computing.

The terms and conditions included with Kazaa read: "You hereby grant [Brilliant] the right to access and use the unused computing power and storage space on your computer/s and/or internet access or bandwidth for the aggregation of content and use in distributed computing."

But Nicholas Weaver, a technology security researcher at Berkeley, attacked Kazaa for bundling the "small Trojan program".

Weaver said that any distributed or peer-to-peer network client that periodically connected back to a central server posed a security risk.

"The recent revelation that Brilliant has bundled a small Trojan with Kazaa has underscored another means by which an attacker could gain control of so many machines: poorly secured automatic updaters. If an attacker can distribute his own code as an update, he can take control of millions of machines," he warned.

Kazaa has been downloaded by around three million people to date.

"Any program which connects back to the server to gain updates should be scrutinised very heavily because, as a program becomes widespread, the update server and mechanisms become highly attractive targets for attack," said Weaver.

"Each new program with an automatic update feature is a new point where an attacker can gain control of a huge number of machines."
