Vulnerability of the Process Communication Model in Bittorrent Protocol a Study of Bittorrent Protocol Trap Door and Potential Attacks on Peer-to-peer Users

— BitTorrent is the most extensively used protocol in peer-to-peer systems. Its clients are widely spread worldwide and account for a large fraction of today's Internet traffic. This paper will discuss potential attack that exploits a certain vulnerability of BitTorrent based systems. Code injection refers to force a code – which may be malicious-to run inside another benign code, by inserting it into known process name or process ID. Operating systems supply API functions that can be used by third party to inject a few lines of malicious code inside the original running process, which can effectively damage or harm user resources. Ethernet is the most common internetwork layer for Local Area Networks; the shared medium of LAN enables all users on the same broadcasting domain to listen to all exchanged packets through the network (promiscuous mode), so any adversary can easily perform a simple packet sniffing process on the medium access layer of the network. By capturing and analyzing the sent packets from the P2P application, an adversary can use the revealed process ID by BitTorrent protocol to start the code injection action. So the adversary will be able to seize more machines from the network. Controlled machines can be used to perform many attacks. The study revealed that any adversary can exploit the vulnerability of the process communication model used in P2P by injecting any malicious process inside the BitTorrent application itself exposed by sniffing the exchanged BitTorrent packets through LAN.


INTRODUCTION
P2P or "Peer-to-Peer" is a network of host computers that operate and communicate with each other without the need for a centralized server-the opposite of a client-server network model.A peer-to-peer file sharing system is a network of interconnected computers using P2P networking model to share and exchange data (digital documents) between connected computers.Peer-to-peer file sharing technology allows people worldwide to share and exchange their files and data as long as their PCs are connected to the Internet.P2P file sharing system users can easily exchange and access other users' media files like books, music, movies, games, software, etc. by using special P2P software program installed on both sender and receiver PCs [1].Copyright issues have popped up by rights holders as peer-to-peer networks can be used to share copyrighted data without getting permissions from data copyright holders or considering its legitimate usage.
The FBI is teaching and cautioning users about specific dangers of using Peer-to-Peer frameworks while connecting to the Internet.While the FBI backs and empowers the advancement and development of new technologies and techniques, they additionally perceive that innovation can be abused for illegal and, sometimes, criminal purposes [2].
Peer-to-Peer systems permit clients joined with the Internet to connect their machines with other machines as far and wide as possible.These systems are secured with the end goal of sharing files.Normally, clients of Peer-to-Peer systems use free software tools on their machines which permits them: (1) to discover and download files found on an alternate Peer-to-Peer client's hard drive, and (2) to impart to those other client's files located on the user's machine.Undesirably in some cases these data-sharing frameworks have been utilized to participate in illegal activities.
Code injection refers to a process of injecting or inserting a code into a known running process.The injected code always came in the form of dynamic link library (DLL), as that meets the nature of DLL: Dynamically load a code as needed.The code injector should have an appropriate level of authority on the system under attack, in order to be able to write into program memory [3].
Windows operating system provides a few API functions that allow users to debug running programs, and to insert functions into any running process, makes the targeted program execute the injected code as if is a part of its original code [4].
Ethernet is the most popular internetwork for wired Local Area Network (LAN).Ethernet is completely insecure; developers and vendors may implements their own nonstandard solutions to overcome Ethernet weakness, but as a standard, Ethernet is an open medium access, as every client connected to the same logical broadcasting domain can easily listen to Ethernet frames travelling through the physical medium [5].
Network sniffing refers to capturing packets/frames being transferred over a network using sniffer software.There are many sniffers commercially available or offered by researchers and security groups as open source software.Sniffers may come with their own network drivers that enable the network interface card to capture frames which are directed to other receptors.Modern sniffers offer capabilities to analyze www.ijacsa.thesai.orgcaptured packets in order to extract useful information in a user friendly format [6].

II. LITERATURE REVIEW
Substantial research was found related to the examination of P2P networks and their applications.
Scanlon, Mark, and M. Kechadi.[7], presented the Universal Peer-to-Peer Network Investigation Framework (UP2PNIF), a structure which empowers essentially quicker and less work escalated examination of newfound P2P organizes through the misuse of the shared qualities in system usefulness.In mix with a reference database of known system conventions and attributes, it is imagined that any known P2P system can be right away explored using the framework.The skeleton can cleverly emphasize the best procedure subject to the center of the examination bringing about an altogether assisted proof get-together process.
Acorn Jamie; in his research entitled "Crime scene investigation of BitTorrent", [8] recognized scientific relics delivered by BitTorrent file offering, and particularly, to create if the remaining could prompt the IDs of the records downloaded or the files shared.The dissection showed that it was conceivable to distinguish files that were at present being downloaded and records presently being shared.It was additionally conceivable to recognize the measure of information that had been traded i.e. transferred or downloaded for particular files.Some users delivered relics that uncovered a complete record of the torrent documents that had been downloaded and shared.Dissection likewise uncovered that some users kept the Internet Protocol (IP) locations of remote machines, with which they had associated when downloading or sharing particular files.The point of interest and legal nature of data distinguished differed between the users' clients tested.
Liberatore, Marc, et al. in their paper entitled -Forensic investigation of peer-to-peer file sharing networks" [9] detailed the usefulness of two P2P conventions, Gnutella and BitTorrent, and portrayed the legitimate issues relating to exploring such systems.The author investigated the conventions and concentrated on the things specifically noteworthy to agents, for example, the estimation of proof provided for its provenance on the system.They additionally reported development of RoundUp, a gadget for Gnutella examinations that takes after the standards and systems the author detail for systems administration examinations.
Park, Sooyoung, et al. in their research entitled -Methodology and implementation for tracking the file sharers use BitTorrent" [1], proposed a philosophy for the examination of unlawful file sharers utilizing BitTorrent systems through the utilization of a P2P computerized examination process.In this paper, an examination process for illegitimate file sharing focused around attributes of file that BitTorrent has recommended for the sharing procedure utilizing.By emulating this process, an agent can successfully lead an examination about unlawful document imparting.
CybersTc developed P2P Marshal™ [10] as an advanced scientific tool for the programmed recognition, extraction and dissection of information connected with peer-to-peer applications on a hard drive.It computerizes the monotonous and tedious methodology of searching for P2P proof.P2P Marshal naturally locates a program of the most ordinarily utilized P2P customer projects and presents for every client data on those customers, including imparted documents, downloaded records, peer servers, and arrangement and log data.P2P Marshal performs these assignments in a forensically legitimate manner and presents the results in an effortlessly intelligible structure on-screen and in a configuration that can without much of a stretch be joined into a report.P2P Marshal takes after scientific best practices and keeps up a detailed log record of all exercises it performs.It has broad hunt capacities, produces reports in CSV, RTF, PDF and HTML organizations, and runs on normal Windows stages.P2P Marshal is accessible in a in a software-only version called Forensic Edition, and in a USB 2.0 flash drive version called Field Edition.
Farina, Jason, Mark Scanlon, and M. Kechadi in their research entitled -BitTorrent Sync: First Impressions and Digital Forensic Implications" [11] considered BitTorrent Sync as an optional P2P application.Its administration is totally decentralized, offers a great part of the same synchronization usefulness of cloud powered administrations and uses encryption for information transmission (and alternatively for remote storage).The vitality of comprehension Bit-Torrent Sync and its ensuing advanced investigative consequences for law requirement a scientific specialist will be foremost to future examinations.This paper plots the customer application, its recognized system activity and distinguishes artifacts that may be of worth as confirmation for future advanced examinations.
Lallie, Harjinder Singh, and Philip James Briggs, in their research entitled "Windows 7 registry forensic evidence created by three popular BitTorrent clients‖ [12] presented the concept of web file sharing through the utilization of peer-topeer systems movement that has been developing consistently for a few years.It has quickly turned into the broadest technique for the trade of computerized material and accordingly raises much debate.The present, most prevalent convention in this field is BitTorrent.Despite the fact that it is generally basic as a rule to connection specific file sharing exercises to an IP address, this does little to demonstrate that a specific client was in charge of utilizing the connection.This study investigates three prominent BitTorrent customer applications: Bitcomet, Vuze and Utorrent, and outlines the registry artifacts that are produced by the establishment and utilization of these projects on a Windows 7 client.These artifacts are analyzed in point of interest to build what helpful evidence, if any, can be recovered from them.Important data is highlighted for every application.
Liberatore, Marc, Brian Neil Levine, and Clay Shield, in their research entitled "Strengthening forensic investigations of child pornography on P2P networks‖ [13] introduced new methods that draw a fine line between the estimation or reconnaissance of P2P systems and gathering of forensically legitimate evidence from their clients.Approving the evidence gathered within a system examination is troublesome in light of the fact that remote clients don't keep up a novel and unmodifiable identifier that can be retrieved upon seizure of their machine with a warrant.They proposed a novel strategy for quietly labeling a remote machine over the system to make www.ijacsa.thesai.orgsuch an identifier.Their methodology is a development over past techniques for social event data around a remote machine that depend on factual characterizations, including clock skew or radio-measurements.These past characterizations differ with environmental elements, for example, temperature or assault, prompting both false positives and false negatives, and essentially, fail to offer the capacity to connect together successive perception by autonomous observer.Also, they detail why their methodology, which is equated to checking bills, is legitimate.For this work, they introduced a framework to accumulate evidence of ownership of child erotic entertainment on a P2P system.It is being used by law requirement in 49 U.S. states that have assembled information for the investigators over a five-month period of time.To date, the framework and its information have been utilized to get in excess of 1,000 court search warrants.They describe these estimations with a specific end goal of persuading their tagging strategies.

III. PROPOSED ATTACK AND RISK ANALYSIS
This section introduces how the BitTorrent's discovered vulnerability will be exploited.

A. Problem definition
This study investigated the network activity of BitTorrent protocol by using packet sniffing technique on a P2P enabled system based on BitTorrent protocol.The author noticed that during its startup, the BitTorrent based system, established a communication session with BitTorrent server and sent the BitTorrent software process ID identified by the OS.As per the definition of OS frameworks, it is not really programming pieces (i.e., programs) that are communicating, yet in fact processes are responsible for the communication part in OS frameworks.At this point, an adversary can eavesdrop on all packets being sent from a targeted client during BitTorrent software startup process, with assistance of a Trojan being planted in the targeted host (Trojans can easily spread over a torrent media file and can be activated during running and execution of torrent downloaded media).Adversary can remotely inject a malicious code inside BitTorrent software itself, and run that malicious code as if it were a part of BitTorrent software.In the following few subsections, the attacking scenario is discussed in details.

B. The proposed attacking overall scenario
The proposed attack scenario consists of four tasks as shown in Fig. 1.

1) Trojan distribution among tergeted hosts:
The distribution process of Trojans can be held very easily in P2P based systems.The following figure (Fig. 2) shows a group of torrent clients exchanging an infected torrent media file.The main seeder for that file implants a Trojan in torrent media/application file that will be resident after extracting and executing the downloaded media/application file.That Trojan is the main play maker of our attack scenario.Figure 2 shows the main tasks of implanted Trojan, which are: infecting targeted host, running as OS service, listening to a pre-defined port, waiting for attacker's calls and requests, and finally injecting malicious code received from attacker into BitTorrent software using received process ID. Figure 3 shows the basic steps of implanting Trojans into targeted hosts.As attacker is going to sniff packets that are not directed to the attacker's machine, Wireshark should be configured to "promiscuous mode", and, on a switched Ethernet network, attacker must specifically set up the machine in order to capture that traffic.Wireshark capturing process is shown in Fig. 4.
After capturing, the attacker starts analyzing the captured packet by filtering the captured packet by destination IP of LAN gateway, then searching for TCP packet contain the -PID=‖ string in its data field, which is the BitTorrent software process ID number that was sent by BitTorrent software to BitTorrent server.Fig. 5 shows the steps of that task.

3) Remote malicious code injection
The final step of the attack is explained in Fig. 6 www.ijacsa.thesai.orgIV.PROPOSED ATTACK IMPLEMENTATION As mentioned in section 3, attack scenario consists of four tasks.To verify the proposed attack, two software programs were written in C++ language, on Dev-C++ free IDE.Two free and open source programs were used in testing the proposed attack scenario, those are -Wireshark‖ and -Process Monitor‖.Wireshark is a packet sniffer and analyzer software, used by the attacker to capture the packet being sent to LAN gateway, in order to get the PID sent by BitTorrent software during its initialization.Process Monitor software collects all running processes and displays their process IDs on a local machine.Which was used to verify the discovered PID by attacker.

V. PROPOSED ATTACK TESTING & VERIFICATION
In this section, the captured images of the complete attack scenario are shown, presenting step-by-step attacking process.
In this scenario, two virtual machines were built using VMware software to present attacker and host under attack.Windows 7 was installed on both machines.
In the host machine under attack, author performed the following:  Installed uTorrent software (an example of BitTorrent based software) and a BitTorrent file containing the media files is in the process of being downloaded.The following figures (Fig. 7 -Fig.11) show the entire attack process as captured from the practical experiment.

VI. CONCLUSION
BitTorrent based applications are freeware tools that are basically used to share illegal resources in addition to its legal utilization.Users of these applications are not aware about the protocol trapdoor, which is basically leaking the BitTorrent application process ID during its initialization process.Author established and proved attacking scenario based on such leakage.Software programs were developed using Dev-C++ to simulate implanted Trojan and attacker frontend.Author encourages BitTorrent based application users to avoid downloading any executable applications that may be infected with implanted Trojans which may indirectly damage user resources through injecting malicious code during run time of BitTorrent application itself.www.ijacsa.thesai.org

Fig. 1 .
Fig. 1.Proposed attack overall scenario 2) Packet sniffing Wireshark is a free network protocol analyzer that runs on Windows, Linux/Unix, and Mac computers, allowing users to display the contents of messages undergoing shared network segment at different levels of the protocol stack.

Fig. 2 .Fig. 3 .
Fig. 2. Left: a group of torrent clients exchanging an infected torrent media file.Right: the client infected with attacker Trojan


Installed Process Monitor software to discover PIDs of running processes. Installed the developed program -GetPID.exe‖, which returns the local PID of uTorrent.exe. Installed developed program -RemoteTrojanServer.exe‖, which presents the implanted Trojan. Installed WireShark software to capture gateway packets and analyze them to get PID sent by uTorrent during its initialization.www.ijacsa.thesai.orgInstalled developed program -RemoteInjectorServer.exe‖, which sends PID and injected malicious code.