
Tenable Blog


Scanning Your Network For Copyrighted Material

Note: This blog was first posted on November 27, 2006. Since then, plugin ID #11777, which enumerates files that potentially represent copyright violations, has been rewritten.  It is now dependent on plugin ID #23973 which enumerates files hosted on SMB shares and checks for a much broader range of file extensions. 

Nessus includes three plugins to look for systems containing movies and music files being served through web servers, ftp servers and SMB shares. This blog entry will discuss why this is something you might want to look for, how these plugins work and how you can use the Security Center to analyze these results.

Background

Plugins #11777, #11778 and #11779 look for files with the following extensions:

.mp3
.mpg
.mpeg
.ogg
.avi
.wma
.vob

These files are normally associated with movies, music and DVDs that have been obtained from the Internet through P2P file sharing applications such as BitTorrent, BearShare, eMule, Kazaa and WinMX.

Having a movie or music file on a computer is not a crime; however, having data that is copyrighted can be a crime. If users on your network are sharing this sort of data illegally, they may be exposing your organization to potential investigations from the Recording Industry Association of America (RIAA) or the Motion Picture Association of America (MPAA).

Tenable's university customers (and even our corporate customers) regularly tell us that if a user starts to blatantly use the network for sharing files with music or movie content, they can expect to get a letter from the RIAA or MPAA. Responding to these letters takes up the IT staff's time.

Internally, any organization that hosts a file server containing copyrighted material may be open to lawsuits or even embarrassment if news of this leaves the organization.

There are also a great many security threats from shared illegal content such as this. The SANS Q4 Top 20 list identifies both media players (C5) and P2P applications (C3) as being targeted by malicious users. An attacker who wishes to compromise a large number of systems could create a music or movie file with very appealing content, such as a popular song or movie, and also include an exploit which attacks iTunes, Media Player or Quicktime.

The NASL Scripts

Tenable has produced three different plugins to search for files with these extensions in SMB shares, on FTP servers and on Web servers.

#11777  SMB share hosting copyrighted material

This plugin uses the current scan credentials to find file archives of movies and music on SMB shares. For performance reasons, the script only recurses three levels deep.

#11778 Web Server hosting copyrighted material

This plugin is dependent on the webmirror.nasl script. The webmirror.nasl script creates a virtual archive of all content on the scanned web server. Plugin #11778 then searches this archive in the Nessus knowledge base for any file extensions which match those of movies and music.

Typically, users will find web archives on port 80 servers, but if a user is more savvy, they may try to hide their web server on a high port. If Nessus is performing a full port scan, it will find this port, identify it as a web server and log in. If performing a full port scan is not an option for all systems, using the Passive Vulnerability Scanner (PVS) to monitor network traffic to find web servers on non-standard ports is suggested.

#11779 FTP server hosting copyrighted material

This plugin logs into detected FTP servers and traverses the directories of hosted files for archives of movies and music. For performance reasons, the script only recurses three levels deep.

As with off-port web servers, if Nessus finds an FTP server not running on port 21, it will still attempt to perform this analysis. The PVS will also find off-port FTP servers.
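The depth-limited extension search described for plugins #11777 and #11779 can be reproduced against a share you have mounted locally. The following is an added example, not Tenable's NASL code; the function names are hypothetical, and counting the share root as level 1 is an assumption about what "three levels deep" means.

```python
import os
from collections import defaultdict

# Extension list from the Background section of this post.
MEDIA_EXTENSIONS = {".mp3", ".mpg", ".mpeg", ".ogg", ".avi", ".wma", ".vob"}
MAX_DEPTH = 3  # assumption: the share root counts as level 1


def find_media_files(root, max_depth=MAX_DEPTH, extensions=MEDIA_EXTENSIONS):
    """Return {extension: [paths]} for media files within max_depth levels of root.

    Symlinks are not followed, so a link loop cannot defeat the depth
    limit, and directories that cannot be read are skipped.
    """
    findings = defaultdict(list)
    stack = [(root, 1)]
    while stack:
        directory, depth = stack.pop()
        try:
            entries = list(os.scandir(directory))
        except OSError:
            continue  # permission denied or directory removed mid-scan
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                if depth < max_depth:
                    stack.append((entry.path, depth + 1))
            elif entry.is_file(follow_symlinks=False):
                # Match case-insensitively: "Cars.AVI" and "cars.avi" both count.
                ext = os.path.splitext(entry.name)[1].lower()
                if ext in extensions:
                    findings[ext].append(entry.path)
    return {ext: sorted(paths) for ext, paths in findings.items()}


def summarize(findings):
    """Count hits per extension, giving one triage line per share."""
    return {ext: len(paths) for ext, paths in sorted(findings.items())}
```

Files below the depth limit are missed by design, so an empty result only covers the levels that were walked.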

Interpreting The Results

Finding a movie or a music file does not imply that the host is indeed violating someone else's copyrighted material. Many of the following situations occur on modern enterprise networks:

  • legally obtained content is being shared unintentionally
  • content intended for downloads (such as podcasts, movie trailers, etc.) is found
  • content included with applications and operating systems is found

When analyzing systems with this data on them, consider the following concepts:

  • Is this data something required for normal usage?
  • Is this data consuming network bandwidth or storage?
  • Does this data contain offensive material or subjects?

Analyzing Results with the Security Center

Below is an image of a server at 192.168.20.23 that was hosting copyrighted material over an SMB share:

[Image: Copysc3]

This system had a few movies (Cars and Monster House) as well as some MP3s. If we had many hundreds (or even thousands) of servers with this condition, how could we use the Security Center to narrow these down into different groups? There are several things we could do:

  • The Security Center has a "Search Vuln Text" field. If we wanted to find just movies, just music, etc., we could refine our search there. For example, we could type "cars.avi" and we'd find just systems that had that movie.
  • We could extend this concept to look for "dirty" words which were associated with pornographic material. This would find systems potentially hosting adult entertainment content.
  • We could also extend this concept to look for music of popular bands and titles such as "ColdPlay", "U2" and "Madonna".
  • These filters could also be used to create a Security Center dynamic asset list. These rules could either simply match plugins #11777, #11778 and #11779 or have a more refined algorithm by also performing a text search to look for specific content. 
  • Lastly, once these dynamic asset rules were in place, the Log Correlation Engine could be used to analyze network traffic (via direct sniffing or netflow) going to and from these devices to look for who has been accessing this data and how long they've been accessing it. 

For More Information

If this type of monitoring is interesting, Tenable customers should request a copy of our "Realtime Compliance Monitoring" paper. It has a section on strategies for dealing with RIAA and MPAA inquiries. All requests for the paper should be sent to [email protected].

Also, both the PVS and Nessus have extensive families for detecting P2P applications in use. The Nessus plugin family for identifying P2P apps is available for analysis online. The PVS is a commercial product. If there is interest in that, please contact [email protected].

Lastly, we've previously blogged about using the PVS for corporate monitoring.
