
Has the RIAA Wormed 95% of P2P Networks?

CmdrTaco posted more than 11 years ago | from the gotta-hope-not dept.

The Internet 887

DancingSword was one of many to submit links to a strange story about the RIAA hacking back by sending a worm through the major peer-to-peer networks, supposedly with a 95% infestation rate. Hoax or not?


hub (-1)

macksav (602217) | more than 11 years ago | (#5079933)

it's all about the hub. fp!?

IN SOVIET RUSSIA (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5080072)

...P2P networks worm the RIAA!

Spank me! (-1)

613746 (613746) | more than 11 years ago | (#5079935)

I love a good spanking... with hot grits and a goat.

w00t!

GiZ lives! www.geekizoid.com... sucka.

Remember (5, Insightful)

lifechooser (446921) | more than 11 years ago | (#5079937)

95% of networks is not 95% of files.

Re:Remember (5, Informative)

Tim C (15259) | more than 11 years ago | (#5079961)

Ah, but it's not "95% of networks", it's "95% of computers participating in p2p networks".

That said, I really doubt the veracity of this. To me, it's more likely to either be a hoax by someone trying to get noticed, or scare tactics to get people to stop using p2p and delete their mp3s. It seems to me very unlikely that anything with such a high rate of infestation would have gone completely unnoticed.

Re:Remember (0, Redundant)

BlackHawk-666 (560896) | more than 11 years ago | (#5079965)

That's 95% of hosts they are claiming...not networks.

Re:Remember (-1, Redundant)

Tuna_Shooter (591794) | more than 11 years ago | (#5080035)

Article Content:

-----BEGIN PGP SIGNED MESSAGE-----

It seems the exploit was not included in the first vulnwatch e-mail. Here you go.

- - ----- Forwarded Message from gobbles@hushmail.com -----

[ASCII art banner]

"Putting the honey in honeynet since '98."

Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org) to invent, create, and finally deploy the future of antipiracy tools. We focused on creating virii/worm hybrids to infect and spread over p2p nets. Until we became RIAA contracters, the best they could do was to passively monitor traffic. Our contributions to the RIAA have given them the power to actively control the majority of hosts using these networks.

We focused our research on vulnerabilities in audio and video players. The idea was to come up with holes in various programs, so that we could spread malicious media through the p2p networks, and gain access to the host when the media was viewed.

During our research, we auditted and developed our hydra for the following media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)

After developing robust exploits for each, we presented this first part of our research to the RIAA. They were pleased, and approved us to continue to phase two of the project -- development of the mechanism by which the infection will spread.

It took us about a month to develop the complex hydra, and another month to bring it up to the standards of excellence that the RIAA demanded of us. In the end, we submitted them what is perhaps the most sophisticated tool for compromising millions of computers in moments.

Our system works by first infecting a single host. It then fingerprints a connecting host on the p2p network via passive traffic analysis, and determines what the best possible method of infection for that host would be. Then, the proper search results are sent back to the "victim" (not the hard-working artists who p2p technology rapes, and the RIAA protects). The user will then (hopefully) download the infected media file off the RIAA server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all p2p-serving software on the machine is infected, which will allow it to infect other hosts on the p2p network. Next, all media on the machine is cataloged, and the full list is sent back to the RIAA headquarters (through specially crafted requests over the p2p networks), where it is added to their records and stored until a later time, when it can be used as evidence in criminal proceedings against those criminals who think it's OK to break the law.

Our software worked better than even we hoped, and current reports indicate that nearly 95% of all p2p-participating hosts are now infected with the software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively infecting p2p users, and building one giant ddosnet.

Due to our NDA with the RIAA, we are unable to give out any other details concerning the technology that we developed for them, or the details on any of the bugs that are exploited in our hydra.

However, as a demonstration of how this system works, we're providing the academic security community with a single example exploit, for a mpg123 bug that was found independantly of our work for the RIAA, and is not covered under our agreement with the establishment.

Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de

Problem Type:
Local && Remote

Vendor Notification Status:
The professional staff of GOBBLES Security believe that by releasing our advisories without vendor notification of any sort is cute and humorous, so this is also the first time the vendor has been made aware of this problem. We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP

Exploit Available:
Yes, attached below.

Technical Description of Problem:
Read the source.

Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlwEARECABwFAj4jFUIVHGdvYmJsZXNAaHVzaG1haWwuY29tAA oJEBzRp5chmbAPJgsA nAnM8UDSXkairnRtit9avLxELv+YAJ9PFrHNlLWQYu0hfdCD6K oJd+xALQ== =c41P
-----END PGP SIGNATURE-----

Well, it's been posted on Slashdot. (0, Troll)

JeffSh (71237) | more than 11 years ago | (#5079940)

With the track record lately, I'd wager hoax.

If you can't beat 'em (1)

anothermortal (577394) | more than 11 years ago | (#5079941)

Join 'em! I mean, if the RIAA does an illegal act to counter an illegal (only if copyright material) act, then it's justified, right? First?

Re:If you can't beat 'em (3, Funny)

squiggleslash (241428) | more than 11 years ago | (#5080008)

Given the number of times the RIAA's website has been hacked, I'm guessing they're thinking the way you are...

Re:If you can't beat 'em (1)

Squareball (523165) | more than 11 years ago | (#5080017)

umm.. but 2 wrongs don't make a right, at least that is what my mom always said

Re:If you can't beat 'em (-1)

Anonymous Coward | more than 11 years ago | (#5080041)

But three rights make a left.

Hahaha! I kill myself! In Soviet Russia, three lefts make a right! 1. Go right. 2. ????? 3. Left! Can you imagine a beowulf cluster of right turns? (etc)

Worms up my Arse (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5079942)

Fuck you slashdot. Furthermore, fuck linux.

Re:Worms up my Arse (1)

mcbridematt (544099) | more than 11 years ago | (#5079995)

Sounds like an angry Microsoft PR rep.
I hate to go off topic, but:
  • Don't bag web sites because of their reader views: Free Speech prevails. Sure I respect your right to say what you did, but it's not appropriate
  • Don't bag operating systems harshly: Heck, it's not every day I phone my local Microsoft office and say f[swearing] you.

first post (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5079943)

More Pie, Admiral?

george bush (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5079944)

is a maniacal killer.

Windows Clients/hosts? (5, Interesting)

pgrote (68235) | more than 11 years ago | (#5079946)

No mention of whether this affects Windows clients/hosts or not. Any idea?

Re:Windows Clients/hosts? (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5079976)

Of COURSE it does! If it effects Linux, then a crappy Windows program is definatly going to be effected!

Re:Windows Clients/hosts? (-1, Offtopic)

Alan Partridge (516639) | more than 11 years ago | (#5080051)

I'm not surprised that you choose to remain anonymous with spelling like that.

DEFINITELY going to be AFFECTED, numbnuts

Re:Windows Clients/hosts? (5, Informative)

Anonymous Coward | more than 11 years ago | (#5079982)

Read the advisory written by Gobbles:



Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
to invent, create, and finally deploy the future of antipiracy tools. We
focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contracters, the best they could do was to passively
monitor traffic. Our contributions to the RIAA have given them the power
to actively control the majority of hosts using these networks.

We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.

During our research, we auditted and developed our hydra for the following
media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)

After developing robust exploits for each, we presented this first part of
our research to the RIAA. They were pleased, and approved us to continue
to phase two of the project -- development of the mechanism by which the
infection will spread.

It took us about a month to develop the complex hydra, and another month to
bring it up to the standards of excellence that the RIAA demanded of us. In
the end, we submitted them what is perhaps the most sophisticated tool for
compromising millions of computers in moments.

Our system works by first infecting a single host. It then fingerprints a
connecting host on the p2p network via passive traffic analysis, and
determines what the best possible method of infection for that host would
be. Then, the proper search results are sent back to the "victim" (not the
hard-working artists who p2p technology rapes, and the RIAA protects). The
user will then (hopefully) download the infected media file off the RIAA
server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all p2p-serving
software on the machine is infected, which will allow it to infect other
hosts on the p2p network. Next, all media on the machine is cataloged, and
the full list is sent back to the RIAA headquarters (through specially
crafted requests over the p2p networks), where it is added to their records
and stored until a later time, when it can be used as evidence in criminal
proceedings against those criminals who think it's OK to break the law.

Our software worked better than even we hoped, and current reports indicate
that nearly 95% of all p2p-participating hosts are now infected with the
software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.

Due to our NDA with the RIAA, we are unable to give out any other details
concerning the technology that we developed for them, or the details on any
of the bugs that are exploited in our hydra.

However, as a demonstration of how this system works, we're providing the
academic security community with a single example exploit, for a mpg123 bug
that was found independantly of our work for the RIAA, and is not covered
under our agreement with the establishment.

Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de

Problem Type:
Local && Remote

Vendor Notification Status:
The professional staff of GOBBLES Security believe that by releasing our
advisories without vendor notification of any sort is cute and humorous, so
this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP

Exploit Available:
Yes, attached below.

Technical Description of Problem:
Read the source.

Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.

Re:Windows Clients/hosts? (2)

Mr Guy (547690) | more than 11 years ago | (#5080082)

evidence in criminal proceedings against those criminals who think it's OK to break the law

coughcoughbullshitcoughcough

Please. Evidence? Collected by hacking and compiling a list and transmitting that data illegally.
Even the RIAA's lawyers aren't stupid enough to think that'd fly.

Re:Windows Clients/hosts? (2, Interesting)

Zayin (91850) | more than 11 years ago | (#5079993)

If 95% of all p2p-participating hosts are infected (as the article claims) then the answer must be yes.

(Simple math: If the answer is "no", then that would mean that 5% or less of p2p-participating hosts run Windows. That is not the case.)

Re:Windows Clients/hosts? (5, Interesting)

Geertn (526524) | more than 11 years ago | (#5079994)

On bugtraq, this was mentioned by gobbles, who also did the Apache and OpenSSH exploit. The signed message verify at hushmail says it is signed correctly, so I guess it's the real Gobbles. The scary thing is, GOBBLES always mentions something really unrealistic, but suddenly he proves it...... like the apache and openssh exploits... scary

Re:Windows Clients/hosts? (5, Informative)

t0shstah (629986) | more than 11 years ago | (#5080027)

Apparently the "hydra" uses exploits/overflows on a number of popular media players - including xmms, which is a Linux mp3 player and WinAMP, which is a Windows mp3 player. Therefore that would suggest it can infect multiple operating systems.

More details including the original post can be found here [securityfocus.com] .

I still doubt the possible risk/effectiveness - or even that it's true though.

Re:Windows Clients/hosts? (2)

Big Mark (575945) | more than 11 years ago | (#5080084)

Perhaps it works in a platform-independent way... maybe it submits requests in KaZaA / Gnutella / [whatever filesharing network]-speak, so that a Windows client could infect a Linux one just as easily as it was infected from a Mac solely by issuing weird protocol commands which would make the client do as the worm commanded - remember, searches are propagated through the filesharing networks exactly as worms spread, but as we like committing copyright theft we don't complain about it.

Just a thought, if they're getting that much proliferation they can't be doing it using worms in the traditional sense of dodgy platform-specific programs...

-Mark

Is the RIAA liable to hacking charges? (5, Insightful)

mcbridematt (544099) | more than 11 years ago | (#5079947)

I wonder, if the RIAA sends a worm through P2P networks and shuts the networks down, can the RIAA representatives be charged with hacking? Besides, not all files on P2P networks are illegal.

Re:Is the RIAA liable to hacking charges? (4, Interesting)

uncoveror (570620) | more than 11 years ago | (#5080057)

Indeed. The Berman Bill has not become law, and under the USA Patriot Act, hacking can be considered terrorism. One thing we should all do is boycott the recording industry. [dontbuycds.org]

SO WHAT.... (0)

Anonymous Coward | more than 11 years ago | (#5079951)

like i said, so what -

Of Course Not (0)

Anonymous Coward | more than 11 years ago | (#5079953)

The RIAA is a bunch of lobbyists and pencil pushers. They wouldn't know if the firm that they hired to do all this stuff actually did its job or not. Best of all, this has no actual effect on peer to peer networks at all. Everybody laugh at the Recording Industry Ass. of America.

While I'm at it, I want to mention how I'm keeping track of radio stations that play the ``add up how many clicks...'' advertisements, and how I'm not going to buy any products advertised on those stations.

*cough* bullshit *cough* (2)

metacosm (45796) | more than 11 years ago | (#5079954)

For some reason I think we may find out this is a hoax. Just guessing.

Re:*cough* bullshit *cough* (5, Insightful)

wackysootroom (243310) | more than 11 years ago | (#5080004)

I agree. A healthy dose of scepticism is needed here. First of all, if the RIAA really *did* want to infect the p2p networks with a worm, they would make GOBBLES sign a non disclosure agreement.

Could this be FUD straight from the RIAA to scare people into not running p2p apps? Is it a rumor started by GOBBLES to create a stir against the RIAA, or is it legit?

Who cares? I'm gonna fire up my gnutella client and share open source software until the day that p2p is illegal.

Re:*cough* bullshit *cough* (2)

PeterClark (324270) | more than 11 years ago | (#5080065)

Agreed. After all, the RIAA can't even prevent their own web page from getting hacked. Obviously, we are not dealing with the brightest lightbulbs in the box. The effort and amount of work, not to mention sheer skill, in worming an international network without detection does not seem to match the RIAA's skill set.

Hmm...the RIAA webpage [riaa.org] is still down. Amusing.
:Peter

hmmm (2, Insightful)

Rcknight (640267) | more than 11 years ago | (#5079956)

95% infection, sounds pretty unlikely to me.

RIAA trying to scare us again?

I really doubt it (1, Insightful)

PhysicsGenius (565228) | more than 11 years ago | (#5079957)

Worms work by finding an open port (like a P2P client), copying themselves to the target and then executing themselves on the remote machine. This means that all the machines must be able to run the same binary program format. It also means that the software must be exploitable.

I really doubt 95% of all P2Pers are running the same OS. In fact, given the mindset of Linux users in general, I would expect their representation among IP "sharers" would be much higher than the regular population. So that makes about 25-50% of targets unimpeachable, due to quality Open Source bug-finding.

In short, hoax.

Re:I really doubt it (0)

Anonymous Coward | more than 11 years ago | (#5080078)

This means that all the machines must be able to run the same binary program format. It also means that the software must be exploitable.

hydra worm, and software on windows and linux is exploitable. we need to all start running MacOS X, or OS/2

Poor choice of headline (2, Funny)

hyacinthus (225989) | more than 11 years ago | (#5079958)

Anyone who owns a dog knows that "to worm" means to _get rid_ of worms, not to infect with them.

hyacinthus.

Re:Poor choice of headline (0, Offtopic)

FleshWound (320838) | more than 11 years ago | (#5080023)

(Score:1, Offtopic)
I wonder how much crack must be smoked before a moderator will mod one of the most on-topic posts as "off-topic."

That explains... (5, Funny)

Anonymous Coward | more than 11 years ago | (#5079960)

why all my porn has been changed to Hillary Rosen with a strap-on.

Must be true (0)

Anonymous Coward | more than 11 years ago | (#5079963)

It has become self-conscious last thursday, sends mails to every email address it can find and claims to be "big@boss.com".

Creation of viree is a crime (5, Insightful)

Max Romantschuk (132276) | more than 11 years ago | (#5079964)

Well a worm is a form of a virus, and it is a crime to create one... One would presume that the RIAA would not be stupid enough to try and play a vigilante.

Re:Creation of viree is a crime (1)

Bugmaster (227959) | more than 11 years ago | (#5079977)

Isn't it legal for them to do it now? I seem to recall reading something about a bill which allows RIAA to hack any network for the purposes of rooting out evil pirates (arrrrr). Has this bill become law?

I wonder... (1)

Spad (470073) | more than 11 years ago | (#5079966)

What the RIAA think about Gobbles telling everyone about this.

I mean normally they want everyone to know about their "anti-piracy" efforts - but when they're this dubious legally, do they really want it out in the open?

it is all very clear to me now (0)

Anonymous Coward | more than 11 years ago | (#5079967)


http://online.securityfocus.com/archive/1/306476/2003-01-11/2003-01-17/0

*running norton* (1)

Cyno01 (573917) | more than 11 years ago | (#5079969)

Nope, nothing here, and I have 2 disks full of stuff I've downloaded from Kazaa. It's a hoax.

Re:*running norton* (1)

Spad (470073) | more than 11 years ago | (#5079984)

If Norton et al detected it (assuming it exists), we'd have heard of it before now (especially with a 95% infection).

Re:*running norton* (1)

opto (592314) | more than 11 years ago | (#5080014)

I hope this was supposed to be funny.

You do realize Norton, in general, only finds virii in its database right? Good luck with that antivirus software on an unknown virus.

How are you Gentlemen?! (0)

Anonymous Coward | more than 11 years ago | (#5079971)

All your computer are belong to RIAA!

Not for me (0)

perdelucena (455667) | more than 11 years ago | (#5079973)

My gnutella linux client is still working fine. Thank you.

Dunno about all that (5, Insightful)

Etrigan_696 (192479) | more than 11 years ago | (#5079974)

But there's definitely some sort of maliciousness out there. Grab a gnutella client and search for something - ANYTHING - and it'll likely show up as an mpeg of about 1.5MB. Typically it's one of three or four porn movies. Search for "Smoke Marijuana on the International Space Station" and you'll end up downloading a blonde chick dancing around in a red towel.

Re: Dunno about all that (0, Offtopic)

Cyno01 (573917) | more than 11 years ago | (#5079987)

Search for How to Smoke Weed Marijuana Out of a Bong. It's just some dumbass kids, but it's funny as hell. "Don't let the passing out fool you, it's the sign of a good bong hit."

This is SPAM (4, Informative)

inerte (452992) | more than 11 years ago | (#5080062)

Gnutella has been spammed for a long time now. It's just someone or a company that programmed a client to analyze the queries and return the proper filename.

Shareaza, Gnucleus and Bearshare offer protections against some of these spammers, by blocking their hosts.
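The query-echo spam described in the two comments above (any search answered by a file named after the query, always around 1.5 MB) can be spotted on the client side before a host is blocked. The following is an added example, not part of the thread and not any Gnutella client's actual filter; the heuristic, its thresholds, the canary query and the sample hits are all constructed for illustration.

```python
import re
from collections import defaultdict


def tokens(text):
    """Lower-case alphanumeric words in a query or file name."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def echo_ratio(query, filename):
    """Fraction of the query's words that reappear in the file name (extension dropped)."""
    q = tokens(query)
    stem = filename.rsplit(".", 1)[0]
    return len(q & tokens(stem)) / len(q) if q else 0.0


def score_hosts(hits, canaries=(), min_queries=3, echo_min=0.9, size_spread_max=0.05):
    """Return {host: [reasons]} for hosts that behave like query-echo responders.

    hits     -- iterable of (host, query, filename, size_bytes) search results
    canaries -- nonsense queries we sent on purpose; no real file should match them
    A host is flagged when it answers a canary, or when it answers at least
    `min_queries` different queries, every answer echoes the query in the file
    name, and all the returned files are nearly the same size.
    """
    per_host = defaultdict(list)
    for host, query, filename, size in hits:
        per_host[host].append((query, filename, size))

    canary_set = set(canaries)
    report = {}
    for host, rows in per_host.items():
        queries = {q for q, _, _ in rows}
        sizes = [s for _, _, s in rows]
        echoed = sum(echo_ratio(q, f) >= echo_min for q, f, _ in rows)
        largest = max(sizes)
        spread = (largest - min(sizes)) / largest if largest else 0.0

        reasons = []
        if queries & canary_set:
            reasons.append("answered canary query")
        if len(queries) >= min_queries and echoed == len(rows) and spread <= size_spread_max:
            reasons.append("echoes every query with near-constant file size")
        if reasons:
            report[host] = reasons
    return report


# Constructed sample data: documentation-range addresses, made-up results.
CANARIES = ("zq7 canary xk42 vprw",)
SAMPLE_HITS = [
    ("192.0.2.10", "smoke marijuana on the international space station",
     "smoke marijuana on the international space station.mpg", 1_572_864),
    ("192.0.2.10", "debian woody install iso", "debian woody install iso.mpg", 1_572_864),
    ("192.0.2.10", "zq7 canary xk42 vprw", "zq7 canary xk42 vprw.mpg", 1_570_000),
    ("198.51.100.7", "debian woody install iso", "debian-woody-i386-install.iso", 680_000_000),
    ("198.51.100.7", "my band demo", "my_band_demo_2002.ogg", 4_200_000),
    ("198.51.100.7", "lecture recording physics", "physics_lecture_recording_03.mp3", 28_000_000),
    ("203.0.113.5", "zq7 canary xk42 vprw", "free_screensaver.exe", 300_000),
]

if __name__ == "__main__":
    for host, reasons in sorted(score_hosts(SAMPLE_HITS, CANARIES).items()):
        print(host, "->", "; ".join(reasons))
```

The canary check catches responders that do not bother to echo the query, while the echo-plus-size check still works when no canary has been sent.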

Re: Dunno about all that (5, Funny)

BabyDave (575083) | more than 11 years ago | (#5080064)

That's malicious? I'd say it's pretty damn generous!

Oh, and this is vaguely relevant [penny-arcade.com]

Sue RIAA for screwing legal data? (1)

RMH101 (636144) | more than 11 years ago | (#5079978)

Say I've got stuff on my machine that I legally own: recordings of my band, videos I shot etc. If the RIAA screws up my collection of legally owned media, can I not sue them for trespass, damage to data, hacking, supporting terrorism or whatever?

The Register is wrong.. (5, Informative)

dj28 (212815) | more than 11 years ago | (#5079979)

The actual exploit was posted on bugtraq yesterday. You can find it here. [securityfocus.com] That link has the original post from the group explaining what the exploit is, how the RIAA is supposedly involved, and it has the exploit as an attachment. Check it out and decide for yourself if it's a hoax.

Re:The Register is wrong.. (5, Insightful)

EricWright (16803) | more than 11 years ago | (#5080086)

The scary thing behind what was posted to Bugtraq is that it explicitly states that all digital media on the system is cataloged, and the list is sent to the RIAA. This assumes all digital media on a system is an illegal copy.

Sure, if the worm comes into your system over a P2P network, there's a good chance that at least *some* of your mp3s are pirated, but there's no way to differentiate pirated mp3s and those you ripped/encoded from your own CD collection.

I could easily see someone downloading a public domain work via P2P network, getting infected, and having their 40GB mp3 (ripped/encoded from legally obtained sources) library listed to the RIAA "for future prosecution."

I love the whole guilty until proven innocent attitude here. Sounds like a bad "In Soviet Russia..." joke.

URL to the original BugTraq posting (5, Informative)

sboyko (537649) | more than 11 years ago | (#5079980)

This is the original posting [securityfocus.com] .

Reading the posting, it seems unlikely.

Link to Security Focus (5, Informative)

MImeKillEr (445828) | more than 11 years ago | (#5079981)

This [securityfocus.com] article may have more info than the one linked in the article.

worm code (5, Funny)

macrophage (198249) | more than 11 years ago | (#5079983)

Hey, I found a copy of the worm's code:

RIAA - 0wn3d by.... ;p
oooh riaa want's to hack Filesharing Users / Servers ? - better lern to secure your own server...
Sorry Admin - had to deactivate ur accounts - they'll be reactivated after 2 hours

greetz : Rage_X, BRAiNBUG, SyzL0rd, BSJ, PsychoD + all the others who want to stay anonymous :]
wanna contact ? mailto:h4x0r0815@mail.ru

Oh, wait, that was the RIAA's web page. Never mind!

5% listing (2)

dago (25724) | more than 11 years ago | (#5079989)

Maybe we can begin a list of all people in those 5%.

It reminds me of an old cold war joke:
In soviet russia, 98% of the population was satisfied with the current regime. But no matter who you speak to, you always encounter people in the other 2%

Re:5% listing (2)

cperciva (102828) | more than 11 years ago | (#5080013)

In soviet russia, 98% of the population was satisfied with the current regime. But no matter who you speak to, you always encounter people in the other 2%

I'd think it was the other way around: 98% of the population was not satisfied with the regime, but whoever the police spoke to, they always encountered people in the other 2%.

Re:5% listing (-1)

Anonymous Coward | more than 11 years ago | (#5080021)

In Soviet Russia, 2% encounters you!

ha (1, Insightful)

Anonymous Coward | more than 11 years ago | (#5079990)

You don't want to believe anything GOBBLES says. He's the biggest wind-up merchant in the security community.

Scaring the whitehats (1)

veg (76076) | more than 11 years ago | (#5079997)

Gobbles have got a history of releasing some pretty scary exploits (remember the apache chunking vuln ?) but this time the actual message was a release of a straightforward buffer overflow in mpg123. I suspect that the stuff about the RIAA was added to make this release more interesting - and scare the whitehats a bit more.

Having said that, I have to admit that this and several other recent bl4qh47 posts on full-disclosure have genuinely made me feel very nervous. Especially the "sourceforge is our bitch" posts....

I'd certainly feel better if someone who knows, publicly debunked these as myths. Until then I'm wearing reinforced pants.

RIAA Counting (0)

Anonymous Coward | more than 11 years ago | (#5079998)

The Register was probably told that it was the "equivalent" to 95% infected, so it's probably somewhere around 24% in reality ;-)

Legally (5, Insightful)

Hasie (316698) | more than 11 years ago | (#5080001)

Where does this leave the RIAA legally? The bill mentioned in the article that would allow the RIAA and other copyright holders to crack computers to prevent piracy is not law yet. Does that mean that this would be regarded as just another worm with the authors being thrown in jail (like the authors of Love Bug and others)?

Nah. (5, Funny)

llamalicious (448215) | more than 11 years ago | (#5080002)

I've got at least 7 mp3 downloads running right now and none of them appear to be infe($!$%. .AF0ERIAA.`/2#..-

i can't resist this - what i think of gobbles (0)

Anonymous Coward | more than 11 years ago | (#5080006)

[MOD: This is a troll, yes, but i can't resist.]

Gobbles is a f*** idiot. He thinks he has a great sense of humour and he also thinks he's smarter than he really is. From his previous e-mails etc. I could say he is 13 years old.

He has no sense of honour or respect to other people, he doesn't care about anything. All his "advisories" are only meant to insult people and cause havoc. He doesn't care that what he says hurts people on many levels. He doesn't warn projects, etc. He's just out there for his own personal fame and satisfaction. He probably is a miserable person.

Now I have said it. There are still people who think he's funny. I don't agree. He is psychotic.

Consider This (2, Insightful)

Anonymous Coward | more than 11 years ago | (#5080009)

Keeping in mind the number of times their website has been hacked I seriously doubt they have the technical ability to do this. Also keep in mind that no corporation is going to essentially admit liable without some impending legal action as a catalyst.

Re:Consider This (0)

Anonymous Coward | more than 11 years ago | (#5080044)

Read the article fagtard, a hired consultant of the RIAA did it not the actual RIAA.

I'm sure george bush doesn't know how to drop 2 ton bombs on afghan farmers from a b-52, but he doesn't have to he just hires some poor people to do it for him.

These groups obviously just hire out contractors fucking ah duh.

It's funny when people try to block riaa.org's ip from their pc, as if hillary rosen is going to personally monitor your activities.

Duh they just hire someone else to do the dirty work.

hell ya (0)

Anonymous Coward | more than 11 years ago | (#5080010)

Fluffy Bunny is a bad mofo and Theo knows it.

biatch.

Hoax (5, Informative)

evilviper (135110) | more than 11 years ago | (#5080012)

I sincerely doubt that this is true for a number of reasons. First of all, if they were hired to write the software for RIAA, don't you think secrecy would both be part of the agreement, and be completely necessary?

In addition, I find it hard to believe that all the antivirus companies are sitting on their collective asses, and completely missed an infection that is supposedly on 95% of computers that participate in P2P.

Further, if anyone was to do something such as this, they would most certainly get in serious trouble for what is essentially a widespread, illegal, interstate wiretap.

In addition, I'd just like to say that there is no reason to put much faith in Gobbles... As Theo said, he's more or less the next "fluffy bunny". If anyone can be said to have a severe ego problem, it is him...

Re:Hoax (5, Insightful)

Zayin (91850) | more than 11 years ago | (#5080077)

I sincerely doubt that this is true for a number of reasons. First of all, if they were hired to write the software for RIAA, don't you think secrecy would both be part of the agreement, and be completely necessary?

Have you considered the possibility that they were hired by the RIAA to *claim* that they wrote the software, to scare people away from p2p networks?

True! (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#5080020)

I just fired up my Napster client (which I haven't looked at in years) and it says there aren't any servers! I then fired up my Scour client and it said the same thing! Killer worms!

Thank God for NNTP (2, Insightful)

Perlguy (17814) | more than 11 years ago | (#5080022)

Man, I sure am glad I use the newsgroups for music rather than P2P apps... I seem to get better quality files as well.

Re:Thank God for NNTP (1, Informative)

Anonymous Coward | more than 11 years ago | (#5080089)

I like using the IRC for my file sharing app.

I have only recently started using DC++ once in awhile for hard to get anime.
-_-

95%? Not likely. (3, Interesting)

achurch (201270) | more than 11 years ago | (#5080024)

I doubt you could get 95% of people on the Internet to agree on anything, much less taste in music, and even if this worm/virus infected every MP3 on a computer, 95% infestation seems really, really unlikely.

On the other hand, this (worming P2P clients) has been talked about a lot in the past--and there are already viruses spreading via P2P, though the community seems to detect them pretty quickly--so I wouldn't put it past the RIAA to do something like this. Much less this Gobbles character; he's pretty infamous on the Bugtraq mailing list for trying to make fun of / piss off as many people as he can. (Incidentally, Gobbles is also known for overstatement, and as he was the one who stated the 95% figure in the article . . . well, you decide.) And it would of course be trivial to "phone home" to the RIAA with information about shared files on the computer.

So while I could believe the existence of the worm, I seriously doubt the 95% infestation figure.

you might want to read this... (0)

Anonymous Coward | more than 11 years ago | (#5080026)

this is from a discussion a friend and I had..

<snip>

I'm not kidding, yes this is serious and no don't take the piss

See URI below

fred:/home/users/jail# chroot /home/fred/jail ./mpg123 pos.mpg
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59s-mh4 (2000/Oct/27). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!

Playing MPEG stream from pos.mpg ...
rm -rf ~ in 5 seconds.. CTRL-c to abort
;pPpPpPpPpPfred:/home/fred/jail#

Here's what it runs:

gettimeofday({1042546623, 823644}, NULL) = 0
read(3, "\377\345\352\0", 4) = 4
read(3, "\370\226\377\277AAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 2877) = 2877
read(3, "\232\377\277\264", 4) = 4
read(3, "\232", 1) = 1
read(3, "\377", 1) = 1
read(3, "\277", 1) = 1
read(3, "", 1) = 0
write(2, "rm -rf ~ in 5 seconds.. CTRL-c t"..., 41rm -rf ~ in 5 seconds.. CTRL-c to abort
;) = 41
write(2, "pP", 2pP) = 2
nanosleep({1, 0}, NULL) = 0
write(2, "pP", 2pP) = 2
nanosleep({1, 0}, NULL) = 0
write(2, "pP", 2pP) = 2
nanosleep({1, 0}, 0) = -1 EINTR (Interrupted system call)
--- SIGWINCH (Window changed) ---
write(2, "pP", 2pP) = 2
nanosleep({1, 0}, 0) = -1 EINTR (Interrupted system call)
--- SIGWINCH (Window changed) ---
write(2, "pP", 2pP) = 2
nanosleep({1, 0}, 0) = -1 EINTR (Interrupted system call)
--- SIGWINCH (Window changed) ---
execve("/bin/sh", ["/bin/sh", "-c", "rm -rf ~"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
_exit(0) = ?

IT WILL delete your home dir

and this using mpg123-.59s ish

Apparently mpg123 xmms xine and mplayer are all sploited.. along with winamp and wmp7..

http://online.securityfocus.com/archive/1/306476

I would seriously look at this exploit and then NOT play any more mp3 files until it has been suitably patched

the bug lies in a buffer overrun to strcpy

What happens if my mp3s are legit (1)

Wtcher (312395) | more than 11 years ago | (#5080056)

What happens if my mp3s are legit rips? Yay, more wood for the fire.

Re:you might want to read this... (0)

Anonymous Coward | more than 11 years ago | (#5080071)

Nice attempt at FUD fagmaster...

Where's the counter-exploit? (1)

Uninvited Guest (237316) | more than 11 years ago | (#5080028)

If this Gobbles virus/worm is real, it should be easy enough to find. What's more, it should be easy enough to write a counter exploit that hunts down and removes the Gobbles virus/worm. Perhaps the counter exploit could even propagate in the same way as Gobbles -- a bit like an inoculation. I don't know how to do it, and I can't google-out a link to such an effort; does one exist?

RIAA Giving Up That Easily? (1)

the_mad_poster (640772) | more than 11 years ago | (#5080029)

"The Berman bill, ensured a copyright owner would not be liable for "disabling, interfering with, blocking, diverting, or otherwise impairing the unauthorized distribution, display, performance, or reproduction of his or her copyrighted work on a publicly accessible peer-to-peer file trading network, if such impairment does not, without authorization, alter, delete, or otherwise impair the integrity of any computer file or data residing on the computer of a file trader."


So, basically the RIAA/MPAA is immune to certain portions of the DMCA that's supposed to be there partially to help them. Too bad irony is dead.


Well, for one thing, I say there's a 95% chance of a hoax. I mean, let's face it, if the RIAA actually DID something to thwart real piracy, they'd be neutering their own efforts to gain absolute control over the distribution medium. No piracy = no justification to keep marauding for DRM and other technologies that would effectively provide them with absolute control over who uses their content, when they use it, and for how long they use it. That's a MUCH nicer looking bottom line to the RIAA than actually stopping pirates.

And what are they going to do about it? (1)

WestieDog (592175) | more than 11 years ago | (#5080031)

So let's assume they are monitoring 95% of P2P clients (hosts, or whatever). What are they going to do with the data they collect from that monitoring? Are they going to send everyone a bill? Put them all in jail? Wipe their hard drive? I don't like being watched but so what.

not sure (5, Interesting)

Tom (822) | more than 11 years ago | (#5080032)

Forget the RIAA bashing, the Gobbles guys know what they do. That said, this is very un-gobbles from what I've seen from them in the past. Not the technology, but the comments in the source, for example. Then again, they're supposedly a large group.

From the little info that is available, I'd give them a 50-50 chance that it's true. That would be interesting.

Subject? (1)

TheCrimsonUnbeliever (638597) | more than 11 years ago | (#5080037)

"1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet."

Or: 'HEY MA - Look how cool I am'

Sounds like crud

Text of the Bugtraq Posting (2, Interesting)

terraformer (617565) | more than 11 years ago | (#5080038)

Gobbles Security has posted crap like this before to security sites and this is in keeping with their other posts.
(http://www.google.com/search?q=gobbles%20security&sourceid=mozilla-search&start=0&start=0&ie=utf-8&oe=utf-8)
It seems to be an obvious prank.
See below for text of latest post.

[snip for lameness filter]
"Putting the honey in honeynet since '98."

Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org) to invent, create, and finally deploy the future of antipiracy tools. We focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contractors, the best they could do was to passively monitor traffic. Our contributions to the RIAA have given them the power to actively control the majority of hosts using these networks.

We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could spread malicious media through the p2p networks, and gain access to the host when the media was viewed.

During our research, we audited and developed our hydra for the following media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)

After developing robust exploits for each, we presented this first part of our research to the RIAA. They were pleased, and approved us to continue to phase two of the project -- development of the mechanism by which the infection will spread.

It took us about a month to develop the complex hydra, and another month to bring it up to the standards of excellence that the RIAA demanded of us. In the end, we submitted them what is perhaps the most sophisticated tool for compromising millions of computers in moments.

Our system works by first infecting a single host. It then fingerprints a connecting host on the p2p network via passive traffic analysis, and determines what the best possible method of infection for that host would be. Then, the proper search results are sent back to the "victim" (not the hard-working artists who p2p technology rapes, and the RIAA protects). The user will then (hopefully) download the infected media file off the RIAA server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all p2p-serving software on the machine is infected, which will allow it to infect other hosts on the p2p network. Next, all media on the machine is cataloged, and the full list is sent back to the RIAA headquarters (through specially crafted requests over the p2p networks), where it is added to their records and stored until a later time, when it can be used as evidence in criminal proceedings against those criminals who think it's OK to break the law.

Our software worked better than even we hoped, and current reports indicate that nearly 95% of all p2p-participating hosts are now infected with the software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively infecting p2p users, and building one giant ddosnet.

Due to our NDA with the RIAA, we are unable to give out any other details concerning the technology that we developed for them, or the details on any of the bugs that are exploited in our hydra.

However, as a demonstration of how this system works, we're providing the academic security community with a single example exploit, for a mpg123 bug that was found independently of our work for the RIAA, and is not covered under our agreement with the establishment.

Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de

Problem Type:
Local && Remote

Vendor Notification Status:
The professional staff of GOBBLES Security believe that by releasing our advisories without vendor notification of any sort is cute and humorous, so this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP

Exploit Available:
Yes, attached below.

Technical Description of Problem:
Read the source.

Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.

So you reckon even uncopyrighted? (1)

KickTheDog (583548) | more than 11 years ago | (#5080039)

So what they are saying is that it "unintelligently" kills all the files and essentially corrupts the DB.. even if no pirate material is located on the user's machine.... Hmm I'm not sure but I'd say that was illegal... ooops

RIAA Latest Hack (1)

coolmacdude (640605) | more than 11 years ago | (#5080046)

I set up a mirror of the latest hack which occurred a few days ago. http://homepage.mac.com/coolmacguy/riaahacked.html

Btw, GOBBLES's homepage is at... (1)

daveaitel (598781) | more than 11 years ago | (#5080047)

http://www.immunitysec.com/GOBBLES/ [immunitysec.com] . I'm not yet hosting their latest files, however.

What will kill the networks (2)

brejc8 (223089) | more than 11 years ago | (#5080048)

I think RIAA is too keen to kill the networks that are slowly killing themselves. Take gnutella, where when you search for a song you will get several different names for the same song, some other song wrongly labeled, a few more truncated files and the rest are hosts which have been turned off days ago.
There is no point RIAA attacking now when the networks are a mess. They should save their main thrust for when these problems are fixed. In the meantime publicize these problems and that it's more hassle than it's worth.

hacking is a crime (0)

noisyb (630181) | more than 11 years ago | (#5080053)

but RIAA.gov is an exception, huh?

If It's True... (5, Insightful)

E-Rock-23 (470500) | more than 11 years ago | (#5080055)

...then it's an illegal act, period. Unless the Berman Bill is retroactive to a date prior to this supposed worm launch, it occurred before the bill is ever passed, and is illegal no matter what.

This supposed worm disables functions of a computer. Therefore, it is malicious, as is anything that modifies system performance without the user's knowledge and consent.

If this is true (95% infection rate? Doubt it), then we have one heck of a piece of ammo to use against the RIAA, if indeed they contracted this worm. The Price Fixing settlement, in that case, is just the beginning.

If it's a virus then when will the update be out? (1, Insightful)

g(zerofunk.org) (596290) | more than 11 years ago | (#5080058)

Just a few random thoughts about this.
If this is a virus, as they so professionally put it, then when will the virus update be out so I can clean a system that was infected?
I do not know of many admins that would like to have their entire network infected with this *virus* regardless of the RIAA's wishes. I'm thinking more along the lines of K12 & colleges; think of the number of problems this could raise IF any of this is true. Last I heard creating a virus and then claiming ownership of it, or bragging like a tool, is enough to get you tossed in the pokey.
Lastly, if I am following this correctly it infects the files; do you think that certain corporations will like the fact that another *corporation* is targeting their formats? Would this not convince you to switch to another format that isn't targeted? Microsoft WMA comes to mind in this matter.
g

Dubious Legality (5, Insightful)

Mr Guy (547690) | more than 11 years ago | (#5080061)

An exploit of this nature is of dubious legality

Dubious? How is there any doubt? Assuming this passes the farmer test (it's not just bullshit in a bag), how can there be doubts it's illegal. At best, it's invasion of privacy. At worst, it's cyber terrorism as defined by the Patriot Act.

The existence of a P2P client doesn't a criminal make, especially since the example given in the article by the l33t hacker is a perfectly legal file: the public MP3s (written to celebrate each OpenBSD release).

It's junk, like the quad-browser yesterday.

The biggest thing to fear is that the RIAA will use this to make up more numbers [guidance.net.nz] .

arms race (1)

opencity (582224) | more than 11 years ago | (#5080063)

There was talk of flooding Napster with super servers, so the RIAA-ites are bound to get into a technological arms race with the p2p's, the idea being to make it as difficult and dangerous as possible. Not stopping p2p, but constantly battling with salaried code departments. This is a lot of money we're talking about (industry tracked duping) and they sure ain't gonna lie down.

The joke to me is that, IMHO (and I'm in the music biz) p2p actually is good for global sales. Disk to disk copying is where they're getting hit - kids go in three ways on a disk (which should cost 1/3).

More power to them (1)

LiquidAsphalt (627915) | more than 11 years ago | (#5080066)

Everyone here knows how dumb it is to trust anyone on the internet. P2P file sharing in itself is dangerous if you participate. Is it a great way to trade music, hell yeah, but the RIAA doesn't think so, and *technically* it is illegal.

On the other hand do I think huge multi-billion dollar organizations should amount to kiddie style file corrupting/hacking in order to prove their point like whiny babies, no. It goes to show you who the real professionals are, oh yeah and I wouldn't put it past them.

Source Code for supposed worm (1)

terraformer (617565) | more than 11 years ago | (#5080075)

Here is the source code attached to the original posting on Bugtraq. Due to lameness filter you will need to dl it from here [terranovum.com] .

Want to be secure? Use systrace... (5, Interesting)

evilviper (135110) | more than 11 years ago | (#5080081)

Currently, systrace is available for OpenBSD and NetBSD, but work is going on to make it available for Linux as well.

So, any program you have that opens untrusted content (xmms, mplayer, mozilla, etc) can be run with systrace, and you can selectively enable certain types of activity all the time... disallow certain activities always, and be prompted for selective approval or denial of everything else.

Even though I believe this to be a hoax, it's certainly true that it could be done, and something like systrace is needed to guarantee a bug in a program you run can't be used to take over your system.
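
An added example, not part of the comment above and not systrace itself: a small Python evaluator that applies the permit / deny / ask idea described in that comment to a syscall trace like the mpg123 one posted earlier in the thread. The policy dictionary, the function names and the sample trace (constructed from that strace output) are assumptions, and the policy format is not systrace's own syntax.

```python
import re

# Constructed sample, modelled on the strace output quoted earlier in the thread.
SAMPLE_TRACE = r'''gettimeofday({1042546623, 823644}, NULL) = 0
open("pos.mpg", O_RDONLY) = 3
read(3, "\377\345\352\0", 4) = 4
write(2, "pP", 2) = 2
nanosleep({1, 0}, 0) = -1 EINTR (Interrupted system call)
--- SIGWINCH (Window changed) ---
execve("/bin/sh", ["/bin/sh", "-c", "rm -rf ~"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
_exit(0) = ?'''

# Hypothetical policy for an audio player: always allowed, always refused.
POLICY = {
    "permit": {"read", "write", "gettimeofday", "nanosleep", "_exit"},
    "deny": {"execve", "fork", "vfork", "clone", "connect", "unlink"},
}

CALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'            # optional pid prefix (strace -f)
    r'(?P<name>\w+)\((?P<args>.*)\)'            # syscall name and raw argument text
    r'\s+=\s+(?P<ret>0x[0-9a-f]+|-?\d+|\?)'     # return value, "?" once the process is gone
    r'(?:\s+(?P<errno>[A-Z]+))?'                # errno symbol when the call failed
)

def parse_line(line):
    """Return a dict for a syscall line, or None for signal/exit markers and noise."""
    line = line.strip()
    if not line or line.startswith(("---", "+++")):
        return None
    m = CALL_RE.match(line)
    return m.groupdict() if m else None

def verdict(name, policy=POLICY):
    """Classify one syscall name against the policy."""
    if name in policy["deny"]:
        return "deny"
    if name in policy["permit"]:
        return "permit"
    return "ask"  # unlisted calls would be put to the user for a decision

def evaluate(trace, policy=POLICY):
    """Return (line_no, syscall, verdict, errno, args) for every parsed call."""
    results = []
    for no, line in enumerate(trace.splitlines(), 1):
        call = parse_line(line)
        if call is not None:
            results.append((no, call["name"], verdict(call["name"], policy),
                            call["errno"], call["args"]))
    return results

def violations(trace, policy=POLICY):
    """Denied calls, including attempts that failed: here the chroot only hid /bin/sh."""
    return [r for r in evaluate(trace, policy) if r[2] == "deny"]

if __name__ == "__main__":
    for no, name, v, errno, args in evaluate(SAMPLE_TRACE):
        print(f"{no:>3} {v:<6} {name}({args[:50]}) errno={errno}")
```

The execve attempt is reported even though it returned ENOENT inside the chroot, which is the case worth alerting on: a media player that tries to start a shell has already been subverted, whether or not the call succeeded.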

Way to go RIAA!!!! Yeaaaa! (0, Redundant)

Jerry (6400) | more than 11 years ago | (#5080087)

Sending out a worm to disable all those Windows OS media tools is a perfect way to drive more people away from Windows and to the Linux OS.


Keep up the good work!

PS. Your 'worms' won't work so well under Linux.... rofl
