Has the RIAA Wormed 95% of P2P Networks?
DancingSword was one of many to submit links to a strange story about
the RIAA hacking back by sending a worm through the major peer-to-peer networks, supposedly with a 95% infestation rate. Hoax or not?
Ah, but it's not "95% of networks", it's "95% of computers participating in p2p networks".
That said, I really doubt the veracity of this. To me, it's more likely to either be a hoax by someone trying to get noticed, or scare tactics to get people to stop using p2p and delete their mp3s. It seems to me very unlikely that anything with such a high rate of infestation would have gone completely unnoticed.
It's official. Most of you are morons.
The actual exploit was posted on buqtraaq yesterday. You can find it here. That link has the original post from the group explaining what the exploit is, how the RIAA is supposedly involved, and it has the exploit as an attachment. Check it out and decide for yourself if it's a hoax.
This is the original posting.
Reading the posting, it seems unlikely.
SCO, Microsoft, P2P, what's your hot button?
This article may have more info that the one linked in the article.
Cruising the internet on my TI-99/4A @ a whopping 300 baud!
I sincerely doubt that this is true for a number of reasons. First of all, if they were hired to write the software for RIAA, don't you think secrecy would both be part of the agreement and be completely necessary?
In addition, I find it hard to believe that all the antivirus companies are sitting on their collective asses and completely missed an infection that is supposedly on 95% of computers that participate in P2P.
Further, if anyone was to do something such as this, they would most certainly get in serious trouble for what is essentially a widespread, illegal, interstate wiretap.
In addition, I'd just like to say that there is no reason to put much faith in Gobbles... As Theo said, he's more or less the next "fluffy bunny". If anyone can be said to have a severe ego problem, it is him...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Apparently the "hydra" uses exploits/overflows on a number of popular media players - including xmms, which is a Linux mp3 player and WinAMP, which is a Windows mp3 player. Therefore that would suggest it can infect multiple operating systems.
More details including the original post can be found here.
I still doubt the possible risk/effectiveness - or even that it's true, though.
I like using the IRC for my file sharing app.
I have only recently started using DC++ once in awhile for hard to get anime.
-_-
Can you say "sue us please"?
No business financed with actual money of actual shareholders will ever open itself up for litigation in such a manner. The due-diligence folks would grill them.
Pathman, Free (as in GPL) 3D Pac Man
How? It's a buffer overflow exploit in the MP3 header tags, apparently. He has a history of finding exploits of this type in Apache etc, so it may well be true.
It's nice to know it relies on an infected mp3 being played in one of the standard players, and then relies on the p2p software to transmit itself elsewhere - I had visions of this getting onto machines that don't have p2p stuff on them, like mine.
"I Know You Are But What Am I?"
Ok, say in theory you could do that. Now, is that buffer overflow going to exist in all the different players they list? Or do they have to write multiple exploits into the headers? And if they screwed around that much with the headers, someone would have noticed by now because it's likely some mp3 player, somewhere, blew chunks trying to read this majorly-screwed-up header. Even if, somehow, no one noticed/experienced this, that STILL doesn't explain how it could modify/infect files without attracting the notice of checksum-verification programs like Integrit.
Sorry... I can believe they found an exploit for mpg123. But the other claims they make are unbelievable, and border on just plain silly.
End of lesson. You may press the button.
The idea behind it isn't that it uses an executable file, but as another poster in this thread said, using tag overflows. Standard stack overflow procedure applies - you stuff too much data into a small container and if this buffer is unchecked then it will overflow. At the end of the data string you place architecture/operating system code that you want to execute, and with luck the overflowing program will dump the memory pointer to your code, executing it.
:-)
I'm not sure, using this procedure, how you would set it up so you could compromise many different OS types etc. I *still* think this is all just bullshit though.
It seems to me very unlikely that anything with such a high rate of infestation would have gone completely unnoticed
I wish I could agree, but from reading the article and the Bugtraq post, it seems that for now, all this thing really does is send the RIAA a list of what MP3 files you have on your system. It apparently doesn't destroy anything, and the post vaguely describes the method of contacting the RIAA as "specially crafted requests over the p2p networks." For both of these reasons, it may very well go unnoticed on many systems. It is unclear, however, what happens on machines with infected MP3s, but no P2P software.
However, the post also goes on to mention that the OpenBSD release song MP3s on the ftp.openbsd.org server are/were supposedly infected with this worm, and that Theo De Raadt was none the wiser to this fact. This is not surprising, since it's clear that Gobbles does not like Theo, but it is significant if it is true.
-- Never hit a man with glasses. Hit him with a baseball bat.
Oh please, this comes from the same guy that brought you the Hewlett Packard 48 Series Calculators advisory.
its funny, laugh.
ex$$
"Over at SourceForge eMule is one of the largest downloaded clients on the list...
Change one byte of any file and the MD5 hash for said file changes"
Just FYI emule as an edonkey2000 network client uses MD4 hashes, not MD5.
graspee
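The post above about Integrit and the one just before about MD4 versus MD5 both rest on the same defender's point: a file-integrity baseline catches any byte changed in a stored mp3, whatever hash the tool uses. The following is an added example, not code from the original thread or from Integrit or eMule; the three "files" are constructed byte strings, and FNV-1a stands in for the cryptographic hash a real tool would use only so the block runs with no dependencies.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const uint8_t *data; size_t len; } file_t;
typedef struct { const char *name; uint64_t hash; } baseline_t;

/* 64-bit FNV-1a. Not a cryptographic hash: a real integrity tool uses MD5/SHA so
 * an attacker cannot engineer a collision; FNV only keeps this example self-contained. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 14695981039346656037ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Record one hash per file while the collection is known to be good. */
void take_baseline(const file_t *files, size_t n, baseline_t *out) {
    for (size_t i = 0; i < n; i++) {
        out[i].name = files[i].name;
        out[i].hash = fnv1a64(files[i].data, files[i].len);
    }
}

/* Recompute every hash and compare with the baseline. Returns the number of files
 * whose content differs and writes their names into `changed` (up to cap). */
size_t verify_baseline(const file_t *files, const baseline_t *base, size_t n,
                       const char **changed, size_t cap) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (fnv1a64(files[i].data, files[i].len) != base[i].hash && k < cap)
            changed[k++] = files[i].name;
    }
    return k;
}

/* Constructed sample collection: three short byte strings standing in for mp3s.
 * Returns 1 when a single flipped bit in one file is reported, and only that file. */
int demo_one_byte_change(void) {
    uint8_t one[]   = { 'I', 'D', '3', 3, 0, 0, 0, 0, 0, 0 };  /* bare ID3v2 header */
    uint8_t two[]   = "TAGsecond track";                        /* ID3v1-style tail  */
    uint8_t three[] = { 0xff, 0xfb, 0x90, 0x00 };              /* an MPEG frame sync */
    file_t files[3] = {
        { "one.mp3",   one,   sizeof one },
        { "two.mp3",   two,   sizeof two },
        { "three.mp3", three, sizeof three },
    };
    baseline_t base[3];
    const char *changed[3];

    take_baseline(files, 3, base);
    if (verify_baseline(files, base, 3, changed, 3) != 0)
        return -1;                     /* an untouched collection must verify clean */

    two[5] ^= 0x01;                    /* a single-bit change, as an infecting write would make */
    size_t k = verify_baseline(files, base, 3, changed, 3);
    return (k == 1 && strcmp(changed[0], "two.mp3") == 0) ? 1 : 0;
}

int main(void) {
    printf("fnv1a64(\"a\") = %016llx\n", (unsigned long long)fnv1a64((const uint8_t *)"a", 1));
    printf("one-byte change detected: %s\n", demo_one_byte_change() == 1 ? "yes" : "no");
    return 0;
}
```

The baseline must be taken before any untrusted file is played and stored where the player's user cannot write it, otherwise a process that can modify the mp3s can also update the baseline to match.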
Gobbles is very tongue-in-cheek. Their posts, while they contain actual, working exploits, are meant to be funny. They deride or praise the list moderator, poke fun at script kiddies (shout outz duudz), and are generally pretty damn funny.
This is no different.
My main .mp3 playing machine has no internet connection at all. No modem, no NIC. I get my .mp3s from another machine, burn onto cd-rom, and then transfer over to the main machine and play or create audio compilations.
So if I've got an infected .mp3, the moment I play it, something should be going on, the hybrid should be cataloging all my .mp3s. Since I have several thousand .mp3s, I would suspect my hard drive to start spinning as the worm runs its course. Yet my drive stays down.
I have yet to see any kind of activity where some program attempts to access a dial-up or network connection.
Methinks this is FUD on the part of the RIAA.
So rise up, all ye lost ones, as one, we'll claw the clouds.
Not only sued into oblivion, but the individuals creating/distributing/authorizing the worm/virus/invasive program are subject to arrest and a per infection fine should the government feel the desire.
That what was all this school was for... to teach us how to solve our own problems. -- janeowit
You have no idea what you are talking about.
First of all, there is no way you could even get Root from an exploit of mpg123, mplayer, xmms, or anything else Gobbles listed... They all run as users, not SUID or anything like that.
Secondly, Systrace is not an antiworm program. It is a program wrapper, which you use to restrict the permissions of other programs. For instance, you could create a systrace script for xmms that would allow it to read all the files in /home, but NOT write, not have access to the network, not have permission to basically anything else. Then, even if a serious bug was found in xmms, there would be no way an attacker could do anything that would be useful. They could have xmms read your files, output something to the soundcard, etc, but not write itself onto another program, it couldn't open a port, it couldn't send information back, it couldn't do much of anything.
So, systrace is really a preventative measure.
Of course, you could have done a 2 minute search on google and found that out for yourself.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
This is from Winamp.com... Probably not exactly what the "worm" says is there as a security flaw, but even so...
"Some people just have too much time on their hands. Looks like someone out there discovered how to make programs crash by screwing around with the id3 tags in music files. We have taken measures to block anyone from taking advantage of you by adding a few security fixes to both Winamp 2.81 and Winamp3.
We would like to say that these builds have new features but in actuality they are the same versions of the programs that you already know and love. However, to be fully protected, we suggest that you download the latest versions of them from our site right away.
If you haven't downloaded Winamp since 12-17-2002 then you are vulnerable to the security exploit. "
graspee
So what you're saying is that my mp3 files which belong to my user account and run with user privileges in mpg123 (and how about mpg321, which I'm actually using) can somehow infect my mpg123 binary which is read-execute-only for the user? Otherwise, this worm would take an awfully long time to infect my entire collection of mp3s, since it would require me to play an infected mp3 then play a whole bunch more mp3s after that to ever get much traction.
While I believe that it is possible for the mp3 player to have an overflow error that can be exploited by a trojaned data file, I'm skeptical as to how much damage this can actually cause on a properly configured system. In fact, first thing I'm going to do when I get home is chown all my mp3 files to a new user id that never gets used except when writing mp3 files. Then chmod them 644 (which they probably already are) so that my user account can play them. Now tell me how a trojaned mp3 can possibly hope to infect other mp3s.
The 95% figure is obviously false, so are the claims that RIAA is backing him.
But it's possible to create an MP3 file, that when played in WinAmp, executes arbitrary code:
- Sandblad advisory #5
Title: Mp3 file can execute code in Winamp.
Date: [2002-04-26]
Software: Nullsoft Winamp 2.79
Rating: High because mp3 files are widely trusted as safe.
Impact: Specially crafted mp3 file can execute arbitrary code when played in Winamp due to a buffer overflow condition.
Vendor: Nullsoft has confirmed the vulnerability.
Patch: Winamp 2.80 released 02-04-25 will fix the issue. Download at: http://www.winamp.com/
Workaround: Disable the minibrowser (enabled by default)
Author: Andreas Sandblad, sandblad@acc.umu.se
NON TECHNICAL DESCRIPTION: It is possible to modify an existing mp3 file in such a way that it carries a virus. The virus is activated when the mp3 file is played in Winamp and can then infect other mp3 files found on harddrives or network shares. In order to protect yourself you need to upgrade to Winamp 2.80 or disable the minibrowser.
Maybe, in some immature way, he wants to warn us....
It is normal for a 700MB ISO to take 2-3 days on the eDonkey [eMule] network. Remember that you are not downloading from an FTP site or web server; you are downloading from peers with a finite amount of bandwidth. Most people, like me, have a capped upload speed which is 25% of my download speed. The quality of files on this network is the main reason people use it - not the speed.
200 connections is normal too. I currently have 90 connections because of the limitations with Windows 98. You are constantly asking other peers for files at the end of the day.
100 used ports is wrong though and I would be worried about this too. I only use two...
This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
What makes this hoax so good, if it is a hoax, is how utterly plausible it seems, even to a well-trained engineer. The only things that don't fit, actually, are their announcement, as many have said, and a small detail about application signatures, which I'll get to in a minute.
If their request looks like a regular query or other baseline P2P activity, it will be like finding a needle in a haystack the size of the empire state building to discover it by packet sniffing.
It gets worse. Fasttrack is encrypted over the wire. If anyone has the keys besides its creators, they're keeping quiet about it. You can't even sniff it, let alone begin the impossible process of distinguishing a few spurious bits of baseline-appearing activity (which could use the very nature of the network itself not to always be directed towards a specific host or set of hosts).
Talk of being protected from this by Symantec or another AV vendor is just talk. There is no mention of protection against this or any similar worm in the published databases. Generally these AV systems can only protect you from A) things they know about, and if we can't find this, neither can they, and B) things that might do harm, i.e. "You didn't just select the Format option, did you?" Further, there is nothing saying these guys would take our side over the RIAA's if there were a dispute about what was a virus and what was "legitimate." Especially if there were a hefty bribe on offer.
The government is not prosecuting over 99% of the people involved with Enron, and those guys turned the lights off in California. What makes you think they'll bite this particular hand that feeds them either?
Protection from personal firewalls is more tricky, and this is where the implicit proof that this is a hoax lies. Most personal firewalls are very dumb - they grant blanket permissions to an application, or not. A few will go farther (like Agnitum's excellent but utterly unstable product) and authorize only specific kinds of activity (so authorizing Winamp to call home to check for an update doesn't authorize it to call anyone else). But regardless, for P2P software, which talks to everybody, these firewalls basically just give up and let them do whatever they want.
But on the upside, almost all of them checksum the applications they are watching... so any virus/worm/whatever which attempted to modify your P2P software would immediately be detected and stopped. Hundreds of thousands of people would have noticed this worm, if it existed.
Hence, hoax.
Want to Know How to Cheat the GPL? Read On!
See this mail, this chapter and the rest of the NSA paper
Saying that NSA has characterized Systrace as flawed is wrong, IMO.
/Styx
It's very possible if there's a buffer overflow condition in the decoder. In that case the MP3 player doesn't just "skip it". An overflow can cause the data to be written over-top of parts of the running program's code. Normally this just causes a crash, but if carefully designed, the overflow can be used to inject in exploit code instead. From that point on, the program is running altered code and you may never be aware anything's happened.
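The post above and the earlier one on "standard stack overflow procedure" both describe the same defect: a length taken from the file's tag is used unchecked as a copy size into a fixed buffer. The following is an added example, not code from the thread, from any of the players named or from the Bugtraq post; it parses a minimal ID3v2.3 tag, shows the unchecked copy next to a bounded one, and rejects a frame whose declared size exceeds either the bytes present or the destination. The tag bytes are constructed, and MAX_TEXT is an assumed buffer size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TEXT 64   /* assumed fixed-size destination for a tag's text field */

typedef struct {
    char title[MAX_TEXT];
    int  frames;
} id3_info;

/* ID3v2 header sizes are 28-bit "synchsafe": four bytes, top bit of each clear. */
static uint32_t synchsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}

/* The defect pattern the posts describe: the frame size comes straight from the
 * file and is used as the copy length, so a size larger than dst overruns it.
 * Kept only for comparison; nothing in this file calls it. */
void copy_text_unchecked(char *dst, const uint8_t *src, uint32_t n) {
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/* Hardened form: the caller's capacity bounds the copy, and an oversized frame
 * is rejected rather than silently truncated. */
static int copy_text_checked(char *dst, size_t cap, const uint8_t *src, size_t n) {
    if (n >= cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Parse the frames of an ID3v2.3 tag at the start of buf. Returns 0 on success,
 * -1 if any declared size disagrees with the bytes actually present. */
int parse_id3v2(const uint8_t *buf, size_t len, id3_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 10 || memcmp(buf, "ID3", 3) != 0 || buf[3] != 3) return -1;
    uint32_t tagsize = synchsafe(buf + 6);
    if (tagsize > len - 10) return -1;            /* tag claims more than the file holds */
    size_t pos = 10, end = 10 + tagsize;
    while (pos + 10 <= end) {
        const uint8_t *f = buf + pos;
        if (f[0] == 0) break;                     /* padding */
        uint32_t fsize = ((uint32_t)f[4] << 24) | ((uint32_t)f[5] << 16) |
                         ((uint32_t)f[6] << 8)  |  (uint32_t)f[7];
        if (fsize > end - (pos + 10)) return -1;  /* frame claims bytes beyond the tag */
        if (memcmp(f, "TIT2", 4) == 0) {
            if (fsize < 1) return -1;             /* text frames start with an encoding byte */
            if (copy_text_checked(out->title, MAX_TEXT, f + 11, fsize - 1) != 0) return -1;
        }
        out->frames++;
        pos += 10 + fsize;
    }
    return 0;
}

/* Constructed input: a tag with one TIT2 frame. `claimed` is written into the
 * frame-size field and may disagree with the bytes that actually follow. */
static size_t build_tag(uint8_t *out, size_t cap, const char *text, uint32_t claimed) {
    size_t tlen = strlen(text), fdata = 1 + tlen, total = 20 + fdata;
    uint32_t tagsize = (uint32_t)(10 + fdata);
    if (total > cap) return 0;
    memcpy(out, "ID3", 3);
    out[3] = 3; out[4] = 0; out[5] = 0;
    out[6] = (uint8_t)((tagsize >> 21) & 0x7f); out[7] = (uint8_t)((tagsize >> 14) & 0x7f);
    out[8] = (uint8_t)((tagsize >> 7) & 0x7f);  out[9] = (uint8_t)(tagsize & 0x7f);
    memcpy(out + 10, "TIT2", 4);
    out[14] = (uint8_t)(claimed >> 24); out[15] = (uint8_t)(claimed >> 16);
    out[16] = (uint8_t)(claimed >> 8);  out[17] = (uint8_t)claimed;
    out[18] = 0; out[19] = 0;                     /* frame flags */
    out[20] = 0;                                  /* text encoding: ISO-8859-1 */
    memcpy(out + 21, text, tlen);
    return total;
}

int demo_honest_tag(void) {               /* returns 1: well-formed frame parses */
    uint8_t buf[256]; id3_info info;
    size_t n = build_tag(buf, sizeof buf, "hello", 6);
    if (parse_id3v2(buf, n, &info) != 0) return 0;
    return strcmp(info.title, "hello") == 0 && info.frames == 1;
}

int demo_lying_size(void) {               /* returns -1: size field exceeds the tag */
    uint8_t buf[256]; id3_info info;
    size_t n = build_tag(buf, sizeof buf, "hello", 0x7fffffffu);
    return parse_id3v2(buf, n, &info);
}

int demo_oversized_text(void) {           /* returns -1: honest size, but too big for dst */
    uint8_t buf[256]; id3_info info; char big[101];
    memset(big, 'A', 100); big[100] = '\0';
    size_t n = build_tag(buf, sizeof buf, big, 101);
    return parse_id3v2(buf, n, &info);
}

int main(void) {
    printf("honest %d, lying %d, oversized %d\n",
           demo_honest_tag(), demo_lying_size(), demo_oversized_text());
    return 0;
}
```

The two checks are independent: the first compares the declared frame size against the bytes left in the tag, the second compares it against the destination's capacity. A parser that does only the first still overflows on a tag that is honest about its length but longer than the buffer.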
This article IS a hoax. If you'll notice, the article is NOT from the Register at all. It's amazing the editors at Slashdot didn't check this...
Facts:
Suggested reading:
- BugTraq post with the funny RIAA bit, followed by actual mpg123 exploit code
- Gobbles Homepage (sometimes available at bugtraq.org, but currently down there, and up here)
So, in conclusion, the news here is this:
You may now return to filesharing as usual.
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
Yep I did, and it said:
As I was running it under cygwin at the time (don't ask) I don't think it'll let me run the resultant mp3! Just for fun though I did run it and it threw back the following (for Suse):

The slack version is identical except for addrloc: 0xbfff96f4.

Now the files it spits out are 2888 bytes and the strings output of the Suse and Slack versions are identical (1763 bytes), starting with a line containing "A" 1663 times followed by a 1 and then:

The actual Suse file contains (as displayed by less):

Then the 1663 "A" and the "1", then:

This is followed by <FC><95><FF><BF> a mere 240 times! The Slack file is very similar; all I can see different is in the start the ^@@ becomes ^@ and then the repeated <FC><95><FF><BF> becomes <B4><9A><FF><BF>.

While I was writing this the RIAA have confirmed (allegedly) that they have nothing to do with this and have only just heard of it as they forwarded the e-mail. I honestly think it was a hoax to try and discredit the RIAA, but it was the most pathetically handled hoax of all time. To have made this work to any effect, he should have set up a P2P client to distribute a "document" he sent to the RIAA confirming discussing the development and deployment. If he had just pushed out a few copies of this a day (using the deceptive filenames technique) you can be sure someone who got it would have leaked it soon enough. As long as he could actually write real English as opposed to the crap he dribbled here, it probably would have taken quite a lot more effort for people to get to the bottom of it. However, no-one (well, some of the more rabid /. readers excluded) was ever going to believe that someone hired by the RIAA would disclose this like this, slagging Theo and saying things like "We hope that you're as amused with our maturity as we are", "Don't fuck with the RIAA again, scriptkids", "We have our own private version of this hydra actively infecting p2p users, and building one giant ddosnet" and the icing on the cake "Remember, Napster is Communism, so fight for the American way of life."
Never underestimate the dark side of the Source
There's no way that anything can modify your files if you've gone in and changed the permissions, even if you have admin privs (of course, if you do have admin access, you can change the permissions back again).
If you're doing it over a network, there's no chance to change anything, unless Microsoft actually included exploit code in their software, and then never patched the exploit (which I doubt).
autopr0n is like, down and stuff.