Has the RIAA Wormed 95% of P2P Networks?

DancingSword was one of many to submit links to a strange story about the RIAA hacking back by sending a worm through the major peer-to-peer networks, supposedly with a 95% infestation rate. Hoax or not?

Re:Remember

[Tim+C]

Ah, but it's not "95% of networks", it's "95% of computers participating in p2p networks".

That said, I really doubt the veracity of this. To me, it's more likely to either be a hoax by someone trying to get noticed, or scare tactics to get people to stop using p2p and delete their mp3s. It seems to me very unlikely that anything with such a high rate of infestation would have gone completely unnoticed.

The Register is wrong..

[dj28]

The actual exploit was posted on buqtraaq yesterday. You can find it here. That link has the original post from the group explaining what the exploit is, how the RIAA is supposedly involved, and it has the exploit as an attachment. Check it out and decide for yourself if it's a hoax.

URL to the original BugTraq posting

[sboyko]

This is the original posting.

Reading the posting, it seems unlikely.

Link to Security Focus

[MImeKillEr]

This article may have more info that the one linked in the article.

Re:Windows Clients/hosts?

Read the advisory written by Gobbles:

Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
to invent, create, and finally deploy the future of antipiracy tools. We
focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contracters, the best they could do was to passively
monitor traffic. Our contributions to the RIAA have given them the power
to actively control the majority of hosts using these networks.

We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.

During our research, we auditted and developed our hydra for the following
media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)

After developing robust exploits for each, we presented this first part of
our research to the RIAA. They were pleased, and approved us to continue
to phase two of the project -- development of the mechanism by which the
infection will spread.

It took us about a month to develop the complex hydra, and another month to
bring it up to the standards of excellence that the RIAA demanded of us. In
the end, we submitted them what is perhaps the most sophisticated tool for
compromising millions of computers in moments.

Our system works by first infecting a single host. It then fingerprints a
connecting host on the p2p network via passive traffic analysis, and
determines what the best possible method of infection for that host would
be. Then, the proper search results are sent back to the "victim" (not the
hard-working artists who p2p technology rapes, and the RIAA protects). The
user will then (hopefully) download the infected media file off the RIAA
server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all p2p-serving
software on the machine is infected, which will allow it to infect other
hosts on the p2p network. Next, all media on the machine is cataloged, and
the full list is sent back to the RIAA headquarters (through specially
crafted requests over the p2p networks), where it is added to their records
and stored until a later time, when it can be used as evidence in criminal
proceedings against those criminals who think it's OK to break the law.

Our software worked better than even we hoped, and current reports indicate
that nearly 95% of all p2p-participating hosts are now infected with the
software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.

Due to our NDA with the RIAA, we are unable to give out any other details
concerning the technology that we developed for them, or the details on any
of the bugs that are exploited in our hydra.

However, as a demonstration of how this system works, we're providing the
academic security community with a single example exploit, for a mpg123 bug
that was found independantly of our work for the RIAA, and is not covered
under our agreement with the establishment.

Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de

Problem Type:
Local && Remote

Vendor Notification Status:
The professional staff of GOBBLES Security believe that by releasing our
advisories without vendor notification of any sort is cute and humorous, so
this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP

Exploit Available:
Yes, attached below.

Technical Description of Problem:
Read the source.

Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.

Hoax

[evilviper]

I sincerely doubt that this is true for a number of reasons. First of all, if they were hired to write the software for RIAA, don't you thing secrecy would both, be part of the agreement, and be completely necessary?

In addition, I find it had to believe that all the antivirus companies are sitting on their collective asses, and completely missed an infection that is supposedly on 95% of computers that participate in P2P.

Further, if anyone was to do something such as this, they would most certainly get in serious trouble for, what is essentially a widespread, illegial, interstate, wiretap.

In addition, I'd just like to say that there is no reason to put much faith in Gobles... As Theo said, he's more or less the next ``fluffy bunny". If anyone can be said to have a severe ego problem, it is him...

Re:Windows Clients/hosts?

[t0shstah]

Apparently the "hydra" uses exploits/overflows on a number of popular media players - including xmms, which is a Linux mp3 player and WinAMP, which is a Windows mp3 player. Therefore that would suggest it can infect multiple operating systems.

More details including the original post can be found here.

I still doubt the possible risk/effectiveness - or even that its true though.

Re:Remember

[dohcvtec]

It seems to me very unlikely that anything with such a high rate of infestation would have gone completely unnoticed

I wish I could agree, but from reading the article and the Bugtraq post, it seems that for now, all this thing really does is sends the RIAA a list of what MP3 files you have on your system. It apparently doesn't destroy anything, and the post vaguely describes the method of contacting the RIAA as "specially crafted requests over the p2p networks." For both of these reasons, it may very well go unnoticed on many systems. It is unclear, however, what happens on machines with infected MP3s, but no P2P software.

However, the post also goes on to mention that the OpenBSD release song MP3s on the ftp.openbsd.org server are/were supposedly infected with this worm, and that Theo De Raadt was none the wiser to this fact. This is not surprising, since it's clear that Gobbles does not like Theo, but it is significant if it is true.

Re:Windows Clients/hosts?

[taviso]

oh please, this comes from the same guy that bought you Hewlett Packard 48 Series Calculators advisory.

its funny, laugh.

People Lack Humor

[Col.+Panic]

Gobbles is very tongue-in-cheek. Their posts, while they contain actual, working exploits, are meant to be funny. They deride or praise the list moderator, poke fun at script kiddies (shout outz duudz), and are generally pretty damn funny.

This is no different.

Re:Remember

[Oculus+Habent]

Not only sued into oblivion, but the individuals creating/distributing/authorizing the worm/virus/invasive program are subject to arrest and a per infection fine should the government feel the desire.

Re:Windows Clients/hosts?

[kilgore_47]

hesiod says: Is he saying that "Gobbles" runs Bugtraq.org? Am I missing something here, or is he full of shit?

Jesus fuck, people on slashdot are fucking stupid!

Facts:

1. Gobbles are not stupid, they've come up with many innovative exploits, and are without a doubt very talented hackers. You may remember them from such classics as the linuxslapper worm (based on their apache-scalper code), or the nifty ettercap remote-root-via-irc exploit.
2. Obviously, the RIAA didn't hire them to "hack back". If the RIAA hired people to hack, they wouldn't talk about it on a fucking mailing list. (Furthermore, the bill that hinted at such "hack backs" wasn't ever passed.)
3. Gobbles is prone to making hilarious outlandish claims. Clearly, this is a simple mpg123 exploit preceeded with a very funny joke to make the RIAA look bad.
4. Yes, gobbles runs "bugtraq.org". That has nothing to do with the securityfocus mailinglist called bugtraq, however. It's just a domain name.

Suggested reading:
- BugTraq post with the funny RIAA bit, followed by actual mpg123 exploit code
- Gobbles Homepage (sometimes available at bugtraq.org, but currently down there, and up here)

So, in conclusion, the news here is this:

mpg123 has a vuln.
Gobbles are some funny guys.
The p2p networks are not 0wned.
(And, oh yeah, both the register and slashdot got trolled again. But thats not news anymore than "it's raining in seattle".)

You may now return to filesharing as usual.