Has the RIAA Wormed 95% of P2P Networks?

DancingSword was one of many to submit links to a strange story about the RIAA hacking back by sending a worm through the major peer-to-peer networks, supposedly with a 95% infestation rate. Hoax or not?

Remember

[lifechooser]

95% of networks is not 95% of files.

Re:Remember

[Tim+C]

Ah, but it's not "95% of networks", it's "95% of computers participating in p2p networks".

That said, I really doubt the veracity of this. To me, it's more likely to either be a hoax by someone trying to get noticed, or scare tactics to get people to stop using p2p and delete their mp3s. It seems to me very unlikely that anything with such a high rate of infestation would have gone completely unnoticed.

Re:Remember

[dohcvtec]

It seems to me very unlikely that anything with such a high rate of infestation would have gone completely unnoticed

I wish I could agree, but from reading the article and the Bugtraq post, it seems that for now, all this thing really does is sends the RIAA a list of what MP3 files you have on your system. It apparently doesn't destroy anything, and the post vaguely describes the method of contacting the RIAA as "specially crafted requests over the p2p networks." For both of these reasons, it may very well go unnoticed on many systems. It is unclear, however, what happens on machines with infected MP3s, but no P2P software.

However, the post also goes on to mention that the OpenBSD release song MP3s on the ftp.openbsd.org server are/were supposedly infected with this worm, and that Theo De Raadt was none the wiser to this fact. This is not surprising, since it's clear that Gobbles does not like Theo, but it is significant if it is true.

Re:Remember

[Oculus+Habent]

Not only sued into oblivion, but the individuals creating/distributing/authorizing the worm/virus/invasive program are subject to arrest and a per infection fine should the government feel the desire.

Re:Remember

[Markus+Landgren]

Maybe it's "the equivalent of 95%" (about 20 real percent).

Re:Remember

[orangesquid]

I'm not so totally sure this isn't real. I have mp3's that play fine on my intel machine but crash xmms and mpg123 (but not amp) on sun, sgi, and pa-risc. Of course, there's always a chance that the files are merely corrupted or the mp3 player doesn't work properly on other platforms, but I wouldn't expect *all* other platforms to die like that, at times. Of course, this has only happened with files I downloaded, not files I've ripped. 95% of my mp3's are my CD's (my music is too valuable not to make backups of!), and most of the rest is mp3's I've downloaded when the CD's have become too scratched to be readable, or when it's a song I had on tape or vinyl and didn't feel like re-recording onto my computer. So I may be a bad way to test this. But who knows---if I can figure out just which files these are, I'll try to analyze the crash dumps a little more and see if I can find anything.

Re:Remember

[orangesquid]

Well, I tried straceing mpg123 on an intel box on the files (have yet to try on other platforms), but no sockets or anything get opened. Perhaps they check the parent process, though? mpg123 calls getpid() but never getppid() in my logs, though.

Re:Remember

[Junior+J.+Junior+III]

They don't need a worm to do that; all they have to do is log in to the p2p network, do a search for *.mp3 and username=%yourID% and they can tell what mp3 files you have on your hard drive... well, at least the one's you're sharing anyway.

Re:Remember

[Peterus7]

Well, three things...

A: I wouldn't put it past the RIAA, they may be at their last straw...

B: But then again, if it is, that might be the end of them when they're figured out

C: So, I doubt the RIAA would be that stupid. If they did that it would just make them look even more bad than they look now, and they would have a hell of a big lawsuit on their tail, so I doubt it is them.

So what is it? In any scenario, I think the RIAA will get some grief for this.

Windows Clients/hosts?

[pgrote]

No mention of whether this affectes Windows clients/hosts or not. Any idea?

Re:Windows Clients/hosts?

Read the advisory written by Gobbles:

Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
to invent, create, and finally deploy the future of antipiracy tools. We
focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contracters, the best they could do was to passively
monitor traffic. Our contributions to the RIAA have given them the power
to actively control the majority of hosts using these networks.

We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.

During our research, we auditted and developed our hydra for the following
media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)

After developing robust exploits for each, we presented this first part of
our research to the RIAA. They were pleased, and approved us to continue
to phase two of the project -- development of the mechanism by which the
infection will spread.

It took us about a month to develop the complex hydra, and another month to
bring it up to the standards of excellence that the RIAA demanded of us. In
the end, we submitted them what is perhaps the most sophisticated tool for
compromising millions of computers in moments.

Our system works by first infecting a single host. It then fingerprints a
connecting host on the p2p network via passive traffic analysis, and
determines what the best possible method of infection for that host would
be. Then, the proper search results are sent back to the "victim" (not the
hard-working artists who p2p technology rapes, and the RIAA protects). The
user will then (hopefully) download the infected media file off the RIAA
server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all p2p-serving
software on the machine is infected, which will allow it to infect other
hosts on the p2p network. Next, all media on the machine is cataloged, and
the full list is sent back to the RIAA headquarters (through specially
crafted requests over the p2p networks), where it is added to their records
and stored until a later time, when it can be used as evidence in criminal
proceedings against those criminals who think it's OK to break the law.

Our software worked better than even we hoped, and current reports indicate
that nearly 95% of all p2p-participating hosts are now infected with the
software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.

Due to our NDA with the RIAA, we are unable to give out any other details
concerning the technology that we developed for them, or the details on any
of the bugs that are exploited in our hydra.

However, as a demonstration of how this system works, we're providing the
academic security community with a single example exploit, for a mpg123 bug
that was found independantly of our work for the RIAA, and is not covered
under our agreement with the establishment.

Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de

Problem Type:
Local && Remote

Vendor Notification Status:
The professional staff of GOBBLES Security believe that by releasing our
advisories without vendor notification of any sort is cute and humorous, so
this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP

Exploit Available:
Yes, attached below.

Technical Description of Problem:
Read the source.

Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.

Re:Windows Clients/hosts?

[Geertn]

On bugtraq, this was mentioned by gobbles, who also did the Apache and OpenSSH exploit. The signed message verify at hushmail says it is signed correctly, so I guess it's the real Gobbles. The scary thing is, GOBBLES always mentions something really unrealistic, but suddenly he proves it...... like the apache and openssh exploits... scary

Re:Windows Clients/hosts?

[t0shstah]

Apparently the "hydra" uses exploits/overflows on a number of popular media players - including xmms, which is a Linux mp3 player and WinAMP, which is a Windows mp3 player. Therefore that would suggest it can infect multiple operating systems.

More details including the original post can be found here.

I still doubt the possible risk/effectiveness - or even that its true though.

Re:Windows Clients/hosts?

[Xner]

5) We have our own private version of this hydra actively infecting p2p users, and building one giant ddosnet.

Can you say "sue us please"?
No business financed with actual money of actual shareholders will ever open itself up for litigation in such a manner. The due-diligence folks would grill them.

Re:Windows Clients/hosts?

[evilviper]

What are you talking about? The only thing ``unrealistic" about the Apache exploit was that the ``experts" didn't believe it was exploitable on 32-bit systems.

As for the OpenSSH bug... it was discovered by ISS, announced and fixed by the OpenBSD team, and then, a week later (or so), they released an exploit. All they did was make a diff of the two versions to find the security problem, then write a small script that exploits it... That's more tame than almost all other exploits, since they did not find it themselves, and did not have to do much work to exploit it, since it (the bug) was already explained in detail.

Re:Windows Clients/hosts?

[i.r.id10t]

If this is the case and they are distributing a binary based on GPL code from xmms/mpg123/etc. then don't they have to release the source as well?

Re:Windows Clients/hosts?

[taviso]

oh please, this comes from the same guy that bought you Hewlett Packard 48 Series Calculators advisory.

its funny, laugh.

Re:Windows Clients/hosts?

[Technician]

Doesn't anybody lock down critical program files by checksum checking anymore? At that infection rate, it should have tripped someone's altered file monitor. Then they would have been in the major A/V signature files long ago. That infection rate could not have been a secret very long. I have a bunch of program files that are always checksum'ed at startup. If they change, and I didn't change it, bootup is halted for system repair. Signature files are no longer enough. Virus like activity needs to be watched.

Re:Windows Clients/hosts?

[ShavenYak]

No, Gobbles was the retarded turkey that Timmy befriended on one of the Thanksgiving episodes of South Park.

Re:Windows Clients/hosts?

[ManUMan]

How does their software know what media is illeagal? If I have ripped my own collection of CD's so that I can listen to them when I want to using my PC, how does the RIAA know? Further, if I am not sharing those files, download a song just to listen to it then delete the file, why does the RIAA get to infect my PC with a virus? --JS

Re:Windows Clients/hosts?

[Total_Wimp]

>3) Snort, RealSecure, Dragon, NFR, and all that other crap
>cannot detect this attack, or this type of attack.

But if it has infected "95% of all P2P participating hosts" then a few of us should be able to slap on a sniffer and simply look for the unauthorized traffic to prove if this is real or not. I personally don't trade over P2P so it wont do me much good, but there should be a bunch of you out there that could take this test.

If the exploit really is sending out the volume of data it claims, it should be fairly easy to spot. I know he "specially crafted" the traffic to make this more difficult, but how sneaky can it be when a catalog contains a few thousand MP3s? If "all media on the machine" is cataloged but you're only sharing out a subset of that media then a delta in the traffic would be pretty apparent.

The only thing I could think of that would make this really difficult is if the program sent the catalogs and then just stopped doing much until it was contacted or until a predetermined time. Solution: Attach a clean host with an infectable P2P client to your network with the suspected infected one. Make sure it has a HUGE catalog of music that isn't being shared to the P2P network. Then look for corresponding traffic.

Sounds like a lot of work, I know, but as my dad always said, "it builds character." Or, I suppose, we could just sit around and say "I think it's true" or "I think it's phony" all day.

TW

Re:Windows Clients/hosts?

[Nevermore-Spoon]

Where is the part about how the alien hybrids helped pitched a hand?

Re:Windows Clients/hosts?

[kilgore_47]

hesiod says: Is he saying that "Gobbles" runs Bugtraq.org? Am I missing something here, or is he full of shit?

Jesus fuck, people on slashdot are fucking stupid!

Facts:

1. Gobbles are not stupid, they've come up with many innovative exploits, and are without a doubt very talented hackers. You may remember them from such classics as the linuxslapper worm (based on their apache-scalper code), or the nifty ettercap remote-root-via-irc exploit.
2. Obviously, the RIAA didn't hire them to "hack back". If the RIAA hired people to hack, they wouldn't talk about it on a fucking mailing list. (Furthermore, the bill that hinted at such "hack backs" wasn't ever passed.)
3. Gobbles is prone to making hilarious outlandish claims. Clearly, this is a simple mpg123 exploit preceeded with a very funny joke to make the RIAA look bad.
4. Yes, gobbles runs "bugtraq.org". That has nothing to do with the securityfocus mailinglist called bugtraq, however. It's just a domain name.

Suggested reading:
- BugTraq post with the funny RIAA bit, followed by actual mpg123 exploit code
- Gobbles Homepage (sometimes available at bugtraq.org, but currently down there, and up here)

So, in conclusion, the news here is this:

mpg123 has a vuln.
Gobbles are some funny guys.
The p2p networks are not 0wned.
(And, oh yeah, both the register and slashdot got trolled again. But thats not news anymore than "it's raining in seattle".)

You may now return to filesharing as usual.

Is the RIAA liable to hacking chages?

[mcbridematt]

I wonder, If the RIAA sends a worm through P2P networks and shut's the networks down, can the RIAA representatives be charged with hacking?. Besides, not all files on P2P networks are illegal.

Re:Is the RIAA liable to hacking chages?

[uncoveror]

Indeed. The Berman Bill has not become law, and under the USA Patriot Act, Hacking can be considered terrorism. One thing we sould all do is boycott the recording industry.

Re:Is the RIAA liable to hacking chages?

[mpe]

The Berman Bill has not become law, and under the USA Patriot Act, Hacking can be considered terrorism.

Even if it was law it would only protect the RIAA if they only hacked machines in the US. Which wouldn't be easy to do. Imagine how silly the US government would look refusing an extradtion request for a "terrorist suspect" too.

That explains...

why all my porn has been changed to Hillary Rosen with a strap-on.

Creation of viree is a crime

[Max+Romantschuk]

Well a worm is a form of a virus, and it is a crime to create one... One would presume that the RIIA would not be stupid enough to try and play a vigilante.

Re:Creation of viree is a crime

[hesiod]

Never use "RIAA" and "not [...] stupid enough" in the same sentence... It's bound to get you proved wrong.

The Register is wrong..

[dj28]

The actual exploit was posted on buqtraaq yesterday. You can find it here. That link has the original post from the group explaining what the exploit is, how the RIAA is supposedly involved, and it has the exploit as an attachment. Check it out and decide for yourself if it's a hoax.

Re:The Register is wrong..

[EricWright]

The scary thing behind what was posted to Bugtraq is that it explicitly states that all digital media on the system is cataloged, and the list is sent to the RIAA. This assumes all digital media on a system is an illegal copy.

Sure, if the worm comes into your system over a P2P network, there's a good chance that at least *some* of your mp3s are pirated, but there's no way to differentiate pirated mp3s and those you ripped/encoded from your own CD collection.

I could easily see someone downloading a public domain work via P2P network, getting infected, and having their 40GB mp3 (ripped/encoded from legally obtained sources) library listed to the RIAA "for future prosecution."

I love the whole guilty until proven innocent attitude here. Sounds like a bad "In Soviet Russia..." joke.

Re:The Register is wrong..

[UCRowerG]

Correct me if I am missing something here, but isn't it a no-no to put your legally ripped-from-cd tracks into your "share" directory for others to copy? So if this worm goes cruising through your shared directories and finds copyright material, you're still in breach of copyright since you're basically giving away copies of these songs.

Re:The Register is wrong..

[Hellkitten]

isn't it a no-no to put your legally ripped-from-cd tracks into your "share" directory for others to copy?

all digital media on the system is cataloged, and the list is sent to the RIAA.

So what exactly makes you think it'll only search your shared folder?

Re:The Register is wrong..

[LostCluster]

It might be able to claim your P2P shares are for that purpose, but it's perfectly legal to put your MP3s on a server within your own house and then have all of your other devices access from a share on that server. It's being shared in a tech sense, but in reality its transfering from one computer of yours to another computer of yours, so it's you-to-you and no copyright violation can happen there.

URL to the original BugTraq posting

[sboyko]

This is the original posting.

Reading the posting, it seems unlikely.

Link to Security Focus

[MImeKillEr]

This article may have more info that the one linked in the article.

worm code

[macrophage]

Hey, I found a copy of the worm's code:

RIAA - 0wn3d by.... ;p
oooh riaa want's to hack Filesharing Users / Servers ? - better lern to secure your own server...
Sorry Admin - had to deactivate ur accounts - they'll be reactivated after 2 hours

greetz : Rage_X, BRAiNBUG, SyzL0rd, BSJ, PsychoD + all the others who want to stay anonymous :]
wanna contact ? mailto:h4x0r0815@mail.ru

Oh, wait, that was the RIAA's web page. Never mind!

Legally

[Hasie]

Where does this leave the RIAA legally? The bill mentioned in the article that would allow the RIAA and other copyright holders to crack computers to prevent piracy is not law yet. Does that mean that this would be regarded as just another worm with the authors being thrown in jail (like the authors of Love Bug and others)?

Nah.

[llamalicious]

I've got at least 7 mp3 downloads running right now and none of them appear to be infe($!$%. .AF0ERIAA.`/2#..-

Re:Nah.

[Anonymous+Brave+Guy]

I've got at least 7 mp3 downloads running right now ...

We know, thanks.

Love and hugs,
The RIAA

Re:*cough* bullshit *cough*

[wackysootroom]

I agree. A healthy dose of scepticism is needed here. First of all, if the RIAA really *did* want to infect the p2p networks with a worm, they would make GOBBLES sign a non disclosure agreement.

Could this be FUD straight from the RIAA to scare people into not running p2p apps? Is it a rumor started by GOBBLES to create a stir against the RIAA, or is it legit?

Who cares? I'm gonna fire up my gnutella client and share open source software until the day that p2p is illegal.

Re:If you can't beat 'em

[squiggleslash]

Given the number of times the RIAA's website has been hacked, I'm guessing they're thinking the way you are...

Hoax

[evilviper]

I sincerely doubt that this is true for a number of reasons. First of all, if they were hired to write the software for RIAA, don't you thing secrecy would both, be part of the agreement, and be completely necessary?

In addition, I find it had to believe that all the antivirus companies are sitting on their collective asses, and completely missed an infection that is supposedly on 95% of computers that participate in P2P.

Further, if anyone was to do something such as this, they would most certainly get in serious trouble for, what is essentially a widespread, illegial, interstate, wiretap.

In addition, I'd just like to say that there is no reason to put much faith in Gobles... As Theo said, he's more or less the next ``fluffy bunny". If anyone can be said to have a severe ego problem, it is him...

Re:Hoax

[Zayin]

I sincerely doubt that this is true for a number of reasons. First of all, if they were hired to write the software for RIAA, don't you thing secrecy would both, be part of the agreement, and be completely necessary?

Have you considered the possibility that they were hired by the RIAA to *claim* that they wrote the software, to scare people away from p2p networks?

Re:Hoax

[Zigg]

Have you considered the possibility that they were hired by a group who wants to make the RIAA look more evil (or perhaps are acting on their own), and the RIAA actually has nothing to do with it?

95%? Not likely.

[achurch]

I doubt you could get 95% of people on the Internet to agree on anything, much less taste in music, and even if this worm/virus infected every MP3 on a computer, 95% infestation seems really, really unlikely.

On the other hand, this (worming P2P clients) has been talked about a lot in the past--and there are already viruses spreading via P2P, though the community seems to detect them pretty quickly--so I wouldn't put it past the RIAA to do something like this. Much less this Gobbles character; he's pretty infamous on the Bugtraq mailing list for trying to make fun of / piss off as many people as he can. (Incidentally, Gobbles is also known for overstatement, and as he was the one who stated the 95% figure in the article . . . well, you decide.) And it would of course be trivial to "phone home" to the RIAA with information about shared files on the computer.

So while I could believe the existence of the worm, I seriously doubt the 95% infestation figure.

not sure

[Tom]

Forget the RIAA bashing, the Gobbles guys know what they do. That said, this is very un-gobbles from what I've seen from them in the past. Not the technology, but the comments in the source, for example. Then again, they're supposedly a large group.

From the little info that is available, I'd give them a 50-50 chance that it's true. That would be interesting.

If It's True...

[E-Rock-23]

...then it's an illegal act, period. Unless the Berman Bill is retroactive to a date prior to this supposed worm launch, it occoured before the bill is ever passed, and is illegal no matter what.

This supposed worm disables functions of a computer. Therefore, it is malicious, as is anything that modifies system performance without the user's knowledge and consent.

If this is true (95% infection rate? Doubt it), then we have one heck of a piece of ammo to use against the RIAA, if indeed they contracted this worm. The Price Fixing settlement, in that case, is just the beginning.

Dubious Legality

[Mr+Guy]

An exploit of this nature is of dubious legality

Dubious? How is there any doubt? Assuming this passes the farmer test (it's not just bullshit in a bag), how can there be doubts it's illegal. At best, it's invasion of privacy. At worst, it's cyber terrorism as defined by the Patriot Act.

The existance of a P2P client doesn't a criminal make, especially since the example given in the article by the l33t hacker is a perfectly legal file: the public MP3s (written to celebrate each OpenBSD release).

It's junk, like the quad-browser yesterday.

The biggest thing to fear is that the RIAA will use this to make up more numbers.

Re:Dubious Legality

[John+Hasler]

> Assuming this passes the farmer test (it's not
> just bullshit in a bag), how can there be doubts
> it's illegal.

There can also be no doubt that there would never be a criminal prosecution. The best we could hope for would be that the ISPs would file a lawsuit and get an injunction ordering them to stop.

> The existance of a P2P client doesn't a criminal
> make, especially since the example given in the
> article by the l33t hacker is a perfectly legal
> file: the public MP3s (written to celebrate each
> OpenBSD release).

The RIAA objects to the existence of such music: they make no money from it. Their goal is more ambitious than just stopping unauthorized copying. They want to make distribution of music outside their control impossible.

> It's junk, like the quad-browser yesterday.

Very likely.

Re:Dubious Legality

[Sycraft-fu]

Oh you bet there would be criminal prosecution if this were real. See this isn't just something that deals with illegality on a federal level, but state and local too. YOu don't think there' at least one DA that would take the case? OR fine, assume that all the US prosecutors are unwilling to go after this (I find that higly unlikely) such a thing would have affected international computesr as well. I can gaurentee you other countries would go after this.

No if this BS were true, everyone invloved would be in deep, deep shit.

Re:Dubious Legality

[nolife]

Another thing..

Retrieving a list of file names from someone should not be enough to prosecute them. I believe in order to prove you had a copyrighted file, the RIAA would have to download the entire file from that person and then listen to it to ensure it is what they thought it was. Nothing prevents me from creating thousands of fake files and giving them arbitrary names like "Metallica - Ride the Lightning.mp3". Having a file with this name is NOT illegal. I would also have to assume that the RIAA would have to provide some logs above and beyond what a P2P client has that shows where they got the file from and what time, maybe traceroutes and and traffic logging?. There are already tons of bogus files out there, wether they were planted or there by accident there is a chance you have a file name that is not what you think it is. I find it odd they have the power to mail abuse@your.isp and getting anything accomplished with that. You need solid evidence, you will not get arrested for having a file named i_tape_little_girls.mpg (although it may raise questions), but somehow you have less rights by having popular_song.mp3. It is obviously the corporate intrests involved that this is heading where it is. You need solid evidence to support a violation of the law for everything else in the world except for proving copyright violations.

Want to be secure? Use systrace...

[evilviper]

Currently, systrace is available for OpenBSD and NetBSD, but work is going on to make it available for Linux as well.

So, any program you have that opens untrusted content (xmms, mplayer, mozilla, etc) can be run with systrace, and you can selectively enable certain types of activity all the time... disallow certain activities allways, and be prompted for selective approval or denial of everything else.

Even though I believe this to be a hoax, it's certainly true that it could be done, and something like systrace is needed to guarantee a bug in a program you run can't be used to take over your system.

Re:*cough* bullshit *cough*

[Verteiron]

This is amusing, actually. Tell me again how one puts a "virus-worm hybrid" into a non-executable file and have it infect mp3 players on multiple platforms? Oh, and do it so that none of the millions of people listening to MP3s notice? While maintaining compatibility with things like handheld players? Oh, and let's not forget the linux people running programs like Integrit, which would let them know if something had modified their mpg123.

Please, I can't even believe this got posted.

Hoax

[phreaknb]

This is a hoax. If you check the PGP signature, you can see that it isnt valid.

No need to worry...

[anthony_dipierro]

I'm sure if you are only sending/receiving legal mp3 files you won't run across this worm. And we all know that slashdotters never download illegal files.

Typical RIAA stupidity?

[dmaxwell]

Assuming that the RIAA has created a p2p worm wouldn't it be the height of stupidity to announce it's existence? On the one hand they can generate some fear among p2p users and get a slight decrease in trading. On the other hand, if it really exists it is going to be found in very short order. If it's found by the wrong people (to them) then this is going to backfire in very short order. Once the details are known, I don't imagine it would be very hard to inject loads of spurious info into their violator database.

The SecurityFocus posting has lots of bragging about how network security tools won't find their exploit. I beg to differ. They aren't going to dodge tcpdump running on a machine that is a gateway for an infected machine. The way gnutella is supposed to work is known. To a trained eye, their "cleverly crafted" network requests are going to stick out like a sore thumb. In any case, just knowing a thing exists greatly simplifies finding it. We'll know in short order if they're hoaxing or not.

Now that I have read the fine article...

[PeterClark]

I take back what I said--ok, so the RIAA may not have the brightest lightbulbs, but they can outsource.

BUT...
Unless I am mistaken (already happened once today), this is just a buffer exploit. By the end of the work day, there should be patches for mpg123, xmms, and any other open source mp3 player affected. Then what is the RIAA going to do? Bang its collective shoe on the table and scream "Kill them! Kill them!"?

:Peter

Re:Poor choice of headline

[Etrigan_696]

Unless you modify it with the word "UP". As in:
My dog ate road-kill and got all wormed up.

The typical cure for this is (if you have money) to get the wormer from the vet/wal-mart/pet store and hope... Or...(if you are poor and the dog means alot to you) you force feed the pooch a huge wad of "Chaw"... Chewing Tobacco.... Several times. It does the trick, but it's like chemotherapy - you're just hoping the worms die before the dog does.

Okay - maybe this is a Southern Redneck Hunting Dog thing...I dunno.

More commentary

[sheriff_p]

More commentary including thoughts on some of the implications here:

http://www.virusbtn.com/news/latest_news/gobbles.x ml

Bugtraq Source

[BadBlood]

So, has anyone downloaded the source example from bugtraq, compiled it, and seen what happens?

Re:Bugtraq Source

[bfree]

Yep I did, and it said:

$ ./mp3exploit.exe @! Jinglebellz.c: mpg123 frame header handling exploit, 0.1 @! Usage: ./mp3exploit Target list: 0 Prepare evil mp3 for SuSE 8.0 1 Prepare evil mp3 for Slackware 8.0 2 Debug

As I was running it under cygwin at the time (don't ask) I don't think it'll let me run the resultant mp3! Just for fun though I did run it and it threw back the following (for Suse):

$ ./mp3exploit.exe 0 evilSuse.mp3
@! Jinglebellz.c: mpg123 frame header handling exploit, 0.1 @!
+ filling bogus mp3 file
+ preparing evil header
* header (0xffe00000) state: 0: 1111 1111 1110 0000 0000 0000 0000 0000
* header (0xffe40000) state: 1: 1111 1111 1110 0100 0000 0000 0000 0000
* header (0xffe40800) state: 2: 1111 1111 1110 0100 0000 1000 0000 0000
* header (0xffe50800) state: 3: 1111 1111 1110 0101 0000 1000 0000 0000
* header (0xffe5e800) state: 4: 1111 1111 1110 0101 1110 1000 0000 0000
* header (0xffe5ea00) state: 5: 1111 1111 1110 0101 1110 1010 0000 0000
+ checking if header is valid: YES
+ addrloc: 0xbfff923c
+ writing shellcode
+ all done, evilSuse.mp3 is ready for use

The slack version is identical except for addrloc: 0xbfff96f4.

Now the files it spits out are 2888 bytes and the strings output of the Suse and Slack versions are identical (1763 bytes) starting with a line containing "A" 1663 times followed by a 1 and then:

hort
ho abh-c thCTRLhs.. hcondh5 seh in hrf ~hrm -
hf ~Xhm -rh-cXrhAAAAhAAAAhAAAAhAAAAh/shCh/bin1

The actual Suse file contains (as displayed by less):

<FF><E5><EA>^@@<92><FF><BF&gt ;

Then the 1663 "A" and the "1" then :

<C0>1<DB>1<C9>1<D2><B0>;P1<C0>ho rt ho abh-c thCTRLhs.. hcondh5 seh in hrf ~hrm -<B3>^B<89><E1><B2>)<B0>^D<CD><80>1&l t ;C0>1<FF><B0>^E<89><C7>1<C0>1<DB>1<C9&amp ; gt;1<D2>f<BA>pPR<B3>^B<89><E1>1<D2><B2&g t ;^B<B0>^D<CD><80>1<C0>1<DB>1<C9>P@P<89&g t ;<E3><B0><A2><CD><80>O1<C0>9<C7>u<D 1>1<C0>1<DB>1<C9>1<D2>h f ~Xhm -rh-cXrhAAAAhAAAAhAAAAh AAAAh/shCh/bin1<C0><88>D$^G<88>D$^Z<88>D$#<89>d1&l t;DB><8D>\$^X<89>\$^L1<DB><8D>\$ESC<89>\$^P< 89>D$^T1<DB><89><E3><8D>L1<D2><8D>T$^T&l t ;B0>^K<CD><80>1<DB>1<C0>@<CD><80>^@<FC ><95><FF><BF><FC><95><FF><BF> ho abh -c thCTRLhs.. hcondh5 seh in hrf ~hrm -<B3>^B<89><E1><B2&gt ;)<B0>^D<CD><80>1<C0>1<FF><B0>^E<89>& l t;C7>1<C0>1<DB>1<C9>1<D2>f<BA>pPR<B3>^B& l t;89><E1>1<D2><B2>^B<B0>^D<CD><80>1<C0 >1<DB>1<C9>P@P<89><E3><B0><A2><CD>&amp ; lt;80>O1<C0>9<C7>u<D1>1<C0>1<DB>1<C9>1&l t ;D2>hf ~Xhm -rh-cXrhAAAAhAAAAhAAAAhAAAAh/shCh/bin1<C0><88>D$^G &lt ;88>D$^Z<88>D$#<89>d1<DB><8D>\$^X<89>\$^L1<D B><8D>\$ESC<89>\$^P<89>D$^T1<DB><89><E3>&amp ; lt;8D>L1<D2><8D>T$^T<B0>^K<CD><80>1<DB>1&amp ; lt;C0>@<CD><80>^@<FC><95><FF><BF><FC& g t;<95><FF><BF>

This is followed by <FC><95><FF><BF> a mere 240 times! The Slack file is very similar, all I can see different is in the start the ^@@ becomes ^@ and then the repeated <FC><95><FF><BF> becomes <B4><9A><FF><BF>

While I was writing this the RIAA have confirmed (allegedly) that they have nothing to do with this and have only just heard of it as they forwarded the e-mail. I honestly think it was a hoax to try and discredit the RIAA, but it was the most pathetically handled hoax of all time. To have made this work to any effect, he should have setup a P2P client to distribute a "document" he sent to the RIAA confirming discussing the development and deployment. If he had just pushed out a few copies of this a day (using the deceptive filenames technique) you can be sure someone who got it would have leaked it soon enough. As long as he could actually write real english as oppossed to the crap he dribbled here, it probably would have taken quite a lot more effort for people to get to the bottom of it. However, no-one (well some of the more rabid /. readers excluded) was ever going to believe that someone hired by the RIAA would disclose this like this, slagging Theo and saying things like "We hope that you're as amused with our maturity as we are", "Don't fuck with the RIAA again, scriptkids", "We have our own private version of this hydra actively infecting p2p users, and building one giant ddosnet" and the icing on the cake " Remember, Napster is Communism, so fight for the American way of life."

MD5 Hash

[Inda]

Over at SourceForge eMule is one of the largest downloaded clients on the list...

Change one byte of any file and the MD5 hash for said file changes. This is nothing new or even that clever but it does stop bad files from spreading around the network.

As I understand it, Kazza is still number one when it comes to P2P file sharing. When I last opened Kazza it reported 4 million users. Kazza also uses a file hash to allow segmented downloads as do most P2P clients these days.

These **AA infected files would be a drop in the ocean and they would not spread far. If this is a hoax then it's not even a very clever one.

And the #1 Reason this is probably a hoax....

[disc-chord]

This would be a lot easier to swallow if the RIAA.org wasn't so blatently easy to hack, then you could reasonably assume that the RIAA even knows a decent hacker let alone contracts them.

But seriously, let's say this isn't a hoax. Big Effing Deal. So the RIAA gets one day to make the P2P networks all DDOS themselves to hell. Yippie. That's just one day of interupted service. Within hours of this hyrda going off there will be virus definitions and patches from all the anti-virus vendors to fix the issue. And all of the software that is being exploited would also recieve patches.

Does anyone seriously believe that any significant percentage of P2P users are going to suddenly say "wow the RIAA has been right all along I better start paying for things" because they get exploited by Hilary & Friends?

I mean seriously here, the dilema is: a) Don't pay for anything and risk getting hacked by the RIAA *maybe* once. b) Pay for everything.
Wow that's sure gonna be a tough choice for the P2P crowd. What an insane waste of money for the RIAA to even bother with this nonsense.

RIAA statistics

[Loonacy]

Only 10% of the computers were really infected. But they were FAST computers, so they count as 95%.

Re:*cough* bullshit *cough*

[Mattsson]

I wonder...
Would a NDA be legally binding for something as illegal as creating a worm that "hacks" itself onto peoples computers?
Wouldn't the one approched with a deal like that be obliged by law to report it to the police?
If someone asks me to do something illegal in exchange for money, am I breaking the law if I don't report it? Even if I turn the offer down? =/

Re:*cough* bullshit *cough*

[Verteiron]

Ok, say in theory you could do that. Now, is that buffer overflow going to exist in all the different players they list? Or do they have to write multiple exploits into the headers? And if they screwed around that much with the headers, someone would have noticed by now because it's likely some mp3 player, somewhere, blew chunks trying the read this majorly-screwed-up header. Even if, somehow, no one noticed/experienced this, that STILL doesn't explain how it could modify/infect files without attracting the notice of checksum-verification programs like Integrit.

Sorry... I can believe they found an exploit for mpg123. But the other claims they make are unbelievable, and border on just plain silly.

Re:Want to be secure? Use systrace...

[Tom]

Systrace is a nice toy, but unfortunately a flawed concept. There's a whitepaper from the NSA about the why, look on their selinux site (www.nsa.gov/selinux)

Re:*cough* bullshit *cough*

[Cally]

> Please, I can't even believe this got posted

I think it's interesting, and I'm glad it was posted, although my first reaction was the same as everyone else, BOLLOCKS! But as lots of other people, including the mighty Register have pointed out, Gobbles has a good record for making apparently silly claims, letting people scoff, then proving them wrong. I think the real story is "Gobbles makes outraegous claim, what the hell is he up to?"

Speculation: Theoretically, I guess it's possible that there's an overflow in a library widely used in mp3 players. Remember the SMTP vulnerabilities last year, or the zip library hole that affected everyone from RedHat to Microsoft? Heh, that's the trouble with those pesky BSD licensed libs ;) Suppose Gobbles did find a zero-day hole. Remember that 95% of p2p users are going to be Windows users, so they're probably all using the same OS libs in their clients - for network access, say, if not for mp3 playback. Bear in mind that this worm would be pretty silent - it wouldn't be throwing rude messages up on the screen, it'd be sneaking around and trying to hide itself... Suppose it was only released in the wild a week ago. Perhaps it used the Kazaa auto-updating features to distribute itself over the network . Hmmm, this is actually starting to sound feasible. Now, obviously if the RIAA hav done this, then they're in deep, deep trouble: even the copyright mafia and Bush junta would have a problem trying to make out that this is anything but deeply criminal action. Posit: Gobbles, or another ethically challenged researcher, decides to try to discredit the RIAA... what better way to do it? Can you imagine the 9o'clock TV news headlines if there turns out to be a whiff of fire behind the smoke?

Antivirus

[artemis67]

That was my first thought. If this is on the level, then anti-virus software should be catching it.

After all the anti-virus attacks of the last few years, consumers and businesses alike have dumped a ton of money into anti-virus software. I find it hard to believe that a worm could get 95% penetration in this group.

These hackers are just looking for some recognition, that's all.

Re:That explains...(hold on a minute)

[gosand]

why all my porn has been changed to Hillary Rosen with a strap-on.

Wait a minute...
THAT'S NO STRAP-ON !

I'm pissed off

[Sandman1971]

Ya know what pisses me off? If this is true, then users like myself have been illegitamately hit.

I have a copy of Metallica's Kill Em All on tape. My tape is pretty worn out. So I hit the Fastrack network to download the songs. Now under Canadian law, this is perfectly legal as I own an original copy of the album.

But now my PC is infected by a worm/trojan because a cartel ^H^H^H^H^H some 'company' believes that everyone who downloads MP3s are doing so illegally. Nice when a company thinks that everyone is a criminal. Congress really needs to wake up and start protecting the people again, and not mega corporations. And other countries need to shove back when the US tries to push it's own laws onto them.

Gobbles is a glory whore

[essdodson]

To anyone who's read their advisories in the past this comes as no surprise. Gobbles's sole motivator here is to draw attention. From their security advisories that sound as if they're written by a third grader, to their advisories posted in comic form on their highly deceptive website www.bugtraq.org I've seen little from them that demands respect.

Besides, if they were working with RIAA, wouldn't the RIAA also have paid them a few bucks to secure their site? If they have, wow, bang up job so far.

Joke

[dissy]

This is so obviously a joke its not even funny.

> Things to keep in mind:
> 1) If you participate in illegal file-sharing
> networks, your computer now belongs to the RIAA.

Im sure glad there are no illegal file-sharing networks yet!

> 2) Your BlackIce Defender(tm) firewall will not
> help you.
> 3) Snort, RealSecure, Dragon, NFR, and all that
> other crap cannot detect this attack, or this
> type of attack.

Admitting its an attack, and admitting you are purposly designing it to avoid current defences, that will look good to a judge.

> 4) Don't fuck with the RIAA again, scriptkids.

Oh, your 13 years old?

> 5) We have our own private version of this hydra
> actively infecting p2p users, and building one
> giant ddosnet.

So any future DDoS we now can blame on these people who openly admitted to it.

GO get em yahoo and ebay!

> Due to our NDA with the RIAA, we are unable to
> give out any other details concerning the
> technology that we developed for them, or the
> details on any of the bugs that are exploited in
> our hydra.

An NDA is a legal document which cannot in any way override existing laws.
They admit to breaking numerous laws, and yet think a legal document will protect them?
I guess they really must all be under 13.

As a matter of fact, if my PC acts strange in any way shape or form, they now have opened themselfs up to a lawsuit.

They also claim the RIAA now has an illegally gained list of the perfectly legal files on my harddrive. This would be the perfect time for a large company to sue and request discovery, which would allow someone (generally feds, but still) to collect evedence (IE take any/all of their servers on the public network which ever have/had connections to a p2p network) which will cost them time and resources and frustrations. Then hopefully some evedence will be found as well.

My only wish is that alot of companys able to afford the legal fees open petty lawsuits aginst them for admitting all the crimes they have commited, if for nothing else than to cause them grief. Can also be used to harass the RIAA a little (Would be much better if the RIAA admitted this was true, but that will never happen.)
Turn the stupidity of the system aginst the enemy for a change.

People Lack Humor

[Col.+Panic]

Gobbles is very tongue-in-cheek. Their posts, while they contain actual, working exploits, are meant to be funny. They deride or praise the list moderator, poke fun at script kiddies (shout outz duudz), and are generally pretty damn funny.

This is no different.

If you wanted to...

[Windcatcher]

force the makers of MP3 players to recheck their source code to ensure that such holes DON'T exist, this would be a way to do it. Publish an exploit, link it to all major players, invoke the RIAA demon, and watch the coders scramble. Right now:

- Coders are, I'm sure, crawling through their code to look for and fix any security holes,

- Users are running firewalls and packet analyzers to check for any worm-like behavior,

- Some P2P users are taking a second look at checksums.

If such vunerabilities exist, I'm sure they won't for much longer. If the Berman bill ever becomes law, there won't be much to hack.

I Am Utterly Innocent but Possibly Infected

[FreeUser]

The scary thing behind what was posted to Bugtraq is that it explicitly states that all digital media on the system is cataloged, and the list is sent to the RIAA. This assumes all digital media on a system is an illegal copy.

Yes, it does. And it shows what criminal, despicable, disgusting excuses for human beings work for, or with, the RIAA.

Sure, if the worm comes into your system over a P2P network, there's a good chance that at least *some* of your mp3s are pirated, but there's no way to differentiate pirated mp3s and those you ripped/encoded from your own CD collection.

All of my mp3 and ogg files are ripped from my own rather large, but no longer growing CD and Vinyl collection (because now I do not buy CDs, ever, nor will I, ever again). All of my avi's are recorded from my own television, my own animations, or my own media, and are not traded, ever. Indeed, none of my stuff is traded, ever.

However, I did install gtk-gnutella in order to download the hiliarious fan fiction Star Trek episode "Savage Empire", because the web site distributing the files had been slashdoted. A perfectly legal download, for which, if this story is true, these unlawful thugs have infected my machine.

I have enough money, and the will, to persue a very harsh lawsuit against these fucks if this story has any veracity, and if I am infected, and I will not hesitate to do so.

"In Corporate Fascist America You and Your Data Belong to the Copyright and Media Cartels. Bend Over and Enjoy the Ride, Consumer."

Re:If you can't beat 'em

[RobotRunAmok]

Well, bad sentence construction usually indicates an American. Apparently, the US public education system is merely designed to instill a yearning for low quality cars, fast food and WWE into it's students - spelling, grammar, mathematics and any kind of art or culture seems to be off the menu

Hm. Interesting.

By the way, where are you from, son? If I was to judge you from your post, as you have seen fit to judge others, I'd say, hmmmmm, let's see... Arrogant... Cowardly... ridiculously placing foot in mouth by mis-using it's while criticizing another nation's school system...

France?

Let's see, how many languages can I say "liar' in?

[ndnet]

Where to begin.... I'll only deconstruct the SecurityFocus message.

First, the fact that these programs have exploits is no surprise, but one media clip (probably MPEG (maybe MP3)), since while Windows Media Player and WinAMP offer universal playback, do ALL of them? Could one file even hit exploits in all these programs?

Second, since each is likely to have a different vulnerability, the amount of worm data in a file would be a decent chunk. Wouldn't it be noticed?

Third, an NDA would state that there can be no mention of it until it is ACTIVATED and USED. Now, Ad-aware-style programs will pop up to clean it if it exists.

Fourth, how many files would this have to be to get 95% of P2P users? The only way it could is by infecting every file you share, but SOMEBODY would have to notice that, whether the file size changes or some A/V data is thrown out.

Also, the idea of "specially formatted P2P requests" to inform RIAA is laughable. Even if the P2P software itself were compromised, a firewall user could notice it. Furthermore, consider the average media collection - hundreds of MP3s. Considering it would have to send artist name and song name, the amount of data would be well over 1MB unless compressed, and even then on dialup users it would have to be staggered.

Also, what kind of backend would this take? Multiple servers, a huge internet connection. Considering how big the P2P networks are, wouldn't this have to be a massive monitoring system? There aren't that many locations with these resources INSTALLED, so finding the facility would not be hard.

And why mention you have a IDENTICAL worm that you use to build a DDOS NET? Simple. Get those who don't care about privacy too much kicked up about that.

Finally, this sounds very strangely like RIAA-induced hypnosis - here are a few lines which show that they probably are lying and not even working with RIAA, just agree with RIAA's ideas.

"victim" (not the hard-working artists who p2p technology rapes, and the RIAA protects)

4) Don't fuck with the RIAA again, scriptkids.

Until we became RIAA contracters, the best they could do was to passively monitor traffic. Our contributions to the RIAA have given them the power to actively control the majority of hosts using these networks.

There are some spelling mistakes. There are factual holes that they cover with the claim of an NDA. In short, the probability of a hoax is about 98%.

Gobbles was -kidding-, but has a point.

[Mordant]

Jeez.

He's trying to make a point - that running all this P2P crap blindly on your systems, -especially- Windows boxes, is a security nightmare.

Think about it; he's managed to get thousands upon thousands of people worldwide nervous and antsy about whether or not their boxes are in a semi-0wned condition. Why?

Because it's within the realm of possibility that something like this could be done. Not by the stupid RIAA, who can't even secure their own Web site, but by somebody a) more skilled and b) motivated to do something Really Bad, like build (and use) a gigantic DDoS network, or steal any kind of account/password info it can find, or any kind of documents which might contain proprietary information, etc.

The intellectual property aspect of filesharing aside, I personally think that anyone who runs a P2P app is asking to get burned. There simply hasn't been the kind of scrutiny turned on these things that we see on other types of apps and utilities (and we already know that the concept Gobbles is preaching about is valid due to the earlier KaZAa worm, etc.).

Re:Where's the counter-exploit?

[Hellkitten]

easy enough to write a counter exploit that hunts down and removes the Gobbles virus/worm

And then send the riaa a fake list of digital media

hilary_rosen_nude_1.jpg
hilary_rosen_nude_1.jpg
hilary_rosen_nude_2.jpg
hilary_rosen_nude_3.jpg
hilary_rosen_nude_4.jpg
hilary_rosen_nude_5.jpg
....

Re:*cough* bullshit *cough*

[Borealis]

Not to mention all the paranoid folks that monitor all their traffic. The worm claims to send info back to the RIAA, just try to tell me that somebody who's a religious packet sniffer won't notice that.

Did anyone think P2P was good for security?

[melonman]

I don't pretend to know much about the gory details of how it works, but P2P has never struck me as the best way ever invented to ensure the integrity of your system.

Last week a client asked to bring his PC into the cybercafe to download some files using eDonkey. After a couple of days, my observations were that

• It was going to take him another month to get a whole video of anything (cf 90 minutes for a whole Redhat CD over the same connection)
• The only downloads that worked were XXX
• His software opened 200 connections through my firewall, compared with about 20 for the rest of the cybercafe (our machines are thin clients, he was on a different subnet)
• He was receiving from 100 or so different ports, some of which are also used by well-known worms and trojans

So I told him to take his eDonkey elsewhere... is there any way to know what you are really connected to with this sort of system?

Re:Did anyone think P2P was good for security?

[Inda]

It is normally for a 700MB ISO to take 2-3 days on the eDonkey [eMule] network. Remember that you are not downloading from an FTP site or web server; you are downloading from peers with a finite amount of bandwidth. Most people, like me, have a capped upload speed which is 25% of my download speed. The quality of files on this network is the main reason people use it - not the speed.

200 connections is normal too. I currently have 90 connections because of the limitations with Windows 98. You are constantly asking other peers for files at the end of the day.

100 used ports is wrong though and I would be worried about this too. I only use two...

Why are you all so gullible?

[ProtonMotiveForce]

Come on, this is about as realistic as the computer jargon you hear on TV.

"My Subnetwork ping redistributer is down! I need to reboot my LAN before the virus infects my ethernet cable and gets everywhere!!!"

And yet I see people saying "this is probably not true" or "this may be a hoax", or "if they're doing this it should be illegal!". Come on. For Christ's Sake, this is totally idiotic and anyone with an iota of computer knowledge should immediately dismiss it.

I don't care if Linus Torvalds himself came out and said he'd done it, I'd laugh and point.

Well...

[autopr0n]

If you read the artical, you'll see that they code they released was for a UNIX Mp3 player, which means they certanly have the capacity to infect Unix machines using mpeg123, I doubt windows programs would be much harder, and I DID just upgraded winamp to cover up a buffer overflow problem in the id3 tag...

An MP3 based virus is possible these days, and it could easily spread to all your mp3s once activated. (even on unix, since obviously your mp3 player is going to have access to those files, unless they are read-only)

RIAA Math...

[dallask]

Lets not forget who were dealing with here.... these are the same people who claimed confiscation of thousands of cdroms in a raid, when in fact it was just several fast cd burners.... their justifaction of the false numbers... These burners were really fast, thus they were equivalent to thousands of "Normal" cd burners...

they probably just got it to run on a couple of systems and then multiplied that by the number of users on the p2p net.

Re:Kernel module rootkits == invisible

[evilviper]

You have no idea what you are talking about.

First of all, there is no way you could even get Root from an exploit of mpg123, mplayer, xmms, or anything else Gobbles listed... They all run as users, not SUID or anything like that.

Secondly, Systrace is not an antiworm program. It is a program wrapper, which you use to restrict the permissions of other programs. For instance, you could create a systrace script for xmms that would allow it to read all the files in /home, but NOT write, not have access to the network, not have permission to basically anything else. Then, even if a serious bug was found in xmms, there would be no way an attacker could do anything that would be useful. They could have xmms read your files, output something to the soundcard, etc, but not write itself onto another program, it couldn't open a port, it couldn't send information back, it couldn't do much of anything.

So, systrace is really a preventative measure.

Of course, you could have done a 2 minute search on google and found that out for yourself.

outbound network monitoring

[Nevermore-Spoon]

I download many mp3s via p2p, easily putting me in the 95%, I ahve zone alarm running on my P2P, and have never had any hits attempting to go outbound, with the latest versions of zone alarm, they can't merely mimic application names to get through, wouldn't this BS be provable by someone out there monitoring outbound network traffic....I'm calling HS hoax

Re:outbound network monitoring

[rmadmin]

Not so much that, but I know theirs geeks out their with a linux or BSD box firewalling, that logs EVERY packet for some paronoid reason. *G* Anyways, I'm guessing one of these people would have caught something like this already. I'll agree with the hoax line.

We're Sorry

[Flamesplash]

Oh sorry guys, we didn't mean to infect the p2p networks, really. It turns out that one of the people responsible for manning our monitoring systems accidently infected the monitoring system with a virus which then found it's way into the p2p network. We're really sorry we know absolutely nothing about technology, oh and please go pay $18 for a cd instead of getting them off of a p2p network, it would really suck if you accidently got a virus because you used p2p.

From Winamp.com

[Graspee_Leemoor]

This is from Winamp.com... Probably not exactly what the "worm" says is there as a security flaw, but even so...

"Some people just have too much time on their hands. Looks like someone out there discovered how to make programs crash by screwing around with the id3 tags in music files. We have taken measures to block anyone from taking advantage of you by adding a few security fixes to both Winamp 2.81 and Winamp3.
We would like to say that these builds have new features but in actuality they are the same versions of the programs that you already know and love. However, to be fully protected, we suggest that you download the latest versions of them from our site right away.

If you haven't downloaded Winamp since 12-17-2002 then you are vulnerable to the security exploit. "

graspee

What's the worm?

[phorm]

40% of this probably counts all the copies of Brittney Spears and Backstreet Boys songs squirming across P2P, often masquerading as different files. Personally, I'd rather take a real virus than these - an Antivirus can find trojans but none of them seem to have a feature to detect boy/girl-band of the moment type audio files.

Re:The RIAA as a terrorist organization

[orangesquid]

Yes, it *is* the artist's choice. Artists get to choose from one of three options:
(a) sell yourself to the RIAA,
(b) spend wads of cash letting people know you exist, or
(c) wither into oblivion.

Do *you* have wads of cash? No? Well, don't ever try to write music and expect anyone but your friends to hear it, then.

Some artists get lucky and get their name out via the Internet, or sign with an independent label.. but 90% of the artists you hear all the time are formerly-no-name guys that the RIAA noticed and invested in.

xmms running as root?

[gimpboy]

ok, so you exploit a buffer overflow in xmms, then what? how many people are running xmms as root? i'm kinda slow, so bare with my ignorance. how does a buffer overlflow in xmms give a "normal" user the ability to infect the operating system? how does one write a worm to infect multiple operating systems on multiple platforms efficiently? this sounds a bit hokey to me.

Gobbles??!?! Case closed - it's not real.

[schon]

This is not surprising, since it's clear that Gobbles does not like Theo, but it is significant if it is true.

Gobbles?

Jesus, then it's probably not real.. anyone remember his "security alert" about awhttpd? Basically, the "vulnerability" he described was Lynx retrieving the file from his local filesystem via a file:// URL-type.

A reply, showing just what an idiot this "Gobbles" is is here

Re:Gobbles??!?! Case closed - it's not real.

[EvilAlien]

Wow...

The security community needs more rational, intelligent minds like this, and less self indulgent halfwits like GOBBLES trying vainly to make names for themselves.

"Self indulgent halfwits"... I always thought they were a Security List Comedy group with the funniest code comments I've ever read, but if I need to change my BugTraq filter to point to the Self Indulgent Halfwit folder instead then I guess I'd better get to it.

Not to worry..

[iamabot]

If they have the same people securing their web servers as "infesting" peer to peer networks I don't think we have much to worry about.

Please view some screen shots from the last 96 hours.

http://iworktoomuch.com/images/riaa.com-download.j pg
http://iworktoomuch.com/images/riaa.org.jpg
http://iworktoomuch.com/images/riaa_tooled_again.j pg

rule breaker

[subgeek]

the world portrayed in this statement is not the world as it is now. it is the world that will be some day if entertainment companies don't figure out a way to give the customer a better reason to buy their products. legislation will not make consumers want to buy content they don't think is worth money. people buy DVDs and video games more and more all of the time. unlike VHS, DVD has extra features. something extra was given to the buyer to make it worth the higher purchase cost and increased copy protection. the video game industry continues to flourish because it continually strives to make new, different products (at least visually) and it has kept up with copy protection over time. there is some degree of copyright control, but the consumer has also been taken into consideration.

the RIAA and the MPAA dropped the ball and now want someone else to clean up their messes. let them clean it up. don't allow any industry to become vigilantes protecting its own interests. banks are not allowed to hunt down suspects in robberies. it would be a terrible precedent to set.

these "free" copies being distributed on the internet are lower quality than the originals they come from. if the free stuff bothers the industry, the industry should give consumers a reason to buy original copies other than, "we want you to." put DRM all over it. require new players, whatever. but make sure the consumer has incentive to accept all of that. do not bite the hand that feeds you. the industry feels cheated. if consumers didn't feel cheated by what they are offered, they wouldn't go looking elsewhere for free alternatives. if the content were compelling, people would pay for it.

THIS IS A HOAX - EVIDENCE TO FOLLOW:

[Featureless]

What makes this hoax so good, if it is a hoax, is how utterly plausible it seems, even to a well-trained engineer. The only things that don't fit, actually, are their announcement, as many have said, and a small detail about application signatures, which I'll get to in a minute.

If their request looks like a regular query or other baseline P2P activity, it will be like finding a needle in a haystack the size of the empire state building to discover it by packet sniffing.

It gets worse. Fasttrack is encrypted over the wire. If anyone has the keys besides its creators, they're keeping quiet about it. You can't even sniff it, let alone begin the impossible process of distinguishing a few spurious bits of baseline-appearing activity (which could use the very nature of the network itself not to always be directed towards a specific host or set of hosts).

Talk of being protected from this by Symantec or another AV vendor is just talk. There is no mention of protection against this or any similar worm in the published databases. Generally these AV systems can only protect you from A) things they know about, and if we can't find this, neither can they, and B) things that might do harm, i.e. "You didn't just select the Format option, did you?" Further, there is nothing saying these guys would take our side over the RIAA's if there were a dispute about what was a virus and what was "legitimate." Especially if there were a hefty bribe on offer.

The government is not prosecuting over 99% of the people involved with Enron, and those guys turned the lights off in California. What makes you think they'll bite this particular hand that feeds them either?

Protection from personal firewalls is more tricky, and this is where the implicit proof that this is a hoax lies. Most personal firewalls are very dumb - they grant blanket permissions to an application, or not. A few will go farther (like Agnitum's excellent but utterly unstable product) and authorize only specific kinds of activity (so authorizing Winamp to call home to check for an update doesn't authorize it to call anyone else). But regardless, for P2P software, which talks to everybody, these firewalls basically just give up and let them do whatever they want.

But on the upside, almost all of them checksum the applications they are watching... so any virus/worm/whatever which attempted to modify your P2P software would immediately be detected and stopped. Hundreds of thousands of people would have noticed this worm, if it existed.

Hence, hoax.

Re:Want to be secure? Use systrace...

[Styx]

See this mail, this chapter and the rest of the NSA paper

Saying that NSA has characterized Systrace as flawed is wrong, IMO.

Entirely possible. Here's how:

[lynx_user_abroad]

Shoot me down if I've missed something.

Clearly this is a contrived hoax.

Nevertheless, it could be instructive to consider the implications of how this could be accomplished. In doing so, we could establish a baseline and get a sense of things to look for if an exploit of this type were to be produced in reality.

Here is how I would create such a system, with an effort to address the many problematic areas pointed out by other readers. I invite all criticism.

1) A system can be created, using p2p protocols, to build a database of known infringing hosts. You simply ask p2p hosts for copyrighted files and make a note of what you get.

2) At a specific time, trigger a latent feature of software on the infringing hosts to expose personally identifiable information tying the infringing host to an infringing user for prosecution. This could be triggered by something as innocent as a remote system requesting an otherwise non-existant file with a special "trigger" filename.

3) The exposing feature would only be triggered on those hosts which have already been proven to be serving infringing material, only on those hosts which are within the requisite jurisdiction, and only after the proper warrants (authorizing the search) were secured. The information would simply not be requested from non-infringing hosts, or from hosts where the proper legal access could not be obtained. This should addresses any "illegal search" concerns.

4) It would be legal for a p2p client manufacturer to willingly include such a latent feature within their pre-compiled binary. This represents an "infection vector" which would not be detected by any virus scanning, or by looking for modifications to executables. Other infection vectors, such as the proposed MPAA "worm" would be technically possible, but likely untenable in a legal sense. The "infection vector" need not even be associated with the p2p application, a 3rd party DLL or service pack could provide an infection vector even on systems which use "historical" (existing prior to the development of this system) or open-source p2p client applications.

5) Since no "out of the ordinary" information would be sent until the moment the feature was triggered, network analysis would not detect the latent vulnerability. The only hint of a system compromise in this fashion would be the analysis of the date sent in response to a request for this non-existant file. Encryption could be used to obfuscate even that.

6) Since the p2p client has already been proven to be capable of sharing files with remote systems, no possible configuration of firewalling (or similar technology) would prevent the transfer of the requested personally identifiable data to a remote requesting system, provided the requesting system masqueraded as a simple p2p client requesting a willingly shared file..

7) The latent feature would be technically capable of performing any action the owning user is allowed to perform, inclusing relaying personally identifying information, compiling a list of all files on the system (or just those which are being illegally published), or any other action. In actuality, I suspect the latent feature would be only a stub allowing a more specific payload to be downloaded. This would allow the eventual exploit to collect only that information for which legal authorization to collect exists. This also allows the exploit to be developed for a specific hardware/os configuration. Most importantly, the development need not be done before this system is set up. Specific development could be performed up until the instant when the exploit needs to be delivered.

Such a system would, I believe, meet all the criteria of respecting user privacy, and acting within existing legal framework, while providing the access vectors which the proposed "MPAA worm" claims to offer.

No, I'm not really happy about what I've just written. Please shoot me down.

Never buy another again

[Mr.+Fred+Smoothie]

Is exactly what I will do if legislation like Berman's and all of the other stupid, dinosaur-Entertainment-cartel-protection-racket legislation passes.

As a professional in the IT industry and as an American citizen (NOT CONSUMER!), I care so much more about the usurpation of the American political process by and transfer of control over my rights regarding my personal property to big (mostly global) corporations than I do about what you mischaracterize as "piracy" -- piracy is commercial activity, passing out tapes for free on the streetcorner is not, and may even be protected under the Audio Home Recording act -- THAT I SIMPLY WON'T SPEND ANY MONEY ON ENTERTAINMENT AGAIN!

Read this, Rep. Goodlatte -- if that is really who you are -- over the past 5 years my income has been significantly higher than the national mean, due to my profession. I have spent an enormous amount of money on entertainment, computers and consumer electronics.

But with each step further into my home that the Entertainment industry attempts to exert power, my consumption has dropped and will continue to.

I do not, AND WILL NEVER own a DVD player thanks to CSS, region coding and other corporate attempts to control my private behavior.

I do not, AND NEVER WILL own an HDTV thanks to the broadcast flag and rules and legislation being proposed which seem to be designed to make things like the Linux computer which so empowered me (by, for instance, providing me with a learning platform which I used to leverage myself into this income bracket in the first place) illegal.

When ALL TV broadcasts are digital and protected, I won't be watching TV, and I'll just be one high-income but UNREACHABLE to advertisers "permanently potential consumer" thanks to you. Ask GM, Proctor and Gamble, and Pepsico how they feel about that. I will also be unable to view your campaign ads or those of like-minded fools who run for office in my district.

When ALL movies are only rentable on DVD (about 50% are only on DVD at my local Blockbuster now), I'll stop renting movies, AND MPAA MEMBER COMPANIES will stop receiving that much more of my large income -- as a frame of reference, I currently rent about 3 movies a week. By then, maybe even my wife will be so incensed that I'll be able to convince her of what I've been unsuccesful at convincing her in the past -- that we should stop going to movies alltogether.

If it gets to the point where music is only available on media or devices that are likewise crippled, I'll DISCONTINUE ALL MUSIC PURCHASES. I've already greatly curtailed my previously prodigious music buying behavior due to my outrage at this whole DRM regime bullshit.

And you know what? That's all fine by me. I own a guitar and a computer that can record music; I'll make my own music, and probably even give it away -- PROBABLY BECOMING ONE OF JUST MANY PROVIDING COMPLETELY FREE COMPETING PRODUCT for "consumers" to choose over that of your corporate pimps.

I have friends who own conventional and digital flim equipment.

I have a computer with which to compose and disseminate my views.

Unless you plan on making all means for individual citizens to produce their own entertainment and their own news media, you'll eventually fulfill the exact opposite goal of all this legislation; you'll help impoverish the very companies you're trying to protect. Let's see if they continue to fund your campaigns then!

Our forefathers died for (and grandfathers fought world wars for) freedom, NOT FOR DISNEY!

But I guess you can't tell the difference.

Re:Never buy another again

[Mr.+Fred+Smoothie]

You're willing to bet $1000 that I care more about seeing every crease in Hugh Grant's smarmy grin than our democracy? If Representative Goodlatte actually wrote that post, our democracy is in serious danger. So much so that I think it's nearly fair to say that it's a complete sham.

I have not been this disillusioned with American politics in over a decade.

I switched parties (from Independant to republican) so I could vote for McKain in the primary in my state, only to have the corporate-and-soft-money machine of the Bush campaign screw him in South Carolina before my state's primary even happened.

Now, McKain/Feingold has passed, and the corporatae stooges at the FEC gutted it. I'm willing to wait a couple of years to see if McKain succeeds in his vows to go to court to overturn the FEC's rules as obvious executive flouting of Congress's power, and to fight to have the FEC commisioners replaced with people with even a shred of integrity.

In the meantime, you can keep up your anonymous posting lamely equating your brand of limp-dick cynicism with growing up to like asparagus. People like you not only piss me off, but are fucking up our country bigtime. Nobody even vaguely remembers what the word "sacrifice" means anymore, apparently.

If shit doesn't start to get better, I'll not only stop buying the corporate crap that has apparently come to be our country's entire raison-d'etre (rather than individual liberty): I'll refuse to work or contribute positively to our economy at all; I'll agitate for a general strike; I'll hoof it all over this fat, lazy country to help save it from its complacent self by contributing time to the campaigns of any political candidate I can find with some integrity and vision; I'll do everything legal in my power to disrupt this whole stinking, corrupt system, to deprive these cynical "this Lear jet is my bonus for laying off 30,000 workers at a time of record profits for my company" evil scumbags of their livelihood. Get it?

Make your bet, but you'll lose your $1000.

Re:Resume buying CDs

[MickLinux]

You said that you will never buy CDs again.

Let me suggest something: go to any New Year's Eve "First Night" event (Williamsburg, VA has one, for example. So does Charlottesville, Harrisonburg, Norfolk... but I think they're nationwide).

Take a bunch of money with you (the ticket only costs $7, and you'll be able to go to 5-8 shows before the evening's fireworks). Buy CDs -- they'll have been produced by artists too small to get or want RIAA representation. They'll have been hand-produced, essentially. If you hear something you like, then buy it. *Ask* them if they mind you sharing over P2P or internet radio -- they may actually say "Please do."

I think I remember buying something from a group called "Trapezoid". But the group wasn't half as good as the woman and husband team that relaxed from playing by doing performance art. As befits a family event, it wasn't pornographic performance art, either. One performance was a story about her mother's wedding hat; another was a story about her father's singing lessons. *Extremely* entertaining.

But go ahead and buy CDs. Just don't buy RIAA CDs. They aren't worth listening to, anyhow [unless it's classical or jazz... but you still can find good stuff elsewhere].

You are forgetting something

[Audacious]

First, every time we buy a blank CD, DVD, VHS, or even audio cassette tape we are helping them out. There is a tax which we, in the US, pay every time we purchase any of the above. We also pay it every time we buy a radio, TV, or even a computer. So - we lose.

Every time we rent a CD, DVD, VHS, or even game cartridge - we are (again) paying this tax. So we lose there also.

Should we buy a book, a script, magazine, newspaper, or the like we are probably still paying this tax. So we've lost again.

Finally, even if everyone in the US refused to have anything else to do with the RIAA or MPAA they are still powerful enough to have new laws passed. As in "Atlas Shrugged," by Ayn Rand, if they can not take our money legally - then the thing to do is to change the laws so they can take it legally. After all - laws are nothing more than rules by which we play and those who have the money usually get to make the rules.

Sorry if this shocks anyone but the truth is that it is only because we respected each other, had a unified common sense approach to things, a scrupulous populus, and the knowledge that if you did wrong you would be held accountable for it - that we have made it this far. The "Anything goes" way of looking at things, not holding people's feet to the fire for doing something wrong, and (as bad as it might seem) not being willing to put to death those who really are doing terrible things to others (like Enron's execs who have ruined hundreds if not thousands of people's lives) that has caused us to come to this. What these people are doing is, IMHO, treasonous. Look it up. The act of "Treason" is where two or more groups (whether they be people, organizations, corporations, or whatever) attempt to remove the rights of their fellow citizens. According to the texts it is their "intentions" which merit this stamp So ask yourself this - what are their intentions when they attempt to force upon you their yoke of slavery? What are their "intentions" when they try to sneak, like theives, laws into Congress which remove our rights and preserve or expand upon their rights. What are their intentions? Those intentions are to take away your rights.

Now, someone will probably say "You don't go around killing people just because they are trying to get laws passed." That's true. You don't. Normally. But this is different. It is different because they are not trying to get laws passed for the betterment of mankind or to right an injustice. No. They are trying to twist the laws and our country (Heck! The world even!) to their needs. To enslave it. To enshackle it to their beliefs. Just like some religious cults have tried to enslave others to their will. It is an evil thing to do and it will have terrible consequences if it is allowed to endure.

Even if they were only brought up on charges it would shake up the corporate world enough that many things companies are beginning to attempt to do through the rewriting of our laws would be stopped. Companies would think twice about trying to change laws so they benefit only them and remove our rights. Which brings up - why do groups think they can get away with this? The answer is - they have in the past. The difference is the internet. Whereas before there was this huge time lag between when something happened and when we knew about it - now it only takes hours or minutes for word to be sent and a transgression found out. The problem is still though the complancey of many of the people in our country. "Oh! I might get involved." some whine. "I don't have the time." another chats. "It's not my place." a third comments. If you don't stand up and write your congressmen/women then you are already shackled. You already bear their mark. You already curl up at their feet, lick their hands, and eat the crumbs they throw to you.

So as always the question is - what are you going to do about it? Wallow in the filth on the floor or write and demand that these groups stop trying to infringe on your god given rights!

Well...

[autopr0n]

There's no way that anything can modify your files if you've gone in and change the permissions, even if you have admin privs (of course, if you do have admin access, you can change the permissions back again)

If you're doing it over a network, there's no chance to change anything, unless microsoft actualy included exploit code in there software, and then never patched the exploit (which I doubt)