Anti-piracy Vigilantes Tracking P2P Users
brevard writes "From SecurityFocus comes news that a pair of coders with a deep hatred of software pirates have gone public with a months-old experiment to trick file sharers into running custom spyware they wrote that scolds users and phones home to a server. They circulated the program disguised as sought-after downloads like Unreal Tournament 2004 and Microsoft source code, and they have a website that updates in real time whenever someone executes it. They've logged IP addresses for over 12,000 'pirates' since January. The EFF says the vigilantes may be committing a crime."
Their results page simply lists the following info--
Average time wasted: 12.888078236572 Seconds
Total time: 1383.75 Minutes
Hours: 23.0625 Hours
Operating for: 928.40555555556 Hours
Then there's a big table full of entries like this (reformatted to make it easier to view here)--
ID: 6442 ;)
PID: 3578
FPID: 1
Date: Mar 19 2004 07:42:53AM
IP: xxx.xxx.xxx.xxx (Well really, let's not pick on one person)
Location: Germany
Run time: 17
Filename: Unreal Tournament 2004 ALL VERSIONS KeyGen Crack (1).exe
The site continues in that vein for some time... fascinating stuff.
My thoughts: Software piracy is bad, m'kay, but two wrongs don't make a right!
This can certainly be classified as a trojan. Being malicious or not has nothing to do with classifying a program as a trojan. The simple fact that you have a way to spread it and have implemented some form of call-home functionality in it is sufficient to classify it as a trojan. About being malicious or not, some may say that sending private information (like IP address) back home can be considered a malicious act.
Which crime would they be committing?
Electronic trespassing. Making use of system resources that are not theirs. Stealing electricity, hard drive, memory space and performing unauthorised network communications. Crackers have been put in jail for much, much less than the above.
If they were disguised as codes for games like Unreal Tournament 2004 - I also imagine Epic Games would have something to say about them:
(1) Distributing what is effectively a virus using the Unreal name.
(2) Taking the law into their own hands without the permission of the copyright holders.
Only the copyright holder can determine 100% if distributing such codes is illegal. There are circumstances where wanting a new code is legitimate (loss of the manual, living in a country where the game is not available at retail). However, I'm fairly sure that Epic has the ability to remotely de-activate codes that were being illegally distributed (with the game validating your code with a central server before you're allowed to play online) - they already have a system in place for dealing with people spreading codes.
Doubtless Epic wouldn't want to piss off potential customers by having a virus associated with them. And you bet your bottom dollar that the cracking groups are going to attempt to fight back and double their efforts to produce working codes now (if they've not done so already).
Behold: Walk the Plank and Operation Dust Bunny
Note: Due to responses by certain detractors, we've updated our legal section (again) to further clarify our stance.
Apparently, this is becoming more and more newsworthy. Security Focus called today and interviewed me. Here is the resulting article: http://securityfocus.com/news/8279
At the start of this year, we (Justin and Clif, Clif and Justin) decided to start a new project. We declared war on illegal file sharing and pirates. The goal was to waste their time and bandwidth while tracking them and how the file moves around.
Results Pages for the Impatient: Walk the Plank Status Page | Dust Bunny Status Page
Walk the Plank, You Pirates!
The first version of this was more-or-less a test to see if it would work. We created a program in C# that would pop-up a message scolding the user. When the program closes, it would "phone home" to our servers, giving us the filename, how long the program ran (run time), and their IP address. We entered the information we collected into a database.
We copied the binary, then renamed it to a bunch of warez-like filenames that we found via Jigle.com and searching different P2P networks. We put it up on the Gnutella file sharing network and waited. Within minutes, we had downloads. However, we didn't have entries in the database. The next day we came to the conclusion that people didn't have .NET installed and thus couldn't run the C# binary.
So we rewrote it in C++. Once finished, we replaced all of the C# binaries with the C++ binary. Again within moments, we had downloads and this time we had entries in the database. Goes to show the penetration of .NET.
After about two weeks, we noticed something: The file was spreading without our help. We stopped sharing after we realized this and the file kept propagating, and propagating, and propagating. In no time flat, we wasted over 16 hours of pirate time.
Screenshot: (Top: WTP; Bottom: ODB)
The Next Step: Operation Dust Bunny
The original idea we had went beyond simply logging filename and run time. We wanted to track who got what file from whom. So a month after WTP, we wrote Dust Bunny. It was a two-binary system that would read the Pirate ID (PID) encoded in itself, send it to a server, then grab a unique PID returned from the server, and rewrite the ID that is encoded in the binary. Using this information, we could see who got what binary from whom.
Written with one person using Visual Studio 2003, another using Dev-C++; one binary in C++, the other in C; and only one person knowing how to code in either language. It was a challenge since the "rabbit" (the GUI program) had to include the "eye" (the program that contacted the server and rewrote the rabbit) for execution. Plus the eye needed an offset that could only be gathered once the rabbit was compiled with eye included. Thanks to TightVNC and a lot of trading of information, we got through it.
Just to be safe, we added a "kill switch" to the eye. If the server returned a special ID number, the eye would delete the rabbit. This way, in case it got out of control as WTP did, we could stop it. Also, if someone renamed it to a filename we didn't like, we could add that filename to the "evil filename list" on the server.
After it was completed, we replaced all the binaries with the new version. Once again, they started to be downloaded instantly. The next day, we already had redistributions -- someone downloaded a copy from someone other than us. We could tell since we were logging the PIDs. It didn't take long until we had multi-branch trees of pirates.
We decided that after one month's time of sharing Dust Bunny, we'd stop and let it propagate on its own. That marker was around March 9th, 2004.
Current Status
By now, WTP has racked up over 62 hours in wasted pirate time. Dust Bunny is well on its way with 20 hours. Dust Bunny has around 3,500 unique pirates and over 6,200 ex
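To make the "multi-branch trees of pirates" concrete, here is an added example (not code from the Dust Bunny project or the site) that rebuilds a redistribution tree from log rows shaped like the results table above (ID, PID, FPID, run time, filename). It assumes, as the sample table entry suggests, that FPID 1 marks a copy fetched directly from the authors' own share and that each row's PID is the unique ID the server handed to that copy; the records below are constructed, and the orphan row shows how a chain breaks when a parent copy never phoned home.

```python
from collections import defaultdict
from dataclasses import dataclass

ORIGIN_PID = 1  # assumption: FPID 1 marks a copy fetched straight from the authors' share


@dataclass(frozen=True)
class Record:
    id: int        # row number in the results table
    pid: int       # Pirate ID the server assigned to this copy when it phoned home
    fpid: int      # "father" PID: the ID that was encoded in the copy it was downloaded from
    run_time: int  # seconds the program stayed open
    filename: str


# Constructed sample log, not data from the real site: two direct downloads,
# two second-hop copies from 3578, one third-hop copy, and one orphan whose
# parent copy (9999) never phoned home.
SAMPLE = [
    Record(6442, 3578, ORIGIN_PID, 17, "Unreal Tournament 2004 ALL VERSIONS KeyGen Crack (1).exe"),
    Record(6443, 3579, ORIGIN_PID, 5, "ms_source_leak.zip.exe"),
    Record(6450, 3590, 3578, 9, "Unreal Tournament 2004 ALL VERSIONS KeyGen Crack (1).exe"),
    Record(6451, 3591, 3578, 12, "ut2004_keygen.exe"),
    Record(6460, 3600, 3590, 3, "ut2004_keygen.exe"),
    Record(6461, 3601, 9999, 4, "ut2004_keygen.exe"),
]


def build_tree(records):
    """Index records by PID and build the parent -> children adjacency map."""
    by_pid = {}
    children = defaultdict(list)
    for r in records:
        if r.pid in by_pid:
            raise ValueError(f"duplicate PID {r.pid}: the server must hand out unique IDs")
        by_pid[r.pid] = r
        children[r.fpid].append(r.pid)
    return by_pid, children


def lineage(pid, by_pid):
    """PIDs from this copy back towards the origin; stops at ORIGIN_PID or at an unknown parent."""
    chain = [pid]
    seen = {pid}
    cur = by_pid[pid].fpid
    while cur != ORIGIN_PID and cur in by_pid:
        if cur in seen:  # defensive: a tampered binary could report a forged, cyclic FPID
            raise ValueError(f"cycle in lineage at PID {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = by_pid[cur].fpid
    return chain


def hops_from_origin(pid, by_pid):
    """1 for a direct download, 2 for a redistribution of it, ...; None if the chain is broken."""
    chain = lineage(pid, by_pid)
    last = by_pid[chain[-1]]
    return len(chain) if last.fpid == ORIGIN_PID else None


def subtree_run_time(pid, by_pid, children):
    """Seconds of run time logged by this copy plus every copy that descends from it."""
    total = by_pid[pid].run_time
    for child in children.get(pid, []):
        total += subtree_run_time(child, by_pid, children)
    return total


def summarize(records):
    """Headline numbers in the spirit of the status pages: direct vs. redistributed copies."""
    by_pid, children = build_tree(records)
    total_seconds = sum(r.run_time for r in records)
    return {
        "direct": len(children.get(ORIGIN_PID, [])),
        "redistributed": sum(1 for r in records if r.fpid != ORIGIN_PID),
        "orphans": [r.pid for r in records if r.fpid != ORIGIN_PID and r.fpid not in by_pid],
        "deepest": max((hops_from_origin(p, by_pid) or 0) for p in by_pid),
        "total_seconds": total_seconds,
        "average_seconds": total_seconds / len(records),
    }


if __name__ == "__main__":
    by_pid, children = build_tree(SAMPLE)
    print(summarize(SAMPLE))
    print("lineage of 3600:", lineage(3600, by_pid))
    print("seconds under 3578:", subtree_run_time(3578, by_pid, children))
```

The orphan handling matters in practice: a logging scheme like this only sees hops whose parent copy actually ran and reported in, so any count of redistributions is a lower bound, and a client that can edit the ID embedded in the binary can make the tree say whatever it likes.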
this is in no way a trojan as it does nothing even slightly malicious
You are tricking users into sending their personal information to you. This is a serious offense in Italy (where I live) and most of Europe. We take our privacy most seriously.
Furthermore, cracks are legal in Italy (if you own a registered copy), because it is considered wrong for companies who sell you the software to try and restrict your access to it. For example, Playstation mod-chips are perfectly legal (tested in a court of law).
So, you are actually defaming and violating the privacy of people who are in fact not pirates or doing anything illegal.
Thank you.
I don't stand up for it installing spyware, but if it just pops up a message with a black pirate flag and says you have been logged...the only thing that is harmed is the privacy of a criminal.
If they start using this information for blackmail...that is illegal!
No, unauthorized modification of a computer is a crime, in both the UK and the US (and probably most other developed nations' jurisdictions).
What we have here are felons (system crackers planting trojans on people's PCs) who are compromising the privacy of individuals who have committed civil offenses (copyright violations). The seriousness of the former crime is much greater than the seriousness of the crimes of their victims.
That having been said, the FBI has protected murderers who were on their payroll (including sending an innocent man to jail for the murder committed by one of their informants), who turned evidence against people guilty of far less. So the alluded to by others remains: given the current political climate the feds are likely to overlook the felonies being committed in the interest of pursuing the civil offenses being committed against their primary constituency, namely the copyright cartels.