Slashdot Mirror


Anti-piracy Vigilantes Tracking P2P Users

brevard writes "From SecurityFocus comes news that a pair of coders with a deep hatred of software pirates have gone public with a months-old experiment to trick file sharers into running custom spyware they wrote that scolds users and phones home to a server. They circulated the program disguised as sought-after downloads like Unreal Tournament 2004 and Microsoft source code, and they have a website that updates in real time whenever someone executes it. They've logged IP addresses for over 12,000 'pirates' since January. The EFF says the vigilantes may be committing a crime."

24 of 864 comments

  1. Trojans by myownkidney · · Score: 5, Insightful

    That's what they are essentially spreading. Their asses should land in jail as soon as possible.

    1. Re:Trojans by s20451 · · Score: 5, Interesting

      Yeah, that's rich. They have a log of everyone who received a copy of their cracked software. Guess who gets that information in a deal with the Feds?

      Actually, I think this is pretty clever.

      --
      Toronto-area transit rider? Rate your ride.
    2. Re:Trojans by plugger · · Score: 5, Insightful

      I'm not so sure. The file was freely downloaded from their machine by others, who then passed it on. OK, the software they offered has different functionality than the victims expected, but that could apply to any program that 'phones home' without the user's knowledge. As soon as the downloader opens the file, it declares its function on the screen. If this is illegal, so are the likes of Bonzi Buddy.

    3. Re:Trojans by TykeClone · · Score: 5, Funny

      Then please (oh please!) let them be illegal!

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    4. Re:Trojans by bcolflesh · · Score: 5, Interesting

      I wonder if his desktop software product also contains trojan code?

    5. Re:Trojans by Tony+Hoyle · · Score: 5, Interesting

      If any of their victims were in the UK they have committed a crime - unauthorised modification of data on a computer - which carries a 5 year jail term.

      So if the US don't want to prosecute them there are extradition treaties to fall back on...

  2. Obligatory /. effect comment by tweakt · · Score: 5, Funny

    "...and they have a website that updates in real time whenever someone executes it."

    Yeah, not for long...

    1. Re:Obligatory /. effect comment by frs_rbl · · Score: 5, Funny

      A mirror here

      --
      This is not my opinion. Actually, it's not even an opinion. And I'm nowhere to be seen near it
  3. Hearsay and Slander by PeeAitchPee · · Score: 5, Interesting

    Who's to say these guys aren't mixing in IPs of people, who, for example, might have flamed them on message boards? I'm sure their end game is to get a job offer from the RIAA and MPAA . . .

  4. Where's the Mac version??? by Mononoke · · Score: 5, Funny

    Once again, Mac users are left out of all the fun.

    Dang it!

    --
    NetInfo connection failed for server 127.0.0.1/local
  5. Re:which crime? by Anonymous Coward · · Score: 5, Funny

    Out of curiosity, which crime would they be committing?

    The same crime we commit every night, Pinky...

    TRYING TO TAKE OVER THE WORLD!

  6. To me this seems basic... by mobiux · · Score: 5, Insightful

    They say they are tracking software pirates.
    But real pirates don't use p2p apps for warez.
    That's kiddie crap.
    More like they are tracking 14-year-olds with a cable modem.

    Try IRC, now if they could track that, it'd probably blow their minds.

  7. Yes, but watch out for hypocrisy... by BenSpinSpace · · Score: 5, Insightful

    I believe most of us feel angry when reading about these vigilantes. I know I do. However, I would encourage all of us to remember that if these vigilantes were, say... tracking down spammers... then we would be ecstatic.

    Yes, I'm aware that there's a difference between pirates and spammers. But keep in mind that the RIAA probably sees P2P users the same way that we see spammers. Annoying, a growing threat, and obsessed with large penises.

  8. The real problem is... by Anonymous Coward · · Score: 5, Insightful

    I don't much care one way or another about the issue of going after software pirates, as there are some major assholes on both sides of the issue. But the problem with this approach is that if there are bugs in the antipiracy software it could end up screwing up a lot of people's systems and causing major expense and loss of time and effort. Moreover, it looks like people could convert this into intentional malware by renaming it, so that someone looking to download freeware documents on, say, the history of microprocessors, could end up with this crap on his machine. So I object strongly to the means, though I am ambivalent about the intent.

  9. Re:Well, their server *did* update in realtime... by flimnap · · Score: 5, Informative

    Their results page simply lists the following info--

    Average time wasted: 12.888078236572 Seconds
    Total time: 1383.75 Minutes
    Hours: 23.0625 Hours
    Operating for: 928.40555555556 Hours

    Then there's a big table full of entries like this (reformatted to make it easier to view here)--

    ID: 6442
    PID: 3578
    FPID: 1
    Date: Mar 19 2004 07:42:53AM
    IP: xxx.xxx.xxx.xxx
    (Well really, let's not pick on one person ;)
    Location: Germany
    Run time: 17
    Filename: Unreal Tournament 2004 ALL VERSIONS KeyGen Crack (1).exe

    The site continues in that vein for some time... fascinating stuff.

    My thoughts: Software piracy is bad, m'kay, but two wrongs don't make a right!

  10. Here's another question... by clifgriffin · · Score: 5, Insightful

    For those of you attempting to probe the moral questions of this project.

    What if my software, downloaded with no warranty from Gnutella, displayed the weather conditions in Kenya?

    I'd have their IP, and I could even safely retrieve the ID with legitimate pretenses.

    However, since my software rebukes the downloader for downloading a file that appeared to be a crack, it is a Trojan and a danger to the peoples of the free world.

    Just a thought.

    1. Re:Here's another question... by flewp · · Score: 5, Interesting

      2. The software acts within the confines of its own entity. The program does not compromise their system in any way, shape, or form. Every action it performs it performs solely for the purposes of logging an event. We are not in this to compromise downloaders' systems, only to learn a little bit about who they are. It's a social experiment.

      Let me ask you something, if you went to install something, say what you thought was the google search bar for your browser, and instead found out it was giving out information, wouldn't you be a bit pissed? It's doing something other than what was intended. Sure, the software you're replacing might be illegal, but nonetheless, my point still stands.

      --
      WWJD.... for a Klondike bar?
  11. Re:Vigilante by 68K · · Score: 5, Insightful

    It is a Trojan - it doesn't have to do anything malicious, just something that is blatantly NOT what its description (filename in this case) suggests. And you're capturing data from the users that run it, so it could be argued that it is in fact malicious.

  12. Re:which crime? by Anonymous Coward · · Score: 5, Informative

    which crime would they be committing?

    Electronic trespassing. Making use of system resources that are not theirs. Stealing electricity, hard drive, memory space and performing unauthorised network communications. Crackers have been put in jail for much, much less than the above.

    If they were disguised as codes for games like Unreal Tournament 2004 - I also imagine Epic games would have something to say about them:

    (1) Distributing what is effectively a virus using the Unreal name.
    (2) Taking the law into their own hands without the permission of the copyright holders.

    Only the copyright holder can determine 100% if distributing such codes is illegal. There are circumstances where wanting a new code is legitimate (loss of the manual, living in a country where the game is not available at retail). However, I'm fairly sure that Epic has the ability to remotely de-activate codes that were being illegally distributed (with the game validating your code with a central server before you're allowed to play online) - they already have a system in place for dealing with people spreading codes.

    Doubtless Epic wouldn't want to piss off potential customers by having a virus associated with them. And you bet your bottom dollar that the cracking groups are going to attempt to fight back and double their efforts to produce working codes now (if they've not done so already).

  13. Re:Vigilante by biobogonics · · Score: 5, Interesting

    As clifgriffin, I speak for myself when I say that "vigilante" is not a word we ever claimed. We aren't raging against internet piracy or p2p. We're just doing a social experiment...to see how a program spreads, who downloads it, etc...

    Just like Robert Morris did in 1988?

  14. Server hosed by yknott · · Score: 5, Informative

    Behold: Walk the Plank and Operation Dust Bunny
    Note: Due to responses by certain detractors, we've updated our legal section (again) to further clarify our stance.

    Apparently, this is becoming more and more newsworthy. Security Focus called today and interviewed me. Here is the resulting article: http://securityfocus.com/news/8279

    At the start of this year, we (Justin and Clif, Clif and Justin) decided to start a new project. We declared war on illegal file sharing and pirates. The goal was to waste their time and bandwidth while tracking them and how the file moves around.

    Results Pages for the Impatient: Walk the Plank Status Page | Dust Bunny Status Page

    Walk the Plank, You Pirates!

    The first version of this was more-or-less a test to see if it would work. We created a program in C# that would pop up a message scolding the user. When the program closes, it would "phone home" to our servers, giving us the filename, how long the program ran (run time), and their IP address. We entered the information we collected into a database.

    We copied the binary then renamed it to a bunch of warez-like filenames that we found via Jigle.com and searching different P2P networks. We put it up on the Gnutella file sharing network and waited. Within minutes, we had downloads. However, we didn't have entries in the database. The next day we came to the conclusion that people didn't have .NET installed and thus couldn't run the C# binary.

    So we rewrote it in C++. Once finished, we replaced all of the C# binaries with the C++ binary. Again within moments, we had downloads and this time we have entries in the database. Goes to show the penetration of .NET.

    After about two weeks, we noticed something: The file was spreading without our help. We stopped sharing after we realized this and the file kept propagating, and propagating, and propagating. In no time flat, we wasted over 16 hours of pirate time.

    Screenshot: (Top: WTP, Bottom, ODB)

    The Next Step: Operation Dust Bunny

    The original idea we had went beyond simply logging filename and run time. We wanted to track who got what file from who. So a month after WTP, we wrote Dust Bunny. It was a two-binary system that would read the Pirate ID (PID) encoded in itself, send it to a server, then grab a unique PID returned from the server, and rewrite the ID that is encoded in the binary. Using this information, we could see who got what binary from who.

    Written with one person using Visual Studio 2003, another using Dev-C++; one binary in C++, the other in C; and only one person knowing how to code in either language. It was a challenge since the "rabbit" (the GUI program) had to include the "eye" (the program that contacted the server and rewrote the rabbit) for execution. Plus the eye needed an offset that could only be gathered once the rabbit was compiled with eye included. Thanks to TightVNC and a lot of trading of information, we got through it.

    Just to be safe, we added a "kill switch" to the eye. If the server returned a special ID number, the eye would delete the rabbit. This way, in case it got out of control as WTP did, we could stop it. Also, if someone renamed it to a filename we didn't like, we could add that filename to the "evil filename list" on the server.

    After it was completed, we replaced all the binaries with the new version. Once again, they started to be downloaded instantly. The next day, we already had redistributions -- someone downloaded a copy from someone other than us. We could tell since we were logging the PIDs. It didn't take long until we had multi-branch trees of pirates.

    We decided after one month's time of sharing Dust Bunny, we'd stop and let it propagate on its own. That marker was around March 9th, 2004.

    Current Status

    By now, WTP has racked up over 62 hours in wasted pirate time. Dust Bunny is well on its way with 20 hours. Dust Bunny has around 3,500 unique pirates and over 6,200 ex

  15. Let me take the following example by Kjella · · Score: 5, Interesting

    Say an idiot employee downloads & runs this crack/warez/whatever at work. Unauthorized and all that, but that's his ass. Now, this software is reporting home to somewhere. Let's assume the idiot's sysadmin finds out. The employee might get sacked, but who do you think will get charged with hacking (cracking) the corporation's network?

    You got it. Just the costs of verifying that it DIDN'T do anything else, didn't alter or delete any of the data on the computer, didn't transmit any of the potentially sensitive data and (if paranoid enough) rebuild the system is going to rack up to quite a bit.

    If they give them one count of hacking for each machine on their incredibly self-incriminating list, I imagine even the minimum penalties would add up to life. So I would be very worried if I was them...

    Kjella

    --
    Live today, because you never know what tomorrow brings
  16. Re:Illegally distributed software by David+McBride · · Score: 5, Insightful

    You've missed the point of the argument. The argument is that intentionally distributing trojan code for installation on machines you don't own or control is a crime; in the UK it would fall under the Computer Misuse Act. That's bad, and you can be charged by the state and put in jail for committing that crime.

    Whether or not the end-user is doing something legally / morally wrong by downloading what they believe to be material under copyright to which they have no permission to use is a completely independent discussion.

  17. Hah, this is funny. by Ketnar · · Score: 5, Insightful

    Can you spot the shoot-self-in-foot-notes?

    1. No data is collected by our software that isn't already collected when our software is downloaded. The only personally identifiable information that we have would be the executer's IP address. However this information is freely available at time of download and is completely public information.

    Uhm, wait, but collecting IP addys is data. And you also collect what file they were trying to download, and where/who they got it from? I'd say building a track list of a 'social' network of where a file goes and by how/whom is plenty of data.

    I'm sorry, but that's a load. Get a better legal advisor, next!

    3. We disagree with the notion that this is a "Trojan".
    A trojan horse gains access to a system through deviant methods. Not through user initiated downloads on a P2P network. Secondly, a trojan horse by definition has a payload or attempts to give the author access by working from the inside. Our program is absolutely dormant unless specifically and purposefully executed by the downloader. And the program is riddled with cues to what the contents might be. For instance, the company name is "C.R.A.P. Citizens Raging Against Pirates". Not what you'd expect from a "legitimate" crack or keygen.

    Okay, let's see, it's not a trojan, yet it's a trojan. It's not a trojan because it comes from a p2p network, and not ..what, outlook? Got it! Thanks for clearing that up!

    Okay, great idea, really, very funny! But WTF are these guys going to do with all this when, say, MS steps in with a great big legal order of doom saying 'we want to know everybody who thought they were downloading the windows source code'? Are these people even thinking that far ahead?

    And I love the broad thinking that anybody downloading a keygen is a pirate. What, these guys never lost a CD key before? Yesh. Get a grip kids.

    Points for some very creative programming, but they lost points for not finding something better to do and not thinking a few more feet ahead of them.

    --
    My new top secret key -> C>N|KB