Has the RIAA Wormed 95% of P2P Networks?

  • Remember (Score:5, Insightful)

    by lifechooser (446921) on Tuesday January 14, 2003 @09:24AM (#5079937)
    95% of networks is not 95% of files.
    • Re:Remember (Score:5, Informative)

      by Tim C (15259) on Tuesday January 14, 2003 @09:28AM (#5079961)
      Ah, but it's not "95% of networks", it's "95% of computers participating in p2p networks".

      That said, I really doubt the veracity of this. To me, it's more likely to either be a hoax by someone trying to get noticed, or scare tactics to get people to stop using p2p and delete their mp3s. It seems to me very unlikely that anything with such a high rate of infestation would have gone completely unnoticed.
      • Re:Remember (Score:5, Informative)

        by dohcvtec (461026) on Tuesday January 14, 2003 @10:22AM (#5080354)
        It seems to me very unlikely that anything with such a high rate of infestation would have gone completely unnoticed

        I wish I could agree, but from reading the article and the Bugtraq post, it seems that for now, all this thing really does is send the RIAA a list of what MP3 files you have on your system. It apparently doesn't destroy anything, and the post vaguely describes the method of contacting the RIAA as "specially crafted requests over the p2p networks." For both of these reasons, it may very well go unnoticed on many systems. It is unclear, however, what happens on machines with infected MP3s, but no P2P software.

        However, the post also goes on to mention that the OpenBSD release song MP3s on the ftp.openbsd.org server are/were supposedly infected with this worm, and that Theo De Raadt was none the wiser to this fact. This is not surprising, since it's clear that Gobbles does not like Theo, but it is significant if it is true.
      • Re:Remember (Score:4, Funny)

        by Markus Landgren (50350) on Tuesday January 14, 2003 @11:01AM (#5080670) Homepage
        Maybe it's "the equivalent of 95%" (about 20 real percent).
        • by dallask (320655)
          Let's not forget who we're dealing with here.... these are the same people who claimed confiscation of thousands of cdroms in a raid, when in fact it was just several fast cd burners.... their justification of the false numbers... These burners were really fast, thus they were equivalent to thousands of "Normal" cd burners...

          they probably just got it to run on a couple of systems and then multiplied that by the number of users on the p2p net.
      • by Nevermore-Spoon (610798) on Tuesday January 14, 2003 @11:54AM (#5081260)
        I download many mp3s via p2p, easily putting me in the 95%. I have zone alarm running on my P2P, and have never had any hits attempting to go outbound; with the latest versions of zone alarm, they can't merely mimic application names to get through. Wouldn't this BS be provable by someone out there monitoring outbound network traffic?.... I'm calling HS hoax

  • by pgrote (68235) on Tuesday January 14, 2003 @09:26AM (#5079946) Homepage
    No mention of whether this affects Windows clients/hosts or not. Any idea?
    • by Anonymous Coward on Tuesday January 14, 2003 @09:32AM (#5079982)
      Read the advisory written by Gobbles:

      Introduction:
      Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
      to invent, create, and finally deploy the future of antipiracy tools. We
      focused on creating virii/worm hybrids to infect and spread over p2p nets.
      Until we became RIAA contractors, the best they could do was to passively
      monitor traffic. Our contributions to the RIAA have given them the power
      to actively control the majority of hosts using these networks.

      We focused our research on vulnerabilities in audio and video players.
      The idea was to come up with holes in various programs, so that we could
      spread malicious media through the p2p networks, and gain access to the
      host when the media was viewed.

      During our research, we audited and developed our hydra for the following
      media tools:
      mplayer (www.mplayerhq.org)
      WinAMP (www.winamp.com)
      Windows Media Player (www.microsoft.com)
      xine (xine.sourceforge.net)
      mpg123 (www.mpg123.de)
      xmms (www.xmms.org)

      After developing robust exploits for each, we presented this first part of
      our research to the RIAA. They were pleased, and approved us to continue
      to phase two of the project -- development of the mechanism by which the
      infection will spread.

      It took us about a month to develop the complex hydra, and another month to
      bring it up to the standards of excellence that the RIAA demanded of us. In
      the end, we submitted them what is perhaps the most sophisticated tool for
      compromising millions of computers in moments.

      Our system works by first infecting a single host. It then fingerprints a
      connecting host on the p2p network via passive traffic analysis, and
      determines what the best possible method of infection for that host would
      be. Then, the proper search results are sent back to the "victim" (not the
      hard-working artists who p2p technology rapes, and the RIAA protects). The
      user will then (hopefully) download the infected media file off the RIAA
      server, and later play it on their own machine.

      When the player is exploited, a few things happen. First, all p2p-serving
      software on the machine is infected, which will allow it to infect other
      hosts on the p2p network. Next, all media on the machine is cataloged, and
      the full list is sent back to the RIAA headquarters (through specially
      crafted requests over the p2p networks), where it is added to their records
      and stored until a later time, when it can be used as evidence in criminal
      proceedings against those criminals who think it's OK to break the law.

      Our software worked better than even we hoped, and current reports indicate
      that nearly 95% of all p2p-participating hosts are now infected with the
      software that we developed for the RIAA.

      Things to keep in mind:
      1) If you participate in illegal file-sharing networks, your
      computer now belongs to the RIAA.
      2) Your BlackIce Defender(tm) firewall will not help you.
      3) Snort, RealSecure, Dragon, NFR, and all that other crap
      cannot detect this attack, or this type of attack.
      4) Don't fuck with the RIAA again, scriptkids.
      5) We have our own private version of this hydra actively
      infecting p2p users, and building one giant ddosnet.

      Due to our NDA with the RIAA, we are unable to give out any other details
      concerning the technology that we developed for them, or the details on any
      of the bugs that are exploited in our hydra.

      However, as a demonstration of how this system works, we're providing the
      academic security community with a single example exploit, for a mpg123 bug
      that was found independently of our work for the RIAA, and is not covered
      under our agreement with the establishment.

      Affected Software:
      mpg123 (pre0.59s)
      http://www.mpg123.de

      Problem Type:
      Local && Remote

      Vendor Notification Status:
      The professional staff of GOBBLES Security believe that by releasing our
      advisories without vendor notification of any sort is cute and humorous, so
      this is also the first time the vendor has been made aware of this problem.
      We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP

      Exploit Available:
      Yes, attached below.

      Technical Description of Problem:
      Read the source.

      Credits:
      Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.
      • by Xner (96363) on Tuesday January 14, 2003 @09:49AM (#5080099) Homepage
        5) We have our own private version of this hydra actively infecting p2p users, and building one giant ddosnet.

        Can you say "sue us please"?
        No business financed with actual money of actual shareholders will ever open itself up for litigation in such a manner. The due-diligence folks would grill them.

      • by i.r.id10t (595143) on Tuesday January 14, 2003 @10:03AM (#5080201)
        If this is the case and they are distributing a binary based on GPL code from xmms/mpg123/etc. then don't they have to release the source as well?
      • by taviso (566920) on Tuesday January 14, 2003 @10:28AM (#5080403) Homepage
        oh please, this comes from the same guy that brought you the Hewlett Packard 48 Series Calculators advisory [attrition.org].

        it's funny, laugh.
      • by Technician (215283) on Tuesday January 14, 2003 @10:32AM (#5080428)
        Doesn't anybody lock down critical program files by checksum checking anymore? At that infection rate, it should have tripped someone's altered file monitor. Then they would have been in the major A/V signature files long ago. That infection rate could not have been a secret very long. I have a bunch of program files that are always checksum'ed at startup. If they change, and I didn't change it, bootup is halted for system repair. Signature files are no longer enough. Virus like activity needs to be watched.
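Added example (not from the commenter above or from any product): a minimal version of the startup checksum monitor described in that post, in Python. It hashes a set of watched program files on a system believed clean, keeps the digests as a baseline, and later reports which files are unchanged, modified or missing. The three file names and the single appended "infection" byte are constructed for the demonstration; a real deployment stores the baseline where the monitored programs cannot write to it, otherwise whatever alters the files can also alter the baseline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the digest of every watched file. Run once on a system believed
    clean; everything else is checked against this, so keep it somewhere the
    watched programs cannot write."""
    return {str(p): sha256_file(p) for p in paths}


def verify(baseline):
    """Compare the current state of every baselined file with its recorded
    digest. Returns {path: 'ok' | 'modified' | 'missing'}."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_file(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario: three 'program files' are baselined, then one is
    altered by a single appended byte and one is deleted. Returns the verify
    report keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        watched = {
            "player.bin": b"\x7fELF constructed player binary",
            "codec.so": b"\x7fELF constructed codec library",
            "p2p-client": b"\x7fELF constructed p2p client",
        }
        paths = []
        for name, content in watched.items():
            p = Path(d) / name
            p.write_bytes(content)
            paths.append(p)
        baseline = build_baseline(paths)

        # Simulated tampering: append one byte to the player, delete the client.
        with open(paths[0], "ab") as f:
            f.write(b"\x00")
        os.remove(paths[2])

        report = verify(baseline)
        return {os.path.basename(k): v for k, v in report.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

Hashing the file contents rather than checking size or timestamp is what makes this catch a one-byte change; a monitor that only compares mtime is defeated by anything that resets it.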
      • by ManUMan (571203) on Tuesday January 14, 2003 @10:59AM (#5080642)
        How does their software know what media is illegal? If I have ripped my own collection of CDs so that I can listen to them when I want to using my PC, how does the RIAA know? Further, if I am not sharing those files, download a song just to listen to it then delete the file, why does the RIAA get to infect my PC with a virus? --JS
      • >3) Snort, RealSecure, Dragon, NFR, and all that other crap
        >cannot detect this attack, or this type of attack.

        But if it has infected "95% of all P2P participating hosts" then a few of us should be able to slap on a sniffer and simply look for the unauthorized traffic to prove if this is real or not. I personally don't trade over P2P so it won't do me much good, but there should be a bunch of you out there that could take this test.

        If the exploit really is sending out the volume of data it claims, it should be fairly easy to spot. I know he "specially crafted" the traffic to make this more difficult, but how sneaky can it be when a catalog contains a few thousand MP3s? If "all media on the machine" is cataloged but you're only sharing out a subset of that media then a delta in the traffic would be pretty apparent.

        The only thing I could think of that would make this really difficult is if the program sent the catalogs and then just stopped doing much until it was contacted or until a predetermined time. Solution: Attach a clean host with an infectable P2P client to your network with the suspected infected one. Make sure it has a HUGE catalog of music that isn't being shared to the P2P network. Then look for corresponding traffic.

        Sounds like a lot of work, I know, but as my dad always said, "it builds character." Or, I suppose, we could just sit around and say "I think it's true" or "I think it's phony" all day.

        TW
    • by Geertn (526524) on Tuesday January 14, 2003 @09:33AM (#5079994)
      On bugtraq, this was mentioned by gobbles, who also did the Apache and OpenSSH exploits. The signed message verification at hushmail says it is signed correctly, so I guess it's the real Gobbles. The scary thing is, GOBBLES always mentions something really unrealistic, but suddenly he proves it...... like the apache and openssh exploits... scary
    • by t0shstah (629986) on Tuesday January 14, 2003 @09:38AM (#5080027)
      Apparently the "hydra" uses exploits/overflows on a number of popular media players - including xmms, which is a Linux mp3 player and WinAMP, which is a Windows mp3 player. Therefore that would suggest it can infect multiple operating systems.

      More details including the original post can be found here [securityfocus.com].

      I still doubt the possible risk/effectiveness - or even that it's true though.
  • by mcbridematt (544099) on Tuesday January 14, 2003 @09:26AM (#5079947) Homepage Journal
    I wonder, if the RIAA sends a worm through P2P networks and shuts the networks down, can the RIAA representatives be charged with hacking? Besides, not all files on P2P networks are illegal.
  • by Anonymous Coward on Tuesday January 14, 2003 @09:28AM (#5079960)
    why all my porn has been changed to Hillary Rosen with a strap-on.
  • by Max Romantschuk (132276) <max@romantschuk.fi> on Tuesday January 14, 2003 @09:29AM (#5079964) Homepage
    Well a worm is a form of a virus, and it is a crime to create one... One would presume that the RIAA would not be stupid enough to try and play a vigilante.
  • by Etrigan_696 (192479) on Tuesday January 14, 2003 @09:31AM (#5079974)
    But there's definitely some sort of maliciousness out there. Grab a gnutella client and search for something - ANYTHING - and it'll likely show up as an mpeg of about 1.5MB. Typically it's one of three or four porn movies. Search for "Smoke Marijuana on the International Space Station" and you'll end up downloading a blonde chick dancing around in a red towel.
  • by dj28 (212815) on Tuesday January 14, 2003 @09:31AM (#5079979)
    The actual exploit was posted on buqtraaq yesterday. You can find it here. [securityfocus.com] That link has the original post from the group explaining what the exploit is, how the RIAA is supposedly involved, and it has the exploit as an attachment. Check it out and decide for yourself if it's a hoax.
    • by EricWright (16803) on Tuesday January 14, 2003 @09:47AM (#5080086) Journal
      The scary thing behind what was posted to Bugtraq is that it explicitly states that all digital media on the system is cataloged, and the list is sent to the RIAA. This assumes all digital media on a system is an illegal copy.

      Sure, if the worm comes into your system over a P2P network, there's a good chance that at least *some* of your mp3s are pirated, but there's no way to differentiate pirated mp3s and those you ripped/encoded from your own CD collection.

      I could easily see someone downloading a public domain work via P2P network, getting infected, and having their 40GB mp3 (ripped/encoded from legally obtained sources) library listed to the RIAA "for future prosecution."

      I love the whole guilty until proven innocent attitude here. Sounds like a bad "In Soviet Russia..." joke.
      • Correct me if I am missing something here, but isn't it a no-no to put your legally ripped-from-cd tracks into your "share" directory for others to copy? So if this worm goes cruising through your shared directories and finds copyright material, you're still in breach of copyright since you're basically giving away copies of these songs.
        • by Hellkitten (574820) on Tuesday January 14, 2003 @10:35AM (#5080454)

          isn't it a no-no to put your legally ripped-from-cd tracks into your "share" directory for others to copy?

          all digital media on the system is cataloged, and the list is sent to the RIAA.

          So what exactly makes you think it'll only search your shared folder?

        • It might be able to claim your P2P shares are for that purpose, but it's perfectly legal to put your MP3s on a server within your own house and then have all of your other devices access from a share on that server. It's being shared in a tech sense, but in reality it's transferring from one computer of yours to another computer of yours, so it's you-to-you and no copyright violation can happen there.
      • by FreeUser (11483) on Tuesday January 14, 2003 @10:49AM (#5080568)
        The scary thing behind what was posted to Bugtraq is that it explicitly states that all digital media on the system is cataloged, and the list is sent to the RIAA. This assumes all digital media on a system is an illegal copy.

        Yes, it does. And it shows what criminal, despicable, disgusting excuses for human beings work for, or with, the RIAA.

        Sure, if the worm comes into your system over a P2P network, there's a good chance that at least *some* of your mp3s are pirated, but there's no way to differentiate pirated mp3s and those you ripped/encoded from your own CD collection.

        All of my mp3 and ogg files are ripped from my own rather large, but no longer growing CD and Vinyl collection (because now I do not buy CDs, ever, nor will I, ever again). All of my avi's are recorded from my own television, my own animations, or my own media, and are not traded, ever. Indeed, none of my stuff is traded, ever.

        However, I did install gtk-gnutella in order to download the hilarious fan fiction Star Trek episode "Savage Empire", because the web site distributing the files had been slashdotted. A perfectly legal download, for which, if this story is true, these unlawful thugs have infected my machine.

        I have enough money, and the will, to pursue a very harsh lawsuit against these fucks if this story has any veracity, and if I am infected, and I will not hesitate to do so.

        "In Corporate Fascist America You and Your Data Belong to the Copyright and Media Cartels. Bend Over and Enjoy the Ride, Consumer."
  • by sboyko (537649) on Tuesday January 14, 2003 @09:32AM (#5079980) Homepage

    This is the original posting [securityfocus.com].

    Reading the posting, it seems unlikely.

  • by MImeKillEr (445828) on Tuesday January 14, 2003 @09:32AM (#5079981) Homepage Journal
    This [securityfocus.com] article may have more info that the one linked in the article.
  • worm code (Score:5, Funny)

    by macrophage (198249) on Tuesday January 14, 2003 @09:32AM (#5079983)
    Hey, I found a copy of the worm's code:

    RIAA - 0wn3d by.... ;p
    oooh riaa want's to hack Filesharing Users / Servers ? - better lern to secure your own server...
    Sorry Admin - had to deactivate ur accounts - they'll be reactivated after 2 hours

    greetz : Rage_X, BRAiNBUG, SyzL0rd, BSJ, PsychoD + all the others who want to stay anonymous :]
    wanna contact ? mailto:h4x0r0815@mail.ru

    Oh, wait, that was the RIAA's web page. Never mind!
  • Legally (Score:5, Insightful)

    by Hasie (316698) on Tuesday January 14, 2003 @09:35AM (#5080001)
    Where does this leave the RIAA legally? The bill mentioned in the article that would allow the RIAA and other copyright holders to crack computers to prevent piracy is not law yet. Does that mean that this would be regarded as just another worm with the authors being thrown in jail (like the authors of Love Bug and others)?
  • Nah. (Score:5, Funny)

    by llamalicious (448215) on Tuesday January 14, 2003 @09:35AM (#5080002) Journal
    I've got at least 7 mp3 downloads running right now and none of them appear to be infe($!$%. .AF0ERIAA.`/2#..-
  • Hoax (Score:5, Informative)

    by evilviper (135110) on Tuesday January 14, 2003 @09:36AM (#5080012) Journal
    I sincerely doubt that this is true for a number of reasons. First of all, if they were hired to write the software for RIAA, don't you think secrecy would both be part of the agreement, and be completely necessary?

    In addition, I find it hard to believe that all the antivirus companies are sitting on their collective asses, and completely missed an infection that is supposedly on 95% of computers that participate in P2P.

    Further, if anyone was to do something such as this, they would most certainly get in serious trouble for what is essentially a widespread, illegal, interstate wiretap.

    In addition, I'd just like to say that there is no reason to put much faith in Gobbles... As Theo said, he's more or less the next "fluffy bunny". If anyone can be said to have a severe ego problem, it is him...
    • Re:Hoax (Score:5, Insightful)

      by Zayin (91850) on Tuesday January 14, 2003 @09:46AM (#5080077)

      I sincerely doubt that this is true for a number of reasons. First of all, if they were hired to write the software for RIAA, don't you think secrecy would both be part of the agreement, and be completely necessary?

      Have you considered the possibility that they were hired by the RIAA to *claim* that they wrote the software, to scare people away from p2p networks?

      • Re:Hoax (Score:5, Insightful)

        by Zigg (64962) on Tuesday January 14, 2003 @10:15AM (#5080293)

        Have you considered the possibility that they were hired by a group who wants to make the RIAA look more evil (or perhaps are acting on their own), and the RIAA actually has nothing to do with it?

    • This would be a lot easier to swallow if the RIAA.org wasn't so blatantly easy to hack; then you could reasonably assume that the RIAA even knows a decent hacker, let alone contracts them.

      But seriously, let's say this isn't a hoax. Big Effing Deal. So the RIAA gets one day to make the P2P networks all DDOS themselves to hell. Yippie. That's just one day of interrupted service. Within hours of this hydra going off there will be virus definitions and patches from all the anti-virus vendors to fix the issue. And all of the software that is being exploited would also receive patches.

      Does anyone seriously believe that any significant percentage of P2P users are going to suddenly say "wow the RIAA has been right all along I better start paying for things" because they get exploited by Hilary & Friends?

      I mean seriously here, the dilemma is: a) Don't pay for anything and risk getting hacked by the RIAA *maybe* once. b) Pay for everything.
      Wow that's sure gonna be a tough choice for the P2P crowd. What an insane waste of money for the RIAA to even bother with this nonsense.

    • Antivirus (Score:3, Interesting)

      by artemis67 (93453)
      That was my first thought. If this is on the level, then anti-virus software should be catching it.

      After all the anti-virus attacks of the last few years, consumers and businesses alike have dumped a ton of money into anti-virus software. I find it hard to believe that a worm could get 95% penetration in this group.

      These hackers are just looking for some recognition, that's all.
  • 95%? Not likely. (Score:3, Interesting)

    by achurch (201270) on Tuesday January 14, 2003 @09:38AM (#5080024) Homepage

    I doubt you could get 95% of people on the Internet to agree on anything, much less taste in music, and even if this worm/virus infected every MP3 on a computer, 95% infestation seems really, really unlikely.

    On the other hand, this (worming P2P clients) has been talked about a lot in the past--and there are already viruses spreading via P2P, though the community seems to detect them pretty quickly--so I wouldn't put it past the RIAA to do something like this. Much less this Gobbles character; he's pretty infamous on the Bugtraq mailing list for trying to make fun of / piss off as many people as he can. (Incidentally, Gobbles is also known for overstatement, and as he was the one who stated the 95% figure in the article . . . well, you decide.) And it would of course be trivial to "phone home" to the RIAA with information about shared files on the computer.

    So while I could believe the existence of the worm, I seriously doubt the 95% infestation figure.

  • not sure (Score:5, Interesting)

    by Tom (822) on Tuesday January 14, 2003 @09:38AM (#5080032) Homepage Journal
    Forget the RIAA bashing, the Gobbles guys know what they do. That said, this is very un-gobbles from what I've seen from them in the past. Not the technology, but the comments in the source, for example. Then again, they're supposedly a large group.

    From the little info that is available, I'd give them a 50-50 chance that it's true. That would be interesting.
  • If It's True... (Score:5, Insightful)

    by E-Rock-23 (470500) <lostprophyt.gmail@com> on Tuesday January 14, 2003 @09:43AM (#5080055) Homepage Journal
    ...then it's an illegal act, period. Unless the Berman Bill is retroactive to a date prior to this supposed worm launch, it occurred before the bill is ever passed, and is illegal no matter what.

    This supposed worm disables functions of a computer. Therefore, it is malicious, as is anything that modifies system performance without the user's knowledge and consent.

    If this is true (95% infection rate? Doubt it), then we have one heck of a piece of ammo to use against the RIAA, if indeed they contracted this worm. The Price Fixing settlement, in that case, is just the beginning.
  • Dubious Legality (Score:5, Insightful)

    by Mr Guy (547690) on Tuesday January 14, 2003 @09:43AM (#5080061) Journal
    An exploit of this nature is of dubious legality

    Dubious? How is there any doubt? Assuming this passes the farmer test (it's not just bullshit in a bag), how can there be doubts it's illegal. At best, it's invasion of privacy. At worst, it's cyber terrorism as defined by the Patriot Act.

    The existence of a P2P client doesn't a criminal make, especially since the example given in the article by the l33t hacker is a perfectly legal file: the public MP3s (written to celebrate each OpenBSD release).

    It's junk, like the quad-browser yesterday.

    The biggest thing to fear is that the RIAA will use this to make up more numbers [guidance.net.nz].
    • by John Hasler (414242)
      > Assuming this passes the farmer test (it's not
      > just bullshit in a bag), how can there be doubts
      > it's illegal.

      There can also be no doubt that there would never be a criminal prosecution. The best we could hope for would be that the ISPs would file a lawsuit and get an injunction ordering them to stop.

      > The existence of a P2P client doesn't a criminal
      > make, especially since the example given in the
      > article by the l33t hacker is a perfectly legal
      > file: the public MP3s (written to celebrate each
      > OpenBSD release).

      The RIAA objects to the existence of such music: they make no money from it. Their goal is more ambitious than just stopping unauthorized copying. They want to make distribution of music outside their control impossible.

      > It's junk, like the quad-browser yesterday.

      Very likely.
      • by Sycraft-fu (314770)
        Oh you bet there would be criminal prosecution if this were real. See this isn't just something that deals with illegality on a federal level, but state and local too. You don't think there's at least one DA that would take the case? Or fine, assume that all the US prosecutors are unwilling to go after this (I find that highly unlikely); such a thing would have affected international computers as well. I can guarantee you other countries would go after this.

        No, if this BS were true, everyone involved would be in deep, deep shit.
    • by nolife (233813)
      Another thing..

      Retrieving a list of file names from someone should not be enough to prosecute them. I believe in order to prove you had a copyrighted file, the RIAA would have to download the entire file from that person and then listen to it to ensure it is what they thought it was. Nothing prevents me from creating thousands of fake files and giving them arbitrary names like "Metallica - Ride the Lightning.mp3". Having a file with this name is NOT illegal. I would also have to assume that the RIAA would have to provide some logs above and beyond what a P2P client has that shows where they got the file from and what time, maybe traceroutes and traffic logging? There are already tons of bogus files out there; whether they were planted or there by accident, there is a chance you have a file name that is not what you think it is. I find it odd they have the power to mail abuse@your.isp and get anything accomplished with that. You need solid evidence; you will not get arrested for having a file named i_tape_little_girls.mpg (although it may raise questions), but somehow you have less rights by having popular_song.mp3. It is obviously the corporate interests involved that this is heading where it is. You need solid evidence to support a violation of the law for everything else in the world except for proving copyright violations.
  • by evilviper (135110) on Tuesday January 14, 2003 @09:47AM (#5080081) Journal
    Currently, systrace is available for OpenBSD and NetBSD, but work is going on to make it available for Linux as well.

    So, any program you have that opens untrusted content (xmms, mplayer, mozilla, etc) can be run with systrace, and you can selectively enable certain types of activity all the time... disallow certain activities always, and be prompted for selective approval or denial of everything else.

    Even though I believe this to be a hoax, it's certainly true that it could be done, and something like systrace is needed to guarantee a bug in a program you run can't be used to take over your system.
    • Systrace is a nice toy, but unfortunately a flawed concept. There's a whitepaper from the NSA about the why, look on their selinux site (www.nsa.gov/selinux)
  • by tbspit (460062) on Tuesday January 14, 2003 @09:48AM (#5080090) Homepage
    to publish an mpg123 exploit.

    LOL
  • by altgrr (593057) on Tuesday January 14, 2003 @09:48AM (#5080093)
    ...they are breaching copyright law by distributing a copyrighted work, regardless of whether or not the exploit is included.

    The suggestion that the RIAA might be releasing files with exploits in is worrying on several counts. Firstly, it is an invasion of privacy for such a worm to be reporting back to the RIAA. Secondly, the RIAA, in taking the law into its own hands, does not deserve a hearing based on any evidence it so collects. Thirdly, the RIAA incriminates itself by being the illegal distributor of copyrighted works. Fourthly, the second and third points are likely to be ignored by the law.

    I'd certainly hope that this is a hoax - there is a far simpler way for the RIAA to get information on who's downloading files - put a bogus file out with a name conveniently misspelt, a few extra characters in or something in the ID3 tag. Do a search for this file, then View User's Other Files. Instantly, you have a list of what that person's sharing, you can download the file and get the IP address, find their ISP and deal with them. If that doesn't provide sufficient information to the RIAA in a non-incriminating way (you're agreeing to disclose the files you're sharing, right?), I don't know what does.
  • Hoax (Score:3, Interesting)

    by phreaknb (611492) <phreakinbNO@SPAMcomcast.net> on Tuesday January 14, 2003 @09:49AM (#5080103) Homepage
    This is a hoax. If you check the PGP signature, you can see that it isn't valid.
  • by anthony_dipierro (543308) on Tuesday January 14, 2003 @09:52AM (#5080122) Journal
    I'm sure if you are only sending/receiving legal mp3 files you won't run across this worm. And we all know that slashdotters never download illegal files.
  • by dmaxwell (43234) on Tuesday January 14, 2003 @09:53AM (#5080135)
    Assuming that the RIAA has created a p2p worm, wouldn't it be the height of stupidity to announce its existence? On the one hand they can generate some fear among p2p users and get a slight decrease in trading. On the other hand, if it really exists it is going to be found in very short order. If it's found by the wrong people (to them) then this is going to backfire in very short order. Once the details are known, I don't imagine it would be very hard to inject loads of spurious info into their violator database.

    The SecurityFocus posting has lots of bragging about how network security tools won't find their exploit. I beg to differ. They aren't going to dodge tcpdump running on a machine that is a gateway for an infected machine. The way gnutella is supposed to work is known. To a trained eye, their "cleverly crafted" network requests are going to stick out like a sore thumb. In any case, just knowing a thing exists greatly simplifies finding it. We'll know in short order if they're hoaxing or not.
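Added example, not from the poster above or from any Gnutella project: a small Python checker that applies the "trained eye" test to Gnutella 0.4 descriptors taken off a gateway sniffer. It parses the 23-byte header (16-byte message GUID, 1-byte payload descriptor, TTL, hops, 4-byte little-endian payload length) and flags anything that does not look like ordinary client traffic: unknown descriptor types, oversized payloads, excessive TTL, and Query search strings that carry non-printable bytes where text belongs. The thresholds and the four sample messages are constructed for this example; on a real capture you would first reassemble the TCP stream and skip the connection handshake, then feed the delimited descriptors to `scan`.

```python
import struct

# Gnutella 0.4 descriptor header (23 bytes): 16-byte message GUID, 1-byte
# payload descriptor, 1-byte TTL, 1-byte hops, 4-byte little-endian length.
HEADER_LEN = 23
DESCRIPTORS = {0x00: "Ping", 0x01: "Pong", 0x40: "Push",
               0x80: "Query", 0x81: "QueryHit"}
QUERY = 0x80

# Thresholds are constructed for this example, not protocol constants.
MAX_PAYLOAD = 4096
MAX_TTL = 7
MAX_SEARCH = 256


def parse_message(data):
    """Split one descriptor into (header fields, payload).
    Raises ValueError when the bytes are too short to be a whole message."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    desc, ttl, hops, length = struct.unpack("<BBBI", data[16:HEADER_LEN])
    if len(data) < HEADER_LEN + length:
        raise ValueError("truncated payload")
    header = {"guid": data[:16], "descriptor": desc,
              "ttl": ttl, "hops": hops, "length": length}
    return header, data[HEADER_LEN:HEADER_LEN + length]


def check_message(data):
    """Return a list of anomaly strings; an empty list means the message
    looks like ordinary client traffic."""
    try:
        hdr, payload = parse_message(data)
    except ValueError as e:
        return [str(e)]
    findings = []
    if hdr["descriptor"] not in DESCRIPTORS:
        findings.append("unknown descriptor 0x%02x" % hdr["descriptor"])
    if hdr["ttl"] > MAX_TTL:
        findings.append("ttl %d above %d" % (hdr["ttl"], MAX_TTL))
    if hdr["length"] > MAX_PAYLOAD:
        findings.append("oversized payload %d bytes" % hdr["length"])
    if hdr["descriptor"] == QUERY:
        # Query payload: 2-byte minimum speed, then NUL-terminated search text.
        if len(payload) < 3:
            findings.append("short query payload")
        else:
            search = payload[2:].split(b"\x00", 1)[0]
            if any(b < 0x20 or b > 0x7E for b in search):
                findings.append("non-printable bytes in search string")
            if len(search) > MAX_SEARCH:
                findings.append("search string %d bytes long" % len(search))
    return findings


def scan(messages):
    """Map message index -> findings for every message that raised any."""
    result = {}
    for i, m in enumerate(messages):
        f = check_message(m)
        if f:
            result[i] = f
    return result


# Helpers to build constructed sample traffic.
def build_message(desc, payload, ttl=7, hops=0, guid=b"\x11" * 16):
    return guid + struct.pack("<BBBI", desc, ttl, hops, len(payload)) + payload


def build_query(text, min_speed=0):
    return build_message(QUERY, struct.pack("<H", min_speed) + text + b"\x00")


# Constructed samples: two normal messages, then two a sniffer should flag.
SAMPLE = [
    build_query(b"openbsd release song"),
    build_message(0x00, b""),                   # plain Ping
    build_query(b"\x90\x90\xeb\x1f" * 100),     # binary junk where text belongs
    build_message(0x7F, b"A" * 8000),           # unknown type, oversized
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE).items():
        print(idx, "; ".join(findings))
```

The checks are deliberately structural (field ranges and character classes) rather than signature-based, which is the point the post makes: once you know what well-formed client traffic looks like, anything riding the protocol for another purpose has to deviate from it somewhere.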
  • More commentary (Score:3, Interesting)

    by sheriff_p (138609) on Tuesday January 14, 2003 @10:01AM (#5080187)
    More commentary including thoughts on some of the implications here:

    http://www.virusbtn.com/news/latest_news/gobbles.xml [virusbtn.com]
  • Bugtraq Source (Score:5, Insightful)

    by BadBlood (134525) on Tuesday January 14, 2003 @10:04AM (#5080211)
    So, has anyone downloaded the source example from bugtraq, compiled it, and seen what happens?
  • MD5 Hash (Score:3, Interesting)

    by Inda (580031) <slash.20.inda@spamgourmet.com> on Tuesday January 14, 2003 @10:06AM (#5080228) Journal

    Over at SourceForge eMule is one of the largest downloaded clients on the list...

    Change one byte of any file and the MD5 hash for said file changes. This is nothing new or even that clever but it does stop bad files from spreading around the network.

    As I understand it, Kazaa is still number one when it comes to P2P file sharing. When I last opened Kazaa it reported 4 million users. Kazaa also uses a file hash to allow segmented downloads as do most P2P clients these days.

    These **AA infected files would be a drop in the ocean and they would not spread far. If this is a hoax then it's not even a very clever one.
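The per-part hashing the comment above refers to, as an added illustration that is not from the original thread or from any P2P client's own code. It uses a constructed 64-byte "file" and a 16-byte part size, and MD5 stands in for the MD4 that eDonkey actually uses, so the digests are not real ed2k hashes; the point is that a single changed byte is confined to one part, which the receiving client rejects and re-requests.

```python
import hashlib

# Constructed demo part size; eMule's real part size is 9,728,000 bytes.
PART_SIZE = 16

def split_parts(data, part_size=PART_SIZE):
    return [data[i:i + part_size] for i in range(0, len(data), part_size)]

def part_hashes(data, part_size=PART_SIZE):
    # One digest per part. MD5 is used instead of eDonkey's MD4 because MD4
    # is not available in every Python build.
    return [hashlib.md5(p).hexdigest() for p in split_parts(data, part_size)]

def file_hash(data, part_size=PART_SIZE):
    # Root hash advertised on the network: for a one-part file it is the part
    # hash itself, otherwise the digest of the concatenated part digests
    # (the same two-level construction as the ed2k hash, with MD5 swapped in).
    hashes = part_hashes(data, part_size)
    if len(hashes) == 1:
        return hashes[0]
    return hashlib.md5(bytes.fromhex("".join(hashes))).hexdigest()

def verify_parts(received_parts, expected_hashes):
    # Indices of parts that fail verification. A client discards and
    # re-requests only those parts (possibly from another peer) instead of
    # trusting, or re-sharing, the whole download.
    return [i for i, (part, h) in enumerate(zip(received_parts, expected_hashes))
            if hashlib.md5(part).hexdigest() != h]

def flip_one_byte(data, offset):
    # Simulates a tampered or corrupted copy differing in a single bit.
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)

if __name__ == "__main__":
    clean = bytes(range(64))                # constructed 64-byte file: four parts
    tampered = flip_one_byte(clean, 40)     # one bit changed inside part 2
    print(file_hash(clean) != file_hash(tampered))                   # True
    print(verify_parts(split_parts(tampered), part_hashes(clean)))   # [2]
```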

  • by Loonacy (459630) on Tuesday January 14, 2003 @10:08AM (#5080239)
    Only 10% of the computers were really infected. But they were FAST computers, so they count as 95%.
  • I'm pissed off (Score:5, Interesting)

    by Sandman1971 (516283) on Tuesday January 14, 2003 @10:28AM (#5080393) Homepage Journal
    Ya know what pisses me off? If this is true, then users like myself have been illegitimately hit.

    I have a copy of Metallica's Kill 'Em All on tape. My tape is pretty worn out. So I hit the FastTrack network to download the songs. Now under Canadian law, this is perfectly legal as I own an original copy of the album.

    But now my PC is infected by a worm/trojan because a cartel ^H^H^H^H^H some 'company' believes that everyone who downloads MP3s is doing so illegally. Nice when a company thinks that everyone is a criminal. Congress really needs to wake up and start protecting the people again, and not mega corporations. And other countries need to shove back when the US tries to push its own laws onto them.
  • by essdodson (466448) on Tuesday January 14, 2003 @10:30AM (#5080419) Homepage
    To anyone who's read their advisories in the past this comes as no surprise. Gobbles's sole motivator here is to draw attention. From their security advisories that sound as if they're written by a third grader, to their advisories posted in comic form on their highly deceptive website www.bugtraq.org [bugtraq.org] I've seen little from them that demands respect.

    Besides, if they were working with RIAA, wouldn't the RIAA also have paid them a few bucks to secure their site? If they have, wow, bang up job so far.
  • Joke (Score:4, Insightful)

    by dissy (172727) on Tuesday January 14, 2003 @10:34AM (#5080445)
    This is so obviously a joke it's not even funny.

    > Things to keep in mind:
    > 1) If you participate in illegal file-sharing
    > networks, your computer now belongs to the RIAA.

    I'm sure glad there are no illegal file-sharing networks yet!

    > 2) Your BlackIce Defender(tm) firewall will not
    > help you.
    > 3) Snort, RealSecure, Dragon, NFR, and all that
    > other crap cannot detect this attack, or this
    > type of attack.

    Admitting it's an attack, and admitting you are purposely designing it to avoid current defences, that will look good to a judge.

    > 4) Don't fuck with the RIAA again, scriptkids.

    Oh, you're 13 years old?

    > 5) We have our own private version of this hydra
    > actively infecting p2p users, and building one
    > giant ddosnet.

    So any future DDoS we now can blame on these people who openly admitted to it.

    GO get em yahoo and ebay!

    > Due to our NDA with the RIAA, we are unable to
    > give out any other details concerning the
    > technology that we developed for them, or the
    > details on any of the bugs that are exploited in
    > our hydra.

    An NDA is a legal document which cannot in any way override existing laws.
    They admit to breaking numerous laws, and yet think a legal document will protect them?
    I guess they really must all be under 13.

    As a matter of fact, if my PC acts strange in any way, shape or form, they have now opened themselves up to a lawsuit.

    They also claim the RIAA now has an illegally gained list of the perfectly legal files on my hard drive. This would be the perfect time for a large company to sue and request discovery, which would allow someone (generally feds, but still) to collect evidence (i.e. take any/all of their servers on the public network which ever have/had connections to a p2p network), which will cost them time and resources and frustrations. Then hopefully some evidence will be found as well.

    My only wish is that a lot of companies able to afford the legal fees open petty lawsuits against them for admitting all the crimes they have committed, if for nothing else than to cause them grief. Can also be used to harass the RIAA a little (Would be much better if the RIAA admitted this was true, but that will never happen.)
    Turn the stupidity of the system against the enemy for a change.

  • People Lack Humor (Score:5, Informative)

    by Col. Panic (90528) on Tuesday January 14, 2003 @10:39AM (#5080481) Homepage Journal
    Gobbles is very tongue-in-cheek. Their posts, while they contain actual, working exploits, are meant to be funny. They deride or praise the list moderator, poke fun at script kiddies (shout outz duudz), and are generally pretty damn funny.

    This is no different.
  • by Windcatcher (566458) on Tuesday January 14, 2003 @10:45AM (#5080520)
    force the makers of MP3 players to recheck their source code to ensure that such holes DON'T exist, this would be a way to do it. Publish an exploit, link it to all major players, invoke the RIAA demon, and watch the coders scramble. Right now:

    - Coders are, I'm sure, crawling through their code to look for and fix any security holes,

    - Users are running firewalls and packet analyzers to check for any worm-like behavior,

    - Some P2P users are taking a second look at checksums.

    If such vulnerabilities exist, I'm sure they won't for much longer. If the Berman bill ever becomes law, there won't be much to hack.
  • by ndnet (3243) on Tuesday January 14, 2003 @10:53AM (#5080597)
    Where to begin.... I'll only deconstruct the SecurityFocus message.

    First, the fact that these programs have exploits is no surprise, but one media clip (probably MPEG (maybe MP3)), since while Windows Media Player and WinAMP offer universal playback, do ALL of them? Could one file even hit exploits in all these programs?

    Second, since each is likely to have a different vulnerability, the amount of worm data in a file would be a decent chunk. Wouldn't it be noticed?

    Third, an NDA would state that there can be no mention of it until it is ACTIVATED and USED. Now, Ad-aware-style programs will pop up to clean it if it exists.

    Fourth, how many files would this have to be to get 95% of P2P users? The only way it could is by infecting every file you share, but SOMEBODY would have to notice that, whether the file size changes or some A/V data is thrown out.

    Also, the idea of "specially formatted P2P requests" to inform RIAA is laughable. Even if the P2P software itself were compromised, a firewall user could notice it. Furthermore, consider the average media collection - hundreds of MP3s. Considering it would have to send artist name and song name, the amount of data would be well over 1MB unless compressed, and even then on dialup users it would have to be staggered.

    Also, what kind of backend would this take? Multiple servers, a huge internet connection. Considering how big the P2P networks are, wouldn't this have to be a massive monitoring system? There aren't that many locations with these resources INSTALLED, so finding the facility would not be hard.

    And why mention you have an IDENTICAL worm that you use to build a DDOS NET? Simple. Get those who don't care about privacy too much kicked up about that.

    Finally, this sounds very strangely like RIAA-induced hypnosis - here are a few lines which show that they probably are lying and not even working with RIAA, just agree with RIAA's ideas.

    "victim" (not the hard-working artists who p2p technology rapes, and the RIAA protects)

    4) Don't fuck with the RIAA again, scriptkids.

    Until we became RIAA contracters, the best they could do was to passively monitor traffic. Our contributions to the RIAA have given them the power to actively control the majority of hosts using these networks.

    There are some spelling mistakes. There are factual holes that they cover with the claim of an NDA. In short, the probability of a hoax is about 98%.
  • by Mordant (138460) on Tuesday January 14, 2003 @10:53AM (#5080599)
    Jeez.

    He's trying to make a point - that running all this P2P crap blindly on your systems, -especially- Windows boxes, is a security nightmare.

    Think about it; he's managed to get thousands upon thousands of people worldwide nervous and antsy about whether or not their boxes are in a semi-0wned condition. Why?

    Because it's within the realm of possibility that something like this could be done. Not by the stupid RIAA, who can't even secure their own Web site, but by somebody a) more skilled and b) motivated to do something Really Bad, like build (and use) a gigantic DDoS network, or steal any kind of account/password info it can find, or any kind of documents which might contain proprietary information, etc.

    The intellectual property aspect of filesharing aside, I personally think that anyone who runs a P2P app is asking to get burned. There simply hasn't been the kind of scrutiny turned on these things that we see on other types of apps and utilities (and we already know that the concept Gobbles is preaching about is valid due to the earlier KaZaA worm, etc.).
  • by melonman (608440) on Tuesday January 14, 2003 @11:07AM (#5080761) Journal

    I don't pretend to know much about the gory details of how it works, but P2P has never struck me as the best way ever invented to ensure the integrity of your system.

    Last week a client asked to bring his PC into the cybercafe to download some files using eDonkey. After a couple of days, my observations were that

    • It was going to take him another month to get a whole video of anything (cf 90 minutes for a whole Redhat CD over the same connection)
    • The only downloads that worked were XXX
    • His software opened 200 connections through my firewall, compared with about 20 for the rest of the cybercafe (our machines are thin clients, he was on a different subnet)
    • He was receiving from 100 or so different ports, some of which are also used by well-known worms and trojans

    So I told him to take his eDonkey elsewhere... is there any way to know what you are really connected to with this sort of system?

    • by Inda (580031) <slash.20.inda@spamgourmet.com> on Tuesday January 14, 2003 @01:27PM (#5081923) Journal

      It is normal for a 700MB ISO to take 2-3 days on the eDonkey [eMule] network. Remember that you are not downloading from an FTP site or web server; you are downloading from peers with a finite amount of bandwidth. Most people, like me, have a capped upload speed which is 25% of my download speed. The quality of files on this network is the main reason people use it - not the speed.

      200 connections is normal too. I currently have 90 connections because of the limitations with Windows 98. You are constantly asking other peers for files at the end of the day.

      100 used ports is wrong though and I would be worried about this too. I only use two...

  • by ProtonMotiveForce (267027) on Tuesday January 14, 2003 @11:36AM (#5081066)
    Come on, this is about as realistic as the computer jargon you hear on TV.

    "My Subnetwork ping redistributer is down! I need to reboot my LAN before the virus infects my ethernet cable and gets everywhere!!!"

    And yet I see people saying "this is probably not true" or "this may be a hoax", or "if they're doing this it should be illegal!". Come on. For Christ's Sake, this is totally idiotic and anyone with an iota of computer knowledge should immediately dismiss it.

    I don't care if Linus Torvalds himself came out and said he'd done it, I'd laugh and point.
  • by phorm (591458) on Tuesday January 14, 2003 @12:15PM (#5081443) Journal
    40% of this probably counts all the copies of Britney Spears and Backstreet Boys songs squirming across P2P, often masquerading as different files. Personally, I'd rather take a real virus than these - an antivirus can find trojans but none of them seem to have a feature to detect boy/girl-band of the moment type audio files.
  • by iamabot (165551) on Tuesday January 14, 2003 @01:19PM (#5081874)
    If they have the same people securing their web servers as "infesting" peer to peer networks I don't think we have much to worry about.

    Please view some screen shots from the last 96 hours.

    http://iworktoomuch.com/images/riaa.com-download.jpg [iworktoomuch.com]
    http://iworktoomuch.com/images/riaa.org.jpg [iworktoomuch.com]
    http://iworktoomuch.com/images/riaa_tooled_again.jpg [iworktoomuch.com]
