hoax or not? a coworker sent the below email to me (he is all worried...) and asked my opinion. i think the RIAA is in for a rude awakening if they are admitting to infecting millions of pc's with intrusive virus/trojans, etc.
----------------------------------------------
-----Original Message-----
From: gobbles@hushmail.com [mailto:gobbles@hushmail.com]
Sent: Monday, January 13, 2003 12:23 PM
To: bugtraq@securityfocus.com
Subject: Local/remote mpg123 exploit
-----BEGIN PGP SIGNED MESSAGE-----
___ ___ ___ ___ _ ___ ___ ___ ___ ___ _ _ ___ ___ _______
/ __|/ _ \| _ ) _ ) | | __/ __| / __| __/ __| | | | _ \_ _|_ _\ \ / /
| (_ | (_) | _ \ _ \ |__| _|\__ \ \__ \ _| (__| |_| | /| | | | \ V /
\___|\___/|___/___/____|___|___/ |___/___\___|\___/|_|_\___| |_| |_|
"Putting the honey in honeynet since '98."
Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
to invent, create, and finally deploy the future of antipiracy tools. We
focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contracters, the best they could do was to passively
monitor traffic. Our contributions to the RIAA have given them the power
to actively control the majority of hosts using these networks.
We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.
During our research, we auditted and developed our hydra for the following
media tools:
mplayer (http://www.mplayerhq.org)
WinAMP (http://www.winamp.com)
Windows Media Player (http://www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (http://www.mpg123.de)
xmms (http://www.xmms.org)
After developing robust exploits for each, we presented this first part of
our research to the RIAA. They were pleased, and approved us to continue
to phase two of the project -- development of the mechanism by which the
infection will spread.
It took us about a month to develop the complex hydra, and another month to
bring it up to the standards of excellence that the RIAA demanded of us. In
the end, we submitted them what is perhaps the most sophisticated tool for
compromising millions of computers in moments.
Our system works by first infecting a single host. It then fingerprints a
connecting host on the p2p network via passive traffic analysis, and
determines what the best possible method of infection for that host would
be. Then, the proper search results are sent back to the "victim" (not the
hard-working artists who p2p technology rapes, and the RIAA protects). The
user will then (hopefully) download the infected media file off the RIAA
server, and later play it on their own machine.
When the player is exploited, a few things happen. First, all p2p-serving
software on the machine is infected, which will allow it to infect other
hosts on the p2p network. Next, all media on the machine is cataloged, and
the full list is sent back to the RIAA headquarters (through specially
crafted requests over the p2p networks), where it is added to their records
and stored until a later time, when it can be used as evidence in criminal
proceedings against those criminals who think it's OK to break the law.
Our software worked better than even we hoped, and current reports indicate
that nearly 95% of all p2p-participating hosts are now infected with the
software that we developed for the RIAA.
Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.
Due to our NDA with the RIAA, we are unable to give out any other details
concerning the technology that we developed for them, or the details on any
of the bugs that are exploited in our hydra.
However, as a demonstration of how this system works, we're providing the
academic security community with a single example exploit, for a mpg123 bug
that was found independantly of our work for the RIAA, and is not covered
under our agreement with the establishment.
Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de
Problem Type:
Local && Remote
Vendor Notification Status:
The professional staff of GOBBLES Security believe that by releasing our
advisories without vendor notification of any sort is cute and humorous, so
this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP
Exploit Available:
Yes, attached below.
Technical Description of Problem:
Read the source.
Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wlwEARECABwFAj4jBA0VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP4gwA
oKmMyRIxA74KZfAVv3MsEBKCZxRMAJsFFhywKWzMoiT/Qiy4FV+r1inukA==
=OjMp
-----END PGP SIGNATURE-----
RIAA vs. the world....more P2P stuff
It's quite possible.
However, nothing at securityfocus about this...yet. Couldn't find squat thru Google, so it's (probably) not a known hoax...yet. And one needs to question the RIAA's ethics in supposedly "hiring" Gobbles in the first place...it's like contracting out to the mob to get certain laws changed. They could have picked a more legit "security" company.
{edit: wrote something incorrect here, simply brainfart} We know the RIAA and MPAA lobbied the government to allow placing a worm in P2P networks in order to destroy copyrighted material, but they met a TON of resistance...not the least of which is that this would go beyond U.S. borders, and create a massive legal fiasco with a potential to dim relationships between countries. To continue a relationship with Gobbles would show lack of good faith at the least, lack of judgement at the worst, and potentially put the mere existence of the entertainment industry at risk.
Consider it a hoax for now.
However, nothing at securityfocus about this...yet. Couldn't find squat thru Google, so it's (probably) not a known hoax...yet. And one needs to question the RIAA's ethics in supposedly "hiring" Gobbles in the first place...it's like contracting out to the mob to get certain laws changed. They could have picked a more legit "security" company.
{edit: wrote something incorrect here, simply brainfart} We know the RIAA and MPAA lobbied the government to allow placing a worm in P2P networks in order to destroy copyrighted material, but they met a TON of resistance...not the least of which is that this would go beyond U.S. borders, and create a massive legal fiasco with a potential to dim relationships between countries. To continue a relationship with Gobbles would show lack of good faith at the least, lack of judgement at the worst, and potentially put the mere existence of the entertainment industry at risk.
Consider it a hoax for now.
Agreed...but it isn't the RIAA that (supposedly) unleased this worm, it's Gobbles. Whether or not the RIAA instructed them to unleash the worm is unknown. If the worm is true, this sudden strike could be Gobbles trying to screw the RIAA ("You hired the wrong hackers, you morons! Let the lawsuits begin!"), or the RIAA is ready to deny all knowledge, and let Gobbles take the fall.
If it's true...I personally believe (at the moment) that it's a hoax. Basically because it's more than just invasion of privacy...it's destruction of data. And if one shred of evidence can be supplied to say that the RIAA is behind it, God help them, cuz no one else will...
If it's true...I personally believe (at the moment) that it's a hoax. Basically because it's more than just invasion of privacy...it's destruction of data. And if one shred of evidence can be supplied to say that the RIAA is behind it, God help them, cuz no one else will...
i hope it is real!!! this will be a good thing for us "computer users". in the end... WE win! not only can we sue the companys responisble but we will make money fixing everybody elses computer.
I so hope its real! just to watch the whole intire internet die! cause if people find out about this they will be too scared to connect to the net. so not only are they gonna end up killing them selves, the whole intire industry will go down too.
What the RIAA is (suposedly) doing is like... hmm... what to compare this to... ... ... ... ... ... ... like what the satalite companys did to get rid of all the H cards (black sunday). not only did they destroy all the hackes on the network, they also fried about 75% of the legit customers. (each ... is about 2 mins of me trying to compare this to somthing)
I so hope its real! just to watch the whole intire internet die! cause if people find out about this they will be too scared to connect to the net. so not only are they gonna end up killing them selves, the whole intire industry will go down too.
What the RIAA is (suposedly) doing is like... hmm... what to compare this to... ... ... ... ... ... ... like what the satalite companys did to get rid of all the H cards (black sunday). not only did they destroy all the hackes on the network, they also fried about 75% of the legit customers. (each ... is about 2 mins of me trying to compare this to somthing)
[align=center]A self-aware artificial intelligence would suffer from a divide by zero error if it were programmed to be Amish[/align]
Well, it's getting more attention now. Securityfocus.com posted this email last night, the Register picked up the story today.
Still no word if it's a hoax or not. We should know by tomorrow.
Still no word if it's a hoax or not. We should know by tomorrow.
-
TheSovereign
- Posts: 2957
- Joined: Mon Apr 15, 2002 4:03 am
- Location: chicago
- Contact:
something is wrong with this
most people of hack interest i know wouldnt sell out for cash
and prolly would pretend to work for the riaa while stabbing them in the back
in other words how do u know this worm wont attack innocent networks then the riaa takes the blame for launching such a massive DOS attack against people who have nothing to do with file sharing and again we hear about the lawsuits but this time...its the riaa's fault
most people of hack interest i know wouldnt sell out for cash
and prolly would pretend to work for the riaa while stabbing them in the back
in other words how do u know this worm wont attack innocent networks then the riaa takes the blame for launching such a massive DOS attack against people who have nothing to do with file sharing and again we hear about the lawsuits but this time...its the riaa's fault
<a href="http://www.youtube.com/watch?v=67rc96joOz8#t=0m58s">YodelRoll!</a>
<a href="http://www.halfinchbullet.com/">Goto HalfInchBullet.com!</a>
<a href="http://www.halfinchbullet.com/">Goto HalfInchBullet.com!</a>
-
Absolut Talent
- Almighty Member
- Posts: 2868
- Joined: Mon Jan 07, 2002 12:30 pm
The RIAA said this email from Gobbles is "total fabrication". Read this at eWeek.
eWeek goes on to say, "Although the existence of the worm and the RIAA's involvement are clearly a hoax...", but they did not disclose how they know the worm doesn't exist.
Just the same, there's talk around the web that, once you consider everything that Gobbles claims this worm is capable of doing, their description falls apart.
In other words, it's a hoax.
eWeek goes on to say, "Although the existence of the worm and the RIAA's involvement are clearly a hoax...", but they did not disclose how they know the worm doesn't exist.
Just the same, there's talk around the web that, once you consider everything that Gobbles claims this worm is capable of doing, their description falls apart.
In other words, it's a hoax.