Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: gobbles?? p2p virus??? wha

  1. #1
    Senior Member
    Join Date
    Dec 2001

    gobbles?? p2p virus??? wha

    Apparently theyre either trying too hard, or gobbles is full of ****... nevertheless the source for this thing looks quiiiite real and well...

    yeah... heh, I myself dont partake in p2p, but do tend to think that this form of attack/protection is treading on that fine line between morals and law... it's important to keep in mind that some people use P2P to share completely legal and privately owned files, it is also a bit important to note that without the spread of music and videos in digital formats such as this... I wouldnt have purchased half of the cd's and dvd's I own (I do tend to sample a few songs from new bands to decide whether an album is worth buying).

    anywhoo... ejoy

    As taken from my vulnwatch message (exploits not included-- sorry)

    It seems the exploit was not included in the first vulnwatch e-mail. Here you go.

    - - ----- Forwarded Message from gobbles@hushmail.com -----

    ___ ___ ___ ___ _ ___ ___ ___ ___ ___ _ _ ___ ___ _______
    / __|/ _ \| _ ) _ ) | | __/ __| / __| __/ __| | | | _ \_ _|_ _\ \ / /
    | (_ | (_) | _ \ _ \ |__| _|\__ \ \__ \ _| (__| |_| | /| | | | \ V /
    \___|\___/|___/___/____|___|___/ |___/___\___|\___/|_|_\___| |_| |_|
    "Putting the honey in honeynet since '98."

    Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
    to invent, create, and finally deploy the future of antipiracy tools. We
    focused on creating virii/worm hybrids to infect and spread over p2p nets.
    Until we became RIAA contracters, the best they could do was to passively
    monitor traffic. Our contributions to the RIAA have given them the power
    to actively control the majority of hosts using these networks.

    We focused our research on vulnerabilities in audio and video players.
    The idea was to come up with holes in various programs, so that we could
    spread malicious media through the p2p networks, and gain access to the
    host when the media was viewed.

    During our research, we auditted and developed our hydra for the following
    media tools:
    mplayer (www.mplayerhq.org)
    WinAMP (www.winamp.com)
    Windows Media Player (www.microsoft.com)
    xine (xine.sourceforge.net)
    mpg123 (www.mpg123.de)
    xmms (www.xmms.org)

    After developing robust exploits for each, we presented this first part of
    our research to the RIAA. They were pleased, and approved us to continue
    to phase two of the project -- development of the mechanism by which the
    infection will spread.

    It took us about a month to develop the complex hydra, and another month to
    bring it up to the standards of excellence that the RIAA demanded of us. In
    the end, we submitted them what is perhaps the most sophisticated tool for
    compromising millions of computers in moments.

    Our system works by first infecting a single host. It then fingerprints a
    connecting host on the p2p network via passive traffic analysis, and
    determines what the best possible method of infection for that host would
    be. Then, the proper search results are sent back to the "victim" (not the
    hard-working artists who p2p technology rapes, and the RIAA protects). The
    user will then (hopefully) download the infected media file off the RIAA
    server, and later play it on their own machine.

    When the player is exploited, a few things happen. First, all p2p-serving
    software on the machine is infected, which will allow it to infect other
    hosts on the p2p network. Next, all media on the machine is cataloged, and
    the full list is sent back to the RIAA headquarters (through specially
    crafted requests over the p2p networks), where it is added to their records
    and stored until a later time, when it can be used as evidence in criminal
    proceedings against those criminals who think it's OK to break the law.

    Our software worked better than even we hoped, and current reports indicate
    that nearly 95% of all p2p-participating hosts are now infected with the
    software that we developed for the RIAA.

    Things to keep in mind:
    1) If you participate in illegal file-sharing networks, your
    computer now belongs to the RIAA.
    2) Your BlackIce Defender(tm) firewall will not help you.
    3) Snort, RealSecure, Dragon, NFR, and all that other crap
    cannot detect this attack, or this type of attack.
    4) Don't **** with the RIAA again, scriptkids.
    5) We have our own private version of this hydra actively
    infecting p2p users, and building one giant ddosnet.

    Due to our NDA with the RIAA, we are unable to give out any other details
    concerning the technology that we developed for them, or the details on any
    of the bugs that are exploited in our hydra.

    However, as a demonstration of how this system works, we're providing the
    academic security community with a single example exploit, for a mpg123 bug
    that was found independantly of our work for the RIAA, and is not covered
    under our agreement with the establishment.

    Affected Software:
    mpg123 (pre0.59s)

    Problem Type:
    Local && Remote

    Vendor Notification Status:
    The professional staff of GOBBLES Security believe that by releasing our
    advisories without vendor notification of any sort is cute and humorous, so
    this is also the first time the vendor has been made aware of this problem.
    We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP

    Exploit Available:
    Yes, attached below.

    Technical Description of Problem:
    Read the source.

    Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.
    I\'ll preach my pessimism right out loud to anyone that listens!
    I\'m not afraid to be alive.... I\'m afraid to be alone.

  2. #2
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002
    nearly 95% of all p2p-participating hosts are now infected with the
    software that we developed for the RIAA. um no
    My BS sense is tingling. Some one please show me where a virus has had a 95% infection rate.

    An exploit of this nature is of dubious legality, right now, but language in Howard Berman's "P2P Piracy Prevention" bill last year legitimizing such exploits was backed by RIAA chief Hilary Rosen:-
    I hope the RIAA keeps in mind that a self replicating virus would not be confided to any peculiar country and that infecting computers out side the US would put them on the same page as the writers of Code Red or Melissa.

    My question is will Norton, MacAfee, avg scan for crap like this. In fact why don't they just build some stuff in to the p2p programs them selves check for it.
    Its not software piracy. Iím just making multiple off site backups.

  3. #3
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    South Florida
    Well, This seems like a blatant breach of security to users of P2P for legitimate reasons, like myself. I use kazza and other P2P programs to transfer original music by my band to others. If this "worm" does infect P2P clients, and media players, then that means it will infect uncopyrighted material also. I just don't believe that the RIAA has a complete list of every files name, including varients, to keep track of whats infected and whats not. I sincerely hope that they infect my machine, and when they do, I will take their ass strait to court. This action, if true, is no better than a DoSing s'kiddie. If this is true they just signed their own death.


  4. #4
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    I have to agree that its probably BS to beign with, but even if it is true, they have to be lying about the stats. Nature isint even that perfect, considering Ebola has a 90% mortality rating. cwk9 si right, no one but the characters in books are crazy enough to release a virus like that, because it would eventually get capture by another virii writer, then modified to be even more malicious, probably seeking out RIAA machines and such on its own. I dont know which seems more messed up, electronic virus work, or the real stuff carried out at AMRID and the CDC.
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  5. #5
    Senior Member
    Join Date
    Mar 2002
    Yeah, I agree as well. The only thing you can tell from the author of this story is he writes entertaining BS stories if a virus like this did come out, though, it would hurt. But not 95 percent of systems connected to each other via P2P networks, such as KaZaA and Imish.

    -{[ Joe ]}- (Joe@nitesecurity.com)

    [shadow]I\'m Just A Soldier In This War Against Ignorance.[/shadow]

  6. #6

    Lightbulb Yep, it's a hoax

    Yep, it is a hoax, this whole thing. Here is a quote from the CNET article :

    In an advisory posted to security mailing lists, a group called Gobbles Security delivered its latest vulnerability--a real one found in a relatively unknown MP3 player--wrapped in an apparent joke aimed at the Recording Industry Association of America. The main part of the advisory consisted of Gobbles' claims that its programmers had created a "hydra"--a worm capable of spreading in a variety of ways--that infects all major music software.
    The RIAA, the organization that represents major music publishers, wasn't amused. "It's a complete hoax," said an RIAA spokesman, who asked that his name not be used. "It's not true."

  7. #7
    Junior Member
    Join Date
    Oct 2002
    yeah, thats all total bs, and if the virus is infecting "95 percent" of p2p users, well, thats alot of law suits on your hand right there

  8. #8
    Senior Member
    Join Date
    Dec 2001
    interestingly enough, if it werent a hoax do you think the RIAA would admit it?? riiiiiight

    I have no doubts that corporate giants such as the RIAA or even our established M$ may one day engineer an attack against a competitor or idea, but just as corporations are better at crime and espionage than our government, the coverup would likely be just as good. We may hear 10 years from now about how next year something like this came into play... we may not. who knows...

    I had my suspicions upon reading this thing that it was pure BS... and well... apparently it is, but the idea makes you wonder.... I've noticed a desparate market swing in the technical field, what was based around cutting edge engineering 4 years ago, has recently, and will probably continue to be based around litigation.

    business through litigation is a sad sad means to make a dollar, and I think it's a bit unfortunate, what once was a spilled cup of coffe is now a burned lap. The worst part about it is that it's spreading like wildfire and theres not too many ways out. I'm willing to bet the RIAA itself tries to pull some income out of this by seeking damages for the already dissheveled name.

    Just another s$$holes opinion, I'm prolly wrong... heh
    I\'ll preach my pessimism right out loud to anyone that listens!
    I\'m not afraid to be alive.... I\'m afraid to be alone.

  9. #9
    Senior Member
    Join Date
    Dec 2001
    and of course, vulwatch received an update (clipped directly) showing that the exploit was in fact real but the RIAA and the gobbles contract claim is most likely a hoax but purely unconfirmed....

    notice as follows :

    Some of you have written in wondering if the Gobbles post was a hoax or

    Skipping past all the RIAA stuff (I can't exactly confirm any of that),
    there is still the issue of a buffer overflow in mpg123 version 0.59s.
    That *is* real, and so is the exploit that is attached (which, if
    successful in exploitation, will run 'rm -rf ~').

    So yes, there is a mpg123 vulnerability in the latest development version
    (which some linux distros ship). The latest stable version (0.59r) seems
    to be OK for the moment.

    As for the 'hydra' (Swordfish, anyone?), RIAA involvement, and massive P2P
    neworking compromises, well, that's for you to determine.

    Your loving VulnWatchdog,
    - - rain forest puppy
    I\'ll preach my pessimism right out loud to anyone that listens!
    I\'m not afraid to be alive.... I\'m afraid to be alone.

  10. #10
    Senior Member
    Join Date
    Aug 2001
    well here is an update on Gobbles, it seems his claim was a Hoax.... but the article is an interesting read on what the RIAA and the IPFI are really doing to stop P2P.

    El Diablo

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts