General discussion


Maybe not appropriate - but IMPORTANT

By mrafrohead ·
I honestly don't know if this is the place to post this type of thing, but I feel that all involved in the computer world should read this. I am refraining from making any personal opinion on this one as I feel that the message speaks for itself. This is a letter I got from Bugtraq in it's entirety.

_____ Begin message below _____


___ ___ ___ ___ _ ___ ___ ___ ___ ___ _ _ ___ ___ _______
/ __|/ _ \| _ ) _ ) | | __/ __| / __| __/ __| | | | _ \_ _|_ _\ \ / /
| (_ | (_) | _ \ _ \ |__| _|\__ \ \__ \ _| (__| |_| | /| | | | \ V /
\___|\___/|___/___/____|___|___/ |___/___\___|\___/|_|_\___| |_| |_|
"Putting the honey in honeynet since '98."

Several months ago, GOBBLES Security was recruited by the RIAA (
to invent, create, and finally deploy the future of antipiracy tools. We
focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contracters, the best they could do was to passively
monitor traffic. Our contributions to the RIAA have given them the power
to actively control the majority of hosts using these networks.

We focused our research on vulnerabilities in audio and video players.
The idea was to comeup with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.

During our research, we auditted and developed our hydra for the following
media tools:
mplayer (
WinAMP (
Windows Media Player (
xine (
mpg123 (
xmms (

After developing robust exploits for each, we presented this first part of
our research to the RIAA. They were pleased, and approved us to continue
to phase two of the project -- development of the mechanism by which the
infection will spread.

It took

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Part 2

by mrafrohead In reply to Maybe not appropriate - b ...

Our system works by first infecting a single host. It then fingerprints a
connecting host on the p2p network via passive traffic analysis, and
determines what the best possible method of infection for that host would
be. Then, the proper search results are sent back to the "victim" (not the
hard-working artists who p2p technology rapes, and the RIAA protects). The
user will then (hopefully) download the infected media file off the RIAA
server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all p2p-serving
software on the machine is infected, which will allow it to infect other
hosts on the p2p network. Next, all media on the machine is cataloged, and
the full list is sent back to the RIAA headquarters (through specially
crafted requests over the p2p networks), where it is added to their records
and stored until a later time, when it can be used as evidence in criminal
proceedings against those criminals who think it's OK to break the law.

Our software worked better than even we hoped, and current reports indicate
that nearly 95% of all p2p-participating hosts are now infected with the
software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't **** with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.

Collapse -

Part 3 of 3

by mrafrohead In reply to Maybe not appropriate - b ...

Due to our NDA with the RIAA, we are unable to give out any other details
concerning the technology that we developed for them, or the details on any
of the bugs that are exploited in our hydra.

However, as a demonstration of how this system works, we're providing the
academic security community with a single example exploit, for a mpg123 bug
that was found independantly of our work for the RIAA, and is not covered
under our agreement with the establishment.

Affected Software:
mpg123 (pre0.59s)

Problem Type:
Local && Remote

Vendor Notification Status:
The professional staff of GOBBLES Security believe that by releasing our
advisories without vendor notification of any sort is cute and humorous, so
this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP

Exploit Available:
Yes, attached below.

Technical Description of Problem:
Readthe source.

Special thanks to for the ethnic-cleansing shellcode.
Version: Hush 2.2 (Java)
Note: This signature can be verified at


Collapse -

Here's the missing paragraph.

by mrafrohead In reply to Maybe not appropriate - b ...

Somehow, my cut and paste abilities just suck;\

Where section one ends and section two begins, this paragraph below should have been there. I apologize for any inconvenience.

_____ Missing Paragraph Start _____

It took us about a month to develop the complex hydra, and another month to
bring it up to the standards of excellence that the RIAA demanded of us. In
the end, we submitted them what is perhaps the most sophisticated tool for
compromising millions of computers in moments.

_____ End Missing Paragraph _____

Collapse -

I'll Never buy another CD

by TheChas In reply to Here's the missing paragr ...

Assuming this is true, and I have no reason to doubt it is, I will stop all support of the recording industry.

I am not an active P2P file sharer. My son does download some music and other files on one of the networks.

That said, it is Fascist tactics and philosophies such as those pointed out that are at the root of the recording industries problems.

While I have no doubt that the P2P networks have cut into profits, the RIAA needs to understand that they are now near the bottom of the entertainment dollar spending list. Without file sharing, the average teen will just stop listening to a lot of music.

If the RIAA succeeds in it's quest to stop MP3's and file sharing, all they will do is hasten the end of the recording industry.

Since the dawn of the cassette recorder, teens have been recording and sharing some of their music. Not to rip-off the industry, but because they could not afford all the music they desired. If and when they have extra money, many teenswent ahead and bought the records they liked. Without the ability to share the music, untold numbers of records may not have been sold.

By shutting down the file sharing systems, the RIAA will not be protecting profits, but will instead be shutting down a form of FREE advertising.

Further, by using the fascist draconian measures outlined, the RIAA will draw the ire of it's consumer base.

The RIAA has to be shown that every blank tape or blank CD is NOT a lost sale.

I have no sympathy for the RIAA or the recording industry. They have been ripping off the artists and the public since the 1930's.

If the RIAA genuinely wants to stop file sharing, they need to reduce the industry overhead and reduce the cost of CD's to a reasonable level. If the average CD had a retail price of $5, file sharing would all but cease.


Collapse -

No kidding.

by mrafrohead In reply to I'll Never buy another CD

I can definately agree with that. I normally will only purchase a CD of quality from an artist that is good. Most of the garbage that is released from the music industry is lame premixed crap. I can not rationalize spending more money on a CD than on a DVD for nothing but total CRAP! Hence my MP3 collection. But I will say this. If the price for the disks were five bucks each. I would honestly rather have the CD's then. As you can't be that with a bat

That's the reason I bought the new Korn CD when it was released. It was eight bucks. I feel that that was a fair price for a cd. And the group it came from has talent, versus these boy bands and hot chicks with crappy voices.


Collapse -

Me too

by Vawns In reply to I'll Never buy another CD
Collapse -

I completely agree and...

by FandV In reply to I'll Never buy another CD

I can say that this seems to me very similar to what nowadays excellent people name "terrorist attack".

With a bad new.

Under attack are our sons.

Collapse -

The honey defence

by Grail In reply to Maybe not appropriate - b ...

As I read this through, a point occurred to me relating to this group's slogan ("putting the honey in the honeynet since '98").

If the hydra gains access to the host when the media are viewed, it does rather suggest that you can neutralise it entirely using a separate machine. For example, I have two Macs and a PC at home; if I were to use the PC for filesharing with Kazaa, and to preview the files, then I can be certain whether or not they're infected before copying them to the Mac (even assuming the hydra can infect Macs, which seems unlikely). If your downloading box gets poisoned, therefore, toast it. People with one machine can use multiple installations on one hard drive.

The main point of that explanation, however, is this: what one person can lock, another can unlock. Banning or attacking something drives it underground; it doesn't tackle the root causes of a problem. That's what the RIAA and this group ought to be doing; otherwise, they'll never succeed. New media players and filesharing networks will pop up, and the hydra gets defanged again. Yawn. Give us a real initiative so we can use something that is both legal and of value.

Collapse -

The satellite pirate proxy...

by admin In reply to The honey defence

is quite similar to this. A box that is disposible and takes the fall for the real destination.

Also you could check file sizes etc. for before\after infection and find out what it's putting in and develop and distribute a scanner\cleaner. Someone here wanted to get started in the industry.... well if you do this first you will get some attention.


Collapse -


by madroxxx In reply to Maybe not appropriate - b ...

Isn't this illegal? I am pretty sure that unauthorized use of a private computer is considered hacking. Even more the suggestion that they are building a slew of zombie hosts for a DOS attack. I suggest you forward this to the FBI.

Related Discussions

Related Forums