Bad information regarding the RIAA. This is urgent, please read this!!!


Mrafrohead
13th January 2003, 22:55
I got this e-mail today from Bugtraq. For those of you that do not subscribe to this service I wanted to make sure that I was able to share this. The e-mail I am posting in its entirety with the security information so you can verify the validity of the below message. I will also be attempting to attach the enclosed code that is referred to in the e-mail, although I don't know what to do with it, so I can't help you there... Please send this to anyone you know that uses P2P software or that is concerned with the RIAA's actions. I have heard rumors of this type of thing, but no real "proof".

Thanks for your time, the e-mail will begin below...

_____Begin Message_____



-----BEGIN PGP SIGNED MESSAGE-----

___ ___ ___ ___ _ ___ ___ ___ ___ ___ _ _ ___ ___ _______
/ __|/ _ \| _ ) _ ) | | __/ __| / __| __/ __| | | | _ \_ _|_ _\ \ / /
| (_ | (_) | _ \ _ \ |__| _|\__ \ \__ \ _| (__| |_| | /| | | | \ V /
\___|\___/|___/___/____|___|___/ |___/___\___|\___/|_|_\___| |_| |_|
"Putting the honey in honeynet since '98."

Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
to invent, create, and finally deploy the future of antipiracy tools. We
focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contractors, the best they could do was to passively
monitor traffic. Our contributions to the RIAA have given them the power
to actively control the majority of hosts using these networks.

We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.

During our research, we audited and developed our hydra for the following
media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)

After developing robust exploits for each, we presented this first part of
our research to the RIAA. They were pleased, and approved us to continue
to phase two of the project -- development of the mechanism by which the
infection will spread.

It took us about a month to develop the complex hydra, and another month to
bring it up to the standards of excellence that the RIAA demanded of us. In
the end, we submitted them what is perhaps the most sophisticated tool for
compromising millions of computers in moments.

Our system works by first infecting a single host. It then fingerprints a
connecting host on the p2p network via passive traffic analysis, and
determines what the best possible method of infection for that host would
be. Then, the proper search results are sent back to the "victim" (not the
hard-working artists who p2p technology rapes, and the RIAA protects). The
user will then (hopefully) download the infected media file off the RIAA
server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all p2p-serving
software on the machine is infected, which will allow it to infect other
hosts on the p2p network. Next, all media on the machine is cataloged, and
the full list is sent back to the RIAA headquarters (through specially
crafted requests over the p2p networks), where it is added to their records
and stored until a later time, when it can be used as evidence in criminal
proceedings against those criminals who think it's OK to break the law.

Our software worked better than even we hoped, and current reports indicate
that nearly 95% of all p2p-participating hosts are now infected with the
software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.

Due to our NDA with the RIAA, we are unable to give out any other details
concerning the technology that we developed for them, or the details on any
of the bugs that are exploited in our hydra.

However, as a demonstration of how this system works, we're providing the
academic security community with a single example exploit, for a mpg123 bug
that was found independently of our work for the RIAA, and is not covered
under our agreement with the establishment.


Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de


Problem Type:
Local && Remote


Vendor Notification Status:
The professional staff of GOBBLES Security believe that releasing our
advisories without vendor notification of any sort is cute and humorous, so
this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP


Exploit Available:
Yes, attached below.


Technical Description of Problem:
Read the source.


Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlwEARECABwFAj4jBA0VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP4gwA
oKmMyRIxA74KZfAVv3MsEBKCZxRMAJsFFhywKWzMoiT/Qiy4FV+r1inukA==
=OjMp
-----END PGP SIGNATURE-----

Mrafrohead
13th January 2003, 23:01
I forgot to add the files to the original post, so they are in here.

Sorry about that.

Mrafrohead

mpucoder
14th January 2003, 00:37
Sounds like BS to me. Why? No dates, just vague time periods. The use of profanity. And the only proof, "a mpg123 bug that was found independently of our work for the RIAA", i.e. someone else's work.
This is not to say it isn't possible, but if someone had done this, why talk about it?
And who would be dumb enough to download music from RIAA servers?

Camd00d
14th January 2003, 00:38
Riiiight.. 95% of P2P users. Like all of the network techs out there & computer techs wouldn't notice outbound traffic to a rogue server on their firewall/router logs.. I doubt the validity of this claim.

trbarry
14th January 2003, 01:12
Not to mention the massive liability and possible jail time if the RIAA had been shown to be a willing party in spreading a destructive P2P virus.

While they have asked for legislation that would indemnify them for things like this it has not been passed, and likely won't.

But it would certainly be nice to be able to prove they did. ;)

- Tom

Nic
14th January 2003, 01:20
I think whoever wrote that had watched the film swordfish and had somehow taken it even remotely seriously ;)

-Nic

Mrafrohead
14th January 2003, 01:21
I hope y'all are right. I posted this in a couple of forums and everyone as of now has posted the same responses as above. Personally, I think that there is some truth in it. Which was why I posted it here and at the other sites. As a just in case. The source I got this from doesn't deal with this type of topic which was why I feel that there's some truth to it.

Mrafrohead

I really hope that you guys are right and that what I read is not.

The Edge
14th January 2003, 01:24
It's no wonder they get hacked (http://www.cdfreaks.com/news2.php3?ID=5501) on a monthly basis. A lot of people have a grudge against the RIAA. I agree with Tom's points.

Edge

NeVeRLiFt
14th January 2003, 03:36
just use winMX and hope you don't download a renamed mp3 ROFLMAO

The Edge
14th January 2003, 11:13
Maybe there is a bit of truth to this post.:eek:

w*w.theregister.co.uk/content/6/28842.html

Also
w*w.tech-critic.com/comments.php?id=1782&catid=1


Edge

buba king
14th January 2003, 12:50
the riaa is so full of crap.

Good luck hacking my box.

N_F
14th January 2003, 13:28
Originally posted by The Edge
Maybe there is a bit of truth to this post.:eek:

w*w.theregister.co.uk/content/6/28842.html

Also
w*w.tech-critic.com/comments.php?id=1782&catid=1


Edge
Why the * in www?

The Edge
14th January 2003, 13:33
@N_F

Sorry. Habit.

Edge

cypher_soundz
14th January 2003, 17:49
I have read about an exploit using a malformed header in an AVI or MP3 file that can run remote code while the file still plays/sounds fine, but that is it. I think that the above is impossible, and let's not forget updates: even if it did exploit a buffer overrun, a different version/update would fix it. I wouldn't think Microsoft would be too happy with the RIAA if this were the case! Unless it's like FILE.AVI.EXE :D I think someone is pulling your leg. Remember, if it sounds too good to be true (or in this case, too bad), then it probably is ;)

Mrafrohead
14th January 2003, 18:49
Cypher, what you say makes a lot of sense.

But just something to consider. If this is true...

If you look at some of the newer virii that now exist, they sound too good to be true. I mean, they can infect your computer, disable your AV/FW software and then start their OWN SMTP server and mail out messages to others and not even make it look like it's coming from your infected machine.

A few years ago, I would have thought that type of thing impossible.

A couple other nice ones. You ONLY had to be connected to the net to get it, that was all. It would take care of everything for you.

Again, I don't know if this truly is credible. I only posted it as a just in case type of thing. I don't want my fellow encoders to have any problems should this really be correct.

Mrafrohead

Mrafrohead
14th January 2003, 18:50
BTW - I uploaded the code that was sent with the files when I created this thread, but it still has yet to be posted. Hopefully it will be approved so you guys can take a looksey...

Buddy
14th January 2003, 20:42
One thing is sure. Those people would violate European Union privacy laws. So I think it's a ghost story.:cool:

Neo Neko
15th January 2003, 06:44
Originally posted by Mrafrohead
Cypher, what you say makes a lot of sense.

But just something to consider. If this is true...

If you look at some of the newer virii that now exist, they sound too good to be true. I mean, they can infect your computer, disable your AV/FW software and then start their OWN SMTP server and mail out messages to others and not even make it look like it's coming from your infected machine.

That is hardly impossible. Hardly unlikely. When you look at how much Microsoft ties everything to everything it is like they are downright asking for it. First off these virii do not need to slip past firewall software. It goes in and out via POP3 and SMTP which pretty much every firewall allows. Otherwise you would never receive email. Also I have never heard of these email viruses disabling AV software. But it is not impossible, nor that hard really. They rely more on mass proliferation before they are detected. And they don't set up their own SMTP server. Wouldn't it be silly to set up your own SMTP client when you are already inside Microsoft's overly vulnerable SMTP client? And as for sending untraceable email. Well that is not that hard really. Within reason. It is honestly pretty much impossible to send 100% untraceable e-mail. But I could send you an email from BGates@Microsoft.com or dubbya@whitehouse.gov that you would not be able to trace.

mpucoder
15th January 2003, 06:55
Email is easier to trace than that. Yes, you can fake the sender and reply-to fields, and even give a false name to your email client. But the next server down the line will add header information giving its own identity, and the IP address that it received the email from. That's how I know the machine in the Netherlands that sent out email in my name. Some of it bounced, and came back to me.
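
A worked illustration of the point about relay-added headers, as an added example that is not part of anyone's post in this thread: the script parses the Received: trail of a constructed message (every host name and address in it is made up, using documentation address ranges) and walks it from the relay nearest the recipient back to the hop that accepted the message from the sending machine. It then compares the name the sending host announced with the reverse DNS the first relay recorded, which is the mismatch an investigator looks for when the From: line has been faked.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (all hosts, names and addresses are made up).
# The From: line is whatever the sender typed; the Received: trail is what
# each relay recorded while handing the message along. Topmost = last hop.
RAW_MESSAGE = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [198.51.100.7])
\tby mail.recipient.example (Postfix) with ESMTP id 4F2A1
\tfor <user@recipient.example>; Wed, 15 Jan 2003 06:50:12 +0100
Received: from relay.example-isp.net (relay.example-isp.net [198.51.100.3])
\tby mx2.example-isp.net with SMTP; Wed, 15 Jan 2003 06:50:10 +0100
Received: from mail.bigcorp.example (dialup-203-0-113-44.example-nl.net [203.0.113.44])
\tby relay.example-isp.net with SMTP; Wed, 15 Jan 2003 06:50:02 +0100
From: "Forged Sender" <someone@example.org>
To: user@recipient.example
Subject: returned mail
Message-ID: <20030115055002.GA1234@mail.bigcorp.example>

Body of the bounced message.
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
CLAIMED_NAME = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
REVERSE_DNS = re.compile(r"\(([^\s()\[\]]+)\s*\[")
STAMPING_HOST = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received_chain(raw):
    """Return one dict per Received: header, in header order (newest hop first)."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        flat = " ".join(str(header).split())  # unfold continuation lines
        claimed = CLAIMED_NAME.search(flat)
        ip = IPV4_IN_BRACKETS.search(flat)
        rdns = REVERSE_DNS.search(flat)
        by = STAMPING_HOST.search(flat)
        hops.append({
            "claimed": claimed.group(1) if claimed else None,  # name the peer announced (HELO)
            "ip": ip.group(1) if ip else None,                 # address the relay saw the connection from
            "rdns": rdns.group(1) if rdns else None,           # reverse lookup the relay did on that address
            "by": by.group(1) if by else None,                 # relay that wrote this line
        })
    return hops


def originating_hop(hops):
    """The bottom-most Received: line is the first relay's record of the submitting host."""
    return hops[-1] if hops else None


def trace_origin(raw):
    """Compare the claimed From: domain with what the first relay recorded."""
    msg = message_from_string(raw)
    hops = parse_received_chain(raw)
    origin = originating_hop(hops)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2] or None
    return {
        "from_domain": from_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_claimed": origin["claimed"] if origin else None,
        "origin_rdns": origin["rdns"] if origin else None,
        # A HELO name that disagrees with the reverse DNS the relay recorded is a
        # classic sign that the sending host is not what it says it is.
        "helo_mismatch": bool(origin and origin["rdns"] and origin["claimed"] != origin["rdns"]),
        "hops": hops,
    }


if __name__ == "__main__":
    report = trace_origin(RAW_MESSAGE)
    for hop in report["hops"]:
        print(f"{hop['by'] or '?':<28} accepted from {hop['ip'] or '?':<15} "
              f"({hop['rdns']}) claiming to be {hop['claimed']}")
    print("From: domain      :", report["from_domain"])
    print("originating IP    :", report["origin_ip"])
    print("HELO/rDNS mismatch:", report["helo_mismatch"])
```

Only the Received: lines stamped by relays you trust (your own server and, usually, your provider's) are reliable; a sender can pre-insert fake Received: lines beneath them, so the trace is read from the top down and stops being trustworthy at the first relay you cannot vouch for.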

Neo Neko
15th January 2003, 07:13
It is possible to fake the IP as well.

ReTroAcTive
15th January 2003, 11:34
Kinda funny to see old e-mail scares still going around, and even more funny to see people that might believe them. That e-mail you got is almost as old as p2p itself. In fact I remember a version of it that was geared towards mp3 traders back when we had to trade by ftp, so it may be even older than p2p really.

-edit added-
Kazaa installs software that can be used to use your computer. You agree to let them install this software and to let them use your computer any time they wish when you install Kazaa.

Mrafrohead
15th January 2003, 22:17
Originally posted by Neo Neko
Also I have never heard of these email viruses disabling AV software. But it is not impossible, nor that hard really. They rely more on mass proliferation before they are detected. And they don't set up their own SMTP server. Wouldn't it be silly to set up your own SMTP client when you are already inside Microsoft's overly vulnerable SMTP client? And as for sending untraceable email. Well that is not that hard really. Within reason. It is honestly pretty much impossible to send 100% untraceable e-mail. But I could send you an email from BGates@Microsoft.com or dubbya@whitehouse.gov that you would not be able to trace.


@NeoNeko: Here's a couple of links for you so you know, if you wanted to that is...;)

http://securityresponse.symantec.com/avcenter/venc/data/w32.lirva.a@mm.html This is for Lirva: Disables AV. But uses MS SMTP.

http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.k@mm.html This is for Yaha: Disables AV. Uses its own SMTP.

There are others, but these explain what I was talking about earlier.

And I'm not posting this to be an asshole. It's just so you know, as AV knowledge is the first step to defense in my opinion. Before AV software even begins to take play.

Mrafrohead

The Edge
15th January 2003, 23:48
Seems all this was a Hoax (http://www.eweek.com/article2/0,3959,827970,00.asp) as suspected (http://slashdot.org/articles/03/01/14/159242.shtml?tid=167) all along..........

Edge

Mrafrohead
16th January 2003, 00:35
But do you think that the RIAA would admit to it??? What the message states is still very illegal as of yet as no laws have passed to allow this for them.

Mrafrohead
17th January 2003, 00:50
I just came across this.

Figured for safety measures I should definitely post it.

http://www.wired.com/news/infostructure/0,1377,57229,00.html

Seems I wrote all of this for nothing... Sorry to have wasted y'alls time.

Mrafrohead

unixguru
17th January 2003, 16:47
It really didn't take a rocket scientist to see through this one, but it does make you think a bit about tightening up security at home.
:angry: