StarDestroyer.Net BBS

Found these links at www.ZeroPaid.com
http://online.securityfocus.com/archive/1/306476
http://www.neowin.net/forum/index.php?a ... 7&t=59561&
A little letter received by http://Online.Securityfocus.com :

GOBBLES Security Fuckheads wrote:

Code: Select all

-----BEGIN PGP SIGNED MESSAGE-----

___ ___ ___ ___ _ ___ ___ ___ ___ ___ _ _ ___ ___ _______
/ __|/ _ \| _ ) _ ) | | __/ __| / __| __/ __| | | | _ \_ _|_ _\ \ / /
| (_ | (_) | _ \ _ \ |__| _|\__ \ \__ \ _| (__| |_| | /| | | | \ V /
\___|\___/|___/___/____|___|___/ |___/___\___|\___/|_|_\___| |_| |_|
"Putting the honey in honeynet since '98."

Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
to invent, create, and finally deploy the future of antipiracy tools. We
focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contracters, the best they could do was to passively
monitor traffic. Our contributions to the RIAA have given them the power
to actively control the majority of hosts using these networks.

We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.

During our research, we auditted and developed our hydra for the following
media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)

After developing robust exploits for each, we presented this first part of
our research to the RIAA. They were pleased, and approved us to continue
to phase two of the project -- development of the mechanism by which the
infection will spread.

It took us about a month to develop the complex hydra, and another month to
bring it up to the standards of excellence that the RIAA demanded of us. In
the end, we submitted them what is perhaps the most sophisticated tool for
compromising millions of computers in moments.

Our system works by first infecting a single host. It then fingerprints a
connecting host on the p2p network via passive traffic analysis, and
determines what the best possible method of infection for that host would
be. Then, the proper search results are sent back to the "victim" (not the
hard-working artists who p2p technology rapes, and the RIAA protects). The
user will then (hopefully) download the infected media file off the RIAA
server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all p2p-serving
software on the machine is infected, which will allow it to infect other
hosts on the p2p network. Next, all media on the machine is cataloged, and
the full list is sent back to the RIAA headquarters (through specially
crafted requests over the p2p networks), where it is added to their records
and stored until a later time, when it can be used as evidence in criminal
proceedings against those criminals who think it's OK to break the law.

Our software worked better than even we hoped, and current reports indicate
that nearly 95% of all p2p-participating hosts are now infected with the
software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.

Due to our NDA with the RIAA, we are unable to give out any other details
concerning the technology that we developed for them, or the details on any
of the bugs that are exploited in our hydra.

However, as a demonstration of how this system works, we're providing the
academic security community with a single example exploit, for a mpg123 bug
that was found independantly of our work for the RIAA, and is not covered
under our agreement with the establishment.


Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de


Problem Type:
Local && Remote


Vendor Notification Status:
The professional staff of GOBBLES Security believe that by releasing our
advisories without vendor notification of any sort is cute and humorous, so
this is also the first time the vendor has been made aware of this problem.
We hope that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP


Exploit Available:
Yes, attached below.


Technical Description of Problem:
Read the source.


Credits:
Special thanks to stran9er@openwall.com for the ethnic-cleansing shellcode.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlwEARECABwFAj4jBA0VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP4gwA
oKmMyRIxA74KZfAVv3MsEBKCZxRMAJsFFhywKWzMoiT/Qiy4FV+r1inukA==
=OjMp
-----END PGP SIGNATURE-----



[ attachment: (application/octet-stream) ]

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wj8DBQA+IwO0HNGnlyGZsA8RAuusAJ49gGSCJzKlRpn+7b9vd+GYydWzUQCgjq3Ofe2n
WBnlQNf4GeyaFTit5N0=
=RBjc
-----END PGP SIGNATURE-----

As always, Comments, Suggestions, and Flames Are Welcome!

Sounds like a joke to me.

As much as I'd like to go berzerk on another anti-riaa rant....that sounds a little peculiar to me.

Darth Wong wrote:Sounds like a joke to me.

It probably is, but I'm warning my www.SpywareInfo.com friends just the same. Here's a Google Search: GOBBLES Security link for you to peruse. These asshats seem to be a bunch of severely malicious Black Hats posing as Security White Hats.

Its got to be a joke, RIAA may be the biggest collection of asshats to ever draw breath, but they have been careful to stay within the letter of the law. If they were to do this, it opens up a can of legal worms so vast as to make copyright infringment seem like childs play.......

Its got to be a joke, RIAA may be the biggest collection of asshats to ever draw breath, but they have been careful to stay within the letter of the law. If they were to do this, it opens up a can of legal worms so vast as to make copyright infringment seem like childs play.......

OK, I'm going to go out on a limb and mention that only a complete idiot could get infected with this "hydra." The reason?

We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.

If you don't do web browsing with Winamp and have blocked it from accessing the Internet with a REAL personal firewall, like Tiny Personal Firewall or... whatever the other one is, this "exploit" cannot access a port on your computer. It's compounded if you have a separate firewall running, like, say, a dedicated Linux firewall/gateway.

Now, on top of that, they can't spread MP3s infected with the virus, for the simple reason that the MPEG Layer 3 standard does not allow for executable code inside the MP3 file. Even if they inserted executable code into the file, it wouldn't run.

Further complicating matters, they claim that this "hydra" works across a broad spectrum of media players. This is bullshit. XMMS works only on *nix systems, specifically those with X. Windows Media Player works only on Windows. Both OSs have completely different structures and vulnerabilities. You cannot develop one single worm that will attack all systems; just try to make a binary that will run on x86, PPC, and RISC platforms. Or a binary that will run under Windows and doesn't require WINE to run under *nix.

Secondly, most p2p clients are also wildly different in structure. KaZaA, while being the most popular, is designed differently from Gnucleus. The two use different networks.

I think I'm going to stop. Needless to say, these guys are just jackasses looking for attention; they even say that attention is ALL they're looking for...

I'll bet that the mpg123 exploit they distributed with their message is actually a trojan.

Sounds like a "Protocols of the Elders of Zion" type hoax. Make people believe the record company is planting viruses on their computer. Besides, how could they tell whichfiles are legal and which aren't? I've got all six Offspring albums on this computer in MP3 format, and I ripped all of them off CDs that I legally own.

RedImperator wrote:Sounds like a "Protocols of the Elders of Zion" type hoax. Make people believe the record company is planting viruses on their computer. Besides, how could they tell whichfiles are legal and which aren't? I've got all six Offspring albums on this computer in MP3 format, and I ripped all of them off CDs that I legally own.

You deserve infection for owning all six Offspring albums in the first place.

Update: The Register is reporting this story.

Einhander Sn0m4n wrote:Update: The Register is reporting this story.

"He's a funny guy," De Raadt told us. "This is a buffer overflow exploit," he confirmed. De Raadt said he was more concerned by social engineering than by external exploits. "We had Fluffy Bunny, now we have Gobbles. They come in waves. "

That about sums it up. Social engineering.

Hoax.
http://www.theregister.co.uk/content/6/28919.html

Pu-239 wrote:Hoax.
http://www.theregister.co.uk/content/6/28919.html

And that means no one will believe this Gobbles asshole again. VICTORY!

I'm sure this is true, because clearly the RIAA is unfamiliar with what is and is not intentionally tortious activity.

And that means no one will believe this Gobbles asshole again.

Um, you did.

I noticed Microshaft's media player in there. I wonder how they are taking this...

Incidental note: there was a price-fixing investigation in progress involving several music distributors and retailers. The fallout from that could hurt the RIAA badly. Even if not, they're slitting their own throats by jacking up the prices of CDs even further (I can't believe when I went to Best Buy the last time: their prices are now up in the $16-17 range where the mall chains USED to be.) They'll price themselves out of existance before long, and wonder what happened.

Idiots.

beyond hope wrote:Incidental note: there was a price-fixing investigation in progress involving several music distributors and retailers. The fallout from that could hurt the RIAA badly. Even if not, they're slitting their own throats by jacking up the prices of CDs even further (I can't believe when I went to Best Buy the last time: their prices are now up in the $16-17 range where the mall chains USED to be.) They'll price themselves out of existance before long, and wonder what happened.

Idiots.

I heard about that BS too. Also, did anyone hear of the civil suite that was sent against them concerning the price of a CD and what content is on it?

Look at the "Get your free 20$ thread"

Frank Hipper wrote:

RedImperator wrote:Sounds like a "Protocols of the Elders of Zion" type hoax. Make people believe the record company is planting viruses on their computer. Besides, how could they tell whichfiles are legal and which aren't? I've got all six Offspring albums on this computer in MP3 format, and I ripped all of them off CDs that I legally own.

You deserve infection for owning all six Offspring albums in the first place.

Hey i like The Offspring. They are a misunderstood band.