RIAA Security Hoax

The RIAA website has been under regular attack by hackers for some time now. There may be some humor in the nature of some of the attacks, but as a method of publicizing displeasure with the organization the attacks are counterproductive, giving the RIAA PR and political ammo against computer enthusiasts in general.

The latest attack is not to the site itself, but against the organization in the form of a hoax security advisory:

Introduction:
Several months ago, GOBBLES Security was recruited by the RIAA (riaa.org)
to invent, create, and finally deploy the future of antipiracy tools. We
focused on creating virii/worm hybrids to infect and spread over p2p nets.
Until we became RIAA contracters, the best they could do was to passively
monitor traffic. Our contributions to the RIAA have given them the power
to actively control the majority of hosts using these networks.

We focused our research on vulnerabilities in audio and video players.
The idea was to come up with holes in various programs, so that we could
spread malicious media through the p2p networks, and gain access to the
host when the media was viewed.

During our research, we auditted and developed our hydra for the following
media tools:
mplayer (www.mplayerhq.org)
WinAMP (www.winamp.com)
Windows Media Player (www.microsoft.com)
xine (xine.sourceforge.net)
mpg123 (www.mpg123.de)
xmms (www.xmms.org)

After developing robust exploits for each, we presented this first part of
our research to the RIAA. They were pleased, and approved us to continue
to phase two of the project — development of the mechanism by which the
infection will spread.

It took us about a month to develop the complex hydra, and another month to
bring it up to the standards of excellence that the RIAA demanded of us. In
the end, we submitted them what is perhaps the most sophisticated tool for
compromising millions of computers in moments.

Our system works by first infecting a single host. It then fingerprints a
connecting host on the p2p network via passive traffic analysis, and
determines what the best possible method of infection for that host would
be. Then, the proper search results are sent back to the “victim” (not the
hard-working artists who p2p technology rapes, and the RIAA protects). The
user will then (hopefully) download the infected media file off the RIAA
server, and later play it on their own machine.

When the player is exploited, a few things happen. First, all p2p-serving
software on the machine is infected, which will allow it to infect other
hosts on the p2p network. Next, all media on the machine is cataloged, and
the full list is sent back to the RIAA headquarters (through specially
crafted requests over the p2p networks), where it is added to their records
and stored until a later time, when it can be used as evidence in criminal
proceedings against those criminals who think it’s OK to break the law.

Our software worked better than even we hoped, and current reports indicate
that nearly 95% of all p2p-participating hosts are now infected with the
software that we developed for the RIAA.

Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don’t fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.

Whoa, scary and highly illegal if true. The RIAA says it isn’t:

A hoax message posted to two security mailing lists Monday suggests that the Recording Industry Association of America has hired a group of hackers who have developed a worm capable of infecting and shutting down peer-to-peer file-sharing software. The hackers claim to have released the worm, on the RIAA’s orders, and that it now controls almost 95 percent of “all P2P participating hosts.”
The RIAA said the message was a total fabrication.

It’s a complete hoax,” said an RIAA spokesman in Washington. “Someone forwarded the message to us and that was the first we heard or read about it.”

Although the existence of the worm and the RIAA’s involvement are clearly a hoax, there is a working exploit for a vulnerability in the Mpg123 media player attached to the message. Several sources verified that the code does in fact exploit a buffer overrun in the player.

The outlandish claims are part of a “security advisory” supposedly written by a group called Gobbles Security. The group is known for publishing humorous advisories on serious software vulnerabilities, many of which are posted with exploit code.

The message says the RIAA hired Gobbles “to invent, create, and finally deploy the future of antipiracy tools. We focused on creating virii/worm hybrids to infect and spread over P2P nets.” [eWeek]

The net result of all this should be a sobering reminder that such sabotage is not unthinkable, is in some form possible, and needs to be guarded against.