
Anti-piracy Vigilantes Tracking P2P Users 864

brevard writes "From SecurityFocus comes news that a pair of coders with a deep hatred of software pirates have gone public with a months-old experiment to trick file sharers into running custom spyware they wrote that scolds users and phones home to a server. They circulated the program disguised as sought-after downloads like Unreal Tournament 2004 and Microsoft source code, and they have a website that updates in real time whenever someone executes it. They've logged IP addresses for over 12,000 'pirates' since January. The EFF says the vigilantes may be committing a crime."
  • by flimnap ( 751001 ) on Friday March 19, 2004 @09:23AM (#8608671) Homepage

    Their results page simply lists the following info--

    Average time wasted: 12.888078236572 Seconds
    Total time: 1383.75 Minutes
    Hours: 23.0625 Hours
    Operating for: 928.40555555556 Hours

    Then there's a big table full of entries like this (reformatted to make it easier to view here)--

    ID: 6442
    PID: 3578
    FPID: 1
    Date: Mar 19 2004 07:42:53AM
    IP: xxx.xxx.xxx.xxx
    (Well really, let's not pick on one person ;)
    Location: Germany
    Run time: 17
    Filename: Unreal Tournament 2004 ALL VERSIONS KeyGen Crack (1).exe

    The site continues in that vein for some time... fascinating stuff.

    My thoughts: Software piracy is bad, m'kay, but two wrongs don't make a right!

  • by Anonymous Coward on Friday March 19, 2004 @09:26AM (#8608688)

    The main exe drops another program called eye.exe that does the phoning home; the strings in the parent exe are decoys. It also self-modifies, putting it into the polymorphic category.

    Kaspersky classifies it as Trojan.Win32.DusBunn

    best these boys put away visualC and pick up a few lawbooks

    the whois info:

    Griffin, Clifton clifgriffin@jsventures.com
    Blogzine
    503 Piedmont St.
    Reidsville, North Carolina 27320
    United States
    3364327174

    Name: gso31-106-207.triad.rr.com
    Address: 24.31.106.207

  • Re:Just wait. (Score:2, Informative)

    by clifgriffin ( 676199 ) on Friday March 19, 2004 @09:30AM (#8608720) Homepage
    If the program is altered, it deletes itself.
  • Re:Vigilante (Score:5, Informative)

    by WARM3CH ( 662028 ) on Friday March 19, 2004 @09:31AM (#8608734)
    This can certainly be classified as a trojan. Being malicious or not has nothing to do with classifying a program as a trojan. The simple fact that you have a way to spread it and have implemented some form of call-home functionality in it is sufficient to classify it as a trojan. About being malicious or not, some may say that sending private information (like an IP address) back home can be considered a malicious act.
  • Re:which crime? (Score:5, Informative)

    by Anonymous Coward on Friday March 19, 2004 @09:33AM (#8608751)
    which crime would they be committing?

    Electronic trespassing. Making use of system resources that are not theirs. Stealing electricity, hard drive, memory space and performing unauthorised network communications. Crackers have been put in jail for much, much less than the above.

    If they were disguised as codes for games like Unreal Tournament 2004 - I also imagine Epic Games would have something to say about them:

    (1) Distributing what is effectively a virus using the Unreal name.
    (2) Taking the law into their own hands without the permission of the copyright holders.

    Only the copyright holder can determine 100% if distributing such codes is illegal. There are circumstances where wanting a new code is legitimate (loss of the manual, living in a country where the game is not available at retail). However, I'm fairly sure that Epic has the ability to remotely de-activate codes that were being illegally distributed (with the game validating your code with a central server before you're allowed to play online) - they already have a system in place for dealing with people spreading codes.

    Doubtless Epic wouldn't want to piss off potential customers by having a virus associated with them. And you bet your bottom dollar that the cracking groups are going to attempt to fight back and double their efforts to produce working codes now (if they've not done so already).
  • by clifgriffin ( 676199 ) on Friday March 19, 2004 @09:42AM (#8608811) Homepage
    We only collect this information if they click the button.

    If they use any other means of exiting the program (i.e., Alt+F4) it simply exits.

    Yet again, it all depends on what they do... we don't collect anything without them making defined, deliberate actions.

    It is not my belief that we are required to tell them that we logged the fact that they clicked "I'm Sorry. I Promise Never to Do it Again."

    I would also stress that this information is harmless to them as we proved only that they downloaded a file with the same name as a crack...nothing that poses any kind of threat at all to them.
  • by bmf033069 ( 149738 ) on Friday March 19, 2004 @09:42AM (#8608823)
    I can't tell yet since the site seems to be down or crawling, but wouldn't the software companies get involved if you're blatantly advertising code / keys for download?

    Whether they are the files that they say they are is another story (let the downloader beware, I guess). But you would think that companies would go after them (even if they claim to be good guys) with the same rigor that they are going after others?
  • Re:Vigilante (Score:3, Informative)

    by flewp ( 458359 ) on Friday March 19, 2004 @09:44AM (#8608839)
    Okay, I'm next. Why didn't you just log the IP at the time of download instead of having it sent when the program is run? Yeah, yeah, you're going to say you wanted to see how it propagated through other users... Still, my point still stands when put along the others who have said transmitting info without permission is basically wrong.
  • Server hosed (Score:5, Informative)

    by yknott ( 463514 ) on Friday March 19, 2004 @09:45AM (#8608856) Homepage Journal
    Behold: Walk the Plank and Operation Dust Bunny
    Note: Due to responses by certain detractors, we've updated our legal section (again) to further clarify our stance.

    Apparently, this is becoming more and more newsworthy. Security Focus called today and interviewed me. Here is the resulting article: http://securityfocus.com/news/8279

    At the start of this year, we (Justin and Clif, Clif and Justin) decided to start a new project. We declared war on illegal file sharing and pirates. The goal was to waste their time and bandwidth while tracking them and how the file moves around.

    Results Pages for the Impatient: Walk the Plank Status Page | Dust Bunny Status Page

    Walk the Plank, You Pirates!

    The first version of this was more-or-less a test to see if it would work. We created a program in C# that would pop up a message scolding the user. When the program closed, it would "phone home" to our servers, giving us the filename, how long the program ran (run time), and their IP address. We entered the information we collected into a database.

    We copied the binary then renamed it to a bunch of warez-like filenames that we found via Jigle.com and searching different P2P networks. We put it up on the Gnutella file sharing network and waited. Within minutes, we had downloads. However, we didn't have entries in the database. The next day we came to the conclusion that people didn't have .NET installed and thus couldn't run the C# binary.

    So we rewrote it in C++. Once finished, we replaced all of the C# binaries with the C++ binary. Again within moments, we had downloads, and this time we had entries in the database. Goes to show the penetration of .NET.

    After about two weeks, we noticed something: The file was spreading without our help. We stopped sharing after we realized this and the file kept propagating, and propagating, and propagating. In no time flat, we wasted over 16 hours of pirate time.

    Screenshot: (Top: WTP, Bottom, ODB)

    The Next Step: Operation Dust Bunny

    The original idea we had went beyond simply logging filename and run time. We wanted to track who got what file from who. So a month after WTP, we wrote Dust Bunny. It was a two-binary system that would read the Pirate ID (PID) encoded in itself, send it to a server, then grab a unique PID returned from the server, and rewrite the ID that is encoded in the binary. Using this information, we could see who got what binary from who.

    Written with one person using Visual Studio 2003, another using Dev-C++; one binary in C++, the other in C; and only one person knowing how to code in either language. It was a challenge since the "rabbit" (the GUI program) had to include the "eye" (the program that contacted the server and rewrote the rabbit) for execution. Plus the eye needed an offset that could only be gathered once the rabbit was compiled with eye included. Thanks to TightVNC and a lot of trading of information, we got through it.

    Just to be safe, we added a "kill switch" to the eye. If the server returned a special ID number, the eye would delete the rabbit. This way, in case it got out of control as WTP did, we could stop it. Also, if someone renamed it to a filename we didn't like, we could add that filename to the "evil filename list" on the server.

    After it was completed, we replaced all the binaries with the new version. Once again, they started to be downloaded instantly. The next day, we already had redistributions -- someone downloaded a copy from someone other than us. We could tell since we were logging the PIDs. It didn't take long until we had multi-branch trees of pirates.

    We decided that after one month's time of sharing Dust Bunny, we'd stop and let it propagate on its own. That marker was around March 9th, 2004.

    Current Status

    By now, WTP has racked up over 62 hours in wasted pirate time. Dust Bunny is well on its way with 20 hours. Dust Bunny has around 3,500 unique pirates and over 6,200 ex
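    An analyst reconstructing the scheme described in the post above would want two things: to locate the per-copy ID that the "eye" rewrites, by diffing captured copies of the same build, and to rebuild the PID/FPID propagation tree from the server-side records. This is an added example, not the Dust Bunny code or anything from the original post; make_copy, the binary layout and the sample records are constructed stand-ins.

```python
"""Analyst-side view of the two-binary tracking scheme described above.
Constructed: the binary layout (an 8-digit ASCII ID field in otherwise
identical bytes) and the server records stand in for what the thread
describes; none of this is the Dust Bunny code."""
from collections import defaultdict

def make_copy(pid):
    # Constructed stand-in for one redistributed copy: same code bytes in
    # every copy, differing only in the ID the "eye" wrote into it.
    return b"MZ\x90\x00RABBIT-CODE\x00PID=" + b"%08d" % pid + b"\x00EYE-CODE\x00"

def find_variable_field(copies):
    """Diff captured copies of one build; return (offset, length) of the
    region that varies, widened to the full digit run so a shared leading
    digit is not missed. None means nothing is rewritten per copy."""
    if len({len(c) for c in copies}) != 1:
        raise ValueError("copies differ in size; not the same build")
    n = len(copies[0])
    diff = [i for i in range(n) if len({c[i] for c in copies}) > 1]
    if not diff:
        return None
    lo, hi, ref = diff[0], diff[-1], copies[0]
    while lo > 0 and ref[lo - 1] in b"0123456789":
        lo -= 1
    while hi + 1 < n and ref[hi + 1] in b"0123456789":
        hi += 1
    return lo, hi - lo + 1

def extract_ids(copies, field):
    """Read the per-copy ID out of each copy at the located field."""
    off, ln = field
    return [int(c[off:off + ln]) for c in copies]

def build_tree(records):
    """records: (pid, fpid) pairs as the server logs them; map each
    parent ID to the copies downloaded from it."""
    children = defaultdict(list)
    for pid, fpid in records:
        children[fpid].append(pid)
    return children

def lineage(children, root):
    """Depth-first walk from the seed: (pid, depth), depth 0 = seed."""
    out, stack = [], [(root, 0)]
    while stack:
        node, depth = stack.pop()
        out.append((node, depth))
        for child in sorted(children.get(node, []), reverse=True):
            stack.append((child, depth + 1))
    return out

# Constructed sample: three captured copies and the matching server log,
# with FPID 1 being the seeder as in the status table quoted above.
SAMPLE_COPIES = [make_copy(1), make_copy(42), make_copy(1001)]
SAMPLE_RECORDS = [(2, 1), (3, 1), (4, 2), (5, 4), (6, 2)]
```

    A firewall prompt on the outbound connection, as other comments here note, is what would stop the "eye" from ever reporting the ID at all.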
  • Interesting read (Score:2, Informative)

    by Anonymous Coward on Friday March 19, 2004 @09:49AM (#8608889)
    Here is a link to a dslreports thread where the authors of this software chime in:
    http://www.dslreports.com/forum/remark,9707744 [dslreports.com]
  • Re:Legal precedent ? (Score:3, Informative)

    by JBMcB ( 73720 ) on Friday March 19, 2004 @09:49AM (#8608890)
    -It is akin to a sting operation...

    To get caught in a sting, the "stingee" needs to solicit something illegal from the "stinger." Just opening your car door for a prostitute doesn't necessarily constitute an illegal act, unless you solicited sex for money beforehand.

    - You can't drop dollar bills on the road & then arrest citizens for stealing when they pick them up.

    True, but you also can't sell baking soda to people in dime baggies telling them it's cocaine. Although, technically, p2p isn't really selling anything.

    I guess my advice would be caveat clepta.

  • by turnstyle ( 588788 ) on Friday March 19, 2004 @10:04AM (#8609024) Homepage
    No doubt trojans are bad. BUT, it is worth noting that the EFF themselves are also considering systems that would "phone home" to a central server to track P2P use -- it's just that in their case, they want to do so to track P2P use so that authors can get paid.

    That doesn't appeal to me either (the "getting paid" part is, of course, reasonable, but the "tracking what I do" part isn't).

  • by Anonymous Coward on Friday March 19, 2004 @10:23AM (#8609202)
    So basically they are advertising that someone is downloading what people might term copyrighted material. They are defining who these people are by their IP address. The legal owner or user of that IP address may not be the person downloading/uploading that material, i.e. they could be using a proxy, using a place of work, or a public connection (airport wifi, 'net cafe, etc).
    I don't know if I'd like to be falsely accused of being a software pirate.
  • Re:Legal precedent ? (Score:3, Informative)

    by Rogerborg ( 306625 ) on Friday March 19, 2004 @10:29AM (#8609252) Homepage
    Dipshit. You can mount sting operations. For a concrete example, you can leave an unlocked car parked and wait for some thieving scum to choose to jump in it, at which point you lock the doors remotely and pick them up at your leisure. Good luck arguing that as entrapment.
  • Re:Vigilante (Score:5, Informative)

    by Sklivvz ( 167003 ) * <marco@cecconi.gmail@com> on Friday March 19, 2004 @10:47AM (#8609468) Homepage Journal
    this is in no way a trojan as it does nothing even slightly malicious

    You are tricking users into sending their personal information to you. This is a serious offense in Italy (where I live) and most of Europe. We take our privacy most seriously.
    Furthermore, cracks are legal in Italy (if you own a registered copy), because it is considered wrong for companies who sell you the software to try and restrict your access to it. For example, Playstation mod-chips are perfectly legal (tested in a court of law).
    So, you are actually defaming and violating the privacy of people who are in fact not pirates or doing anything illegal.

    Thank you.
  • Re:Trojans (Score:2, Informative)

    by emilng ( 641557 ) on Friday March 19, 2004 @10:50AM (#8609502)
    The only thing the program does is send a network message, it doesn't actually modify data on the computer other than itself.
  • Its still illegal (Score:4, Informative)

    by nurb432 ( 527695 ) on Friday March 19, 2004 @11:35AM (#8610069) Homepage Journal
    However, you may lose your ability to countersue in civil court for damages due to the intent on your part to commit a criminal transaction.

    Just like the drug dealer, he's still committing a crime by selling, regardless of the crime you committed by purchasing.

    The Feds could also demand their logs..

  • by stecoop ( 759508 ) on Friday March 19, 2004 @11:38AM (#8610102) Journal
    Zone Alarm (http://www.zonelabs.com/) or Norton Internet Security (http://www.symantec.com/) prompt you if any program wants to access the internet (add more as you see fit, but these I have used). Trojan attacks like this hammer home the requirement for these products along with a good firewall. And yes, Unix and Mac owners are left out. Another question would be: How would you configure your firewall to prevent leaks like this?
  • Re:Trojans (Score:2, Informative)

    by theLOUDroom ( 556455 ) on Friday March 19, 2004 @12:33PM (#8610830)
    If EULA's are legally binding, then yes, most cracks are, since they perform "unauthorized" modifications of the application binary.

    Which in most cases they aren't, since you have already been given all the rights you need to run the software thanks to the doctrine of "first sale".

    A EULA that says "you can not do this to my software" after you've already bought the box and taken it home is like me selling you a house and then, when you show up to move in, there's a big piece of tape on the door that says "By breaking this seal you agree to the following terms...."

    Even IF the EULA was valid, it would be the modification of the software that was violating the EULA, not downloading and possessing the crack program.
  • Re:Legal precedent ? (Score:3, Informative)

    by Dr. Smeegee ( 41653 ) * on Friday March 19, 2004 @12:36PM (#8610864) Homepage Journal

    Actually that depends on the state. A guy I went to college with who had a "non-traditional herbal incense" business (sold joints out of his apartment) reportedly asked everyone who came in if they were police. The arresting officers assured him that they were not. :-) Sorry Fat Dan, away to jail with you.

    One should look around and see what is fact and what is stoner urban legend before embarking on a life of dipshittery... of course, one tends to preclude the other.

  • by FreeUser ( 11483 ) on Friday March 19, 2004 @12:53PM (#8611100)
    I don't stand up for it installing spyware, but if it just pops up a message with a black pirate flag and says you have been logged...the only thing that is harmed is the privacy of a criminal.
    If they start using this information for blackmail...that is illegal!


    No, unauthorized modification of a computer is a crime, in both the UK and the US (and probably most other developed nations' jurisdictions).

    What we have here are felons (system crackers planting trojans on people's PCs) who are compromising the privacy of individuals who have committed civil offenses (copyright violations). The seriousness of the former crime is much greater than the seriousness of the crimes of their victims.

    That having been said, the FBI has protected murderers who were on their payroll (including sending an innocent man to jail for the murder committed by one of their informants), who turned evidence against people guilty of far less. So the alluded to by others remains: given the current political climate the feds are likely to overlook the felonies being committed in the interest of pursuing the civil offenses being committed against their primary constituency, namely the copyright cartels.
  • by KaSkA101 ( 692931 ) on Friday March 19, 2004 @01:26PM (#8611531) Homepage
    Yeah it is, it's a Road Runner connect; I just used ARIN to look up who the IP address is owned by. Their modem must be smoking now.
  • by karmaflux ( 148909 ) on Friday March 19, 2004 @02:08PM (#8612155)
    BastardTrojan is trying to access the internet.
    o Permit this application internet access
    o Deny this application internet access
    [] Always use this policy for this program
    It's as simple as that.
  • by StillAnonymous ( 595680 ) on Friday March 19, 2004 @03:32PM (#8613238)
    Actually, I would not be ecstatic if they were tracking down spammers, for the same reason I hate SPEWS, ORBS, etc.

    Too many false positives and virtually no accountability for their actions. Innocent folks and entire ISPs have been blacklisted by these people and I'm sure they just shrug and give an uncaring look when it happens.