Anti-piracy Vigilantes Tracking P2P Users
brevard writes "From SecurityFocus comes news that a pair of coders with a deep hatred of software pirates have gone public with a months-old experiment to trick file sharers into running custom spyware they wrote that scolds users and phones home to a server. They circulated the program disguised as sought-after downloads like Unreal Tournament 2004 and Microsoft source code, and they have a website that updates in real time whenever someone executes it. They've logged IP addresses for over 12,000 'pirates' since January. The EFF says the vigilantes may be committing a crime."
Re:Well, their server *did* update in realtime... (Score:5, Informative)
Their results page simply lists the following info--
Average time wasted: 12.888078236572 Seconds
Total time: 1383.75 Minutes
Hours: 23.0625 Hours
Operating for: 928.40555555556 Hours
Then there's a big table full of entries like this (reformatted to make it easier to view here)--
ID: 6442 ;)
PID: 3578
FPID: 1
Date: Mar 19 2004 07:42:53AM
IP: xxx.xxx.xxx.xxx (Well really, let's not pick on one person)
Location: Germany
Run time: 17
Filename: Unreal Tournament 2004 ALL VERSIONS KeyGen Crack (1).exe
The site continues in that vein for some time... fascinating stuff.
My thoughts: Software piracy is bad, m'kay, but two wrongs don't make a right!
It's a dropper as well as a trojan (Score:-1, Informative)
The main exe drops another program called eye.exe that does the phoning home; the strings in the parent exe are decoys. It also self-modifies, putting it into the polymorphic category.
Kaspersky classifies it as Trojan.Win32.DusBunn
Best these boys put away Visual C and pick up a few law books.
the whois info:
Griffin, Clifton clifgriffin@jsventures.com
Blogzine
503 Piedmont St.
Reidsville, North Carolina 27320
United States
3364327174
Name: gso31-106-207.triad.rr.com
Address: 24.31.106.207
Re:which crime? (Score:5, Informative)
Electronic trespassing. Making use of system resources that are not theirs. Stealing electricity, hard drive, memory space and performing unauthorised network communications. Crackers have been put in jail for much, much less than the above.
If they were disguised as codes for games like Unreal Tournament 2004, I also imagine Epic Games would have something to say about them:
(1) Distributing what is effectively a virus using the Unreal name.
(2) Taking the law into their own hands without the permission of the copyright holders.
Only the copyright holder can determine 100% if distributing such codes is illegal. There are circumstances where wanting a new code is legitimate (loss of the manual, living in a country where the game is not available at retail). However, I'm fairly sure that Epic has the ability to remotely de-activate codes that were being illegally distributed (with the game validating your code with a central server before you're allowed to play online); they already have a system in place for dealing with people spreading codes.
Doubtless Epic wouldn't want to piss off potential customers by having a virus associated with them. And you bet your bottom dollar that the cracking groups are going to attempt to fight back and double their efforts to produce working codes now (if they've not done so already).
And the third important point... (Score:3, Informative)
If they use any other means of exiting the program (ie, Alt+F4) it simply exits.
Yet again, it all depends on what they do.... We don't collect anything without them making defined, deliberate actions.
It is not my belief that we are required to tell them that we logged the fact that they clicked "I'm Sorry. I Promise Never to Do it Again."
I would also stress that this information is harmless to them as we proved only that they downloaded a file with the same name as a crack...nothing that poses any kind of threat at all to them.
Isn't just advertising these a problem? (Score:2, Informative)
Whether they are the files that they say they are is another story (let the downloader beware, I guess). But you would think that companies would go after them (even if they claim to be good guys) with the same rigor that they are going after others?
Server hosed (Score:5, Informative)
Note: Due to responses by certain detractors, we've updated our legal section (again) to further clarify our stance.
Apparently, this is becoming more and more newsworthy. Security Focus called today and interviewed me. Here is the resulting article: http://securityfocus.com/news/8279
At the start of this year, we (Justin and Clif, Clif and Justin) decided to start a new project. We declared war on illegal file sharing and pirates. The goal was to waste their time and bandwidth while tracking them and how the file moves around.
Results Pages for the Impatient: Walk the Plank Status Page | Dust Bunny Status Page
Walk the Plank, You Pirates!
The first version of this was more-or-less a test to see if it would work. We created a program in C# that would pop-up a message scolding the user. When the program closes, it would "phone home" to our servers, giving us the filename, how long the program ran (run time), and their IP address. We entered the information we collected into a database.
We copied the binary then renamed it to a bunch of warez-like filenames that we found via Jigle.com and searching different P2P networks. We put it up on the Gnutella file sharing network and waited. Within minutes, we had downloads. However, we didn't have entries in the database. The next day we came to the conclusion that people didn't have
So we rewrote it in C++. Once finished, we replaced all of the C# binaries with the C++ binary. Again within moments, we had downloads and this time we have entries in the database. Goes to show the penetration of
After about two weeks, we noticed something: The file was spreading without our help. We stopped sharing after we realized this and the file kept propagating, and propagating, and propagating. In no time flat, we wasted over 16 hours of pirate time.
Screenshot: (Top: WTP, Bottom: ODB)
The Next Step: Operation Dust Bunny
The original idea we had went beyond simply logging filename and run time. We wanted to track who got what file from who. So a month after WTP, we wrote Dust Bunny. It was a two-binary system that would read the Pirate ID (PID) encoded in itself, send it to a server, then grab a unique PID returned from the server, and rewrite the ID that is encoded in the binary. Using this information, we could see who got what binary from who.
Written with one person using Visual Studio 2003, another using Dev-C++; one binary in C++, the other in C; and only one person knowing how to code in either language. It was a challenge since the "rabbit" (the GUI program) had to include the "eye" (the program that contacted the server and rewrote the rabbit) for execution. Plus the eye needed an offset that could only be gathered once the rabbit was compiled with eye included. Thanks to TightVNC and a lot of trading of information, we got through it.
Just to be safe, we added a "kill switch" to the eye. If the server returned a special ID number, the eye would delete the rabbit. This way, in case it got out of control as WTP did, we could stop it. Also, if someone renamed it to a filename we didn't like, we could add that filename to the "evil filename list" on the server.
After it was completed, we replaced all the binaries with the new version. Once again, they started to be downloaded instantly. The next day, we already had redistributions -- someone downloaded a copy from someone other than us. We could tell since we were logging the PIDs. It didn't take long until we had multi-branch trees of pirates.
We decided that after one month of sharing Dust Bunny, we'd stop and let it propagate on its own. That marker was around March 9th, 2004.
Current Status
By now, WTP has racked up over 62 hours in wasted pirate time. Dust Bunny is well on its way with 20 hours. Dust Bunny has around 3,500 unique pirates and over 6,200 ex
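The PID/FPID lineage that both the quoted status-page entry above and the Dust Bunny write-up describe, rebuilt from constructed records as an added example (this is not the project's own code). It assumes the records are flattened to one per line with " | " separators, that run times are in seconds, and that FPID 0 marks a copy the authors seeded themselves.

```python
from collections import defaultdict

# Constructed sample in the page's field layout, one record per line (values
# invented). FPID 0 is assumed to mean a copy seeded by the authors themselves.
SAMPLE_LOG = """\
PID: 1 | FPID: 0 | Run time: 17 | Filename: Unreal Tournament 2004 ALL VERSIONS KeyGen Crack (1).exe
PID: 2 | FPID: 1 | Run time: 9 | Filename: Unreal Tournament 2004 ALL VERSIONS KeyGen Crack (1).exe
PID: 3 | FPID: 1 | Run time: 30 | Filename: Unreal Tournament 2004 ALL VERSIONS KeyGen Crack (1).exe
PID: 4 | FPID: 2 | Run time: 4 | Filename: UT2004 KeyGen.exe
PID: 5 | FPID: 4 | Run time: 12 | Filename: UT2004 KeyGen.exe
"""

def parse_records(text):
    """Turn 'Key: value | Key: value' lines into dicts; PID/FPID/Run time become ints."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        rec = dict(f.partition(":")[::2] for f in line.split(" | "))
        rec = {k.strip(): v.strip() for k, v in rec.items()}
        for key in ("PID", "FPID", "Run time"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def lineage(records, pid):
    """PIDs from the seeded copy down to pid: the 'who got it from whom' chain."""
    parent = {r["PID"]: r["FPID"] for r in records}
    chain = []
    while pid in parent:
        chain.append(pid)
        pid = parent[pid]
    return chain[::-1]

def subtree_run_time(children, run_time, pid):
    """Seconds logged by pid plus everything redistributed from it."""
    return run_time[pid] + sum(subtree_run_time(children, run_time, c) for c in children[pid])

def report(text):
    """Summarise propagation: seeded copies, branch points, total time, deepest chain."""
    records = parse_records(text)
    children = defaultdict(list)          # FPID -> PIDs fetched from that copy
    for r in records:
        children[r["FPID"]].append(r["PID"])
    run_time = {r["PID"]: r["Run time"] for r in records}
    return {
        "seeded_copies": children[0],
        "branch_points": [p for p, kids in children.items() if p and len(kids) > 1],
        "total_run_time": sum(subtree_run_time(children, run_time, r) for r in children[0]),
        "deepest_chain": max((lineage(records, r["PID"]) for r in records), key=len),
    }
```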
Interesting read (Score:2, Informative)
http://www.dslreports.com/forum/remark,9707744 [dslreports.com]
Re:Legal precedent ? (Score:3, Informative)
To get caught in a sting, the "stingee" needs to solicit something illegal from the "stinger." Just opening your car door for a prostitute doesn't necessarily constitute an illegal act, unless you solicited sex for money beforehand.
- You can't drop dollar bills on the road & then arrest citizens for stealing when they pick them up.
True, but you also can't sell baking soda to people in dime baggies telling them it's cocaine. Although, technically, p2p isn't really selling anything.
I guess my advice would be caveat clepta.
Note that EFF may want to "phone home" too (Score:3, Informative)
That doesn't appeal to me either (the "getting paid" part is, of course, reasonable, but the "tracking what I do" part isn't)
Possibly accusing the wrong person... (Score:1, Informative)
I don't know if I'd like to be falsely accused of being a software pirate.
Re:Vigilante (Score:5, Informative)
You are tricking users in sending their personal information to you. This is a serious offense in Italy (where I live) and most of Europe. We take our privacy most seriously.
Furthermore, cracks are legal in Italy (if you own a registered copy), because it is considered wrong for companies who sell you the software to try and restrict your access to it. For example, Playstation mod-chips are perfectly legal (tested in a court of law).
So, you are actually defaming and violating the privacy of people who are in fact not pirates or doing anything illegal.
Thank you.
It's still illegal (Score:4, Informative)
Just like the drug dealer, he's still committing a crime by selling, regardless of the crime you committed by purchasing.
The Feds could also demand their logs.
Re:Trojans (Score:2, Informative)
Which in most cases they aren't, since you have already been given all the rights you need to run the software thanks to the doctrine of "first sale".
A EULA that says "you cannot do this to my software" after you've already bought the box and taken it home is like me selling you a house and then, when you show up to move in, there's a big piece of tape on the door that says "By breaking this seal you agree to the following terms...."
Even IF the EULA was valid, it would be the modification of the software that was violating the EULA, not downloading and possessing the crack program.
Re:Legal precedent ? (Score:3, Informative)
Actually that depends on the state. A guy I went to college with who had a "non-traditional herbal incense" business (sold joints out of his apartment) reportedly asked everyone who came in if they were police. The arresting officers assured him that they were not. :-) Sorry Fat Dan, away to jail with you.
One should look around and see what is fact and what is stoner urban legend before embarking on a life of dipshittery... of course, one tends to preclude the other.
Felonies vs. civil offenses (Score:4, Informative)
If they start using this information for blackmail...that is illegal!
No, unauthorized modification of a computer is a crime, in both the UK and the US (and probably most other developed nations' jurisdictions).
What we have here are felons (system crackers planting trojans on people's PCs) who are compromising the privacy of individuals who have committed civil offenses (copyright violations). The seriousness of the former crime is much greater than the seriousness of the crimes of their victims.
That having been said, the FBI has protected murderers who were on their payroll (including sending an innocent man to jail for the murder committed by one of their informants), who turned evidence against people guilty of far less. So the alluded to by others remains: given the current political climate the feds are likely to overlook the felonies being committed in the interest of pursuing the civil offenses being committed against their primary constituency, namely the copyright cartels.
Re:Yes, but watch out for hypocrisy... (Score:2, Informative)
Too many false positives and virtually no accountability for their actions. Innocent folks and entire ISPs have been blacklisted by these people and I'm sure they just shrug and give an uncaring look when it happens.