http://www.wired.com/news/infostructure/0,1377,57229,00.html By Brian McWilliams Jan. 16, 2003 A wisecracking group of hackers confirmed its claim this week that it spread an antipiracy virus was nothing but a hoax aimed at garnering fame. But members of the group, known as Gobbles Security, conceded that a program it released to demonstrate the problem was a Trojan horse capable of destroying files on the computers of unwary Unix users. Experts said the bizarre incident, which caused a brief frenzy among some security firms and fans of music file sharing, follows a grand tradition of pranks by the playful hacking group. "I think that the latest Gobbles advisory is genius," said Dave Aitel, head of Immunity Security, a security software and services provider. "Gobbles takes the piss out of all of us, and we need to respect and appreciate that." Gobbles' advisory said the Recording Association of America had contracted the hacking group to develop a hydra-like computer worm that has already spread widely by exploiting security vulnerabilities in several popular music programs. Gobbles claimed the antipiracy tool enabled the RIAA to create infected MP3 music files and distribute them through file-sharing networks, compromising and cataloging the infected systems. In an e-mail interview, Gobbles representatives admitted that they fabricated the RIAA claim to get attention. "The only excuse we can offer for our immaturity is that we like the fame," they said. An RIAA spokesperson also said Gobbles' claim that it's working for the trade association was a hoax, but the representative declined to comment on RIAA's technology-based antipiracy efforts. However, a security flaw described in the Gobbles warning was very real, according to Michael Hipp, developer of mpg123, a Unix-based MP3 player cited in the advisory. Included with the Gobbles advisory was source code to a hacking program that exploits the security bug. The use of mpg123 to play special MP3 files created by the hacking program will delete files on the user's computer with the Unix command "rm -rf," Gobbles acknowledged. "If anyone was dumb enough to lose data because of this, they deserved it," wrote Gobbles representatives in an e-mail, which also noted that the program warned users before deleting their files. Dan Ingevaldson, an R&D manager at Internet Security Systems said Gobbles is "kind of an enigma" and is known to distribute both serious and frivolous advisories. But Ingevaldson said he always enjoys reading the group's bulletins, even though they sometimes poke fun at ISS. But to some in the security business, Gobbles' pranks and long-winded advisories -- often written in faux broken-English and containing diatribes about the industry -- have become tiring. "It's just a big waste of everyone's time.... It's about as useful as a bag of flaming dog doo on your doorstep," said Ryan Russell, author and former moderator of the Vuln-Dev security mailing list. Indeed, Gobbles' haughty attitude has made the group the target of recent attacks, especially after a Gobbles leader, who uses the alias Nwonknu, ridiculed members of the security industry in a rambling keynote address in August at the annual Defcon hacker convention in Las Vegas. The following month, a computer allegedly owned by Nwonknu was hacked, and some of its contents were anonymously posted to Full-Disclosure, a security mailing list, from the e-mail account bastedturkeyat_private Then in October, someone forged hundreds of nonsensical messages to the list with the subject line "Poot ze-a cheekee in de-a oofee!" from Gobbles' e-mail address. The incident caused some list participants to call for a blockade of e-mails from the group. But some security experts said Gobbles' technical prowess gives the group a platform as the voice of conscience for the security industry. Mark Litchfield, co-founder of NGSSoftware, said he put up $275 in response to a public request last August by Gobbles for help with airfare to Defcon. According to Litchfield, Gobbles "knows (its) stuff" and shares its findings with the security community "instead of keeping all (its) advisories/exploits and sharing them privately with the black-hat community, which I would feel is a greater threat." In a jab at SecurityFocus, the Symantec-owned security firm that operates the popular Bugtraq mailing list, Gobbles registered the domain Bugtraq.org in 2001. Due to an apparent spate of attacks on the site (archived here), Gobbles' advisories have been mirrored at a site hosted by Aitel. According to Aitel, who said he has no other involvement with the group, Gobbles helps to keep the security industry's "huge egos" in check. "Gobbles teaches everyone the valuable lesson that no matter how elite we are, how rich we are, how many three letter agencies we have contracts with, how much of the Fortune 500 relies on us to keep their systems secure, someone out there is giggling at us," said Aitel. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Jan 17 2003 - 00:52:41 PST