nobel453

A Guide To Internet Piracy

Feb 29th, 2012
  1. 2600 Hacker Quarterly Summer 2004
  2.  
  3.  
  4. A Guide To Internet Piracy
  5. --------------------------
  6.  
  7. by b-bstf
  8. charmss5@hotmail.com
  9.  
  10. I've written this article after reading a few
  11. letters which show that some readers seem to
  12. know little about piracy on the Internet. I don't
  13. know everything about piracy on the net, but I
  14. would go so far as to say that I know a fair bit
  15. about it.
  16.  
  17. First off, piracy isn't just a few guys who
  18. work at cinemas and software stores taking the
  19. odd film or game home and sharing it on their
  20. home FTP servers or KaZaA.
  21.  
  22. Piracy on the Internet, or "the warez scene"
  23. (as those into it like to call it) is surprisingly
  24. organized. Pirated software/games/movies/
  25. anything are called warez and will be referred
  26. to as that from now on.
  27.  
  28. The Piracy "Food Chain"
  29.  
  30. Top
  31.  
  32. Warez/Release Groups - People who release
  33. the warez to the warez community. Often
  34. linked with Site Traders.
  35.  
  36. Site Traders - People who trade the releases
  37. from the above groups on fast servers.
  38.  
  39. FXP Boards - Skript Kiddies who
  40. scan/hack/fill vulnerable computers with
  41. warez.
  42.  
  43. IRC Kiddies - Users of IRC (Internet Relay
  44. Chat) who download from "XDCC Bots" or
  45. "Fserves."
  46.  
  47. KaZaA Kiddies - Users of KaZaA and other
  48. p2p (peer to peer) programs.
  49.  
  50. We'll start at the bottom.
  51.  
  52. KaZaA Kiddies
  53.  
  54. At the bottom of the piracy food chain we
  55. have the KaZaA Kiddies. There appear to be
  56. two groups of these KaZaA Kiddies. First, the
  57. 13 year old kids with broadband downloading
  58. the odd mp3 here and there because they can't
  59. afford outrageously overpriced CDs from
  60. stores. Harmless kids, costing no one any real
  61. money, pursuing their musical interest. Also,
  62. these are the people being labeled "pirates."
  63. These are the ones "Killing the Music Indus-
  64. try." These are the ones who are being sued by
  65. the RIAA for thousands of dollars. Sigh.
  66.  
  67. Second are the older, p2p veterans who use
  68. other p2p networks (Gnutella, BitTorrent,
  69. EMule) and programs as well as KaZaA. In ad-
  70. dition to using p2p for music they may also
  71. download games, programs, movies, etc.
  72.  
  73. IRC Kiddies
  74.  
  75. Not far up from KaZaA Kiddies we
  76. have the people who go to IRC for their warez
  77. fix. These folks can be more knowledgeable
  78. about computers and the Internet but tend to be
  79. just as irritating as the KaZaA Kiddies. Warez
  80. Channels are often run by people who have ac-
  81. cess to a fair amount of pirated material (more
  82. about them later). There are generally two types
  83. of these Warez Channels:
  84.  
  85. Fserve Chans. These can often be run by
  86. the same KaZaA or IRC kiddies. They don't re-
  87. ally have a reason to run them; they just like to
  88. feel important. They mainly use the mIRC
  89. client's File Server function and some "133t
  90. skript" to share their warez direct from their
  91. hard drives.
  92.  
  93. XDCC Chans. These are usually run by
  94. people into FXP Boards and Sitetrading. They
  95. have access to fast, new warez. They "employ"
  96. people to "hack" into computers with fast In-
  97. ternet connections and install XDCC Clients
  98. (usually iroffer - www.iroffer.org) which are
  99. used to share out pirated goods. From what I've
  100. seen, the people running these channels must
  101. primarily do it because they like to have power
  102. over a lot of people (being a chan op), but also
  103. they will often be given free shell accounts to
  104. run BNCs, Eggdrops, etc. by shell companies
  105. in exchange for an advert in the topic of the
  106. channel.
  107.  
  108. IRC Kiddies can be found on EFnet
  109. (irc.efnet.net) or Rizon (irc.rizon.net). Other
  110. servers and channels can be found through
  111. www.packetnews.org.
  112.  
  113. FXP Boards
  114.  
  115. FXP is the File eXchange Protocol. It isn't
  116. an actual protocol, just a method of transfer
  117. making use of a vulnerability in FTP. It allows
  118. the transfer of files between two FTP servers.
  119. Rather than client to server, the transfer be-
  120. comes server to server. FXP usually allows
  121. faster transfer speeds although it is generally
  122. not enabled on commercial servers as it is also
  123. a vulnerability known as the "FTP Bounce
  124. Attack."
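
The usual server-side answer to the FTP Bounce Attack mentioned above is to refuse any active-mode data command that names a host other than the control connection's peer, or a privileged port. A sketch of that check in Python, added here as an illustration and not part of the original article; the function names and the log format are assumptions, and the sample log is constructed.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT <d>proto<d>addr<d>port<d> (RFC 2428).
_PORT = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
_EPRT = re.compile(r"^EPRT\s+(.)([12])\1(\S+?)\1(\d{1,5})\1\s*$", re.I)


def parse_data_target(command):
    """Return (ip, port) named by a PORT/EPRT command, or None if malformed."""
    m = _PORT.match(command)
    if m:
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            return None
        return ipaddress.ip_address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]
    m = _EPRT.match(command)
    if m:
        try:
            ip = ipaddress.ip_address(m.group(3))
        except ValueError:
            return None
        port = int(m.group(4))
        return (ip, port) if port <= 65535 else None
    return None


def check_data_command(peer_ip, command):
    """Policy an FTP server can apply before opening an active-mode data connection."""
    target = parse_data_target(command)
    if target is None:
        return False, "malformed data command"
    ip, port = target
    if ip != ipaddress.ip_address(peer_ip):
        # The client asked the server to connect to someone else: FXP or a bounce.
        return False, "third-party address (FXP / bounce)"
    if port < 1024:
        return False, "privileged port"
    return True, "ok"


def audit_session_log(log_text):
    """Return (line_no, peer, command, reason) for every refused PORT/EPRT."""
    refused = []
    for n, line in enumerate(log_text.splitlines(), 1):
        peer, _, command = line.partition(" ")
        if command[:4].upper() not in ("PORT", "EPRT"):
            continue
        ok, reason = check_data_command(peer, command)
        if not ok:
            refused.append((n, peer, command, reason))
    return refused


# Constructed log: "<control-connection peer> <FTP command>", documentation addresses only.
SAMPLE_LOG = """\
203.0.113.10 USER racer
203.0.113.10 PORT 203,0,113,10,195,80
203.0.113.10 PORT 198,51,100,7,78,32
203.0.113.10 PORT 203,0,113,10,0,25
203.0.113.10 EPRT |1|198.51.100.7|6446|
"""

if __name__ == "__main__":
    for finding in audit_session_log(SAMPLE_LOG):
        print(finding)
```

Passive mode needs the mirror-image check: accept the data connection only from the address that owns the control connection.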
  125.  
  126. The Boards. FXP Boards usually run vBul-
  127. letin (forum software from www.vbulletin.org) and
  128. its members consist of Scanners, Hackers, and
  129. Fillers. There are also usually a few odd mem-
  130. bers such as Graphics People or Administra-
  131. tors but they don't do much.
  132.  
  133. The Scanner. The Scanner's job is to scan IP
  134. ranges where fast Internet connections are
  135. known to lie (usually university, etc.) for com-
  136. puters with remote-root vulnerabilities. We're
  137. talking brute forcing MS SQL and Netbios
  138. passwords, scanning for servers with the IIS
  139. Unicode bug (yes that three-year-old one). Oh
  140. yes, FXP Boards are where the lowest of the
  141. low Script Kiddies lurk. The Scanner will of-
  142. ten use already "hacked" computers for his
  143. scanning (known as scanstro's), using "remote
  144. scan" programs such as SQLHF, XScan, Fs-
  145. can, and HScan along with a nice program to
  146. hide them (hiderun.exe) from the user of the
  147. computer. Once the Scanner has gotten his re-
  148. sults, he'll run off to his FXP Board and post it.
  149. This is where the "Hacker" comes into play.
  150.  
  151. The "Hacker"/Script Kiddie/dot-slash Kid-
  152. die. Now I think it's fairly obvious what the
  153. "Hackers" do. (They actually call themselves
  154. hackers!) Yes, they break into computers.
  155. Their OS of choice (for breaking into) is usu-
  156. ally Windows. There are many easy to exploit
  157. vulnerabilities and *nix scares these people.
  158. The Hacker's job is to run his application and
  159. "root" the scanned server. The program he uses
  160. (of course) depends upon the vulnerability the
  161. Scanner has scanned for. For example, if it's
  162. Netbios Password he will often either use
  163. psexec (www.sysinternals.com) or DameWare
  164. NT Utilities. There are various other vulnera-
  165. bilities and programs used - too many to list
  166. here. Once he has "rooted" the computer (this
  167. usually means getting a remote shell with ad-
  168. min rights), he will use a technique known as
  169. "the tftp method" or "the echo methods" (tftp -i
  170. IP get file.exe) to upload and install an FTPD
  171. (this is almost always Serv-U) on his target. (In
  172. the case of the IRC Kiddies this would also be
  173. iroffer.) Once the FTPD is installed and work-
  174. ing he'll post the "admin" logins to the FTP
  175. server on his FXP Board. Depending on the
  176. speed of the compromised computer's (or
  177. "pubstro"/"stro") Internet connection and the
  178. hard drive space, it will be "taken" either by a
  179. Filler or a Scanner.
  180.  
  181.  
  182. The Filler. Now if the "pubstro" is fast
  183. enough and has enough hard drive space, it's
  184. the Filler's job to get to work filling it with the
  185. latest warez (the Filler usually has another
  186. source for his warez such as Site Trading).
  187. Once he's done FXPing his warez, the Filler
  188. goes back to the board and posts "leech logins"
  189. (read only logins) for one and all to use. What
  190. a great community!
  191.  
  192. FXP Boards are mostly full of Script Kid-
  193. dies and people with too much time on their
  194. hands. They like to think the FBI are after them
  195. and get very paranoid, but in reality no one re-
  196. ally gives a damn what they're up to except the
  197. unlucky sysops who get all their bandwidth
  198. eaten up because they forgot to patch a three
  199. year-old vulnerability. The true "n00b" FXP
  200. Boards can be found on wondernet (irc.won-
  201. dernet.nu) so, if you like, go sign up on one
  202. and see what it's all about. Tip: Pretend to be
  203. female. This will almost guarantee you a place
  204. on a board. Say you can scan/hack dcom, net-
  205. bios, sql, apache, and have a 10mbit.eu 0hour
  206. source.
  207.  
  208. Site Trading
  209.  
  210. Next on the list and pretty much at the top
  211. or near the top (as far as I've seen) are the Site
  212. Traders. These are generally just people with
  213. too much time on their hands who have possi-
  214. bly worked their way up through FXP Boards.
  215. Site Trading is basically the trading of pirated
  216. material between sites.
  217.  
  218. The Sites. These sites have very fast Inter-
  219. net connections (10mbit is considered the min-
  220. imum, 100mbit good, and anything higher
  221. pretty damn good) and huge hard disk drives
  222. (200GB would probably be the minimum).
  223. These sites are often hosted at schools, univer-
  224. sities, people's work, and in Sweden (10mbit
  225. lines are damn cheap in .se). These sites are re-
  226. ferred to as being "legit." This means that the
  227. owner of the computer knows that they are
  228. there and being run. Fast connections mean a
  229. lot to some people. If you have access to a
  230. 100mbit line (and are willing to run a warez
  231. server there), there are people who would quite
  232. happily pay for and have a computer shipped
  233. to you just for hosting a site that they will
  234. make absolutely no profit from (you can meet
  235. them on EFnet). Unfortunately, this is where
  236. credit card fraud can come into Site Trading.
  237. This is frowned upon by pretty much everyone
  238. (there is already enough paranoia and risk in
  239. Site Trading) but some people do use stolen
  240. credit card information to buy hard drives and
  241. such. To be fair, Site Traders aren't a bad bunch
  242. - the majority don't even believe in making any
  243. money out of it and insist they are just do-
  244. ing it for fun. Anyways, back to the sites.
  245. GLFTPD is considered to be the FTPD to use
  246. (in fact, a lot of Site Traders and warez groups
  247. will not join a site unless it is running
  248. GLFTPD). This also means that *nix is the OS
  249. of choice (as there is no GLFTPD win port).
  250. As well as running FTPD, the sites run an
  251. eggdrop bot with various scripts installed. The
  252. bot will make an announcement on an IRC
  253. channel when a directory is made or up-
  254. load completed. It will also give race informa-
  255. tion.
  256.  
  257. The People. There are basically two ranks
  258. in sitetrading: "SiteOps" and "Racers."
  259.  
  260. SiteOps, as you will have guessed are the
  261. administrators. There are usually between two
  262. and five SiteOps. One is often the supplier of
  263. the site, another the person who found the sup-
  264. plier and guided them through the installation
  265. of the FTPD. The other will be friends and
  266. people involved in the warez scene. One or
  267. more of the SiteOps will be the "nuker." It is
  268. his job to "nuke" any releases that are old or
  269. fake (more about releases shortly).
  270.  
  271. Racers are the folks who will "race" re-
  272. leases between sites. Usually they will have
  273. access to a number of sites and will FXP re-
  274. leases as soon as they're released. FXPing a re-
  275. lease will gain credits. The ratio is usually 1:3,
  276. so FXPing 100MB will get them 300MB cred-
  277. its on the site, allowing them to FXP 300MB of
  278. data from that site, which will gain them
  279. 900mb where they FXP that, etc., etc. "Rac-
  280. ing" of releases occurs when two or more rac-
  281. ers are uploading the same file. The "race" is to
  282. upload the most of the release at the fastest
  283. speed. Racing happens shortly after a release
  284. is... released.
  285.  
  286. Warez/Release Groups/"grps"
  287.  
  288. These are the ones basically supplying
  289. everyone with the warez. These are the ones
  290. the MPAA and RIAA don't seem to be too wor-
  291. ried about, or at least aren't making a big pub-
  292. lic fuss about. However, these groups are
  293. known to the FBI and they know that the FBI
  294. and whatever other authorities are watching
  295. them and collecting evidence. They know that
  296. one day these authorities will strike as they
  297. have done in the past. A lot of these people are
  298. just hoping that they won't be caught when it
  299. happens. As a result of this, anyone "high up"
  300. is extremely paranoid. Most users will use
  301. multiple BNCs (BouNCer, an IRC proxy) be-
  302. fore even going near an IRC network. A lot of
  303. large groups will own their own IRC Networks
  304. and SSL is used at every opportunity (FTP,
  305. IRC, etc.) It's hard to understand why these
  306. people actually do it when there is such a risk.
  307. The main reason is, in my opinion, boredom.
  308. At the end of the day, if you're sitting in front
  309. of your computer for most of your life you may
  310. as well be doing something other than flaming
  311. AOLers on IRC, and this sort of thing keeps
  312. you busy. Another reason is geekiness. Know-
  313. ing that you were one of the first people on the
  314. Internet to see that film, or that it's because of
  315. you that thousands of people are now playing
  316. that leaked Halflife 2 alpha and there are news
  317. articles everywhere about this "anonymous
  318. leaker" - it feels good, in a geeky kind of way.
  319. A lot of these people (not all, not all) may have
  320. rather uneventful lives and to know that, al-
  321. though at school, college, or work they're con-
  322. sidered a loser, they can go home at night and
  323. be looked upon as some kind of god within
  324. their group of online friends would feel good.
  325.  
  326. I do not believe that profit is a factor. These
  327. groups insist that they don't do this sort of
  328. thing for money, and I believe them.
  329.  
  330. There's a quote from a DEViANCE.nfo file:
  331. We do this just for FUN. We are against any
  332. profit or commercialisation of piracy. We do
  333. not spread any release, others do that. In fact,
  334. we BUY all our games with our own hard
  335. earned and worked for efforts. Which is from
  336. our own real life non-scene jobs. As we love
  337. game originals. Nothing beats a quality origi-
  338. nal. "If you like this game, BUY it. We did!"
  339.  
  340. A quote from Team Razor .nfo file: SUP-
  341. PORT THE COMPANIES THAT PRODUCE
  342. QUALITY SOFTWARE! IF YOU ENJOYED
  343. THIS PRODUCT, BUY IT! SOFTWARE AU-
  344. THORS DESERVE SUPPORT!!
  345.  
  346. Releases
  347.  
  348. A release is a piece of pirated material
  349. packaged and released by a warez group. The
  350. format of the release varies, but in the case of
  351. games or programs the release is usually in
  352. bin/cue, compressed with RAR, and split into
  353. 15,000,000 byte files. The naming of the re-
  354. lease will usually be something along the lines
  355. of "New.Game.3-ReLEASEGROUP".
  356.  
  357. The types of releases vary. In games there
  358. are mainly either CD Images (bin/cue format)
  359. or Rips. Movies are either DivX/XviDs (two or
  360. three bin/cue files). There are many different
  361. types of movie releases. A great list of these
  362. can be found at www.vcdquality.com. Releases
  363. will almost always be accompanied by a .nfo
  364. file. This will provide information about the re-
  365. lease and the group.
  366.  
  367. Additional Info
  368.  
  369. The following information is not from first
  370. hand experience, like the past information has
  371. been. This has been obtained from text files,
  372. told to me by people, and assumed. It will be
  373. mostly accurate, but there may well be errors.
  374.  
  375. The main members of any release group
  376. are:
  377.  
  378. The Supplier. This is the guy working at the
  379. local cinema or games store, the guy with the
  380. digital camera happy to sneak into the cin-
  381. ema, etc. Generally these people have to have
  382. access to new material, usually before anyone
  383. else gets to it. Often they will also have to have
  384. a fairly decent upload speed.
  385.  
  386. The Cracker. (only in games/apps groups)
  387. This will vary between groups. For example, a
  388. VCD/SVCD group would not require a
  389. cracker. But the cracker plays an important
  390. role. He will have to crack the game's protec-
  391. tion that stops the game from being played
  392. without the official CD. This guy usually has a
  393. fair bit of programming experience and can be
  394. quite smart.
  395.  
  396. Site Supplier. Similar to Site Trading, how-
  397. ever warez groups are often more picky about
  398. the sites they choose. The minimum speed is
  399. usually 100Mbit and often groups will only
  400. accept sites that are being supplied by the ac-
  401. tual System Ops/Admins themselves.
  402.  
  403. Courier. This guy's role is basically Site
  404. Trading. He has to distribute the group's re-
  405. lease to other sites.
  406.  
  407. Terms you may have heard and their mean-
  408. ings:
  409.  
  410. PRE/PRE'd. When a release is released an-
  411. nouncements will be made across many IRC
  412. channels called "PRE Chans." This is called
  413. the "PRE Time" and is the official time of re-
  414. lease. PRE Time is used mainly in site trading.
  415.  
  416. 0*. This is a reference to how new the re-
  417. lease is.
  418.  
  419. 0sec. This is a dream - n00b IRC Chans of-
  420. ten use this term but they are lying.
  421.  
  422. 0hour. Means the release was PRE'd under
  423. an hour ago.
  424.  
  425. 0day. Means the release was PRE'd under a day
  426. ago. (Typo-error in article, was "an hour ago".)
  427.  
  428. And so on...
  429.  
  430. Nuked. If a release is Nuked, the uploader
  431. of the release will lose credits on the site he is
  432. Nuked on. A release is Nuked when it is break-
  433. ing site rules (like eight hours of PRE or ear-
  434. lier).
  435.  
  436. Pubstro/Stro. This is a computer that has
  437. been compromised and has an FTPD running
  438. on it. It will be used to share warez, mainly to
  439. the FXP Community.
  440.  
  441. ScanStro. Similar to the above, but is used
  442. to scan for other vulnerable computers.
  443.  
  444. Pub/Pubbing. Pubs are dead. These are
  445. from the old days when many university and
  446. business FTP servers had write access enabled
  447. on anonymous accounts. So instead of break-
  448. ing into a computer, the warez kiddies would
  449. just upload their warez and give the IP address
  450. to their friends. This was very popular but died
  451. out for obvious reasons.
  452.  
  453. Tagging. Once found a Pub would be
  454. "tagged" (a folder with the name
  455. "tagged.by.lamepubkiddie" or something simi-
  456. lar would be made). The idea was that if a Pub
  457. was already "tagged" other Pubbers would
  458. leave it alone. This apparently worked for a
  459. while, with people respecting other people's
  460. tags and leaving the Pubs alone. But it cer-
  461. tainly hasn't worked for a very long time.
  462.  
  463. Dir Locking. This was used in Pubbing to
  464. stop people other than your warez group find-
  465. ing and downloading your warez (and slowing
  466. the server down). You would hide it, using di-
  467. rectory names such as "com1" and "." These
  468. directory names would also be hard to delete or
  469. even open, so it could take some time before
  470. the warez were found by the server admin.
  471.  
  472. Raping. The act of Raping an FTP server is
  473. when someone downloads pretty much every-
  474. thing they can from it at a very fast speed. It's
  475. frowned upon.
  476.  
  477. Leeching. Downloading a lot without up-
  478. loading.
  479.  
  480. PubStealing/Rehacking. Back "in the day"
  481. this would have been referred to as uploading
  482. to an already tagged Pub. Now it means replac-
  483. ing someone else's Serv-U with yours. Pub-
  484. Stealing is frowned upon and people will often
  485. be banned from FXP Boards if they are found
  486. to be doing it.
  487.  
  488. Securing. The act of Securing a pubstro
  489. would involve deleting key files such as
  490. ftp.exe, tftp.exe, cmd.exe, etc. or changing the
  491. username/password. Securing methods depend
  492. upon the vulnerability.
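
The Pub/Pubbing, Tagging and Dir Locking entries above describe artifacts an administrator can search a writable FTP tree for. The following Python audit is an added example, not part of the original article: it takes a recursive listing as path strings and flags reserved device names, dot-or-space-only names, and tag folders. The function names, the tag pattern and the sample listing are assumptions constructed for illustration.

```python
import re

# DOS device names that Win32 path handling reserves, with or without an extension.
_RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?$", re.I)
# "tagged.by.<name>" marker folders as described in the glossary (pattern is an assumption).
_TAG = re.compile(r"^tag(ged)?[._ -]*by\b", re.I)


def classify_component(name):
    """Return the reasons a single directory or file name looks like a hidden drop."""
    reasons = []
    if _RESERVED.match(name):
        reasons.append("reserved device name")
    stripped = name.rstrip(" .")
    if stripped == "":
        reasons.append("name is only dots/spaces")
    elif stripped != name:
        # Win32 strips trailing dots and spaces, so such names are awkward to open or delete.
        reasons.append("trailing dot or space")
    if _TAG.match(name):
        reasons.append("tag marker")
    return reasons


def audit_listing(paths):
    """Map each suspicious path prefix to its reasons.

    Paths are split on "/" by hand: pathlib would silently drop "." components,
    which are exactly what this audit is looking for.
    """
    findings = {}
    for path in paths:
        parts = path.split("/")
        for depth, name in enumerate(parts):
            if name == "":
                continue  # leading or trailing slash
            reasons = classify_component(name)
            if reasons:
                findings.setdefault("/".join(parts[: depth + 1]), reasons)
    return findings


# Constructed listing relative to the FTP root.
SAMPLE_LISTING = [
    "incoming/readme.txt",
    "incoming/tagged.by.lamepubkiddie/",
    "incoming/ /com1/ . /New.Game.3-ReLEASEGROUP/ng3.r00",
    "pub/drivers/lpt-tools/setup.exe",
]

if __name__ == "__main__":
    for prefix, reasons in audit_listing(SAMPLE_LISTING).items():
        print(repr(prefix), reasons)
```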
  493.  
  494. Some warez related links:
  495.  
  496. www.nforce.nl - a site that archives .nfos and
  497. releases. This site is frowned upon by people
  498. in "the scene".
  499.  
  500. www.isonews.com - a site seized by the federal
  501. government.
  502.  
  503. www.vcdquality.com - for movies specifically.
  504.  
  505. www.fxp.nl - fxp stuff
  506.  
  507. www.jtpfxp.net - rather large archive of
  508. fxp/script kiddie tutorials.
  509.  
  510. www.packetnews.org - XDCC search engine.
  511.  
  512. www.downhillbattle.org - not related, but fuck
  513. the RIAA!
  514.  
  515. If I've mentioned a program and not given a
  516. link it's because it can be easily found through
  517. Google.
  518.  
  519. That's all. I hope this has given someone a
  520. better view of piracy.
  521.  
  522. ---------------------------------------------------
  523. ASCII CONVERSION BY DALEK
  524. ----------------------------------------------