'Revolutionary' file-sharing software Earthstation 5 contains malicious code

Can you still remember the 'revolutionary' file-sharing software Earth Station 5 we reported about several times? In short this new file-sharing software promised to be the most secure peer-to-peer software with complete stealth & cloaking technologies on board. At the time we posted the news, roughly six months ago, it already sounded too good to be true. Now, thanks to dj_is_da_man we can read on Slashdot that this is indeed the case. According to this message, the ES5 software contains malicious code that allows anyone to delete any file on your computer:

Malicious code

There exists malicious code in ES5.exe's "Search Service" packet handler. By sending packet 0Ch, sub-function 07h to the "Search Service"'s IP: Port, a remote attacker could delete any file the user is sharing. If the remote attacker uses "filenames" with a relative path in them (eg. "......WINDOWSNOTEPAD.EXE"), the remote attacker could also delete files in eg. the windows and windowssystem32 folders, or any other folder on the same partition as any of the shared folders. Since most users using Windows are in the Administrators group, a remote attacker could also delete the C: BOOT.INI file which is a required boot file used by ntldr.

IMPORTANT: This is not a bug! They intentionally added this code to ES5.

Vulnerabilities

There also exists a lot of other vulnerabilities in
ES5 (eg. DoS attacks, buffer overflow bugs, and so on), but these all seem
to be unintentional. Another advisory may have more info on these
vulnerabilities, but I'm not their beta tester so don't hold your breath.

Conclusion

The people behind ES5 have intentionally added malicious code to ES5. If you have followed the ES5 discussions on message boards and read what the ES5 people have said and done (eg. DoS attacking BitTorrent sites), this comes as no surprise. The question then is "why did they do it?" I'm sure they won't tell us, but here's a theory: They could be working for the RIAA, MPAA, or a similar organization. Once they have enough users on their ES5 network, they would start deleting all copyrighted files they own which their users are sharing. The users wouldn't know what hit them.

Please be warned if you have installed the Earth Station 5 software! Via this link you can read more on the malicious code that is found in the software. The tested builds include build 1266 and build 2180 (latest version).


Update:


Thanks to damiandimitri we
can read more on this subject over at Neowin.net. The authors of the software acknowledge the code but they claim it's
used for automatic remote upgrade of the ES5 software. The authors
add:


"Random Nut, AKA Shaun Garriok, the Author of
Kazaalite, has been a vocal critic of Earthstation5 because of a continual
online insult war between himself and some roudy Earthstation5 fans. This has
motivated him to be extremely critical of Earthstation5. We at Earthstation5
desire and request criticism at any time in fact we demand it as we believe that
is the only way to make software truly superior.
"

Source: Slashdot

No posts to display