2600 Hacker Quarterly Summer 2004
A Guide To Internet Piracy
Ive written this article after reading a few
letter which show that some readers seem to
know little about piracy on the Internet. I dont
know everything about piracy on the net, but I
would go so far to say that I know a fair bit
First off, piracy isnt just a few guys who
work at cinemas and software stores taking the
odd film or game home and sharing it on their
home FTP servers or KaZaA.
Piracy on the Internet, or the warez scene
(as those into it like to call it) is suprisingly
organized. Pirated software/games/movies/
anything are called warez and will referred
to as that from now on.
The Piracy Food Chain
Warez/Release Groups - People who release
the warez to the warez community. Often
linked with Site Traders.
Site Traders - People who trade the releases
from the above groups on fast servers.
FXP Boards - Skript Kiddies who
scan/hack/fill vulnerable computers with
IRC Kiddies - Users of IRC (Internet Relay
Chat) who download from XDCC Bots or
KaZaA Kiddies - Users of KaZaA and other
p2p (peer to peer) programs.
Well start at the bottom.
At the bottom of the piracy food chain we
have the KaZaA Kiddies. There appear to be
two groups of these KaZaA Kiddies. First, the
13 year old kids with broadband downloading
the odd mp3 here and there because they cant
afford outrageously overpriced CDs from
stores. Harmless kids, costing no one any real
money, pursuing their musical interest. Also,
these are the people being labeled pirates.
These are the ones Killing the Music Indus-
try. These are the ones who are being sued by
the RIAA for thousands of dollars. Sigh.
Second are the older, p2p veterans who use
other p2p networks (Gnutella, BitTorrent,
EMule) and programs as well as KaZaA. In ad-
dition to using p2p for music the may also
download games, programs, movies, etc.
Not far up from KaZaA Kiddies we
have the pople who go to IRC for their warez
fix. These folks can be more knowledgeable
about computers and the Internet but tend to be
just as irritating as the KaZaA Kiddies. Warez
Channels are often run by people who have ac-
cess to a fair amount of pirated materieal (more
about them later). There are generally two types
of these Warez Channels:
Fserve Chans. These can often be run by
the same KaZaA or IRC kiddies. They dont re-
ally have a reason to run them; they just like to
feel important. They mainly use the mIRC
clients File Server function and some 133t
skript to share their warez direct from their
XDCC Chans. These are usually run by
people into FXP Boards and Sitetrading. They
have access to fast, new warez. They employ
people to hack into computers with fast In-
ternet connections and install XDCC Clients
(usually iroffer - www.iroffer.org) which are
used to share out pirated goods. From what Ive
seen, the people running these channels must
primarily do it because they like to have power
over a lot of people (being a chan op), but also
they will often be given free shell accounts to
run BNCs, Eggdrops, etc. by shell companies
in exchange for an advert in the topic of the
IRC Kiddies can be found on EFnet
(irc.efnet.net) or Rizon (irc.rizon.net). Other
servers and channels can be found through
FXP is the File eXchange Protocol. It isnt
an actual protocol, just a method of transfer
making use of a vulnerability in FTP. It allows
the transfer of files between two FTP servers.
Rather than client to server, the tranfer be-
comes server to server. FXP usually allows
faster transfer speeds altthough it is generally
not enabled on commercial servers as it is also
a vulnerability known as the FTP Bounce
The Boards. FXP Boards usually run Vbul-
letion (from software from www.vbulletin.org) and
its members consist of Scanners, Hackers, and
Fillers. There are also usually a few odd mem-
bers such as Graphics People or Administra-
tors but they dont do much.
The Scanner. The Scanners job is to scan IP
ranges where fast Internet connection are
knwon to lie (usually university, etc.) for com-
puters with remote-root vulnerabilities. Were
talking brute forcing MS SQL and Netbios
passwords, sacnning for servers with the IIS
Unicode bug (yes that three-year-old one). Oh
yes, FXP Boards are where the lowest of the
low Script Kiddies lurk. The Scanner will of-
ten use already hacked computers for his
scanning (known as scanstros), using remote
scan programs such as SQLHF, XScan, Fs-
can, and HScan alsong with a nice programs to
hide them (hiderun.exe) from the user of the
computer. Once the Scanner has gotten his re-
sults, hell run off to his FXP Board and post it.
This is where the Hacker comes into play.
The Hacker/Script Kiddie/dot-slash Kid-
die. Now I think its fairly obvious what the
Hackers do. (They actually call themselves
hackers!) Yes, they break into computers.
Their OS of choice (for breaking into) is usu-
ally Windows. There are many easy to exploit
vulnerabilities and *nix scares these people.
The Hackers job is to run his application and
root the scanned server. The program he uses
(of course) depends upon the vulnerability the
Scanner has scanned for. For example, if its
Netbios Password he will often either use
psexec (www.sysinternals.com) or DameWare
NT Utilities. There are various other vulnera-
bilities and programs used - too many to list
here. Once he has rooted the computer (this
usually means getting a remote shell with ad-
min rights), he will use a technique known as
the tftp method or the echo methods (tftp -i
IP get file.exe) to upload and install an FTPD
(this is almost always Serv-U) on his target. (In
the case of the IRC Kiddies this would also be
iroffer.) Once the FTPD is installed and work-
ing hell post the admin logins to the FTP
server on his FXP Board. Depending on the
speed of the compromised computers (or
pubstro/stro) Internet connection and the
hard drive space, it will be taken either by a
Filler or a Scanner.
The Filler. Now if the pubstro is fast
enough and has enough hard drive space, its
the Fillers job to get to work filling it with the
latest warez (the Filler usually has another
source for his warez such as Site Trading).
Once hes done FXPing his warez, the Filler
goes back to the board and posts leech logins
(read only logins) for one and all to use. What
a great community!
FXP Boards are mostly full of Script Kid-
dies and people with too much time on their
hands. They like to think the FBI are after them
and get very paranoid, but in reality no one re-
ally gives a damn what theyre up to except the
unlucky sysops who get all their bandwidth
eaten up because they forgot to patch a three
year-old vulnerability. The true n00b FXP
Boards can be found on wondernet (irc.won-
dernet.nu) so, if you like, go sign up on one
and see what its all about. Tip: Pretend to be
female. This will almost guarantee you a place
on a board. Say you can scan/hack dcom, net-
bios, sql, apache, and have a 10mbit.eu 0hour
Next on the list and pretty much at the top
or near the top (as far as Ive seen) are the Site
Traders. These are generally just people with
too much time on their hands who have possi-
bly workrd their way up through FXP Boards.
Site Trading is basically theraing of pirated
material between sites.
The Sites. These sites have very fast Inter-
net connections (10mbit is considered the min-
imum, 100mbit good, and anything higher
pretty damn good) and huge hard disk drives
(200GB would probably be the minimum).
These sites are often hosted at schools, univer-
sities, peoples work,, and in Sweden (10mbit
lines are damn cheap in .se). These sites are re-
ferred to as being legit. This means that the
owner of the computer knowns that they are
there and being run. Fast connections mean a
lot to some people. If you have access to a
100mbit line (and are wiling to run a warez
server there), there are people who would quite
happily pay for and have a computer shipped
to you just for hosting a site that they will
make absolutely no profit from (you can meet
them on EFnet). Unfortunately, this is where
credit card fraud can come into Site Trading.
This is frowned upon by pretty much everyone
(there is already enough paranoia and risk in
Site Trading) but some people do use stolen
credit card information to buy hard drives and
such. To be fair, Site Traders arent a bad bunch
- the majority dont even beleieve in making any
money out of it and insist they are just do-
ing it for fun. Anyways, back to the sites.
GLFTPD is considered to be the FTPD to use
(in fact, a lot of Site Traders and warez groups
will not join a site unless it is running
GLFTPD). This also means that *nix is the OS
of choice (as there is no GLFTPD win port).
As well as running FTPD, the sites run an
eggdrop bot with various scripts installed. The
bot will amke an annoucement on an IRC
channel a directory is made or up-
load completed. It will also give race informa-
The People. There are basically two ranks
in sitetrading: SiteOps and Racers.
SiteOps, as you will have guessed are the
administrators. There are usually between two
and five SiteOps. One is often the supplier of
the site, another the person who found the sup-
plier and guided them through the installation
of the FTPD. The other will be friends and
people involved in the arez scene. One or
more of the SiteOps will be the nuker. IT is
his job to nuke any releases that are old or
fake (more about releases shorly).
Racers are the folks who will race re-
leases between sites. Usually they will have
access to a number of sites and will FXP re-
lease as soon as theyre released. FXPing a re-
lease will gain credits. The ratio is usually 1:3,
so FXPing 100MB will get them 300MB cred-
its on the site, allowing them to FXP 300MB of
data from that site, which will gain them
900mb where they FXP that, etc., etc. Rac-
ing of releases occurs when two or more rac-
ers are uploading the same file. The race is to
upload the most of the release at the fastest
speed. Racing happends shortly after a release
These are the ones basically supplying
everyone with the warez. These are the ones
the MPAA and RIAA dont seem to be too wor-
ried about, or at least arent making a big pub-
lic fuss about. However, these groups are
known to the FBI and they know that the FBI
and whatever other authorities are watching
them and collecting evidence. They know that
one day these authorities will strike as they
have done in the past. A lot of these people are
just hoping that they wont be caught when it
happens. As a result of this, anyone high up
is extremely paranoid. Most users will use
multiple BNCs (BouNCer, an IRC proxy) be-
fore even going near an IRC network. A lot of
large groups will own their own IRC Networks
and SSL is used at every opportunity (FTP,
IRC, etc.) Its hard to understand why these
people actually do it when there is such a risk.
The main reasons are, in my opinion, boredom.
At the end of the day, if youre sitting in front
of your computer for most of your life you may
as well be doung something other than flaming
AOLers on IRC, and this sort of thing keeps
you busy. Another reason is geekiness. Know-
ing that you were one of the first people on the
Internet to see that film, or thats because of
you that thousands of people are now playing
that leaked Halflife 2 alpha and there are news
articles everywhere about this anonymous
leaker - it feels good, in a geeky kind of way.
A lot of these people (not all, not all) may have
rather uneventful lives and to know that, al-
though at schol, college, or work theyre con-
sidered a loser, they can go home at night and
be looked upon as some kind of god within
their group of online friends would feel good.
I do not believe that profit is a factor. These
groups insist that they dont do this soft of
thing for money, and I believe them.
Theres a quote from a DEViANCE.nfo file:
We do this just for FUN. We are against any
profit or commercialisation of piracy. We do
not spread any release, others do that. In fact,
we BUY all our hames with our own hard
earned and worked for efforts. Which is from
our own real life non-scene jobs. As we love
game originals. Nother beats a quality origi-
nal. If you like this game, BUY it. We did!
A quote from Team Razor .nfo file: SUP-
PORT THE COMPANIES THAT PRODUCE
QUALITY SOFTWARE! IF YOU ENJOYED
THIS PRODUCT, BUY IT! SOFTARE AU-
THORS DESERVE SUPPORT!!
A release is a piece of pirated material
packaged and released by a warez group. The
format of the release varies, but in the case of
games or programs the release is usually in
bin/cue, compressed with RAR, and split into
15,000,000 bite files. The naming of the re-
lease will usually by something along the lines
The types of releases vary. In games there
are mainly either CD Images (bin/cue format)
or Rips. Movies are either DivX/Xivds (two or
three bin/cue files). There are many different
types of movie releases. A great list of these
can be found at www.vcdquality.com. Releases
will almost always be accompanied by a .nfo
file. This will provide information about the re-
lease and the group.
The following information is not from first
hand experience, like the past information has
been. This has been obtained from text files,
told to me by people, and assumed. It will be
mostly accurate, but there may well be errors.
The main members of any release group
The Supplier. This is the guy working at the
local cinema or games store, the guy with the
digital camera happy to sneak into the cin-
ema , etc. Generally these people have to have
access to new material, usually before anyone
else gets to it. Often they will also have to have
a fairly decent upload speed.
The Cracker. (only in games/apps groups)
This wlll vary between groups. For example, a
VCD/SVCD group would not require a
cracker. But the cracker plays an important
role. He will have to crack the games protec-
tion that stops the game from being pleyed
without the official CD. This guy usually has a
fair bit of programming experience and can be
Site Supplier. Similar to Site Trading, how-
ever warez groups are often more picky about
the sites they choose. The minimum speed is
usually 100Mbit and often groups will only
accept site that are being supplied by the ac-
tual System Ops/Admins themselves.
Courier. This guys role is basically Site
Trading. He has to distribute the groups re-
lease to other sites.
Terms you may have hard and their mean-
PRE/PREd. When a release is released an-
nouncements will be made across many IRC
channels called PRE Chans. This is called
the PRE Time and is the official time of re-
lease. PRE Time is used mainly in site trading.
0*. This is reference to how new the re-
0sec. This is a dream - n00b IRC Chans of-
then use this term but they are lying.
0hour. Mean the release was PREd under
an hour ago.
0day. Mean the release was PREd under a day
ago. (Typo-error in article, was an hour ago.)
And so on...
Nuked. If a release is Nuked, the uplaoder
of the release will lose credits on the site he is
Nuked on. A release is Nuked when it is break-
ing site rules (like eight hours of PRE or ear-
Pubstro/Stro. This is a computer that has
been compromised and has an FTPD running
on it. It will be used to share warez, mainly to
the FXP Community.
ScanStro. Similar to the above, but is used
to scan for other vulneralbe computers.
Pub/Pubbing. Pubs are dard. These are
from the old days when many university and
business FTP servers had write access enabled
on anonymous accounts. So instead of break-
ing into a computer, the warez kiddies would
just upload their warez and give the IP address
to their friends. This war very popular but died
out for obvious reasons.
Tagging. Once found a Pub would be
tagged (a folder with the name
tagged.by.lamepubkiddie or something simi-
lar would be made). The idea was that if a Pub
war already tagged other Pubbers would
leave it alone. This apparently worked for a
while, with people respecting other peoples
tags and leaving the Pubs alone. But it cer-
tainly hasnt worked for a very long time.
Dir Locking. This war used in Pubbing to
stop people other that your warez group find-
ing and downloading your warez (and slowing
the server down). You would hide it, using di-
rectory names such as com1 and . These
directory names would also be hard to delete or
even open, so it could take some time before
the warez were found by the server admin.
Raping. The act of Raping an FTP server is
when someone downloads pretty much every-
thing then can from it at a very fast speed. Its
Leeching. Downlaoding a lot without up-
PubStealing/Rehacking. Back in the day
this would have been referring to as uploading
to an already tagged Pub. Now it means replac-
ing someone elses Serv-U with yours- Pub-
Stealing is frowned upon and people will often
be banned from FXP Boards if they are found
to be doing it.
Securing. The act of Securing a pubstro
would involve deleting key files such as
ftp.exe, tftp.exe, cmd.exe, etc. or changing the
username/password. Securing methods depend
upon the vulnerability.
Some warez related links:
www.nforce.nl - a site that archive .nfos and
releases. This site is frowned upon by people
in the scene.
www.isonews.com - a site seized by the federal
www.vcdquality.com - for movies specifically.
www.fxp.nl - fxp stuff
www.jtpfxp.net - rather large archive of
fxp/script kiddie tutorials.
www.packetnews.org - XDCC search engine.
www.downhillbattle.org - not related, but fuck
If Ive mentioned a program and not give a
link its because it can be easily found through
Thats all. I hope this has give someone a
better view of piracy.
ASCII CONVERSION BY DALEK