Napster - Security Hole

11-JUL-00 Popular music [sharing | stealing] service opens up your network and offers its contents to the world.

[ UPDATE - 18-Jul-00 - This one is more difficult to execute than a security analyst originally implied. Wrapster must already be on the victim's computer, and a "buffer overflow" exploit needs to be executed. The upshot is: if you already have that much control of the victim's computer, why bother using Napster? You can just use Outlook to e-mail the stuff out. ]


Napster is a wildly popular service allowing free sharing of MP3 compressed music files over the Internet. Napster itself is supposed to be supported by advertising. The Napster concept has, of course, been imitated, so it is no longer the only service of this type.

Napster works like this: Jane signs up and downloads the Napster client. The client registers all the MP3 music files on Jane's computer with Napster's server. When Jane tells Napster she wants to download Icky Sticky Vibes by the group Left Nuts, Napster offers her a list of computers that have that title on them and how fast their Internet connections are. Jane then downloads the title directly from the computer with the fastest connection, without any involvement by the owner of that computer. Similarly, if someone wants a title on Jane's computer, they can download it without Jane even knowing that is happening.

Jane calls this "sharing", and a lot of musicians, and the RIAA (Recording Industry Association of America), call this "stealing", but that's for the courts to decide (in litigation now). The company Jane works for calls it "bandwidth hogging", and has tried to stamp out Napster use, but they're old fuddy-duddies who just don't understand how important music is to Jane and her co-workers.

So what's the security problem here?

Wrapster, That's What

Wrapster is a freely downloadable program that tricks Napster into handling non-music files. It is currently used by computer enthusiasts as an alternative to "Warez" sites for distributing software (generally in violation of license and copyright), but it can be put to even less legitimate use.

Wrapster can be "Trojanized" to operate without the knowledge or permission of the computer owner. For more on Trojans, see our articles on Viruses and Cult of the Dead Cow's Back Orifice. Wrapster can be propagated to computers by the same means any other virus or Trojan is distributed.

What Wrapster can do is find certain files or types of files on Jane's network. In the uniform Microsoft environment, it knows just where to look and what to look for. It can then make copies of interesting files, wrap them up to look like MP3 music files, give them titles, and see that they are registered on Napster's server.

Wrapster's perpetrator simply asks Napster for those titles, and they are downloaded to the perpetrator's computer, while Jane remains blissfully unaware that her most confidential information is being downloaded for the amusement and enjoyment of others, along with her company's marketing plans, contracts and other useful information.


  • Make it very clear to all employees that anyone found with Napster (or any variant) client software on their computer will be severely disciplined and why.
  • Keep your anti-virus software updated. This will not protect you from new and improved versions of Wrapster, but may protect you from older ones as anti-virus publishers add them.
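Beyond policy and anti-virus signatures, the weakness the article describes can be checked for directly: the Napster-style index only ever sees the file names and link speeds its clients report (the registration and fastest-peer lookup described above), so anything given a music-style name gets listed, whether or not it contains music. The following is an added example, not code from the original article or from Napster or Wrapster. It assumes a client registers files purely by their .mp3 extension and that genuine MP3 content starts with an ID3v2 tag or an MPEG audio frame sync; the Wrapster container format itself is not modelled, and the sample files are constructed stand-ins. A defender can run the same magic-byte check over a share to find "MP3" files that are not audio at all.

```python
"""
Added example (not from the original article): a small model of why a
Napster-style index cannot tell music from wrapped data, plus a content
check a defender can run on a share.

Assumptions (not stated on the page): the client decides what to register
purely by file extension, and a real MP3 begins either with an ID3v2 tag
("ID3") or with an MPEG audio frame sync (eleven leading one bits). The
Wrapster container format is not modelled; the wrapped sample is made up.
"""
import os
import tempfile

# Constructed sample contents, not real files.
SAMPLE_FILES = {
    "icky_sticky_vibes.mp3": b"ID3\x03\x00\x00\x00\x00\x00\x21" + b"\x00" * 64,
    "live_track.mp3": b"\xff\xfb\x90\x00" + b"\x00" * 64,          # raw MPEG frame sync
    "q3_marketing_plan.mp3": b"PK\x03\x04" + b"contract.doc" + b"\x00" * 64,  # archive given an .mp3 name
    "readme.txt": b"not music, not registered",
}


def client_registers(names):
    """What a Napster-style client reports to the index: every *.mp3, by name only."""
    return sorted(n for n in names if n.lower().endswith(".mp3"))


class Index:
    """Napster-style directory: stores client-reported names and link speeds, never content."""

    def __init__(self):
        self.entries = {}  # title -> list of (host, speed)

    def register(self, host, speed, names):
        for title in client_registers(names):
            self.entries.setdefault(title, []).append((host, speed))

    def search(self, title):
        # Fastest peer first; the transfer then happens peer to peer,
        # without the owner of the file being involved.
        return sorted(self.entries.get(title, []), key=lambda e: -e[1])


def looks_like_mp3(data: bytes) -> bool:
    """Cheap magic-byte test for MP3 content (ID3v2 tag or MPEG frame sync)."""
    if data.startswith(b"ID3"):
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def find_suspect_mp3s(directory):
    """Names the client would register as MP3 whose leading bytes are not MP3 audio."""
    suspects = []
    for name in client_registers(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as fh:
            head = fh.read(16)
        if not looks_like_mp3(head):
            suspects.append(name)
    return suspects


def write_samples(directory):
    for name, data in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)


def demo():
    """Register Jane's files, look them up as a downloader would, then audit the share."""
    with tempfile.TemporaryDirectory() as share:
        write_samples(share)
        index = Index()
        index.register("jane-pc", 1500, os.listdir(share))      # constructed host and speed (kbit/s)
        index.register("other-pc", 56, ["icky_sticky_vibes.mp3"])
        return {
            "registered": client_registers(os.listdir(share)),
            "music_hit": index.search("icky_sticky_vibes.mp3"),
            "wrapped_hit": index.search("q3_marketing_plan.mp3"),
            "suspects": find_suspect_mp3s(share),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The index lists the wrapped marketing plan exactly as it lists the real song, because it has nothing but the name to go on; only reading the file bytes separates the two. A scheduled scan of file shares with the same test is a cheap way to spot wrapped data that anti-virus signatures for a given Wrapster version would miss.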

©: Andrew Grygus - Automation Access