While this isn't a malware related post, and a bit self-indulgent, I'm posting it here anyways. Enjoy!
I'll remember Defcon 18 for a long time. It was the first Defcon I spoke at (which I did twice), it had some excellent parties, and was overall just a great experience. But if I had to pick one thing that I did this weekend that I'll remember the most, it has to be how I interacted with the Ninja Badge from Ninja Networks - with Zigbee.
The Ninja Badge this year was a slick Game Boy like device, with a 4 button D-pad, 2 buttons on the other side, and an LCD screen. It came loaded with a game that allowed you to attack other badge holders to gain levels, get loot, and through bonuses gained by doing quests, become increasingly more popular.
The game and the intended use was interesting, but I wanted to see what was really going on here, so I began reading and collecting information. By way of the Wired article and talking with some friends, I gathered enough intelligence that it was using the Freescale mc1322x MCU, a chip I was very familiar with.
Back in April 2010, I helped organize a hacker conference in Rhode Island called QuahogCon. Aside from being the first hacker con ever in Rhode Island, we had electronic badges that in fact used the mc1322x MCU. With our badge, we used the Zigbee capabilities of the Freescale chip to implement a "Zombies versus Humans" game, where attendees would either be a zombie or a human and attempt to attack the other side. In the short span of 3 weeks, myself and one other coder built this firmware, and turned a neat electronic badge into a somewhat compelling game for the attendees to enjoy.
All of the attacking was done wirelessly, and people had a blast attacking their friends and other con-goers. We collected over 30 megs of logs from this game, and this became the centerpiece of one of my Defcon presentations this year, titled "How Hackers Won the Zombie Apocalypse", with the slides available here.
During QuahogCon, several people attacked the badges over Zigbee, which enabled people to severely impact the game. Some enterprising hackers even gained "God Mode", where they were able to change all badges in their vicinity into anything they wanted. Perfect for amassing a zombie army. They did this by using provided sample code to create network sniffers out of the badges, capture packets, decode them and discover the protocol's details and set their own values. It worked wonderfully, and really opened up a new dynamic to the game.
Coming back to Defcon, when I learned the details about the badge, I decided that I had to learn the secrets of the Ninja Badge, or, as many as I could discover while still experiencing Defcon. Fortunately, since I was talking about the QuahogCon badge at Defcon, I had several in my possession. But how would I sniff the packets?
In anticipation of my talk, Dragorn, the creator of Kismet and one of the firmware developers for the QuahogCon badge, wrote some (very alpha) code that turned the QuahogCon badge into a Kismet-compatible Zigbee sniffer. This code is available in the Kismet SVN repository, and is implemented as the dot15d4 plugin, and should work on any device using the mc1322x chip. While I could have used some available sample code to log the packets, using Kismet provided several capabilities that proved very useful when dealing with an unknown device, such as Channel Hopping. After a few seconds of use, Kismet identified that the packets were all on Channel 11, which allowed me to narrow things down and capture every packet my badge was sending.
On Friday, the day Defcon began, I acquired a Ninja Badge, and immediately got to work. I fired up my QuahogCon Zigbee Sniffer and Kismet, and watched the packets coming in. It didn't take long before I made a few discoveries about the packets. Namely, the player names were broadcast in cleartext. Now it was time to have some fun!
I loaded the rftext-tx.c sample that is a part of the mc1322 development tools, and simply copied the data I was seeing into the packet array in the sample. The player name portion of the packet was obvious, so I replaced it with a different name, "Your Mom" to see if the badge had any safeguards against this type of packet injection. After compiling and loading the new firmware onto a QuahogCon badge, my Ninja badge informed me that it was seeing a new player: Your Mom.
Your Mom was not too impressive, as it looked just like any other player. I wanted it to have some special properties, so I decided to see if I could affect anything else that the Ninja badge would display about it. At this point, I began playing with different values in the packet. There were a few values that looked to be somewhat static, or changing only between a few values, so I assumed these denoted different modes like beaconing a player or initiating an attack. I ignored those to start, and after playing around for a bit, I found a result that pleased me - changing the players level.
The Ninja Networks guys were gracious enough to provide an instruction manual about the game, giving details such as how to play the game and ways you could improve your character. There was one bit of data that they provided that I zeroed in on, where the maximum level for any player was level 10.
After playing with the level value for a short amount of time, I discovered that the maximum level value that the game would accept is 15. The odd part was that the same value appeared to influence how many characters in the players name it would display. After trying out a few things, I found the correct value to display the entire name for "Your Mom", and after another compilation and flashing, Your Mom was now level 15. Success! The best part that it was being beaconed from an unassuming QuahogCon badge, so no one would ever actually find who Your Mom was. Ninja badge indeed!
I've put this code on Pastebin in its original form, which contains some terrible commented out code and general sloppiness. I think its a perfect example of what code written by someone partying at Defcon should look like! It's available at http://pastebin.com/tG1upFwK
I continued collecting packets hoping to find out the right value to change my icon from a ninja to something more exciting like a pirate of pool2girl, and gathered over 300k of Zigbee packets to go through. Although time and the nature of Defcon kept me from adding more to Your Mom, I have put these packets online for anyone to download and explore, which is available here.
Overall, messing with the Ninja badge was a lot of fun. When I heard people mentioning Your Mom in passing, or in some cases, unknowingly mentioning it to me, it made all the time I spent working on it (and not drinking) worthwhile. It also served as a good test for the Zigbee Kismet module, which worked flawlessly in discovering the secrets of the Ninja badge - not bad for extremely alpha code! Walking around with 3 badges around my neck all weekend (Defcon, Ninja and QuahogCon) may have weighted me down a bit, but it was all definitely worth it - even if I stayed a little more sober than I should have!
I haven't unlocked all its secrets yet though, so I have more fun ahead of me!
Monday, August 2, 2010
Friday, May 14, 2010
TweBot 2.0
This week, a new bot appeared which uses Twitter as its Command and Control channel. This isn't a new development in itself, but the author of this bot software, Korrupted, freely gave the bot away to script kiddies everywhere. Equally as amusing was the fact that all the commands the bot would respond to were hard-coded, and easily searchable on Twitter.
Spurred on by the excitement of skids everywhere being able to "DDoS from your cellphone", the media attention, or some combination of it all, Korrupted has released version 2 of his bot builder today.
As the screenshot shows, this version allows for custom commands, which should make it a bit less fun for people simply trying to search for bots with Twitter's search functionality. They're no more hidden than any other user on Twitter, however. You just have to know who you're looking for. Or, how they talk to their bots!
One other feature this version has is a hilarious disclaimer "absolving" the author from any wrongdoing:
Clearly, this is entirely original content! Find/Replace FAIL!
Spurred on by the excitement of skids everywhere being able to "DDoS from your cellphone", the media attention, or some combination of it all, Korrupted has released version 2 of his bot builder today.
As the screenshot shows, this version allows for custom commands, which should make it a bit less fun for people simply trying to search for bots with Twitter's search functionality. They're no more hidden than any other user on Twitter, however. You just have to know who you're looking for. Or, how they talk to their bots!
One other feature this version has is a hilarious disclaimer "absolving" the author from any wrongdoing:
Clearly, this is entirely original content! Find/Replace FAIL!
Sunday, March 21, 2010
Terrible U-Eye
Script Kiddie tools are infamous for their terrible user interfaces, but this one just makes me feel a bit uncomfortable. We can thank the creatively named "Remote Webcam v1.0" by Wolf for this one.
Apparently that's the default image while waiting for a webcam to eavesdrop on. Perhaps its some sort of psychological motivator to spread your malware faster to make the eye disappear.
Either way, its awfully creepy, and it can be yours for just $20! Yeah, I don't think so.
Apparently that's the default image while waiting for a webcam to eavesdrop on. Perhaps its some sort of psychological motivator to spread your malware faster to make the eye disappear.
Either way, its awfully creepy, and it can be yours for just $20! Yeah, I don't think so.
Thursday, March 18, 2010
Crimepack - How Not to Redact
The Crimepack exploit kit is rather new, and is beginning generate some interest on various forums and mailing lists. They appear to have a decent advertising campaign as well, with ads written clearly in both English and Russian.
On one Russian forum, someone who is presumably the author of Crimepack or very familiar with how it works went into great deal as to how to its obfuscation and other components work. I was happy to see that he was using a tool I know and love, Malzilla, to demonstrate how well its made. Unfortunately, I don't think this guy understands the tool that well, or at the very least, how to read hex:
Its apparent that this guy is trying to hide a URL. I don't think he understands that he missed all but one character in the url in his redaction. At 0x280 in the hex, with a lookup table, you'll see "ilon5.ru". Other images revealed the first character to be a "p".
Sure enough, there's a exploit kit installed right where the image said it would be!
A whois lookup for this site comes up as:
domain: PILON 5.RU
nserver: ns1.hostlife.net.
nserver: ns2.hostlife.net.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
phone: +375296543210
e-mail: ch1t3r@gmail.com
registrar: NAUNET-REG-RIPN
created: 2010.02.02
paid-till: 2011.02.02
source: TCI
ch1t3r has a history with exploit packs too it seems.
Here's hoping that this kind of redaction becomes a trend in with these guys!
On one Russian forum, someone who is presumably the author of Crimepack or very familiar with how it works went into great deal as to how to its obfuscation and other components work. I was happy to see that he was using a tool I know and love, Malzilla, to demonstrate how well its made. Unfortunately, I don't think this guy understands the tool that well, or at the very least, how to read hex:
Its apparent that this guy is trying to hide a URL. I don't think he understands that he missed all but one character in the url in his redaction. At 0x280 in the hex, with a lookup table, you'll see "ilon5.ru". Other images revealed the first character to be a "p".
Sure enough, there's a exploit kit installed right where the image said it would be!
A whois lookup for this site comes up as:
domain: PILON 5.RU
nserver: ns1.hostlife.net.
nserver: ns2.hostlife.net.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
phone: +375296543210
e-mail: ch1t3r@gmail.com
registrar: NAUNET-REG-RIPN
created: 2010.02.02
paid-till: 2011.02.02
source: TCI
ch1t3r has a history with exploit packs too it seems.
Here's hoping that this kind of redaction becomes a trend in with these guys!
Subscribe to:
Posts (Atom)