Archive for the Hacking Category

A few months ago I spun up a new website, SpriteCastle.com. There’s no real content there yet — it’s more of a proof of concept site at this point. Last night after finishing up the latest episode of You Don’t Know Flack I decided to do some tweaking to the Sprite Castle. When I opened the site in Google Chrome, I got the following message:

Crap. I know WordPress has been under attack lately, so my first assumption was that the site had been compromised. Bypassing Chrome’s warning, I opened the site and searched for any sign of malware. I couldn’t find any. I then clicked “View Source Code” and quickly found the problem — links to a “posh laptop bag” website. While viewing the page itself I couldn’t see the link, but while viewing the code there it was, plain as day. A quick Google search shows that I’m not the only person running WordPress with the issue.

After a few minutes of research I tracked the problem back to the free WordPress theme I had downloaded. The theme was injecting links to sites hosting malware in the theme’s footer, and the links were encrypted (technically, obfuscated) making them difficult to find while sifting through the code.

There are lots of websites out there like this one that will help you remove encrypted footer links. Even with those removed, I was still seeing links in my source to malware sites. By using Windows’ FINDSTR command (similar to GREP) I was able to find more encrypted sections (hint: search your PHP files for “EVAL”). Each time I tried dinking with the code, the website would stop loading. Someone spent a lot of time putting those encrypted links into this particular theme.

So, I spent a lot of time getting rid of them.

The simplest branching point in any programming language is the IF…THEN clause, which does exactly what it sounds like:

IF (this) THEN (do this)

One baby step beyond that is IF…THEN…ELSE logic. Even if you are not a programmer you can see that this is used in every single program.

IF PASSWORD IS CORRECT
- ALLOW USER TO LOG IN TO E-MAIL
ELSE
- PRINT “Denied!”
END IF

Simple.

This was also, in its simplest form, the basis for most early forms of copy protection. Consider the old paper-based protection schemes that required gamers to enter a code to play a game.

HAVE USER ENTER CODE
IF CODE IS CORRECT
- RUN GAME
ELSE
- DO NOT RUN GAME
END IF

Once you understand this logic you can see that with a minor change, programs could be re-programmed to always load. Or, “cracked.”

HAVE USER ENTER CODE
RUN GAME

Again, simple. No matter what the user enters at the prompt, the game loads. There are other ways to do it, of course. Another simple way would be to tell the program that no matter what the user enters, it’s correct.

HAVE USER ENTER CODE
CODE IS CORRECT
IF CODE IS CORRECT
- RUN GAME
ELSE
- DO NOT RUN GAME
END IF

In this instance, no matter what the player enters, we tell the code that it was correct and the program continues down that path.

This is essentially how I removed the malware from the theme. The theme checks to see if a particular file exists on the computer. If it does, it reads a serial number from the file. If the serial number checks out, the malware links are removed from the footer.

CHECK TO SEE IF LICENSE FILE EXISTS
TELL PROGRAM FILE EXISTS
IF FILE EXISTS
- DO NOT INJECT MALWARE LINKS
ELSE
- INJECT MALWARE LINKS
END IF

A quick check of the theme’s output showed that the technique worked and the malware links had been removed. With that part fixed I began systematically removing all the malware-seeking code. It took a couple of hours, but I think the entire theme is now clean.
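The two things described above, searching every PHP file for "eval" and then working out what the hidden code does (here, a license-file check that decides whether the footer links get printed), can be scripted so you never have to run the suspicious code to read it. The following Python is an added example written for this page, not the author's tooling or any part of the theme. The sample footer it scans is constructed inline (the `sponsor.example.invalid` link, the `license.txt` filename and the two obfuscation layers are all made up), and the decoding is purely static: base64 and raw DEFLATE are unwrapped with the standard library, and nothing is ever passed to a PHP interpreter.

```python
import base64
import binascii
import re
import zlib

# PHP functions commonly used to hide injected code in a theme. A case-insensitive
# search for these is the scripted version of "FINDSTR /I eval *.php".
SUSPICIOUS_CALL = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# A quoted base64 literal passed straight to base64_decode(...).
B64_ARG = re.compile(
    r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""", re.IGNORECASE
)
URL = re.compile(r"""https?://[^\s'"<>]+""")


def find_suspicious_calls(php_source):
    """Return (line number, line) for every line that calls an obfuscation function."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(php_source.splitlines(), start=1)
        if SUSPICIOUS_CALL.search(line)
    ]


def decode_payloads(php_source, max_layers=5):
    """Statically unwrap eval(base64_decode(...)) and eval(gzinflate(base64_decode(...)))
    literals, layer by layer, without executing any PHP. Returns the decoded text of
    each layer, outermost first."""
    decoded = []
    pending = [php_source]
    for _ in range(max_layers):
        next_round = []
        for text in pending:
            for m in B64_ARG.finditer(text):
                try:
                    raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
                except binascii.Error:
                    continue  # not a clean base64 literal; leave it for a human
                # PHP gzinflate() reads a raw DEFLATE stream, which zlib handles with wbits=-15
                if "gzinflate" in text[max(0, m.start() - 40):m.start()].lower():
                    try:
                        raw = zlib.decompress(raw, -15)
                    except zlib.error:
                        continue
                layer = raw.decode("utf-8", errors="replace")
                decoded.append(layer)
                next_round.append(layer)
        if not next_round:
            break
        pending = next_round
    return decoded


def scan(php_source):
    """Report flagged lines, the decoded layers, and any URLs hidden inside them."""
    payloads = decode_payloads(php_source)
    return {
        "suspicious_lines": find_suspicious_calls(php_source),
        "decoded_payloads": payloads,
        "hidden_urls": sorted({u for p in payloads for u in URL.findall(p)}),
    }


def _raw_deflate(data):
    """Mimic PHP gzdeflate(): raw DEFLATE with no zlib header or checksum."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return co.compress(data) + co.flush()


# Constructed sample, NOT the real theme: the footer prints a sponsored link unless a
# license file exists, and that logic is wrapped in two layers of base64/gzinflate.
_INNER_PHP = (
    "if (!file_exists(dirname(__FILE__) . '/license.txt')) {\n"
    "    echo '<a href=\"http://sponsor.example.invalid/posh-laptop-bag\">posh laptop bag</a>';\n"
    "}"
)
_LAYER1 = base64.b64encode(_raw_deflate(_INNER_PHP.encode())).decode()
_LAYER2 = base64.b64encode(
    f"eval(gzinflate(base64_decode('{_LAYER1}')));".encode()
).decode()
SAMPLE_FOOTER_PHP = (
    "<?php\n"
    "// theme footer\n"
    "wp_footer();\n"
    "echo '<div id=\"footer\">Powered by WordPress</div>';\n"
    f"eval(base64_decode('{_LAYER2}'));\n"
    "?>\n"
)

if __name__ == "__main__":
    report = scan(SAMPLE_FOOTER_PHP)
    for lineno, line in report["suspicious_lines"]:
        print(f"line {lineno}: {line[:60]}...")
    for url in report["hidden_urls"]:
        print("hidden link:", url)
```

Run it over a real theme by reading each `.php` file and passing its contents to `scan()`. A flagged line is a lead, not a verdict: some legitimate plugins do use `base64_decode`, so read the decoded layers before deleting anything, and keep a copy of the original theme so a break like the author describes can be diffed against a known state.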

Unfortunately, once Google detects malware on a site it removes the URL from its search engine (SpriteCastle.com no longer shows up in Google searches) and Google Chrome still flags the site as one that hosts malware, even though the links have been removed. To get re-added, a request has to be submitted to Google and a scan of the site has to be performed. That ball’s already started rolling, so hopefully in the next day or two I’ll be back in business.


Another week, another episode.

Episode 119 of You Don’t Know Flack is about Hohocon — specifically Hohocon ’94, the last Hohocon and the only one I attended. Hohocon was a hacker conference that ran for 5 years in a row, from 1990 to 1994. It was put on by dFx, the Cult of the Dead Cow, and Phrack Magazine.

This was a tough episode to complete. During the time slot I set aside to record, my sister inconveniently and inconsiderately had a baby. Don’t you hate it when other people schedule things when you already have plans? Sheesh! All kidding aside, I spent a few hours at the hospital yesterday and a few hours watching the NFL playoffs yesterday, just enough to set me back half a day. On top of that I spent 90 minutes recording and another 3 hours editing my own babble.

Listen to me ramble. I sound like Jodie Foster’s award speech from last night, except I’m not coming out in this post. Unless it’ll increase my number of subscribers.

Link: YDKF Episode 119: Hohocon ’94
Facebook: You Don’t Know Flack


Last week at the 27th annual Chaos Communication Congress (CCC), a group calling themselves “fail0verflow” displayed the single most important PlayStation 3 hack to date. A few months from now, when everybody who wants one has a modified PS3, you’ll be able to point your finger back to fail0verflow’s CCC presentation and say, “that is where it all began.”

Just like the original Xbox, the PlayStation 3’s defenses didn’t fall to pirates, but to Linux experts. The quickest way to have your security precautions ripped out of your device, run up the flagpole and laughed at is to prevent people from running Linux on it. In fact, the general consensus has been all along that since the PlayStation 3 allowed users to install Linux on an unmodified console, Linux hackers have had no incentive to tinker with the console’s security measures. As a result, the PS3 has remained “unbroken” for over four years, the longest of any modern console. However, in the late spring of 2009, Sony removed the OtherOS feature from PlayStation 3’s through a mandatory (if you want to play online and/or new games) BIOS upgrade. While this made a lot of PlayStation 3 owners mad, it apparently made fail0verflow really mad.

The reason your PS3 (or any game console) won’t play a copied disc is because games must be digitally signed. As with any encryption, this digital handshake requires a private key and a public key. A PlayStation 3, using its private key, examines public keys and, based on its findings, determines whether or not to execute the code. This is why games you buy off the shelf will run on your PS3, but a copy of that same game will not.

(Old mod chips for the original PlayStation used to trick consoles by returning the right answer, regardless of what the question was. The PS1 was looking for region codes instead of digitally encrypted signatures, but the concept was the same. When a backup copy was inserted into the original PlayStation, the console would ask, “should I play this game?” The console checked for the region code and, when it could not be found, would reply with “no.” That response was sent back through the modchip, which slyly changed it to “yes!”)

While digging through the PlayStation 3, fail0verflow didn’t just find a private key — they found the private key. The master root encryption key. Using this key, hackers can generate working public keys. With valid public keys, hackers can boot anything they want on the PS3. There are two important things to note here. One is that this key is included in the PlayStation 3’s hardware. It does not appear that a BIOS upgrade can change the master key. And two, changing the key could cause all PlayStation 3 games to stop working — so that’s not very likely. fail0verflow went looking for this key in the name of Linux. Other folks may not be so kind.

You know how there’s that one guy that takes things to another level? In the hacking world, that guy is GeoHot. GeoHot perfected the iPhone jailbreak; if your iPhone is jailbroken, you owe it to GeoHot. The PlayStation 3 has been a thorn in GeoHot’s side for quite some time now. He’s picked at it, poked at it, and even released a couple of hacks that were eventually closed up by Sony. fail0verflow announced that within the next month, they plan on releasing some tools that will allow the homebrew and hacking communities to start looking at the PS3. GeoHot said to hell with that, and posted the master key on his website.


Right now, this kid’s house is probably surrounded by lawyers. Or assassins. Or both.

Now, I don’t know what to do with that number, and chances are you don’t either, but you can bet your booty there are people that do, people that have been waiting four long years for those numbers. The PS3’s homebrew and hacking scenes are about to light up. I can’t wait to see what happens next.
