Hackers Use DIY Botnets To DDoS Xbox Gamers

xboxlv5.gif

In the past few weeks, we've noticed a steady increase in posts like this and this. Everywhere you look, people are suddenly curious as to how you "boot" someone from online videogames. They're not entering this rather famous joypad combination to do it - rather, they're dabbling in somewhat more sinister methods of tampering with gamers playing on XBox Live.

Namely - Botnets. In a big way too, from the looks of things.

What is XBox Live?

Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft Corporation. Pay for a Live account, and you can shoot other gamers online all day long on Halo 3, or maybe download some premium content such as movies, trailers etc.

Live has long been a target for social engineers and hackers: phishing people for their logins, and circulating fake Microsoft Points generators stuffed with Trojans and keyloggers to steal login details, has been going on seemingly forever. There is another area of Live abuse that hasn't been looked into much: "booting" other players out of games by external means.

How is this done?

Well, typically someone will connect their Xbox to their PC via a crossover cable (or through the PC's wireless connection), join a multiplayer game and then sniff the traffic (you can see a tiny example of that in the first screenshot at the top of the article). Because most Live matches are hosted by one of the players rather than a dedicated server, the console talks directly to the other peers, and their IP addresses are right there in the capture. They might use this method to grab IP addresses (though it can be a little over-complicated for the wannabe hacker), or they might resort to social engineering tactics away from the gaming environment. However they go about it, they need an IP address if they intend to boom, headshot their victim.

In this case, we have something rather interesting that's quickly becoming mainstream after spending a long time in the underground: combining custom-made tools to create Botnet drones, specifically built to knock Xbox Live gamers out of whatever game they happen to be playing at the time.

The bundle currently doing the rounds is pretty slick, and combines two tools distributed as a single AIO (all-in-one) package. It sits quietly in the system tray (first icon on the left) until you feel like exploring it further.

xboxlv7.gif

Here's the two applications that work the "Magic" in this particular package, when you get tired of looking at the nice icon in your system tray:

xboxlv6.gif

xboxlv8.gif

Both of these programs do pretty much the same thing: point a DDoS at a gamer's IP address and knock them off the Xbox Live network. Note that the default port for both programs is 3074, the port Xbox Live's traffic runs over and which has to be open for the service to function, so the flood lands on exactly the traffic the console needs to stay in the match.
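From the defender's side, the flood these booters produce is a crude many-source stream aimed at one address on port 3074, and that is what it looks like in flow records. The Python below is an added example (not code from the post or from the tools it describes): it buckets UDP/3074 packets per destination into short windows and flags windows where several senders together push far above normal game rates. The assumption that Live's game traffic is UDP/3074, the record format, the thresholds and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
"""Flag a many-source flood against one Xbox Live peer in flow-style records.

Added example, not code from the post or from the booter tools it describes.
Assumptions: Live game traffic is UDP/3074, the record format below, and the
thresholds; all addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

XBOX_LIVE_PORT = 3074
WINDOW_SECONDS = 5      # assumption: bucket size used for the rate calculation
MIN_SOURCES = 3         # assumption: distinct senders before we call it "distributed"
MIN_PPS = 500           # assumption: aggregate packets/second well above game traffic

# Constructed sample records (not a real capture): "timestamp src dst proto dport packets".
# 192.0.2.10 is the target console, 198.51.100.x are ordinary match peers,
# 203.0.113.x are the drones.
SAMPLE_FLOWS = """\
2009-02-03T19:00:00 198.51.100.7 192.0.2.10 udp 3074 60
2009-02-03T19:00:00 198.51.100.9 192.0.2.10 udp 3074 55
2009-02-03T19:00:02 198.51.100.7 192.0.2.10 udp 3074 58
2009-02-03T19:00:03 198.51.100.9 192.0.2.10 udp 3074 61
2009-02-03T19:00:10 203.0.113.21 192.0.2.10 udp 3074 4200
2009-02-03T19:00:10 203.0.113.22 192.0.2.10 udp 3074 3900
2009-02-03T19:00:11 203.0.113.23 192.0.2.10 udp 3074 4100
2009-02-03T19:00:12 203.0.113.24 192.0.2.10 udp 3074 4050
2009-02-03T19:00:12 198.51.100.7 192.0.2.10 udp 3074 40
2009-02-03T19:00:20 203.0.113.21 192.0.2.10 tcp 80 9000
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (udp|tcp) (\d+) (\d+)$")


def parse_flows(text):
    """Yield (epoch, src, dst, proto, dport, packets); malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, proto, dport, pkts = m.groups()
        epoch = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
                 .replace(tzinfo=timezone.utc).timestamp())
        yield epoch, src, dst, proto, int(dport), int(pkts)


def detect_floods(text, window=WINDOW_SECONDS, min_sources=MIN_SOURCES, min_pps=MIN_PPS):
    """Bucket UDP/3074 packets per destination into fixed windows and return one
    alert per window where >= min_sources senders together reach >= min_pps."""
    buckets = defaultdict(lambda: {"pkts": 0, "srcs": set()})
    for epoch, src, dst, proto, dport, pkts in parse_flows(text):
        if proto != "udp" or dport != XBOX_LIVE_PORT:
            continue
        key = (dst, int(epoch // window) * window)
        buckets[key]["pkts"] += pkts
        buckets[key]["srcs"].add(src)
    alerts = []
    for (dst, start), b in sorted(buckets.items()):
        pps = b["pkts"] / window
        if len(b["srcs"]) >= min_sources and pps >= min_pps:
            alerts.append({"dst": dst, "window_start": start,
                           "sources": sorted(b["srcs"]), "pps": pps})
    return alerts


if __name__ == "__main__":
    for a in detect_floods(SAMPLE_FLOWS):
        print(f"{a['dst']}: {a['pps']:.0f} pps from {len(a['sources'])} senders "
              f"in the window starting at {a['window_start']:.0f}")
```

The distinct-source count on its own is a poor discriminator: a legitimate peer-hosted match also means traffic from many addresses on 3074, and the screenshot further down shows an attack with only four drones. Aggregate rate is what separates a match from a booter, so treat MIN_PPS as a placeholder to tune against your own baseline, and note that an ordinary peer (198.51.100.7 in the sample) caught inside a flood window is listed among the sources.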

How do they do it?

Well, the bundle comes with two "vanilla" Bots:

xboxb2.png

...although really, the Bots can be anything you like. You don't have to use the supplied files, though of course this is designed to be a DIY-in-minutes kit (humorously, both files point to a pre-existing Botnet so anyone foolish enough to run these EXEs while trying to create their Botnet empire is going to find themselves a drone for the original creator).

After registering a hostname with a dynamic DNS service such as no-ip.info and pointing it at your own IP address, you insert that hostname into the ready-to-roll code in the Bot file; the drones look it up to find your machine, so the Booter keeps working even when your IP changes. At that point, all you need to do is send your victims the EXE and convince them to run it on their PC, and they'll start reporting back to your Booter program as "willing" DDoS drones. Here's a (somewhat blurry) screenshot lifted from a popular YouTube video currently in circulation of an attack in progress on an Xbox gamer:

xbotrunning.jpg

As you can see, the attacker "only" has four bots, but the instructions that come with the programs tend to advise "between forty and sixty". This is now, as you might imagine, all the rage.
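The bot-to-Booter rendezvous in the steps above runs through a dynamic DNS name, which gives a defender one concrete thing to look for on their own network: a PC resolving a no-ip-style hostname over and over at a steady interval. The Python below is an added example (not the post's or the kit's code) that runs that check over constructed DNS query-log lines; the log format, the zone list, the thresholds and the hostnames are assumptions made for the example.

```python
"""Spot a host repeatedly resolving a dynamic-DNS name at a regular interval,
the tell-tale of a drone phoning home to its Booter.

Added example, not code from the post or the kit it describes. The log
format, zone list, thresholds and hostnames are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: a partial, illustrative list of free dynamic-DNS zones.
DYNDNS_ZONES = ("no-ip.info", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org",
                "ddns.net", "dyndns.org", "dyndns.info")
MIN_LOOKUPS = 4     # assumption: lookups of one name before we call it a beacon
MAX_JITTER = 5.0    # assumption: seconds of spread tolerated between beacon gaps

# Constructed log lines (not real data): one PC beaconing every ~60 s, one PC
# doing a single legitimate lookup (home webcam), plus unrelated queries.
SAMPLE_DNS_LOG = """\
2009-02-03T19:05:00 client=192.0.2.33 query=www.example.com type=A
2009-02-03T19:05:02 client=192.0.2.33 query=evilhost.no-ip.info type=A
2009-02-03T19:06:02 client=192.0.2.33 query=evilhost.no-ip.info type=A
2009-02-03T19:07:01 client=192.0.2.33 query=evilhost.no-ip.info type=A
2009-02-03T19:08:03 client=192.0.2.33 query=evilhost.no-ip.info type=A
2009-02-03T19:08:10 client=192.0.2.44 query=myhomecam.no-ip.org type=A
2009-02-03T19:05:30 client=192.0.2.44 query=xbox.com type=A
"""

LOG_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+) type=(\S+)$")


def is_dyndns(name, zones=DYNDNS_ZONES):
    """True if name is one of the zones or a label underneath one of them."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)


def parse_dns_log(text):
    """Yield (epoch, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        epoch = (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
                 .replace(tzinfo=timezone.utc).timestamp())
        yield epoch, client, qname.lower().rstrip("."), qtype


def find_beacons(text, min_lookups=MIN_LOOKUPS, max_jitter=MAX_JITTER):
    """Group dynamic-DNS lookups by (client, name) and report the pairs that
    repeat at least min_lookups times with near-constant gaps between them."""
    seen = defaultdict(list)
    for epoch, client, qname, _ in parse_dns_log(text):
        if is_dyndns(qname):
            seen[(client, qname)].append(epoch)
    beacons = []
    for (client, qname), times in sorted(seen.items()):
        if len(times) < min_lookups:
            continue
        times.sort()  # log lines may arrive out of order
        gaps = [b - a for a, b in zip(times, times[1:])]
        jitter = (max(gaps) - min(gaps)) if gaps else 0.0
        if jitter <= max_jitter:
            beacons.append({"client": client, "name": qname, "lookups": len(times),
                            "period": (sum(gaps) / len(gaps)) if gaps else 0.0,
                            "jitter": jitter})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_DNS_LOG):
        print(f"{b['client']} resolved {b['name']} {b['lookups']} times, "
              f"about every {b['period']:.0f} s (jitter {b['jitter']:.1f} s)")
```

Two caveats. Dynamic DNS has plenty of legitimate users (the webcam in the sample), so a single lookup proves nothing, which is why the check keys on repetition and regularity. And a drone that resolves the name once at startup and caches the address never beacons through DNS at all, so this catches the chatty variants only; the outbound UDP flood from the infected PC is the other signal worth watching.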

The big incentive here, of course, is money. There seems to be quite a lucrative market for angry gamers looking to get revenge on whoever happened to headshot them the day before - we have some screenshots of sites where these "XBox DDoS Botnets" can be created from scratch for paying customers, along with a nifty price list to get things moving.

As I said earlier, some of these tactics and techniques have been around for some time, but you only need to take a quick look around hacking forums and sites such as YouTube and Yahoo! Answers to see this is rapidly becoming more and more interesting to angry 14-year-olds with too much time on their hands.

What can you do about it?

Well, sadly, for now the answer is "not a lot". You can never be sure when playing online just who has their finger on the trigger, ready to nuke you from orbit with a Botnet DDoS. The problem will only get worse as money keeps changing hands, and suddenly every rage-fuelled gamer who dreamed of really getting even has the power to do so, even after the "Game Over" screen has flashed up.

Perhaps the best solution is just to let that annoying fourteen year old claim his headshot and go back to playing chess...

Writeup: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, Sr. Threat Engineer

2 Comments

Requires quite a bit of preplanning, might be effective for cheating in high-level online games, but otherwise a lot of work to kick someone out of a single round of a game, especially if they have a dynamic IP (meaning they could easily come back online). Not many 14-year-olds are going to have control of any sort of botnet. It's probably harder for most to buy access to a legit botnet than create a virus that would make their own (lots of scammers out there). Finally, not all Xbox Live games are going to establish direct connections to every other player.

Some points after reading the above comment.

1) Lots of people have had fixed IPs for quite some time now. You can unplug your router and release as much as you want, but generally a lot of gamers are stuck with the same IP. Many gamers also choose packages where their IP remains static so they can set up hosted matches quickly (depending on platform of course; some services simply switch the host to whoever has the lowest latency and keep switching it).

My IP doesn't change for weeks at a time regardless of what I do to it, and I just have a standard DSL connection.

2) "Not many 14-year-olds are going to have control of any sort of botnet."

My first thought on this is that that's PRECISELY why smart hackers are offering up paid-for services to set up and in some cases maintain the nets for the kids. My second thought is that as a security researcher myself, I see kids around that age getting involved in botnet booters all the time. You only need to check some of the vids on YouTube to see proof of that, or hang out on some of the forums where these kinds of tools are promoted.

3) "It's probably harder for most to buy access to a legit botnet than create a virus that would make their own (lots of scammers out there)."

If someone can't summon up $20 to have someone create a full botnet, they're probably not going to be able to work out how to build a bot from scratch, then distribute it, then control the net either. Kids are rolling in money. As far as the scammers are concerned, there's a LOT of sites out there that have been setting these nets up for people for a long time - sure, there's scammers - but anyone who actually wants one of these nets will quickly find out who is a trusted source and who isn't, just like anything else in life.

Finally:

" Finally, not all Xbox Live games are going to establish direct connections to every other player."

Not all, but the majority of games are hosted by one of the players. There's only a handful of games like Left 4 Dead I can think of that run dedicated servers. There's certainly enough player run games out there for people using these to cause some problems.

Sorry, hope I'm not rambling too much :)

This page contains a single entry by Christopher Boyd published on February 3, 2009 7:19 PM.