Click to Enlarge
In the past few weeks, we've noticed a steady increase in posts like this and this. Everywhere you look, people are suddenly curious as to how you "boot" someone from online videogames. They're not entering this rather famous joypad combination to do it - rather, they're dabbling in somewhat more sinister methods of tampering with gamers playing on XBox Live.
Namely - Botnets. In a big way too, from the looks of things.
What is XBox Live?
Xbox Live is an online multiplayer gaming and digital media delivery service created and operated by Microsoft Corporation. Pay for a Live account, and you can shoot other gamers online all day long on Halo 3, or maybe download some premium content such as movies, trailers etc.
Live has long been the subject of social engineers and hackers - fooling people into handing over their logins and making fake Points generators stuffed with Trojans and keyloggers to steal login info has been going on seemingly forever. There is another area of Live exploiting that's not been looked into much - that of "booting" other players from games via external means.
How is this done?
Well, typically someone will connect their XBox to their PC via a crossover cable (or via their wireless connection), join a multiplayer game then sniff the traffic (you can see a tiny example of that from the first screenshot at the top of the article). They might use this method to grab ip addresses (though it can be a little over complicated for the wannabe hacker), or they might resort to social engineering tactics away from the gaming environment. However they go about it, they need an ip address if they intend to boom, headshot their victim.
In this case, we have something rather interesting that's quickly becoming mainstream after spending a long time in the underground - combining custom made tools to create Botnet drones, specifically created to knock XBox Live gamers out of whatever game they happen to be playing at the time.
The bundle currently doing the rounds is pretty slick, and combines two tools distributed in a single AIO - it actually sits in the system tray (first icon on the left) until you feel like exploring it further.
Here's the two applications that work the "Magic" in this particular package, when you get tired of looking at the nice icon in your system tray:
Click to Enlarge
Click to Enlarge
Both of these programs pretty much do the same thing - facilitate the ability to DDoS people from the XBox Live network (note the default port for both programs is 3074, which is required to be open for XBox Live to function).
How do they do it?
Well, the bundle comes with two "vanilla" Bots:
...although really, the Bots can be anything you like. You don't have to use the supplied files, though of course this is designed to be a DIY-in-minutes kit (humorously, both files point to a pre-existing Botnet so anyone foolish enough to run these EXEs while trying to create their Botnet empire is going to find themselves a drone for the original creator).
After creating a host with a service such as no-ip.info that points to your own ip address, you insert that host into the ready-to-roll code in the Bot file. At that point, all you need to do is send your victims the EXE, convince them to run it on their PC and they'll start reporting back to your Booter program as willing DDoS drones. Here's a (somewhat blurry) screenshot lifted from a popular Youtube video currently in circulation of an attack in progress on an XBox gamer:
As you can see, the attacker "only" has four bots, but the instructions that come with the programs tend to advise "between forty and sixty". This is now, as you might imagine, all the rage.
The big incentive here, of course, is money. There seems to be quite a lucrative market for angry gamers looking to get revenge on whoever happened to headshot them the day before - we have some screenshots of sites where these "XBox DDoS Botnets" can be created from scratch for paying customers, along with a nifty price list to get things moving.
As I said earlier, some of these tactics and techniques have been around for some time - but you only need to take a quick look around hacking forums and sites such as Youtube & Yahoo Answers to see this is rapidly becoming more and more interesting to angry 14 year olds with too much time on their hands.
What can you do about it?Well, sadly for now the answer is "not a lot". You can never be sure when playing online just who has their finger on the trigger ready to nuke you from orbit with a Botnet DDoS. The problem will only get worse as money keeps changing hands and suddenly every rage fuelled gamer who had a dream of really getting even suddenly has the power to do so even after the "Game Over" screen has flashed up.
Perhaps the best solution is just to let that annoying fourteen year old claim his headshot and go back to playing chess...
Writeup: Chris Boyd, Director of Malware Research
Additional Research: Chris Mannon, Sr. Threat Engineer