The document describes a simulated hacking game scenario involving a compromised POS terminal infected with malware. It details the components of the botnet architecture including bot nodes, command and control infrastructure, and social media propagation. Diagrams show the network layout and communication channels. The document also examines the bot's components, capabilities, and protection mechanisms such as bytecode encryption and anti-debugging techniques. Hints are provided to help players progress in the game by bypassing defenses and achieving objectives over multiple days.

1. Task “Infected terminal”
ZeroNights E.0x04 Hackquest
Roman @nezlooy Bazhin George @intROPy Nosenko Peter @Python0x0 Kamensky

2. Roman Bazhin
• Security researcher at Digital Security
• Ethical gop-stopper
George Nosenko
• Security researcher at Digital Security
• Nominant of Pwnie awards
Peter Kamensky
• Security researcher at Digital Security
© 2002—2014, Digital Security
#whoami

3. Legend and EULA
On one of Moscow's pos-terminals was found sample of malware of some functioning botnet network...
Warning: Run this file only under virtual machine. And it's not a joke.

4. Game Network Diagram

5. Game Network Diagram
Twitter / FriendFeed
BotMasterTerminal 1
Terminal 2
Terminal 3
C&C

6. Game Network Diagram
Twitter / FriendFeed
BotMasterTerminal 1
Terminal 2
Terminal 3
C&C
Internal game network
External game network

7. Game Network Diagram
Twitter / FriendFeed
BotMasterTerminal 1
Terminal 2
Terminal 3
C&C

8. Game Network Diagram
Twitter / FriendFeed
BotMasterTerminal 1
Terminal 2
Terminal 3
C&C
Check every 5 min.

9. Game Network Diagram
Twitter / FriendFeed
BotMasterTerminal 1
Terminal 2
Terminal 3
C&C
Check every 5 min.

10. Game Network Diagram
Twitter / FriendFeed
BotMasterTerminal 1
Terminal 2
Terminal 3 Check every 5 min.
Post address of C&C
every 15 min.
C&C

11. Game Network Diagram
Twitter / FriendFeed
BotMasterTerminal 1
Terminal 2
Terminal 3
C&C

12. Game Network Diagram / Players
Twitter / FriendFeed
BotMasterTerminal 1
Terminal 2
Terminal 3
Player 1
Player N
C&C

13. Game Network Diagram / Players
Twitter / FriendFeed
BotMasterBotMaster
(Player N)
Terminal 1
Terminal 2
Terminal 3
Player 1
Player N
C&CC&C (Player N)

14. Game Network Diagram / Players
Twitter / FriendFeed
BotMasterBotMaster
(Player N)
Terminal 1
Terminal 2
Terminal 3
Player 1
Player N
C&CC&C (Player N)

15. Game Network Diagram / Players
Twitter / FriendFeed
BotMasterBotMaster
(Player N)
Terminal 1
Terminal 2
Terminal 3
Player 1
Player N
C&CC&C (Player N)

16. Game Network Diagram / Players
Twitter / FriendFeed
BotMasterBotMaster
(Player N)
Terminal 1
Terminal 2
Terminal 3
Player 1
Player N
C&CC&C (Player N)

17. Bot / Components

18. Bot / Components
Crypt (Spritz)
CMD
Social network
C&C
Datetime
C&C Transport
C
C
TGA
Social
Transport
Hashtag
Key
Key
Key
H
C&C addr Tweet
Timer
Init
Loader
Init
Init
Init

19. C&C / Components
Crypt (Spritz)
Request
Key
CMDC
Key
Response
H
Datetime
TGA
C&C Transport
C
Key
C&C Transport

20. Bot / C&C Transport / Container
BC 3A EB 15 11 42 00 03 00 00 00 04 00 04 00 01
00 01 00 02 00 01 00 05 00 00 00 00 00 04 00 05
0A 20 01 00 00 02 00 03 E0 E1 00 02 00 06 FC FF
00 01 00 02 01 00 03 00 00 4E 54 53 00 02 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 0C 00 01
00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
00 03 01 ...
PNG, JPG, GIF, PDF
Crypted data
Media footer
Media header
Marker Size of packet Pickled data

21. Bot / Commands
• CMD_MAKE_TOKEN
• CMD_GET_CMD
• CMD_MAKE_NOP
• CMD_MAKE_NETWORK_DISCONNECT
• CMD_GET_CONTRIBUTORS
• CMD_GET_MSGBOX // Show messagebox
• CMD_GET_PLIST // Get list of processes
• CMD_GET_CNAME // Get name of computer
• CMD_MAKE_LOAD // Load shellcode
• CMD_MAKE_INJ // Inject shellcode to process

22. Bot / Protection

23. Bot / Protection
Crypt (Spritz)
CMD
Social network
C&C
Datetime
C&C Transport
C
C
TGA
Social
Transport
Hashtag
Key
Key
Key
H
C&C addr
Tweet
Timer
Init
Init
Init
Init
Loader

24. Bot / Protection
Crypt (Spritz)
CMD
Social network
C&C
Datetime
C&C Transport
C
C
TGA
Social
Transport
Hashtag
Key
Key
Key
H
C&C addr Tweet
Loader
Timer
Custom Python (py)
Cython (pyx)
InitPyx
InitPyx
InitPyx
InitPyxpy2exe bootloader

25. Bot / Protection / py2exe sections
.text
.data
.rsrc
Overlay (PKZIP)
PYTHON27.DLL
PYTHONSCRIPT BootLoader
Lib with pyx

26. Bot / Protection / Custom Python

27. Custom Python
• Inspired by Dropbox *
• Anti-Decompilation
• Bytecode Encryption
• Bytcode Remapping
• Anti-Dump
• PyCodeObject modification
• Disable marshalling
• Execution Prevention
• Disable PyRun…
* http://www.slideshare.net/extremecoders/reversing-obfuscated-python-applications-dropbox-38138420

28. Custom Python / Anti-Decompilation / Bytecode Encryption
• marchal.c (w_object(), r_object())
• plain-text: PyCodeObject.co_code
• algorithm: xxtea
• key_128bit = f(random, sizeof(co_code))
B3 F2 0D 0A 0D F1 5C 50 63 00 00 00 00 00 00 00
00 06 00 00 00 40 00 00 00 73 16 01 00 00 78 43
00 65 00 00 64 00 00 83 01 00 44 5D 30 00 5A 01
B3 F2 0D 0A 0D F1 5C 50 63 70 F9 79 04 8E 20 00
00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
Bytecode version
Timestamp
Type of data
Marshaled bytecode
Entropy
Size of encrypted bytecode
Encrypted bytecode
Standard marshaled blob
Custom Python marshaled blob

29. Custom Python / Anti-Decompilation / Bytecode Remaping
• opcode.h
• random opcode mixing
#define STOP_CODE 0
#define POP_TOP 1
#define ROT_TWO 2
#define ROT_THREE 3
#define DUP_TOP 4
#define ROT_FOUR 5
#define NOP 9
…
#define BINARY_POWER 0
#define PRINT_ITEM 1
#define INPLACE_OR 2
#define DUP_TOP 3
#define GET_ITER 4
#define BINARY_MULTIPLY 5
#define BINARY_XOR 9
…

30. Custom Python / Anti-Dump / PyCodeObject modification
• code.h
• It prevents the use of other
Python implementation
/* Bytecode object */
typedef struct {
PyObject_HEAD
int co_argcount; /* #arguments, except *args */
int co_nlocals; /* #local variables */
int co_stacksize; /* #entries needed for evaluation stack */
int co_flags; /* CO_..., see below */
…
PyObject *co_consts; /* list (constants used) */
PyObject *co_names; /* list of strings (names used) */
PyObject *co_varnames; /* tuple of strings (local variable names) */
PyObject *co_freevars; /* tuple of strings (free variable names) */
PyObject *co_cellvars; /* tuple of strings (cell variable names) */
PyObject *co_code; /* instruction opcodes */
…
} PyCodeObject;

31. Custom Python / Anti-Dump / Disable Marshalling
• marshal.c : w_object()
• PyMarshal_WriteObjectToFile() --> w_object()

32. Custom Python / Execution Prevention
• pythonrun.c
• Patched to do nothing
• PyRun_FileExFlags
• PyRun_SimpleFileExFlags
• PyRun_AnyFileExFlags
• PyRun_InteractiveLoopFlags
• Unpached
• PyRun_SimpleString

33. Bot / Protection /
Custom Python / Bypass

34. Custom Python / Bypass / Bytecode Encryption
• RE -> write decryptor
OR
• Bypass anti-dump
B3 F2 0D 0A 0D F1 5C 50 63 00 00 00 00 00 00 00
00 06 00 00 00 40 00 00 00 73 16 01 00 00 78 43
00 65 00 00 64 00 00 83 01 00 44 5D 30 00 5A 01
B3 F2 0D 0A 0D F1 5C 50 63 70 F9 79 04 8E 20 00
00 11 06 10 0C 0F 0A 0B 08 02 01 03 00 03 00 02
00 00 00 00 00 04 00 05 0A 20 01 00 00 03 00 01
Standard Python
Custom Python

35. Custom Python / Bypass / Enable Marshalling
• Grab a marshalling from other
(e.g. PyPy)
• Looking for the real offset
co_code of field

36. Custom Python / Bypass / Opcode unmapping
• Differential analysis
• Generating two "pyc" file set
• Finding the opcode mapping
• Opcode unmapping

37. Bot / Protection / Cython

38. Cython (c-api)
def function(a, b):
c = a + b – 0x0A
return c ^ 0x70
PyObject *__pyx_f_4temp_function(PyObject *va,
PyObject *vb){
PyObject * vl1, vl2, vl3;
__Pyx_RefNannySetupContext("function", 0);
vl1 = PyNumber_Add(va, vb);
vl2 = PyNumber_Subtract(vl1, vg_int_10);
vl3 = PyNumber_Xor(vl2, vg_int_112);
__Pyx_RefNannyFinishContext();
return vl3;
}

39. Cython (Pure C)
cdef long function(long a,
long b):
c = a + b – 0x0A
return c ^ 0x70
long __pyx_f_4temp_function(long va, long vb){
long vl1, vl2;
__Pyx_RefNannySetupContext("function", 0);
vl1 = ((va, vb) – 0x0A);
vl2 = (vl1 ^ 0x70);
__Pyx_RefNannyFinishContext();
return vl2;
}

40. Bot / Protection / Cython / Solving

41. Cython / Solving / Localization
Python < 3
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit
• Py_InitModule4
• PyImport_AddModule to __builtin__
• __Pyx_InitGlobals
• __Pyx_InitStrings -> __Pyx_StringTabEntry
• PyImport_GetModuleDict
• PyDict_SetItemString
Python >= 3
• __Pyx_AddTraceback
• __Pyx_MODULE_NAME
• __Pyx_NAMESTR
• ModuleInit
• PyModule_Create
• PyImport_AddModule to builtins
• __Pyx_InitGlobals
• __Pyx_InitStrings -> __Pyx_StringTabEntry
• PyImport_GetModuleDict
• PyDict_SetItemString

42. PoS terminal

43. PoS terminal in action

44. Service monitor
Re-launch bot and pos-processes every 5 minutes

45. Job restriction
• Restricted token
• Trimmed privileges
• Memory peak limit
• Low integrity
• 2 processes only

46. Shell storage
• Service also grabs all injected shellcodes
• pos_1 / 75 shellcodes
• pos_2 / 59 shellcodes

47. Shellcode first attempt
Trying to download and spawn from C&C meterpreter shell

48. Shellcode of winner
Send to C&C 2gb of DSec VM memory :D

49. Hints (for 4 days)
• Use ntp2d.mcc.ac.uk (UTC+4)
• Dropbox
• PYX
• DGA
• Do not touch C&C !!1
• Good bot-knocking with stable sessions depends from the correct implementation of the protocol
• The flag is NOT in key, .flag, flag.txt, etc.
• Job restrictions, 2 processes only
• Flag format: ZN0x04_{<SHA-256>}
• …

50. Questions?
Roman @nezlooy Bazhin George @intROPy Nosenko Peter @Python0x0 Kamensky