Tuesday, January 12, 2016

Gnome in Your Home Conclusion: Meet the Villain

Pwning each of the SuperGnomes in the 2015 SANS Holiday Hack challenge.

This is the last of a multi-part series describing my approach to solving the 2015 SANS Holiday Hacking Challenge. After reading, try your hand at the challenges at HolidayHackChallenge.com!


Part Five: Sinister Plot and Attribution

  1. Based on evidence you recover from the SuperGnomes’ packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation?

  2. Who is the villain behind the nefarious plot?

Prior to launching the challenge in early December, the website showed a clue: "1957 was only the beginning." This being a Christmas-themed event, something immediately came to mind. Dr. Seuss wrote "How the Grinch Stole Christmas" in 1957, so through the first couple of SuperGnomes, I was pretty sure the villain was The Grinch. Upon cracking SuperGnome 04 though, I busted up laughing when the real villain appeared.

Each of the SuperGnomes contains a filename that looks like a date with a .zip extension (for example, 20141226101055.zip), which contains a packet capture file. Each SuperGnome also contains a file titled Factory_Cam_#.zip, which in turn contains a PNG image file. SuperGnome 01 also contains a second image file, camera_feed_overlap_error.png.

The packet captures are a series of email conversations between "[email protected]" and various other individuals. By opening the pcaps in Wireshark and using the "Follow TCP Stream" feature, we can see the entire email body at once.

[From SuperGnome 01]

From: "c" <[email protected]>
To: <[email protected]>
Subject: GiYH Architecture
Date: Fri, 26 Dec 2014 10:10:55 -0500

JoJo,

As you know, I hired you because you are the best architect in town for a distributed surveillance system to satisfy our rather unique business requirements. We have less than a year from today to get our final plans in place. Our schedule is aggressive, but realistic.

I've sketched out the overall Gnome in Your Home architecture in the diagram attached below. Please add in protocol details and other technical specifications to complete the architectural plans.

Remember: to achieve our goal, we must have the infrastructure scale to upwards of 2 million Gnomes. Once we solidify the architecture, you'll work with the hardware team to create device specs and we'll start procuring hardware in the February 2015 timeframe.

I've also made significant progress on distribution deals with retailers.

Thoughts?

Looking forward to working with you on this project!

------=_NextPart_000_0044_01D020F4.3C7E17B0
Content-Type: image/jpeg;
    name="GiYH_Architecture.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="GiYH_Architecture.jpg"

/9j/4AAQSkZJRgABAQAASABIAAD/4QOyRXhpZgAATU0AKgAAAAgACQEPAAIAAAAGAAAAegEQAAIAAAAJAAAAgAESAAMAAAABAAEAAAEaAAUAAAABAAAAigEbAAUAAAABAAAAkgEoAAMAAAABAAIAAAExm+lZr/6w/hWkdgJPtDDavB9ahmunIy3frjpUI/13+fSopOv4UzObJjIrHdmkEhD/ACjiqg6irI+6
.
.
.
K2iiGj//2Q==

------=_NextPart_000_0044_01D020F4.3C7E17B0--


The second part of this message is a base64-encoded jpg attachment. Linux has a built-in command to decode base64, so I saved the encoded content to a text file and ran the following command:

base64 -d giyh_architecture.txt > giyh_architecture.jpg

The result is:

The Gnome in Your Home architecture
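As an added example that is not part of the original post, the same extraction can be done straight from the captured message in Python, letting the email module undo the base64 Content-Transfer-Encoding instead of copying the blob into a file by hand. The message text, the placeholder addresses and the JPEG bytes below are constructed stand-ins (the page shows the real addresses redacted); only the MIME boundary and header layout follow the SuperGnome 01 capture.

```python
import base64
import email
from email import policy

BOUNDARY = "----=_NextPart_000_0044_01D020F4.3C7E17B0"  # boundary seen in the SG01 capture
# Constructed stand-in for the attachment: just the JPEG SOI/EOI markers, not the real file.
FAKE_JPEG = b"\xff\xd8\xff\xe0" + bytes(12) + b"\xff\xd9"

# Constructed message in the shape of the SuperGnome 01 email; the page shows
# the real addresses redacted, so placeholders are used here.
SAMPLE_MESSAGE = "\r\n".join([
    'From: "c" <c@example.invalid>',
    "To: <jojo@example.invalid>",
    "Subject: GiYH Architecture",
    "MIME-Version: 1.0",
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"',
    "",
    "--" + BOUNDARY,
    'Content-Type: text/plain; charset="us-ascii"',
    "Content-Transfer-Encoding: 7bit",
    "",
    "I've sketched out the overall Gnome in Your Home architecture in the diagram attached below.",
    "",
    "--" + BOUNDARY,
    "Content-Type: image/jpeg;",
    '\tname="GiYH_Architecture.jpg"',
    "Content-Transfer-Encoding: base64",
    "Content-Disposition: attachment;",
    '\tfilename="GiYH_Architecture.jpg"',
    "",
    base64.b64encode(FAKE_JPEG).decode("ascii"),
    "",
    "--" + BOUNDARY + "--",
    "",
])

def extract_attachments(raw_message: str) -> dict[str, bytes]:
    """Map each attachment filename to its decoded bytes; the email module undoes
    the base64 Content-Transfer-Encoding, so no hand-copying into `base64 -d`."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found[part.get_filename()] = part.get_payload(decode=True)
    return found

def looks_like_jpeg(data: bytes) -> bool:
    """Sanity check before opening: JPEG data starts with FF D8 and ends with FF D9."""
    return data[:2] == b"\xff\xd8" and data[-2:] == b"\xff\xd9"
```

Feeding it the reassembled TCP stream from Wireshark gives the attachment as bytes ready to write to disk, and the marker check catches a stream that was cut off before the terminal boundary.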


[From SuperGnome 02]

From: "c" <[email protected]>
To: <[email protected]>
Subject: =?us-ascii?Large_Order_-_Immediate_Attention_Required?=
Date: Wed, 25 Feb 2015 09:30:39 -0500

Maratha,

As a follow-up to our phone conversation, we'd like to proceed with an order of parts for our upcoming product line. We'll need two million of each of the following components:

+ Ambarella S2Lm IP Camera Processor System-on-Chip (with an ARM Cortex A9 CPU and Linux SDK)
+ ON Semiconductor AR0330: 3 MP 1/3" CMOS Digital Image Sensor
+ Atheros AR6233X Wi-Fi adapter
+ Texas Instruments TPS65053 switching power supply
+ Samsung K4B2G16460 2GB SSDR3 SDRAM
+ Samsung K9F1G08U0D 1GB NAND Flash

Given the volume of this purchase, we fully expect the 35% discount you mentioned during our phone discussion. If you cannot agree to this pricing, we'll place our order elsewhere.

We need delivery of components to begin no later than April 1, 2015, with 250,000 units coming each week, with all of them arriving no later than June 1, 2015.

Finally, as you know, this project requires the utmost secrecy. Tell NO ONE about our order, especially any nosy law enforcement authorities.

Regards,

-CW


[From SuperGnome 03]


From: "c" <[email protected]>
To: <[email protected]>
Subject: All Systems Go for Dec 24, 2015
Date: Tue, 1 Dec 2015 11:33:56 -0500

My Burgling Friends,

Our long-running plan is nearly complete, and I'm writing to share the date when your thieving will commence! On the morning of December 24, 2015, each individual burglar on this email list will receive a detailed itinerary of specific houses and an inventory of items to steal from each house, along with still photos of where to locate each item. The message will also include a specific path optimized for you to hit your assigned houses quickly and efficiently the night of December 24, 2015 after dark.

Further, we've selected the items to steal based on a detailed analysis of what commands the highest prices on the hot-items open market. I caution you - steal only the items included on the list. DO NOT waste time grabbing anything else from a house. There's no sense whatsoever grabbing crumbs too small for a mouse!

As to the details of the plan, remember to wear the Santa suit we provided you, and bring the extra large bag for all your stolen goods.

If any children observe you in their houses that night, remember to tell them that you are actually "Santy Claus", and that you need to send the specific items you are taking to your workshop for repair. Describe it in a very friendly manner, get the child a drink of water, pat him or her on the head, and send the little moppet back to bed. Then, finish the deed, and get out of there. It's all quite simple - go to each house, grab the loot, and return it to the designated drop-off area so we can resell it. And, above all, avoid Mount Crumpit!

As we agreed, we'll split the proceeds from our sale 50-50 with each burglar.

Oh, and I've heard that many of you are asking where the name ATNAS comes from. Why, it's reverse SANTA, of course. Instead of bringing presents on Christmas, we'll be stealing them!

Thank you for your partnership in this endeavor.

Signed:
-CLW
President and CEO of ATNAS Corporation


[From SuperGnome 04]

From: "c" <[email protected]>
To: <[email protected]>
Subject: Answer To Your Question
Date: Thu, 3 Dec 2015 13:38:15 -0500

Dr. O'Malley,

In your recent email, you inquired:

> When did you first notice your anxiety about the holiday season?

Anxiety is hardly the word for it. It's a deep-seated hatred, Doctor.

Before I get into details, please allow me to remind you that we operate under the strictest doctor-patient confidentiality agreement in the business. I have some very powerful lawyers whom I'd hate to invoke in the event of some leak on your part. I seek your help because you are the best psychiatrist in all of Who-ville.

To answer your question directly, as a young child (I must have been no more than two), I experienced a life-changing interaction. Very late on Christmas Eve, I was awakened to find a grotesque green Who dressed in a tattered Santa Claus outfit, standing in my barren living room, attempting to shove our holiday tree up the chimney. My senses heightened, I put on my best little-girl innocent voice and asked him what he was doing. He explained that he was "Santy Claus" and needed to send the tree for repair. I instantly knew it was a lie, but I humored the old thief so I could escape to the safety of my bed. That horrifying interaction ruined Christmas for me that year, and I was terrified of the whole holiday season throughout my teen years.

I later learned that the green Who was known as "the Grinch" and had lost his mind in the middle of a crime spree to steal Christmas presents. At the very moment of his criminal triumph, he had a pitiful change of heart and started playing all nicey-nice. What an amateur! When I became an adult, my fear of Christmas boiled into true hatred of the whole holiday season. I knew that I had to stop Christmas from coming. But how?

I vowed to finish what the Grinch had started, but to do it at a far larger scale. Using the latest technology and a distributed channel of burglars, we'd rob 2 million houses, grabbing their most precious gifts, and selling them on the open market. We'll destroy Christmas as two million homes full of people all cry "BOO-HOO", and we'll turn a handy profit on the whole deal.

Is this "wrong"? I simply don't care. I bear the bitter scars of the Grinch's malfeasance, and singing a little "Fahoo Fores" isn't gonna fix that!

What is your advice, doctor?

Signed,

Cindy Lou Who

This was a very fun twist to discover!

In addition to the email threads, the GnomeNET view on each of the SuperGnomes contains a discussion between what appears to be a customer and engineering regarding a flaw in the gnomes' handling of uploaded images:

GnomeNET support conversation

Evidently photos from a camera in the boss' office, along with five offline gnomes in the factory, were all uploaded with the same name and XORed into a single combined image; camera_feed_overlap_error.png is the result. Since XOR is its own inverse (XORing the same image in a second time cancels it out), the solution is to collect each original factory image and XOR it with the combined image. Once the five factory images have been removed, the image that remains is the one from the boss' office.

A user "Mathematical Coffee" wrote an excellent explanation of how to do a bitwise XOR on images; using that as a basis, the following commands gradually expose the boss:

Garbled image


Subtract SuperGnome 01 image:

convert camera_feed_overlap_error.png factory_cam_1.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" factory_cam_fixed-1.png

Remove SG01


Subtract SuperGnome 02 image:

convert factory_cam_fixed-1.png factory_cam_2.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" factory_cam_fixed-2.png

Remove SG02


Subtract SuperGnome 03 image:

convert factory_cam_fixed-2.png factory_cam_3.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" factory_cam_fixed-3.png

Remove SG03


Subtract SuperGnome 04 image:

convert factory_cam_fixed-3.png factory_cam_4.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" factory_cam_fixed-4.png

Remove SG04


Subtract SuperGnome 05 image:

convert factory_cam_fixed-4.png factory_cam_5.png -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" factory_cam_fixed-5.png

The cleaned-up image from the boss' office: it's Cindy Lou Who, age Sixty-Two!
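As an added example, not from the original post or the challenge, the same peel-off in Python over constructed 4x4 buffers standing in for the six PNGs. It also shows that the -fx arithmetic in the convert commands above is exactly a bytewise XOR, which is why applying it once per known image is all that is needed and why the order of the five steps does not matter.

```python
from functools import reduce


def fx_xor(a: int, b: int) -> int:
    """The per-channel arithmetic from the convert -fx expression, in integer form.
    In -fx, u and v are channel values in [0,1], so 255*u is the 8-bit value and
    255*(1-v) is its bitwise complement: (a AND NOT b) OR (NOT a AND b) == a XOR b."""
    return (a & (255 - b)) | ((255 - a) & b)


def xor_images(a: bytes, b: bytes) -> bytes:
    """XOR two raw pixel buffers of identical size, one byte per channel sample."""
    if len(a) != len(b):
        raise ValueError("images must have identical dimensions")
    return bytes(x ^ y for x, y in zip(a, b))


def recover_hidden(overlap: bytes, known: list[bytes]) -> bytes:
    """Peel every known camera image off the overlap. XOR is its own inverse and
    commutative, so each known image cancels itself out regardless of order, and
    whatever remains is the one image not in `known`."""
    return reduce(xor_images, known, overlap)


# Constructed stand-ins for the five Factory_Cam PNGs and the boss' office shot:
# 4x4 greyscale buffers, not the real images from the SuperGnomes.
PIXELS = 4 * 4
FACTORY_CAMS = [bytes((k * 53 + i * 17) % 256 for i in range(PIXELS)) for k in range(1, 6)]
BOSS_OFFICE = bytes((i * i + 7) % 256 for i in range(PIXELS))

# camera_feed_overlap_error.png as the support thread describes it: all six
# same-named uploads XORed into one frame.
OVERLAP = reduce(xor_images, FACTORY_CAMS, BOSS_OFFICE)

if __name__ == "__main__":
    print("fx expression is XOR:", all(fx_xor(a, b) == a ^ b for a in range(256) for b in range(256)))
    print("recovered boss' office:", recover_hidden(OVERLAP, FACTORY_CAMS) == BOSS_OFFICE)
```

Stopping one camera short leaves that camera's pixels still mixed in, which is the "gradually expose" effect seen across the intermediate images above.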

And thus the villainess appears!

  1. Based on evidence you recover from the SuperGnomes’ packet capture ZIP files and any staticky images you find, what is the nefarious plot of ATNAS Corporation?

    Emails between "[email protected]" and various individuals gradually expose a plot involving a vast army of burglars. ATNAS Corp (ATNAS being "SANTA" spelled backwards) has deployed the gnomes to spy on homeowners, photographing homes and selecting the most valuable targets. They plan to simultaneously break into two million homes on the night of Christmas Eve and steal the most valuable and sought-after items, in a grand re-enactment of The Grinch's plot many years earlier, all because Cindy Lou was so traumatized by the experience.

  2. Who is the villain behind the nefarious plot?

    The villain is Cindy Lou Who, age Sixty-Two*, as exposed by signing her full name in an email to her psychiatrist and by her own gnome taking a picture of her in her office!

* As an aside, we evidently have entered a time warp when participating in the SANS Holiday Hack: in Dr. Seuss' original "How the Grinch Stole Christmas," Cindy Lou Who was "no more than two." That would have made her sixty years old - not sixty-two - at Christmas 2015.



Closing remarks


The Holiday Hack challenges were a fun diversion this Christmas, and a diversion I perhaps spent more time on than I should have. Challenges such as this one, as well as many other capture-the-flag events, are a great way to stretch our skills. Invariably, I learn new skills and techniques every time I participate.

As a "blue teamer" by trade, my expertise is in detection and defense, incident response and malware analysis. Spending a few weeks banging my head against exploitable targets teaches me in ways that a class never would.