
MapleSEA Ranking Database – 2

Author duststar | 23.01.2010 | Category MapleSEA

A quick update on progress.

The database design for the ranking database is finally done and tested. Right now, I am working on summarising data. To improve SELECT query performance, all data needs to be summarised before it is inserted into the database, e.g. aggregated by day, week, month, etc.

Let’s look at the Bootes dataset for the past 10 hours! (From 0000 hours to 1000 hours, GMT+8.)

1. Congrats to all those who levelled up (a total of 81 players). Below are the top 10 climbers, sorted by level in descending order.

IGN            Level  Gain
Starstarfied     194     1
PiNkLoLLy        193     1
KabutoJR         192     1
BabySunRise      192     1
ohhyaayaa        189     1
PPTED1           189     1
PoorLeng         185     1
Periwlnkle       183     1
MageCl3ric       183     1
OmFgiTzOinky     182     1

2. Top 10 climbers, sorted by levels gained in descending order.

IGN            Level  Gain
imaimai          149     3
x3xGuanYu        147     2
xzInfighterz     138     2
Alvinsck         149     2
JoanStarS        138     2
cuti3priest      142     2
AranXruss        140     2
K8510            148     2
PoPCoRnBoiZ      149     2
2HoneyBoy2       167     1


Hope you like them and watch out for more coming soon as the project gets nearer to completion!

.duststar

MapleSEA Ranking Database – 1

Author duststar | 22.01.2010 | Category MapleSEA

I have announced the development of this project for MapleSEA a few days ago at the Asiasoft Forums. The MapleSEA ranking website we know of currently only allows us to search for a player’s statistics based on their in-game nickname. Though it allows us to see rankings for various criteria, e.g. All, Job, World and Fame, I felt that more could be done.

From a data-analysis point of view, perhaps we could make use of this provided data set to answer some of the following questions:
1. How many level 200 players are there in each world? Of those, what is the distribution of level 200 players among all jobs?
2. Which players are going to reach level 200 soon?
3. How can we tell whether a particular player is levelling at a very fast rate?
4. How many 4th jobbers does each world have, and what is the distribution of 4th jobbers among all jobs? In other words, which job is the most popular (in terms of 4th jobbers) and which job is the least popular?

That is what this project is about.

Yesterday I wrote and tested a script to fetch ranking information from MapleSEA’s ranking website. Now I am looking at the database design, which is very important: if I need to store the delta of all players’ statistics at each poll by the script, the database will be very huge! (A quick check on Bootes tells us that we have about 11,500 players between level 120 and 200. That means at every 2-hour poll I would probably insert 11,500 entries into my database. 24 hours = over 130,000 entries. 1 month = 3.9 million entries. 1 year = 46.8 million entries. And this is only Bootes! What about the other worlds?)
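
The summarisation and delta-storage idea from the two posts above, as an added example (not the author's script): two snapshots of the ranking page are diffed so that only players whose level changed produce a row, and the "top climbers" and per-job tables are derived from those rows rather than from raw polls. All IGNs, levels and jobs here are constructed sample data, not real MapleSEA rankings.

```python
"""Added example (not the author's script): summarising ranking-page snapshots
so that only deltas are stored and the "top climbers" lists and per-job counts
can be served from the summary. All data below is constructed."""
from collections import Counter

# Constructed snapshots: IGN -> (level, job), taken two polls apart.
POLL_T0 = {
    "PlayerAlpha": (193, "Flame Wizard"),
    "PlayerBravo": (146, "Magician"),
    "PlayerCharlie": (191, "Thief"),
    "PlayerDelta": (166, "Night Walker"),
    "PlayerEcho": (120, "Beginner"),
    "PlayerFoxtrot": (119, "Warrior"),
}
POLL_T1 = {
    "PlayerAlpha": (194, "Flame Wizard"),
    "PlayerBravo": (149, "Magician"),
    "PlayerCharlie": (192, "Thief"),
    "PlayerDelta": (166, "Night Walker"),
    "PlayerEcho": (120, "Beginner"),
    "PlayerFoxtrot": (121, "Warrior"),
    "PlayerGolf": (130, "Aran"),  # newly appeared in the ranking
}


def delta_rows(prev, curr):
    """Rows worth inserting for this poll: only players whose level changed.

    Each row is (ign, level, gain, job). A player absent from the previous
    snapshot is recorded with gain None, since the previous level is unknown."""
    rows = []
    for ign, (level, job) in curr.items():
        old = prev.get(ign)
        if old is None:
            rows.append((ign, level, None, job))
        elif old[0] != level:
            rows.append((ign, level, level - old[0], job))
    return rows


def top_climbers(rows, by="level", n=10):
    """Top-n climbers sorted descending by 'level' or by 'gain'."""
    idx = {"level": 1, "gain": 2}[by]
    ranked = [r for r in rows if r[idx] is not None]
    return sorted(ranked, key=lambda r: r[idx], reverse=True)[:n]


def job_distribution(snapshot, min_level=120):
    """Per-job player counts at or above min_level (the post's fun-fact table)."""
    return Counter(job for level, job in snapshot.values() if level >= min_level)


def estimated_rows(players, poll_hours, hours):
    """Worst-case row count if every poll re-inserts every player, the
    scenario the post's size estimate describes."""
    return players * (hours // poll_hours)


if __name__ == "__main__":
    rows = delta_rows(POLL_T0, POLL_T1)
    print(f"{len(rows)} of {len(POLL_T1)} players need a row this poll")
    for ign, level, gain, job in top_climbers(rows, by="gain"):
        print(f"{ign:15} {level:4} +{gain}")
    print(job_distribution(POLL_T1))
    print("worst-case rows per day:", estimated_rows(11_500, 2, 24))
```

With delta storage, unchanged players cost nothing per poll; the worst-case figure the post quotes (11,500 rows every 2 hours) only applies when every row is re-inserted.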

Some fun facts:

1. As of the time of writing, Bootes has 1,690 level 120 players. The job distribution is as follows:

Job            Players
Flame Wizard       494
Soul Master        242
Magician           197
Thief              191
Night Walker       141
Warrior            139
Wind Breaker        85
Striker             73
Bowman              58
Pirate              38
Aran                31
Beginner             1

2. That means for the Knights of Cygnus classes we have (from most popular to least popular):
Flame Wizard, Soul Master, Night Walker, Wind Breaker, Striker.

3. For the Adventurer classes, we have (from most popular to least popular):
Magician, Thief, Warrior, Bowman, Pirate

4. That probably explains why Magician and Thief jobs’ items and scrolls are still so expensive. Zzz.

5. The only Beginner at level 120 is … Sattva

Please look out for more cool stuff coming soon!

.duststar

Analysis on Global Maplestory (GMS) leaked accounts

Author duststar | 20.01.2010 | Category Cyber Security, MapleGlobal

This follows on from this post.

I am posting a short analysis on the leaked accounts.

A total of 139 accounts were leaked. The attackers may have more, because the IDs were in a running sequence (which seems to indicate the list was ripped from a database or some other structured data source).

Findings

1. There were 3 accounts that used the same string for both login ID and password.

2. Shortest password length was 6.

Examples:
112991
kablam
dragon
123123
123321
hacker
abc123
123456
……

3. Longest password length was 12.

Examples:
narutoistheb
fataliity225
412173lesche
manquehue199
samsung770k1

4. There were 113 accounts (81.29%) with a password used by no other account, and 26 accounts (18.71%) that shared a password with at least one other account.

Examples of duplicated passwords used (password = number of accounts):
pokemon = 2
112991 = 2
kablam = 3
pspds3 = 2
21coryt21 = 2
123123 = 2
annaviv1 = 2
i2345i = 2
pokemaniac = 3
stephanie = 2
google = 2
kiko052500 = 2

5. Passwords used by players are generally WEAK.

Weak = 107 (76.98%) e.g. yonatan
Medium = 32 (23.02%) e.g. samsung770k1
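
The findings above, reproduced as an added example (not the author's analysis script) over a constructed credential dump: same-string ID/password accounts, shortest and longest password, the unique/duplicated split and a weak/medium/strong tally. The post does not state its strength criteria, so the rule in `strength()` is this example's own assumption; it is chosen so that the post's examples come out the same way (yonatan as weak, samsung770k1 as medium).

```python
"""Added example (not the author's analysis script): statistics of the kind
listed in the findings above, over constructed (login_id, password) records.
The weak/medium/strong rule is an assumption of this example."""
from collections import Counter

# Constructed records, not real leaked accounts.
RECORDS = [
    ("alpha01", "alpha01"),      # password identical to login ID
    ("bob", "kablam"),
    ("carol", "kablam"),         # shared with bob
    ("dave", "dragon7"),
    ("erin", "samsung770k1"),
    ("frank", "Tr0ub4dor&3x!"),
    ("gina", "pokemon"),
    ("hank", "pokemon"),         # shared with gina
    ("ivan", "123456"),
    ("judy", "yonatan"),
]


def strength(password):
    """Assumed rule: weak if shorter than 8 characters or a single character
    class; strong if at least 12 characters and three classes; else medium."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if len(password) < 8 or classes < 2:
        return "weak"
    if len(password) >= 12 and classes >= 3:
        return "strong"
    return "medium"


def analyse(records):
    """Summary statistics in the shape of the post's findings."""
    passwords = [pw for _, pw in records]
    counts = Counter(passwords)
    lengths = [len(pw) for pw in passwords]
    # 'unique' counts accounts whose password no other account uses;
    # 'duplicated' counts accounts that share a password with someone else.
    unique = sum(1 for pw in passwords if counts[pw] == 1)
    return {
        "total": len(records),
        "same_as_id": sum(1 for uid, pw in records if uid == pw),
        "min_len": min(lengths),
        "max_len": max(lengths),
        "unique": unique,
        "duplicated": len(records) - unique,
        "reused": {pw: n for pw, n in counts.items() if n > 1},
        "strength": Counter(strength(pw) for pw in passwords),
    }


if __name__ == "__main__":
    for key, value in analyse(RECORDS).items():
        print(f"{key:12} {value}")
```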

Conclusion

1. People are still using WEAK passwords.
2. If these passwords are stored anywhere, they should at least be hashed with an industry-recognised hashing algorithm such as MD5, SHA1, etc., and salted.
3. You should consider changing your account passwords to at least 12 characters with a mixture of upper- and lower-case letters and numbers. If possible, include symbols such as !, $, ?, etc.
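
Points 2 and 3 above, as an added example that is not from the post: a salted, per-password hash record with constant-time verification, and a check for the 12-character mixed-class policy. The hash here is PBKDF2-HMAC-SHA256 from Python's standard library (a salted and iterated construction); that choice and the iteration count are this example's assumptions, not the author's.

```python
"""Added example (not from the post): salted password storage plus the
12-character mixed-class policy check recommended above. Uses
PBKDF2-HMAC-SHA256 from the standard library as this example's own choice."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed cost parameter; raise as hardware allows


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def meets_policy(password):
    """The post's recommendation: at least 12 characters with upper-case and
    lower-case letters and digits; symbols are encouraged but not required."""
    return (
        len(password) >= 12
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
    )


if __name__ == "__main__":
    record = hash_password("Example-Pass2010")
    print(record)
    print(verify_password("Example-Pass2010", record))   # True
    print(verify_password("example-pass2010", record))   # False
    # Same password, two salts -> two different records, so one cracked
    # entry does not reveal every account that chose the same password.
    print(hash_password("samsung770k1") != hash_password("samsung770k1"))
    print(meets_policy("samsung770k1"), meets_policy("Samsung770k1"))
```

Because the salt and iteration count travel with the record, the cost parameter can be raised later without invalidating existing entries: re-hash on the next successful login.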

.duststar

Global Maplestory (GMS) leaked accounts

Author duststar | 20.01.2010 | Category Cyber Security, MapleGlobal

I saw this piece of news from: http://forums.asiasoftsea.net/showthread.php?t=753468

Then followed to: http://www.southperry.net/forums/showthread.php?t=22241

It seems that some people had posted a list of Global MapleStory (GMS) accounts, with passwords and PINs in clear text, online. At the time of writing, I can still find this list within 5 seconds on the Internet.

I just read the 20+ pages at the southperry forum, and someone did “try out” the list of IDs and passwords and was able to log in. This probably validates that it is real data.

Let’s assume it is real.

Here is my ONE and ONLY question. Is the password and pin stored as clear-text in the database?

.duststar

Attack on Google Part 2: An insider coordinated attack?

Author duststar | 19.01.2010 | Category Cyber Security

Continuing from this post.

Google suspects it was an insider leak that provided the attackers with their targets.

Read more here. http://www.guardian.co.uk/technology/2010/jan/18/china-google-cyber-attack

And we have had more revelations about the trojan that was used in the recent attack.
The trojan was named Hydraq by the anti-virus vendors.

Symantec has released a summary and a technical write-up on this:
http://www.symantec.com/connect/blogs/hydraq-attack-mythical-proportions
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99&tabid=2

ThreatExpert has analysed the binaries, and its technical report is provided in two parts:
http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html
http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html

Some interesting observations

Part 1 (http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html)

1. It runs as a service hosted by svchost.exe. This method generally “hides” the trojan, since no separate trojan process shows up in the task list.

Firstly, the trojan registers itself as a system service RaS[4 random characters] by creating registry entries under the newly created key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaS[4 random characters]

The “ImagePath” value of its service registry key is set to start svchost.exe, as shown below:

“ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs

2. It copies itself into %TEMP%. This is a common place for malware to reside, because almost every other application also uses this directory for file processing.

For instance, the trojan can create a copy of itself under a random filename in the %TEMP% directory, or it may create a copy of itself under the name %TEMP%\c_1758.nls.

Part 2 (http://blog.threatexpert.com/2010/01/trojanhydraq-part-ii.html)

1. It hinders reverse-engineering efforts by increasing code complexity: more complexity means more time required to trace program execution flow.

It is also worth noting that the trojan’s code is very fragmented – it is deliberately split into small chunks with the size of a few instructions each, connected with the calls and jumps into a large maze: the code of Trojan.Hydraq contains 1,748 jumps and 922 calls – tracing it requires quite a bit of a patience.

2. It uses encryption to protect the C&C connection details, which defeats static-analysis string searches.

The trojan carries its C&C connection details (server, name, port, retry delay, etc.) inside the internal resource (name is 100, type is 243). The resource is 344 bytes in size, and it is encrypted.

3. It uses an alternative DNS server to resolve the C&C server IP addresses, which defeats a DNS “sink-hole” defence on the local resolver.

It starts doing so by trying to resolve its host name first. If this attempt fails, the trojan makes a DNS query by crafting a TCP packet on port 53 of an alternative (legitimate) DNS server, also specified in its resource, in order to resolve the same host name. For example, the analysed sample has alternative DNS server 168.95.1.1 – this is dns.hinet.net server located in Taiwan.

4. It evades network detection by encoding its network packet, inverting every byte (i.e. XOR with 0xFF).

If the connection to remote host on port 443 succeeds, the malware prepares a packet to send – it is 20 bytes in size:

00 00 00 00 00 00 FF FF 01 00 00 00 00 00 00 00 00 00 77 00

The packet is encoded by inverting its bytes:

FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF

5. It evades network detection by encrypting the server’s response packet with XOR, a network-transport protection mechanism.

As soon as the packet is submitted to the live C&C server, it receives the response packet that is also 20 bytes in size. It is encrypted with the XOR 0xCC.
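
Points 4 and 5 above, as an added example that is not ThreatExpert's or the author's code: decoding the byte-inverted beacon and the XOR 0xCC response, and turning the known 20-byte beacon into a detection check over captured payloads. The plaintext beacon and its inverted form are the values quoted above; the sample flows and the server response are constructed.

```python
"""Added example (not from the referenced reports): decode the Hydraq beacon
quoted above and use it as a detection check. The 20-byte values are the ones
quoted in the post; the sample flows below are constructed."""

# Plaintext beacon and its on-the-wire (inverted) form, as quoted above.
BEACON_PLAIN = bytes.fromhex("000000000000FFFF010000000000000000007700")
BEACON_WIRE = bytes.fromhex("FFFFFFFFFFFF0000FEFFFFFFFFFFFFFFFFFF88FF")
RESPONSE_XOR_KEY = 0xCC  # key quoted above for the server's 20-byte reply


def invert(data):
    """Inverting every byte is XOR with 0xFF; applying it twice restores the input."""
    return bytes(b ^ 0xFF for b in data)


def xor_with(data, key):
    """Single-byte XOR, used for the server response (key 0xCC)."""
    return bytes(b ^ key for b in data)


def decode_response(payload):
    """Recover the plaintext of a captured server reply."""
    return xor_with(payload, RESPONSE_XOR_KEY)


def is_hydraq_beacon(payload):
    """Detection check: a 20-byte client payload that inverts to the known beacon."""
    return len(payload) == 20 and invert(payload) == BEACON_PLAIN


def scan_flows(flows):
    """flows: iterable of (dst_port, first client payload). Returns flagged flows.

    The beacon is sent to port 443, where genuine TLS traffic starts with a
    record header (0x16 for a handshake) rather than 0xFF, so matching the
    decoded beacon on that port is a high-confidence indicator."""
    return [(port, payload.hex()) for port, payload in flows
            if port == 443 and is_hydraq_beacon(payload)]


# Constructed sample flows: a TLS ClientHello prefix, the beacon, and plain HTTP.
SAMPLE_FLOWS = [
    (443, bytes.fromhex("160301") + b"\x00" * 17),
    (443, BEACON_WIRE),
    (80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print(invert(BEACON_PLAIN).hex() == BEACON_WIRE.hex())
    print(scan_flows(SAMPLE_FLOWS))
    # Constructed reply: what a 20-byte response would look like after XOR 0xCC.
    reply_plain = b"\x00" * 8 + b"\x01" + b"\x00" * 11
    print(decode_response(xor_with(reply_plain, RESPONSE_XOR_KEY)) == reply_plain)
```

A byte-exact match on the decoded beacon is cheap to express as an IDS content rule as well; the decoding step matters because the raw wire bytes (mostly 0xFF) are what a signature has to be written against.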

6. It self-updates to survive C&C server shutdowns.

It may be assumed that upon successful connection to the remote C&C server (sl1.homelinux.org), the trojan was designed to be able to update itself. A new copy may have a different C&C server specified in its resource (e.g. yahooo.8866.org, 360.homeunix.com or as in the last seen sample – blog1.servebeer.com) in order to survive the shutdown of the old servers.

Recommended protection and detection strategy against 0-days of a similar “style”

1. System lock-down with minimal user privileges.
2. Deploy a host-based intrusion detection system that monitors for:
 - Changes to the registry, especially service modifications, startup entries, etc.
 - Creation of new services
 - Creation of new child processes with Internet Explorer as the parent process (in this incident, the trojan was installed through a remote code execution vulnerability in Internet Explorer).
3. Deploy a firewall at the network perimeter to block outgoing DNS traffic from client networks (clients should resolve only through the internal resolvers).
4. Deploy desktop firewalls on clients and implement tight control over network access provisioning.
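
The service-registration behaviour from Part 1 and the host-based monitoring in point 2 above, as an added example that is not from the post or the referenced reports: two exports of HKLM\SYSTEM\CurrentControlSet\Services are diffed, every service absent from the baseline is reported, and a new service whose name is RaS plus four characters or whose ImagePath is svchost.exe -k netsvcs is called out. Both exports are constructed and use a simplified .reg-style layout (string values only; a real export stores ImagePath as hex(2)), and the assumption that the four random characters are alphanumeric is this example's own.

```python
"""Added example (not from the post or the referenced reports): diff two
exports of the Services registry key and flag new services, with extra
reasons for the Hydraq-style name and svchost netsvcs hosting. Exports are
constructed; the .reg layout is simplified to string values."""
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Assumed interpretation of 'RaS[4 random characters]': four alphanumerics.
HYDRAQ_NAME = re.compile(r"^RaS[0-9A-Za-z]{4}$")

BASELINE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"
"""

# Constructed "after" export: the baseline plus two new services.
CURRENT_EXPORT = BASELINE_EXPORT + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RaSab12]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BackupAgent]
"ImagePath"="C:\Program Files\BackupAgent\agent.exe"
"""


def parse_services(export_text):
    """Map service name -> {value name: value} for keys directly under Services."""
    services, current = {}, None
    prefix = SERVICES_ROOT + "\\"
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Only top-level service keys, not Parameters or other subkeys.
            if key.startswith(prefix) and "\\" not in key[len(prefix):]:
                current = key[len(prefix):]
                services[current] = {}
            else:
                current = None
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            services[current][name.strip('"')] = value.strip('"')
    return services


def audit_new_services(baseline_text, current_text):
    """Return {service: [reasons]} for services absent from the baseline."""
    baseline = parse_services(baseline_text)
    findings = {}
    for name, values in parse_services(current_text).items():
        if name in baseline:
            continue
        reasons = ["new service since baseline"]
        if HYDRAQ_NAME.match(name):
            reasons.append("name matches RaS + 4 characters")
        image = values.get("ImagePath", "").lower()
        if "svchost.exe" in image and "-k netsvcs" in image:
            reasons.append("hosted in the svchost.exe netsvcs group (no separate process)")
        findings[name] = reasons
    return findings


if __name__ == "__main__":
    for svc, why in audit_new_services(BASELINE_EXPORT, CURRENT_EXPORT).items():
        print(svc, "->", "; ".join(why))
```

Every new service is reported, as point 2 asks; the extra reasons only rank the findings. A new netsvcs-hosted service deserves a look at its Parameters\ServiceDll value, since that, not ImagePath, names the code svchost.exe will load.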

.duststar