Hackinformer Your device needs to transform, we are here to inform
It seems that the first 3DS malware may have been released. After a few users on GBAtemp were trying to unban 3DS systems since Nintendo has brought the ban hammer down on CFW users again. Then this program comes out called UnbanMii and it seems to be stealing vital info from each system its installed on and runs.
According to twitter user @SciresM it steals unique console info from its users here is the tweet.
Wow, looks like someone made the first(?) 3DS malware ("UnbanMii"), steals steal console unique info from users: https://t.co/3BUH7HuXnC
— Michael (@SciresM) July 27, 2017
Also, User astronautlevel on GBAtemp was able to also find what it was taking and sending to the creator of the 3DS malware here is what they said,
So, I got a bit bored at work and decided to try to figure out why UnbanMii 2.0 was closed source.
It used some rather interesting xorpad encryption. Seems like it did a bit more than a xorpad that I didn’t bother figuring out, but I didn’t need to.
After putting a breakpoint on the first HTTP request (one sent to the server in order to get the LFSC_B), a stackdump at that point revealed some… rather interesting things, namely:
There’s an option in UnbanMii to upload your LFSC_B, however, the interesting thing is that even if you don’t select this option it uploads your LFSC_B, as well as some other information (namely moveable.sed).
I would highly recommend not using this software. Even if this is a bug or the creators change this behavior, effectively stealing every uses LFSC_B is such a breach and violation of trust that I would never recommend this software to anyone ever again.
Not only is this unethical, it is illegal in many places around the world, including potentially the United States, where the server seems to be hosted. Also, additional proof: captured the packet sent when requesting to download a LFSC_B with wireshark:
Once again, the seed is being transferred (just in case you didn’t trust my stackdump).
EDIT: Also it uploads your serial and secureinfo_A, which shouldn’t even be necessary for un banning. This is seriously shady as fuck!!!
Bonus points: the malware tries to hide what it's doing by using a creepy-as-hell xorpad: pic.twitter.com/o8pMwc1Ohb
— Michael (@SciresM) July 27, 2017
This is a scary thing for homebrew users and we had some bad stuff in the Vita scene happen like deleting files in os0:, (Brick!!) that’s why we have “safe homebrew” now, which disables access to things homebrew does not need to be touching in order to work.
We hate seeing these type of things in any community and now it seems even console homebrew is not safe from so called malware software. This should be just another warning to all homebrew users please just be careful with what you put on your systems and read about it in the comments, forums.. etc, it could just bite you in the butt if you don’t. Let’s thank the guys in the 3DS scene for checking in to this one as some bad shit could have happened.
Thanks for reading and keep doing it for the love of the game.
