|
hackbunny posted:
a network check for clock accuracy that defaults to true is... weird. v curious about the network check as the in-built one everyone points to just checks if the adapter is up, and optionally checks dns for a fixed domain
|
#
?
Jan 24, 2017 10:03
|
|
|
|
| # ? May 17, 2024 04:43 |
|
|
I wonder if the small hard disk check is born of an outdated idea of how people use virtual machines. If you're using an older VM system and don't have much hard disk space yourself, you may well have very small hard disks on the VMs (especially XP ones) but with technology like differencing disks and dynamically expanding disks coupled with how cheap storage is I very much doubt anyone uses a fixed 50GB hard disk on a VM these days. This seems to support the idea that the developer is an experienced malware developer who's been out of the game for a while.
|
|
#
?
Jan 24, 2017 10:17
|
|
|
Chalks posted:I wonder if the small hard disk check is born of an outdated idea of how people use virtual machines. If you're using an older VM system and don't have much hard disk space yourself, you may well have very small hard disks on the VMs (especially XP ones) but with technology like differencing disks and dynamically expanding disks coupled with how cheap storage is I very much doubt anyone uses a fixed 50GB hard disk on a VM these days. Or this is the nth version of their homebrew malware and they just used their 'myencryption.dll' library and maybe bolted on some more checks but left the old ones there.
|
|
#
?
Jan 24, 2017 10:24
|
|
|
Automated malware analysis sandboxen often used small disks and XP so it sort of makes sense. I'd say the malware author is up on the state of the art of malware analysis from a couple of years ago.
|
|
#
?
Jan 24, 2017 11:56
|
|
|
Bhodi posted:I suspect this is a check to short-circuit similar to RunningInVMAndApplicationOlderThan5Days to prevent 'dev' builds (built after the hard-coded feb 2015 date) executing automatically. It's a way to pin auto-execution to only code that has (presumably) been tested to work in the build-test vm framework and prevent auto-execution for newer code, though it's a really wacky way it do it. I could see doing it this way if you have some sort of framework that you use for both development of new features and testing of the operation of mature ones, and your build system inserts that date into the code based on last tested-good configuration (or you alter it manually). note that the protection code only prevents communication with the c&c and exfiltration hosts. the malware uses a different set of checks at startup, and iirc the build date check isn't among them (ok, I checked, and the only build date check done at startup is IsBuildOlderThan8Days) Munkeymon posted:makes it harder to change the date just to see how the behavior changes or get the date-based behavior you want? but only carrier does this check, hgrghk and tmpwebshell don't. no, it occurs to me it's because of code I haven't shown yet: when a carrier downloads other agents, it performs several freshness checks on their last modified and build dates Munkeymon posted:why the autorun checks? do analysis tools like to just use windows autorun to start the malware in the VM? this: Volmarias posted:Sounds like the opposite; starting it manually to see what it does would result in nothing if "true" was the expected value here. Chalks posted:The use of a paid for library implies for me that more than one person was developing this, and the second less experienced person probably just picked up a library for sending mail that they had used in a previous legitimate project without realising it was tied to their personal details. It seems impossible to believe that someone who was so deep into illegal activity wouldn't simply pirate a copy of the library (or if it was the more experienced developer, I'm sure they would be capable of interacting with the email protocol directly or at least using an open source alternative) don't underestimate MailBee, it seems an incredibly good library. it's not just an smtp client, it does imap too, and even smime. oooh I almost forgot, there's a couple embedded x509 certificates, I really should dump them. it could be interesting Chalks posted:I guess there wasn't any information released about how long ago the license for the mail library was purchased vs when the malware first included it? I expect the dates will be some time apart. I'll have to look for older samples. this thing has been around, under everyone's radar, for almost 6 years!
|
|
#
?
Jan 24, 2017 14:12
|
|
|
huh actually. hm. they're not the kind of certificates I expected. the first is a root authority, Global Systems Comm. CA. is it even legit? supposedly a company in singapore. anyway, this is installed as a trusted ca in the system certificate store the second is an encryption certificate, as I expected (it's used to encrypt messages with s/mime), but it doesn't have any interesting information: it's self-signed and the subject common name is simply "Administrator", clearly a test certificate generated with some wizard on a windows machine. maybe a bit more interesting is the issue date: sept 12th 2011, it's been around for a while. sadly, it's probably not an easily searchable pattern because the byte array is built element by element by compiler generated code. if only I could get my hands on just another sample... the expiration date is a little weird, jan 28th 2039, which doesn't seem a nice round date. maybe it's hardcoded in the wizard, does it ring a bell for anyone? (fake edit nevermind, it is a round date: 10000 days after the issue date)
|
|
#
?
Jan 24, 2017 14:52
|
|
|
hackbunny posted:Global Systems Comm. CA. is it even legit? That you're even asking makes it legit enough for most targets, because... quote:anyway, this is installed as a trusted ca in the system certificate store This will slip right on by since I'm guessing a large number of companies don't audit their trusted roots on a regular basis.
|
|
#
?
Jan 24, 2017 15:04
|
|
|
just want to chime in and say hackbunny you are doing some awesome poo poo
|
|
#
?
Jan 24, 2017 15:16
|
|
|
mailbee feature was probably a client requirement, author was like no that's not secure, then client was like I DEMAND IT, author was like whatever idiot here you go get hosed 
|
|
#
?
Jan 24, 2017 15:37
|
|
|
Volmarias posted:Never stop please, these are always interesting yeah you're real cool and good and i've used your poasts as an example of "cool smart women in tech" when talking to my friends a couple times 
|
|
#
?
Jan 24, 2017 15:40
|
|
|
mod saas posted:test korea best korea Security Fuckup Megathread - v13.2 - test korea best korea mods pdtn
|
|
#
?
Jan 24, 2017 16:19
|
|
|
Migishu posted:Security Fuckup Megathread - v13.2 - test korea best korea
|
|
#
?
Jan 24, 2017 16:25
|
|
|
cheese-cube posted:just want to chime in and say hackbunny you are doing some awesome poo poo QUOTIN'
|
|
#
?
Jan 24, 2017 16:41
|
|
|
All I can find so far is a Romanian company that goes by that name, not a Singaporean one.
|
|
#
?
Jan 24, 2017 16:53
|
|
|
For that autorun check they should have implemented a 'false start' that makes it look like its running but actually wipes or encrypts the payload files to further slow down/halt analysis.
|
|
#
?
Jan 24, 2017 16:56
|
|
|
goddamn hackbunny. I mean goddamn
|
|
#
?
Jan 24, 2017 16:57
|
|
|
spankmeister posted:All I can find so far is a Romanian company that goes by that name, not a Singaporean one. maybe it's these dinguses only without the owners knowledge http://www.globalsystem-sg.com/? their site is either a honey pot or it's already been completely compromised (massive surface area including mysql and VNC, looks like a server 2k3 box exposed completely to the net without fw). also their "mail server" mail.globalsystem-sg.com is equally exposed. funny thing i'm p sure i saw their logo around pioneer shipyard in SG last time i was there
|
|
#
?
Jan 24, 2017 17:11
|
|
|
Keep up the good work hackbunny, these posts are awesome RE: disk size I checked with the current version of vmware workstation, and if you provision an XP machine without changing any of the default settings you get a 45GB disk (and one cpu and 512mb of ram lol)
|
|
#
?
Jan 24, 2017 17:43
|
|
|
COACHS SPORT BAR posted:Keep up the good work hackbunny, these posts are awesome ESXi 6.5 gives you a 1 vCPU with 256MB memory and 8GB disk VM if you select XP Pro 32/65-bit as the guest OS.
|
|
#
?
Jan 24, 2017 18:06
|
|
|
cheese-cube posted:ESXi 6.5 gives you a 1 vCPU with 256MB memory and 8GB disk VM if you select XP Pro 32/65-bit as the guest OS.
|
|
#
?
Jan 24, 2017 18:10
|
|
|
yeah disk size/ram/cpu instruction sets are ye olde anti-vm checks. if you have better means of detection then you should probably use them rather than restrict potential victims though. it doesn't cost the analyst to detect and work around checks but it impacts intel-gathering. on that note is there any integrity checks at all?
|
|
#
?
Jan 24, 2017 18:22
|
|
|
cheese-cube posted:maybe it's these dinguses only without the owners knowledge http://www.globalsystem-sg.com/? their site is either a honey pot or it's already been completely compromised (massive surface area including mysql and VNC, looks like a server 2k3 box exposed completely to the net without fw). also their "mail server" mail.globalsystem-sg.com is equally exposed. Ah yeah maybe! My idea was to look in the singaporean chamber of commerce but their web sight seems broken.
|
|
#
?
Jan 24, 2017 18:53
|
|
|
cool poo poo, hackbunny
|
|
#
?
Jan 24, 2017 21:40
|
|
|
oh my God, furbies have an accessible debug menu and it shows up in their eyes and the future owns http://hackaday.com/2017/01/21/taking-control-of-your-furby/ "[Jeija] is able to add custom audio to the official DLC files and upload them into the Furby. [Jeija] points out the all this was done without taking a Furby apart, only by sniffing the Bluetooth communication between the robot and the controlling app" I can't wait to see furbies get remotely hacked
|
|
#
?
Jan 24, 2017 21:54
|
|
|
Jewel posted:oh my God, furbies have an accessible debug menu and it shows up in their eyes and the future owns This rules but I can't believe this is the fourth furby
|
|
#
?
Jan 24, 2017 22:06
|
|
|
AggressivelyStupid posted:This rules but I can't believe this is the fourth furby I'm impressed it's taken this long. The first one is from 1998.
|
|
#
?
Jan 24, 2017 22:10
|
|
|
Jewel posted:oh my God, furbies have an accessible debug menu and it shows up in their eyes and the future owns owns
|
|
#
?
Jan 24, 2017 22:12
|
|
|
Can't wait to be drafted in the cyberwarfare command, IoT division, elite furby hacking unit 
|
|
#
?
Jan 24, 2017 22:17
|
|
|
Jewel posted:oh my God, furbies have an accessible debug menu and it shows up in their eyes and the future owns do the new furbies have cameras or anything? wondering if this is going to blow up into a "hackers spying on your kids" fiasco.
|
|
#
?
Jan 24, 2017 22:24
|
|
|
|
|
#
?
Jan 24, 2017 22:58
|
|
|
Chalks posted:I wonder if the small hard disk check is born of an outdated idea of how people use virtual machines. If you're using an older VM system and don't have much hard disk space yourself, you may well have very small hard disks on the VMs (especially XP ones) but with technology like differencing disks and dynamically expanding disks coupled with how cheap storage is I very much doubt anyone uses a fixed 50GB hard disk on a VM these days. I am yet to see a way to shink a virtual disk and actually reclaim the space without spending a huge amount of ops doing it. Growing is no problem and can happen on the fly, you're much better setting smaller disks and dealing with people bumping in to the limits and cleaning up at that point before expanding allocations than letting idiocy or a malfunctioning application brim a drive with garbage which then cascades in to your storage replication and backup sets.
|
|
#
?
Jan 24, 2017 23:21
|
|
|
BangersInMyKnickers posted:I am yet to see a way to shink a virtual disk and actually reclaim the space without spending a huge amount of ops doing it. Growing is no problem and can happen on the fly, you're much better setting smaller disks and dealing with people bumping in to the limits and cleaning up at that point before expanding allocations than letting idiocy or a malfunctioning application brim a drive with garbage which then cascades in to your storage replication and backup sets. Oh yeah, I'm not sure if may people use expanding disks in production environments - I'm sure it's got performance overheads too. I just mean that if I'm creating a VM for my own development use I generally just give it an dynamic disk knowing that it'll only be in use for a limited period of time and probably not have all that much junk put on it. I'm assuming that malware analysis is fairly similar to that scenario which would make hard disk size checks pretty trivial to overcome. I wonder whether this sort of check is based on any actual data gathered showing this sort of VM size being commonly used or if it's just a complete guess that people will use the default disk size settings when analysing malware.
|
|
#
?
Jan 24, 2017 23:40
|
|
|
quote:Canadians feel that online voting in federal elections would have a positive effect on voter turnout. They support online voting in principle, but their support is contingent on assurances that online voting would not result in increased security risks. i have no idea how to respond to this other than... "yay"? this was via some study the government is doing on electoral reform
|
|
#
?
Jan 24, 2017 23:50
|
|
|
we're implementing a new product that wants us to disable active scanning on a couple folders, and i put some policies into place that would do that. to test it i thought i'd drop in a file with the eicar test string in it and see what sophos did, and it didn't do anything no matter what folder it was in. active scanning reported eicar but that was useless. so instead of a safe little eicar.txt file i have to copy pskill.exe around to test with. gently caress you sophos
|
|
#
?
Jan 24, 2017 23:52
|
|
|
Probably just a random guess. VMware/Hyper-V defaults the OS disk to 40-50gb and encourages you to split that in to other disks for data vols so they can be tiered differently, apply ssd caching, whatever. It's a pretty good giveaway for a VM and potentially an analysis sandbox, especially if you are checking for the disk size and not the volume size since I don't think you can get anything smaller than 60gb ssd's in a normal desktop these days. As for overhead for thin provisioning, you get a little bit of a write penalty as the virtual disk inflates and writes to new blocks (typically allocated in chunks of a couple MB) but there's not a lot of scenarios where this will have quantifiable impact in most use cases
|
|
#
?
Jan 24, 2017 23:52
|
|
|
serious answer: fw: fw: fw: tier malware design advice peddled in more places than you'd realise
|
|
#
?
Jan 25, 2017 00:03
|
|
|
LeftistMuslimObama posted:do the new furbies have cameras or anything? wondering if this is going to blow up into a "hackers spying on your kids" fiasco. I'm fairly sure no cameras, but they do have a microphone
|
|
#
?
Jan 25, 2017 00:09
|
|
|
Jewel posted:oh my God, furbies have an accessible debug menu and it shows up in their eyes and the future owns did u know?? hackers can turn your furby into a BOMB!!
|
|
#
?
Jan 25, 2017 00:25
|
|
|
anthonypants posted:we're implementing a new product that wants us to disable active scanning on a couple folders, and i put some policies into place that would do that. to test it i thought i'd drop in a file with the eicar test string in it and see what sophos did, and it didn't do anything no matter what folder it was in. active scanning reported eicar but that was useless. so instead of a safe little eicar.txt file i have to copy pskill.exe around to test with. gently caress you sophos Scan: Right-Click Scan Machine: WP-NTBK-0003 File "C:\Users\user\Downloads\eicar.txt" belongs to virus/spyware 'EICAR-AV-Test'. Registry value "HKU\S-1-5-21-2084071808-2144819180-1538882281-4090\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet" belongs to virus/spyware 'EICAR-AV-Test'. Virus/spyware 'EICAR-AV-Test' has been detected.
|
|
#
?
Jan 25, 2017 00:42
|
|
|
|
| # ? May 17, 2024 04:43 |
|
|
Jewel posted:oh my God, furbies have an accessible debug menu and it shows up in their eyes and the future owns The cyber dystopia is now and it's rad as hell
|
|
#
?
Jan 25, 2017 01:37
|
|