|
hackbunny posted:I don't get the point though! it seems completely unrelated to anything the malware does lol malware written by shaggar
|
#
?
Jan 31, 2017 14:43
|
|
|
|
| # ? May 16, 2024 02:45 |
|
|
I never considered character encodings as a way to protect against rainbow tables, but in hindsight it's obvious. who has ebcdic tables?
|
|
#
?
Jan 31, 2017 14:46
|
|
|
it still sounds like stitched together hackforums tutorials
|
|
#
?
Jan 31, 2017 14:47
|
|
|
Wiggly Wayne DDS posted:it still sounds like stitched together hackforums tutorials kinda yeah ate all the Oreos posted:lol malware written by shaggar ... but I'm afraid this is closer. do you know what format these configuration files are in? they are serialized .net objects. specifically, NameValueCollection objects serialized with BinaryFormatter, a ridiculously verbose format for a key-multivalue map that can only contain strings Subjunctive posted:I never considered character encodings as a way to protect against rainbow tables, but in hindsight it's obvious. who has ebcdic tables? there are some really clever and effective ideas in there but I think this one is entirely accidental the way remote files are encrypted, string encodings notwithstanding, is one of the clever and effective ideas, imo. files are encrypted with their filename as the key, and the filename is replaced with its hash before it's written anywhere. only the original code, where the filename is in cleartext, can both locate the files and decrypt them: the two files I could decrypt? I could only do it so quickly because the names (ghkch and hgrch) are in clear text, in the code. it also shows a degree of opsec foresight that not all information is included in all agents: if you catch one, you can only decrypt the files relevant to it. all local files (like caches of remote files, or temporary files) are similarly encrypted, and sometimes padded with random data. it's somewhat well thought out on the other hand the key derivation from the filename is very weak (key = md5(utf16(filename)), iv = sha256(utf16(filename))), the encryption is 3des for some reason (pity it isn't des), and the obfuscation of the filename is a straight unsalted sha1 hash instead of something more expensive, like bcrypt or scrypt (sure, salting the hash means you can't just open the file by its filename hash, you have to list the directory and check the filenames one by one, but since all remote files are on webdav or ftp, you can list directories no problem). the weak hashing of the filename, and the nature of filenames used elsewhere in the code (short, lowercase alpha strings), make me confident that I could probably bruteforce them not to mention the jucier details in the order of custody (that I really really really should read) that show that the siblings communicated operational details on cleartext channels, but that's a story for another day hackbunny fucked around with this message at 15:15 on Jan 31, 2017 |
|
#
?
Jan 31, 2017 15:13
|
|
|
impressive reverse engineering
|
|
#
?
Jan 31, 2017 15:20
|
|
|
Bonfire Lit posted:turns off UAC and "UAC remote restrictions". if you connect to a computer via smb with a local account with admin privs (as opposed to a domain account with local admin privs) windows usually disables the admin group in your token. the second setting turns that off, I don't know where the point is when UAC is already disabled but maybe it's in order to keep access if someone turns UAC back on via the control panel the uac remote restrictions can be disabled w/out disabling uac entirely.
|
|
#
?
Jan 31, 2017 15:47
|
|
|
hackbunny posted:encodes the strings in utf-16 before hashing them, I answer that'd just be what would happen if you encrypted the output of string.ToCharArray
|
|
#
?
Jan 31, 2017 17:37
|
|
|
flosofl posted:He explains later on that there's a hash for each image (or something like that). So the new file won't display because there's no way that someone that has managed to compromise the computer to load the images can replace the hashes. i wonder if they're all like that. we have a sign for the football stadium that doesn't check anything, it just displays what the scheduler tells it. as long as the filename is the same you could swap out the image or movie and it won't care.
|
|
#
?
Jan 31, 2017 19:13
|
|
|
I bet the software or hardware they use has a way to sign packages to prevent tampering but nobody has ever used it.
|
|
#
?
Jan 31, 2017 19:17
|
|
|
Dolomite posted:i wonder if they're all like that. we have a sign for the football stadium that doesn't check anything, it just displays what the scheduler tells it. as long as the filename is the same you could swap out the image or movie and it won't care. they're all completely different because of course they are
|
|
#
?
Jan 31, 2017 19:17
|
|
|
the most common ones here in toronto are just a display segment off a standard windows pc. you occasionally see the image app crash and there's a standard windows desktop with a few common remote control apps. usually teamviewer or vnc
|
|
#
?
Jan 31, 2017 19:23
|
|
|
Shaggar posted:I bet the software or hardware they use has a way to sign packages to prevent tampering but nobody has ever used it. oh no, i bet they used it a few times at first. but it was too cumbersome or someone forgot to do it, and it seems to work just fine. then that guy taught the new guy to do it and then the old guy left and now nobody knows that you can sign the packages.
|
|
#
?
Jan 31, 2017 19:28
|
|
|
> Security Fuckup Megathread - v13.2 - car go bep bep yessssssssssssssssssss
|
|
#
?
Jan 31, 2017 19:33
|
|
|
Countdown until Giuliani gets invited to Keynote RSA and/or BlackHat
|
|
#
?
Jan 31, 2017 19:50
|
|
|
Optimus_Rhyme posted:Giuliani 
|
|
#
?
Jan 31, 2017 21:03
|
|
|
https://twitter.com/ericgeller/status/826524501294903296
|
|
#
?
Jan 31, 2017 21:29
|
|
|
i guess it was too mundane of an order
|
|
#
?
Jan 31, 2017 21:29
|
|
|
He needs to fire a few people with spines first so that it goes smoothly.
|
|
#
?
Jan 31, 2017 21:34
|
|
|
|
|
#
?
Jan 31, 2017 22:46
|
|
|
ayyyyy also http://whatsinmyredis.com/
|
|
#
?
Jan 31, 2017 22:46
|
|
|
OSI bean dip posted:ayyyyy I AM LIABLE
|
|
#
?
Jan 31, 2017 22:54
|
|
|
OSI bean dip posted:ayyyyy quote:How does the latest version of redis fix this issue?
|
|
#
?
Jan 31, 2017 22:59
|
|
|
This allows for a cleartext HTTP request to be sent to a listening Redis server. Redis will ignore the HTTP headers, and as soon as it sees a valid redis command in the body, it will execute it.
|
|
#
?
Jan 31, 2017 23:08
|
|
|
Winkle-Daddy posted:lmao i see myself in more of an alies type role
|
|
#
?
Jan 31, 2017 23:12
|
|
|
antirez has been dragging his idiot feet on ssl support for redis for two goddamn years, and running that even with self-signed certs would stop this (your browser would freak out)
|
|
#
?
Jan 31, 2017 23:21
|
|
|
rumor was that phineas fisher was arrested in a raid in catalan but lol maybe not
|
|
#
?
Jan 31, 2017 23:50
|
|
|
theperminator posted:You think you're having a bad day?
|
|
#
?
Feb 1, 2017 04:41
|
|
|
good to see gitlab has worse backup practices than my dumbass personal website
|
|
#
?
Feb 1, 2017 05:09
|
|
|
actually doing the full backup restore procedure for real just to test if it works? that's crazy! waste of time! it's just copying files from point a to point b! nothing can go wrong! do it all the time! dead simple! i mean we even keep the backups in a network share on a raid array just to make sure it's as simple as possible
|
|
#
?
Feb 1, 2017 06:26
|
|
|
ate all the Oreos posted:good to see gitlab has worse backup practices than my dumbass personal website why does your dumbass personal website have a half terabyte of postgres database
|
|
#
?
Feb 1, 2017 06:36
|
|
|
Storysmith posted:why does your dumbass personal website have a half terabyte of postgres database where else am i going to keep my meticulously catalogued and documented notes about porn 
|
|
#
?
Feb 1, 2017 06:46
|
|
|
i can sympathise since i accidentally blew away our production database in 2011 myself, and our first backup didn't work (the second did, thank gently caress) but database size isn't an excuse, we're doing daily backups and restores of a 500gb postgres db in production as well, and we're doing it on australian internet connections, so these guys have no excuse
|
|
#
?
Feb 1, 2017 06:57
|
|
|
they also have no excuse in that their entire business proposition is to be a repository of peoples data. not being able to keep peoples data does put a bit of a dent in the plan
|
|
#
?
Feb 1, 2017 07:02
|
|
|
Cybernetic Vermin posted:they also have no excuse in that their entire business proposition is to be a repository of peoples data. not being able to keep peoples data does put a bit of a dent in the plan This failure only took out the free tier, the enterprise 'on your premises' (40-200/user/year) / hosted customer instances (80-800/mo) survived. So doing a crappy job on the free tier surely just convinces people to give them money, right? (Likewise, the value of any user who walks away forever over outage / data loss is close to zero)
|
|
#
?
Feb 1, 2017 08:00
|
|
|
quote:h. Somehow disallow rm -rf for the PostgreSQL data directory? Unsure if this is feasible, or necessary once we have proper backups lol
|
|
#
?
Feb 1, 2017 08:06
|
|
|
I'm still not sure why people habitually use -f when deleting stuff.
|
|
#
?
Feb 1, 2017 08:13
|
|
|
Jabor posted:I'm still not sure why people habitually use -f when deleting stuff. same reason people put sudo in front of everything cuz it doesn't work otherwise!!!
|
|
#
?
Feb 1, 2017 08:15
|
|
|
ate all the Oreos posted:same reason people disable uac cuz it doesn't work otherwise!!!
|
|
#
?
Feb 1, 2017 08:15
|
|
|
i guess we have an ad hoc, informal backup test thing going on whereby most devs grab a recent copy of whatever production database they need and restore it on their laptops
|
|
#
?
Feb 1, 2017 08:17
|
|
|
|
| # ? May 16, 2024 02:45 |
|
|
Jabor posted:I'm still not sure why people habitually use -f when deleting stuff. Because it complains about directories otherwise.
|
|
#
?
Feb 1, 2017 08:25
|
|
