Malware Noob Month Post #7
There are different types of reverse engineering. Each plays a critical role in malware reverse engineering and detection engineering.
The most widely known is what I would define as "standard" reverse engineering. This is attaching a debugger to a running process (i.e. x64dbg) and watching what the program does as it's running.
Another common method of reverse engineering is "static reverse engineering". Static reverse engineering is looking at the program while it's "on disk", in other words, staring at it while it's not running. People usually use IDA or Ghidra.
A third method for reverse engineering is "emulation", "sandboxing", or "triaging". They all kind of mean the same thing, all maybe a little different if you want to get really nitty gritty on the details. This type of reverse engineering is detonating (running) the program in a virtual machine (or special environment) and recording everything that the program does.
Each method listed has a strength and weakness.
Emulation is really good at doing the job quick and dirty. If you use emulation tool suites, like Triage or AppAnyRun, you can very quickly get a high level overview of what the malware is doing, where it's connecting to, etc. Additionally, these tool suites usually have built in rules to automatically detect the malware family (if applicable). However, these tool suites cannot detect everything and it's possible for malware to fall between the cracks and evade emulation.
Static reverse engineering, using IDA or Ghidra, is also really good. You can review the malware before it tries performing evasive actions. The primary issue with this method, however, is that if the malware obfuscates itself on-disk (encryption, it's packed, etc.) this method can be challenging.
"Standard" reverse engineering is probably the most difficult form of reverse engineering. It requires you to have a good understanding of Assembly. However, this method is the most superior. Once you're comfortable with assembly and the debugger you're using, it makes it extremely difficult for malware to "evade" the reverse engineer (some non-noobs probably feel tempted to mention LLVMs, don't).
Regardless, it is impossible for malware to evade all of these methods. It is possible to develop malware that makes it challenging to reverse engineer, but ultimately a dedicated (or skilled) reverse engineer will figure it out.
Malware authors must constantly evolve their malware code (update it, use new methods, introduce additional layers of complexity) to hinder reverse engineers. If they do not do this, reverse engineers will have developed methods to detect the malware and it's basically game over.
Large scale malware campaigns are constantly changing the malware code base, delivery mechanism, etc. to ensure the malware can "survive". Likewise, anti-malware companies and reverse engineers must constantly monitor malware campaigns, keep reverse engineering them, and update their strategies to detect them.
It's a game of cat and mouse.
Malware Noob Month Post #8
What is "undetectable malware"?
Well, it doesn't really exist. Kind of. There have been discussions of governments (United States, Russia, China) which had malware active for long durations of time and not getting caught. For example, Russia's "Woodchipper" was undetected for years.
The secret is "tailored" malware.
Malware campaigns are caught and tracked all the time because Threat Actors want their malware on as many computers as possible. The more "noise" these groups make, the more machines they infect, the more anti-malware companies can see.
However, specially crafted malware, designed for unique systems, unique environments, with a very specific goal in mind, can go undetected for A LONG time. Once a malicious program has made its way onto the target... And it's nowhere else in the world... How can anyone know it exists?
In these scenarios the chance of the malware being detected boils down to luck and/or fate.
For example, the United States government malware "Stuxnet", which targeted nuclear centrifuges, was caught by complete accident. That is a long story I highly recommend you read (or maybe look it up on YouTube, maybe a video exists about it).
In summary, the more machines infected the more likely you'll be detected.
I watched this video on YouTube which questioned the validity of a YouTube series called "Hot Ones".
To make a long story short, each of the hot sauces in that show are derived from super mega fuck off hot peppers, but the sauces themselves are not nearly as hot because they're watered down, given flavoring, etc. It's like, sort of fake advertising, but sort of not? It allows people to be like "i HaD tHe HoTtEsT sAuCe eVeR", but it's not. Whatever.
Anyway, then these nerds sent all these different sauces to a laboratory to have scientists do science. They determined that the hottest sauce in the world (or from the dozens of sauces they selected) is a hot sauce called "Mad Dog 357".
I just got a bottle of it
I don't know why because normally the spiciest thing I eat is salt. The science and stuff inspired me to experience the hottest thingy of sauce in the world.
I don't expect anyone to give a shit about what "the weird malware cat picture collection" person's thoughts on hot sauce and esoteric YouTube videos are. I just wanted to share this random bit of information with someone.
Update: Tried MadDog 357. The bottle is cool looking and it comes with a bullet thingy that is a keychain. No idea.
Opened the bottle, the smell made my nose tingle. Very cool.
I put a few drops around a chip. The few drops were probably too much in retrospect. Nerds told me to use a single drop. I thought they were being dramatic. They were not.
At first it tasted kind of sweet. It then went 0 to 100 and it summoned a burn I haven't really experienced before from spicy stuff.
It made my tongue feel like it was physically on fire.
It's been well over an hour and my stomach feels like it has a bruise.
I drank milk and slowly the burn went away within 5 minutes or so.
Overall I rate the experience a 3/10. It was painful and uncomfortable, but it wasn't crazy (I didn't cover a chip in the sauce, I used the sauce sparingly). It sucked, but it was a fun experience with super spicy stuff.
Really exciting things coming.
Working on a massive enhancement to vx-underground. It'll take several months to accomplish it, but it'll be well worth it.
Thank you all of our sponsors and donors. Your money lets me do crazy shit on the internet.
Hint: it involves malware
for a really long time i thought the Large Hadron Collider was the "Large Hardon Collider".
i never even questioned it. i was like, "well, it's science and things are hard"
this is the type of music people listen to when they're extorting companies and laundering money on the internet
Hello,
All APT samples and papers have been moved to "./Archive/Old APT Collection". It is available for bulk download.
A directory will be created which will house ALL malware samples listed in malware analysis papers. This is a long term project which may years to complete.
may take years**
I know absolutely nothing about AI or LLMs. But, the boys and I decided to goof around (as is tradition) and built an LLM using all the papers we've collected.
1. It's really cool
2. It's super slow and super resource intensive
3. It likes to hallucinate because we fed it super unstructured data (see image 2)
4. No idea what to do with this. This would require insane infrastructure, significant time investment, and ???, to not make this ghetto.
tl;dr trained ai on malware, kind of works, was silly experiment. llms are cool and badass
vx-underground
Probably not that big a deal tbh no one uses NPM
Also, don't see any facts to back up these claims. Could be some dork going bananas over nothing.
Guess we'll wait and see
Update: it's real lmfao y'all are COOKED bro
https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
vx-underground
> do largest supply chain attack in history > potentially infect millions of apps > doesn't do the thing good > makes $0 from compromise I don't wanna support the villain here, but my guy, you gotta lock in. You could have infected hundreds of millions ofβ¦
Look... If you had... one shot... or one opportunity...
To seize everything you ever wanted... one moment...
Would you capture it? Or just let it slip?
...
*slips*