Comment by userbinator
2 years ago
Open in a hex/text editor, scroll through and look for anything suspicious like network, crypto, obfuscated sections (major red flag), strange strings, etc. The #1 most reliable sign of malware is if it's unusually large and packed/obfuscated, but this isn't.
The guy even has his full name and contact info in there.
This is harmless.
If you don't trust me you could upload to an online malware multiscanner (which tends to invite false positives, but better than nothing).
It's not about whether this particular announcement, with these particular executables, is trustworthy or not.
It's about the whole process of regularly downloading and running executables uploaded by individuals to a BBS-type forum being unimaginable in most other parts of the software world, and violating every security "best practice" written about in the past 30 years.
I know that this is how things were once done everywhere. But that was a long time ago.
Are we even in the same universe?
The vast majority of the world still downloads and runs executables uploaded by individuals, albeit perhaps not on a bulletin board or forum (most of those have been killed and replaced by social media).
This argument comes up reasonably regularly.
No, the majority of the world does not download and run binaries from non-reputable sources.
The distinction between reputable and non-reputable varies, but broadly, easily spoofable user-uploaded content falls into the non-reputable.
Most people download software from trustworthy websites like the official Chrome website.
Indeed, the fact that people are continually scammed by this sort of attack is why Apple now refuses to run unsigned binaries by default.
To pretend nothing is wrong here is like pretending JavaScript supply chain attacks don’t exist because you don’t want them to exist.
…and yet. They do exist; wanting it not to be true does not make it so.
Likewise, downloading and running arbitrary binaries from a forum is naive.
You simply want nothing bad to happen.
That does not mean nothing bad will actually happen.
Even if you trust the authors of the posts, how reputable is the forum itself? Are the binary hashes posted? (No, they aren’t).
> I'm new in this forum
^ does not inspire confidence.
A lot of malware just waits for a while and then opens another file (or a pastebin) and downloads the payload from somewhere else. A small executable without anything dodgy in it means nothing.
> without anything dodgy
I said there weren't any network APIs either (whose presence in an application like this would definitely be a red flag.)
If you say their presence can be obfuscated, then let it be known that obfuscation is also very obvious in a binary and another red flag.
FWIW: I support your position and wish that there was more trust on the internet. I’m happy that some of these old-school forums still have that level of trust.
But, from a technical perspective, I think it's naive to assume that you can easily spot obfuscation that's trying to stay hidden. If I understood your analysis model (open in a hex viewer and scroll around), then it is quite trivial to just add a few normal-looking functions that happen to do things like manually load socket DLLs and make network requests without the API names being visible.
I could even, say, hide the code or data in a table of opaque filter constants or lookup tables, and it wouldn’t have to be much: you can implement a very dumb PE parser and function loader in a couple dozen lines of C, and an IP address target is just 4 bytes which can be smuggled into anything. Open up a socket, read everything from it into an RWX buffer, jump to it and voila, a programmable backdoor. Make the trigger something random so dynamic analysis doesn’t find it immediately.
The Underhanded C Code Contest demonstrates that even with source you can hide malicious behaviour; how are you going to detect malicious behaviour in a binary that’s trying to evade manual detection?
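The "open it in a hex viewer and look for network strings" model discussed above, and the blind spot the reply points out, made concrete. This is an added Python example, not code from any poster in this thread and not the forum's binary: the two byte blobs are constructed stand-ins for an executable's read-only data, and ROR-13 API hashing is assumed as the name-hiding technique (one of several a loader could use). The first blob imports by name and lights up immediately; the second has the same behaviour with the names replaced by 32-bit hashes and the address by four raw octets, and the string heuristic finds nothing. The last function shows the countermeasure for that particular trick: hash a list of well-known exports yourself and search the data for the resulting dwords.

```python
import math
import re
import struct

# Constructed stand-ins for the read-only data of two small executables.
# They are not the forum post's binaries; they exist only to exercise the
# "scroll through and look for strings" heuristic and its blind spot.
AUTHOR_NOTE = b"Written by J. Example <j@example.invalid>\x00"   # hypothetical contact line

# Version 1: the network code imports by name, so the DLL, the API names and
# the target address all sit in the file as plain text.
PLAIN_SAMPLE = (
    b"\x00" * 8
    + b"ws2_32.dll\x00WSAStartup\x00connect\x00"
    + b"203.0.113.10\x00"              # TEST-NET-3 address, as a literal
    + AUTHOR_NOTE
)

def ror13_hash(name: bytes) -> int:
    """ROR-13 hash of an export name, a scheme hand-rolled loaders use to
    locate APIs without storing their names (assumed here as the hiding
    technique the comment above describes)."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + c) & 0xFFFFFFFF
    return h

# Version 2: same behaviour, but the names live in a "table of constants" as
# 32-bit hashes and the address is its four raw bytes. No string survives.
HIDDEN_SAMPLE = (
    b"\x00" * 8
    + struct.pack("<4I",
                  0x00000000,                      # filler "constant"
                  ror13_hash(b"ws2_32.dll"),
                  ror13_hash(b"WSAStartup"),
                  ror13_hash(b"connect"))
    + bytes([203, 0, 113, 10])                     # 203.0.113.10 as raw octets
    + AUTHOR_NOTE
)

# What the hex-editor pass is really looking for, written down as a regex.
SUSPICIOUS = re.compile(
    rb"ws2_32|wininet|winhttp|WSAStartup|\bconnect\b|\bsocket\b|VirtualAlloc"
    rb"|https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b",
    re.IGNORECASE,
)

def printable_strings(data: bytes, min_len: int = 5) -> list:
    """Runs of printable ASCII at least min_len long (what `strings` prints)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted sections sit near 8.0."""
    if not data:
        return 0.0
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def triage(data: bytes) -> dict:
    """The manual heuristic made mechanical: suspicious strings or high entropy."""
    strings = printable_strings(data)
    hits = [s for s in strings if SUSPICIOUS.search(s)]
    entropy = shannon_entropy(data)
    return {
        "strings": strings,
        "hits": hits,
        "entropy": round(entropy, 2),
        "flagged": bool(hits) or entropy > 7.0,
    }

# Countermeasure: if you suspect API hashing, hash a list of well-known export
# names yourself and look for those 32-bit values anywhere in the data.
KNOWN_APIS = [b"ws2_32.dll", b"WSAStartup", b"connect", b"socket", b"send", b"recv",
              b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc",
              b"CreateThread"]

def recover_hashed_apis(data: bytes, names=KNOWN_APIS) -> set:
    """Return every known API whose ROR-13 hash appears as a little-endian dword."""
    table = {ror13_hash(n): n for n in names}
    found = set()
    for off in range(len(data) - 3):
        value = struct.unpack_from("<I", data, off)[0]
        if value in table:
            found.add(table[value])
    return found

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_SAMPLE), ("hidden", HIDDEN_SAMPLE)):
        t = triage(blob)
        print(f"{label}: flagged={t['flagged']} hits={t['hits']} entropy={t['entropy']}")
        print(f"{label}: hashed APIs recovered -> {sorted(recover_hashed_apis(blob))}")
```

The entropy check is the "packed/obfuscated" signal from the first comment; note that neither sample trips it, because a small table of hashes and four raw bytes raise entropy by nothing measurable. The hash search only works if you guess the hashing scheme, which is the reply's point: each trick you think of has a counter, and each counter has another trick.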
It is still possible that the author's machine had a virus and the executable got infected without the author's knowledge. I too trust the author in that matter, but that's irrelevant here.
That's precisely why you look at the binary and not the source...