Comment on Update: Remote Access Trojan backdoored through WINE
forrgott@lemmy.sdf.org 4 days agoWhat symptoms have you seen to imply there’s any malware to start with? Cause, like the other guy said, this sounds like an extremely unlikely attack vector.
Remember, effective malware will not be engineered to target you. Malware is about maximizing return from minimal effort. So it is engineered for the most common installations. Second, it’s simple. The smaller, the harder to detect. In other words, it’ll target a specific vulnerability of a specific OS. It will not be written to discover what OS it is on, and then adjust what code is executed accordingly. Doing something like that leads to higher chance of of the code being discovered and disabled. Not to mention the higher complexity, the higher chance it will simply fail to execute properly. So instead you create a tiny simple piece of code that will either succeed or fail and just be done. Last, but not least, it is autonomous; if you have to actively take over, you have completely defeated the whole point point of using malware in the first place. Besides, if somebody’s going to target you, they’re just going to actively hack into your network and you’re not going to know anything about it because they’ll wipe the logs on their way out.
By the way, if what you’ve noticed is some change in what’s showing up in your log files? That’s very unlikely to indicate malware in the first place. Far more likely some low-level part of the code that runs your system is corrupted.
ushiftye_1@infosec.pub 4 days ago
As I explained, I am not who this is for this is fuck tonnes of viruses delivered at once. My first post is linked at the top. It goes into detail about, what happened, how I found it and what I did immediately afterwards. Oh completely, it is about maximising return. That’s why everything is for windows, I was just unlucky enough to have a program with both network access and filesystem access that runs windows software. That’s also, why I believe this is a series of programs that were stitched together and why I believe they fail so much in the logs, because of course it’s gonna fail i the payload is syntaxed for windows and executed on Linux. They loaded ssh keys, that I know for sure. But agian, as I explained, in my very detailed follow up, I believe there’s automation in creating a virtual machine that will connect to the computer’s filesystem. That’s why I was rooted with 32x Ubuntu and my housmate was connected to a windows 10 machine. I think all of their payload for delivery is based on windows. Which would make sense, one part is written pair the machines up. So if it’s windows 10, windows 11 windows 8 etc. That’s what you’ll be rooted with. That’s what you get. I believe that worked for me, like it created a 32x ubuntu server, but then the following procedures failed.
I do go over stuff quite extensively between these two posts here, apologies, I lost all my information. Immigration documents, family photos, my entire hard drive. Music collection every single one of my config files, applications I built from source, specifically tailored to my hardware. have been back and forth replying to cops for days and I HATE cops. Well, to the other gentlemen I would again, love to have a counter theory as to how I have over 10GB of windows viruses and counting that wound up in the data dump of the image it took of my ssd, if it did not proliferate through WINE? WINE is the ONLY way for these programs to run on my machine. You can load ssh keys, OS doesn’t matter then. Open SSH supports Windows, Linux, FreeBSD, Android. I didn’t download double digit gigabytes of windows malware and make up a story. I don’t think the WINE repositories are compromised, that is not what I am saying at all. But since WINE is the only program with a windows registry to edit, the only one that can run Windows software and the only thing capable of loading DLL files and given the fact that the initial detection was for a remote access trojan in a fake DLL loaded into WINE (see my first post). So, I believe that the DLL that popped initially loaded ssh keys into my machine, giving them remote access as you can see in the logs. It’s frustrating because I have actually spent days digging into this, grepped log files provided images and explanations of what I believe happened timestamps and everything. and someone else can say, I don’t think that’s likely because the package for remote filesystem access already exists on your distro.
It is just so disingenuous and I really don’t like the insinuation that I have to convince someone that this happened to me when I was there, I inspected the root myself and watched everything on my machine get wiped. I saw the ports, I closed them down I go over all the persistence I had to remove in the first post. I would have to do hours of research anyway to be able to construct a story like that. I’m not gonna do that, when I don’t even use social media. I created an account here, just for this, because It wasn’t gonna be fuckin reddit I run to to document this.