Saagar Jha
(replying to Saagar Jha)
Report: This injects an obfuscated script
Me [reading the Makefile changes]: Ah yeah I can see how that is pretty obfuscated and difficult to understand
Report: …I haven’t even gotten to the obfuscated script yet
Me: Don’t bother this is too hard for me to read already
Me [reading the Makefile changes]: Ah yeah I can see how that is pretty obfuscated and difficult to understand
Report: …I haven’t even gotten to the obfuscated script yet
Me: Don’t bother this is too hard for me to read already
Saagar Jha
(replying to Saagar Jha)
I need to apologize for an earlier tweet where I said people weren’t looking at this. After looking at this code I have to say “I am *not* a security researcher, nor a reverse engineer” is the understatement of the year. The malware is quite sophisticated and difficult to analyze
1 replies →
1 replies
Khaos Tian
(replying to Saagar Jha)
@saagar we got really lucky this time… in another timeline it’s easy to imagine this get pushed to the stable Debian releases and exists years without getting noticed 😅
Saagar Jha
(replying to Saagar Jha)
It would make for a decent CTF challenge–I’m surprised someone without reversing experience was able to get as far as they did. There are people actual security people in my timeline who did put some effort but the reason I didn’t hear about it is that they didn’t get very far
1 replies →
1 replies
Dominic Hopton
(replying to Saagar Jha)
@saagar wait till it turns out this was just one of:
1. A precursor to a new interview take home test for a security company (“Find the vuln”)
2. Someone doing a take home test for a security company (“Insert the vuln”)
Saagar Jha
(replying to Dominic Hopton)
@grork People get upset about one hour take-homes and this company is making people do two year tests…
Saagar Jha
(replying to Saagar Jha)
Definitely not impossible to fully analyze of course but this is way past your “lol click around in IDA” stuff
(Full disclosure I poked at it with that level of commitment myself because was curious and very quickly abandoned the effort as too much work)
(Full disclosure I poked at it with that level of commitment myself because was curious and very quickly abandoned the effort as too much work)
3 replies →
3 replies
Saagar Jha
(replying to Sahil 🐧)
@sahil Yeah I actually mostly use Binary Ninja for personal work (including this)
Sahil 🐧
(replying to Saagar Jha)
@saagar
Yeah, I was trying on binary ninja too yesterday but couldn't find anything XD
Saagar Jha
(replying to Sahil 🐧)
@sahil This is one of those things where the tool matters much less than the person looking at it and the effort they put in
osy
(replying to Saagar Jha)
@saagar wasn't your full time job for almost a whole year to look at Android malware samples for Google
Saagar Jha
(replying to osy)
@osy86 No my job was (…checks half-updated résumé) “developing resilient techniques to thwart bad actors targeting Android by following them into where they operate”
Sahil 🐧
(replying to Saagar Jha)
@saagar
Someone reversed engineered it. It's RCE.
Source: https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b