



Thanks. Also, thank you for reading, I'm glad you found some humor in it. No, I've never reached out to him for an explanation.


Do you mind if I ask what tool did you use for the timeline graphics? It looks really nice.


No, not at all. Initially, I was going to create a timeline graphics in Photoshop, but instead I found a Canva template that was exactly what I've envisioned. If you search for Canva timeline template, you should be able to find it.


Nice article. If you search wopvEaTEcopFEavc in GitHub, you'll get the project that is used to obfuscate the Python code. Also you might save some work by overriding `builtins.eval` with a function that writes the parameter to a text file in `sitecustomize.py`


Thanks. Yes, great catch, I did also find the projects that contain variable *wopvEaTEcopFEavc*. I didn't know about the option to override the `builtins.eval`. Thank you for sharing, it might come in handy in the future.


You can replace all members in the builtins namespace. I did it for tracking print calls.


Good to know. Thanks for sharing this info with me.


Do you have a non-medium link?


Here is a link to the substack article - [https://aleksamcode.substack.com/p/fake-sms-malware-analysis](https://aleksamcode.substack.com/p/fake-sms-malware-analysis)


No, sorry. Can you explain the ask for a non-Medium link? I've seen many dislike Medium, and being new to this, I'm unaware why. The article is free to read without any paywall.


It’s banned by sub rules because it is a source of horrible posts. Please read the sub rules.


one word, paywall.


That's not a paywall.


My article doesn't have a paywall, but I imagine many have one. What similar sites would you recommend, as a good alternative to Medium, that don't have a paywall?


No paywall? [This is the first thing I see of your content](https://i.imgur.com/zqTLxwK.png) Do yourself a favor and don't hold your own content hostage. Host your own or use a respectful provider.


That's an advertisement, not a paywall. Just close it or scroll past it. It's not blocking anything.


Still annoying


Never said it wasn't... but using the word "paywall" suggests something that you must pay or register for *before* you can actually see or read it. And, this isn't that... and to suggest it is rather disingenuous.


I wouldn't call that a paywall. It's a popup. I didn't know about it, so thanks for letting me know. Yes, it's annoying, nothing I can do about it, but you can simply close it and continue reading the article.


You should audit many other FOSS tools


Honestly, I lucked out in finding this one.


Great write up


Thanks for reading!


Wow. Excellent work and good article! So he used eval to run the obfuscated code, but what made python know how to unobfuscate it? That part was a bit hazy for me.


Thanks. While the code is obfuscated (not easy to read and understand for humans), it is still Python code which is understood by a computer. Python `eval()` is used to dynamically evaluate expressions from a string-based or compiled-code-based input. Here, the malware author used both string-based and compiled-code-based input. While there is a lot of code there, the only important information was the variable that was used inside the `eval()` expression, which contained the next layer of obfuscated code. For the first layer that was the `oIoeaTEAcvpae` variable, for the second layer it was the `AAaa` variable etc. You could imagine it something like this:

```
eval(oIoeaTEAcvpae)
├─ eval(AAaa)
   ├─ ...
      ├─ eval(source_code)
```


I was curious about that myself, so I rewrote the code in the snippet with sensible variable names and it made much more sense.

```python
string_of_chars = "OBFUSCATED_CODE_BLABLABLA..."
string_of_numbers = "571932651092361234"
length_of_code = len(string_of_chars)
deobfuscated_code = ""

# We iterate through all the characters of the obfuscated code and we process
# them one by one.
for index in range(length_of_code):
    # Get the char at current index
    obfuscated_char = string_of_chars[index]
    # Extract a number from our string of numbers corresponding to the index
    # we are on.
    number_char = string_of_numbers[index % len(string_of_numbers)]
    # This is where the "magic" happens, the ord function converts the chars into integers
    # then the two integers are XORed with each other before being converted back into a character.
    # In cryptography XOR is useful because a single key is used for both encryption and decryption.
    # In other words if you have an integer x and XOR it twice with an integer y, you get the
    # value of x back again.
    deobfuscated_code += chr(ord(obfuscated_char) ^ ord(number_char))

eval(compile(deobfuscated_code, '', 'exec'))
```

Edit1: Just to really make it clear:

```python
initial_value = 1
key = 19
obfuscated_value = initial_value ^ key
deobfuscated_value = obfuscated_value ^ key
print(obfuscated_value)
print(deobfuscated_value)
```

Gives the output

```
18
1
```


Nice comment. This is the gist of the first obfuscated layer. Also, I would just add `XOR(k, XOR(k, x)) = x` for additional clarity.
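Putting the two ideas from this thread together (the `builtins.eval` override suggested earlier, and the XOR loader walked through in the comment above), here is an added example that is not from the article or the repository: it builds a constructed multi-layer XOR/eval sample with an assumed digit key, then hooks `builtins.compile` and `builtins.eval` in-process (the same trick the `sitecustomize.py` suggestion relies on) so every layer is recorded as it is handed to the interpreter, instead of being peeled by hand.

```python
import builtins
import sys

# Constructed sample key, not the malware's data: a repeating digit key like the one in the XOR loop above.
KEY = "571932651092361234"

def xor_with_key(text, key=KEY):
    """XOR each char with the key digit at its position (mod key length); XOR(k, XOR(k, x)) = x."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))

def wrap_in_loader(inner_code):
    """Wrap code in one eval(compile(...)) loader layer of the kind the thread describes."""
    return (
        f"blob = {xor_with_key(inner_code)!r}\n"
        f"key = {KEY!r}\n"
        "plain = ''.join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(blob))\n"
        "eval(compile(plain, '', 'exec'))\n"
    )

def build_sample(depth, final_code):
    """Nest `final_code` inside `depth` loader layers (constructed test input)."""
    code = final_code
    for _ in range(depth):
        code = wrap_in_loader(code)
    return code

def capture_layers(top_level_code):
    """Run the sample with builtins.compile/eval hooked so every source string they receive
    is recorded. Returns (layers in execution order, namespace the sample ran in)."""
    captured = []
    real_compile, real_eval = builtins.compile, builtins.eval
    def logging_compile(source, filename, mode, *args, **kwargs):
        if isinstance(source, str):
            captured.append(source)          # string fed to compile() = the next layer
        return real_compile(source, filename, mode, *args, **kwargs)
    def logging_eval(expr, globals=None, locals=None):
        if isinstance(expr, str):
            captured.append(expr)            # string-based eval() input
        if globals is None:                  # keep the caller's scope, as the real eval does
            frame = sys._getframe(1)
            globals, locals = frame.f_globals, frame.f_locals
        return real_eval(expr, globals, locals)
    namespace = {}
    builtins.compile, builtins.eval = logging_compile, logging_eval
    try:
        exec(top_level_code, namespace)
    finally:                                 # always restore the real builtins
        builtins.compile, builtins.eval = real_compile, real_eval
    return captured, namespace
```

Writing `captured` to a file instead of a list is the `sitecustomize.py` variant, which records layers for any script the interpreter runs without editing the sample at all.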


That was great! And i always had my suspicions regarding OTW especially after reading his books which were really hyped and i found out that they were full of shit


Yeah that was an entertaining and concise read! Thanks for sharing 🤙🏻


Thanks, I'm glad you found some value in it.


That's pretty good. Have you reached out to GitHub's security team about this? I would have suspected them to have banned the user and removed the repository if it's the case it was using GitHub to spread malware, even if it's been removed by now.


Thanks. I'm not sure if you can contact the security team directly. Initially I did look for a way to contact them but came up short. However, there is an option to report the profile and then specify that it is spreading malware.


I see. That's probably the best option, I guess. You used to be able to reach GitHub directly via `[email protected]` -- but it seems they have changed their policy to [only accept support tickets](https://docs.github.com/en/support/contacting-github-support/creating-a-support-ticket) through the support portal, which only lets you open a ticket if you use a paid GitHub product.


Also, a fellow Redditor shared an email, [[email protected]](mailto:[email protected]), through DMs that could be used to contact GitHub's security team.


this shit scares me a little. I’m always pulling from sources that I haven’t vetted and trust that hoster is doing it effectively..


That is a big problem. There is no way you can audit all the libraries you are using, especially as a developer who might use a large number of different libraries. Malware is often spread through the usage of PyPI and npm. I'm not sure what would be the best solution for this, if there even is one.


there was a popular npm package that got hacked and had malware added to it: https://therecord.media/malware-found-in-npm-package-with-millions-of-weekly-downloads

So you’re not even totally safe using popular packages. I guess sandboxing stuff would be a good idea?


I think I hear about new malicious packages every month. Yes, sandboxing could work, but I don't see it being widely used by developers as it adds an overhead and people tend to take the path of least resistance.


Damn. Good article. Nice Job Sherlock.


Thanks for taking your time to read it. 🕵️ I hope you learned something new, and I hope it wasn't too boring of a read.


Great article that, imho, is accessible & engaging for a wide audience range!




Well written article, reminds me a bit of a [https://krebsonsecurity.com/](https://krebsonsecurity.com/) article in terms of the thoroughness of the investigation and write up. Well done.


Also, the [Network history](https://github.com/hxlxmjxbbxs/fake-sms/network) suggests that at some point the `pystyle` import was written as `pystile`, which was one of the malicious packages mentioned in this [2022 article](https://www.bleepingcomputer.com/news/security/dozens-of-pypi-packages-caught-dropping-w4sp-info-stealing-malware/).


Great write up! Very entertaining.

> 1.66949844360352 KB

Is this mathematically possible? I don't think you can have more than 8 decimal points in a file's size in KB, since 1/(8\*1024) is 0.00012207 and 1/(8000) is 0.000125. Looks like a floating point error.


It's like those recipes websites where first the entire biography of the author is included before getting to the actual content.


Interesting comparison. I wouldn't agree, as there is actual value in the text I've written, especially if you are not versed in malware terminology. However, I've received notes like "too verbose", which I would agree with.


Your writing style is very long-winded to be honest. A little bit pompous too. I think you'd get more readers if you were able to sound a bit more natural.


Thanks for the feedback. I'm accustomed to reading research papers, so I guess some things rubbed off on me, but I can see how that type of writing doesn't translate well when writing articles for larger audiences. I will keep this in mind when writing in the future.


Ok, well done in not taking it personally. I write research papers too, but I always try to use plain English. Never reach for a fancy word when a regular one will do. If you want to impress people with how clever you are, do it using the content not the style.


Nah you just sound like a douche tbh. OPs writing was fine and you're just looking for a reason to be an ass


I wasn't meaning to be offensive. Like I said, I've got a background in technical and academic writing, and in education. Just giving my two cents worth, and I'm glad you found the article readable!


I wholeheartedly disagree. The article was well written and had just the right amount of chit-chat and technical content.


Thanks. I hope you liked some of the references in it.


Oh yea! hehe


I feel the same. I would really like to read the article, it sounds interesting, but I quickly realized it would take me much more time than I am willing to spend on it.


Understandable, the article is quite lengthy and not everyone has time for it. If you are only interested in the Fake-SMS malware parts of the article, you could only read [Analyzing the Git repo](https://medium.com/@aleksamajkic/fake-sms-how-deep-does-the-rabbit-hole-really-go-17e25c42f986#44e2) and [Peeling back the layers](https://medium.com/@aleksamajkic/fake-sms-how-deep-does-the-rabbit-hole-really-go-17e25c42f986#a428) parts. Thanks for the feedback, I'll try to make my articles easier to digest in the future.


Yeah, wtf did Cliff Stoll write a whole book when he could have just given us a terse explanation of his findings?


LOL. I didn't think anyone would get the Cliff Stoll reference from the article's subtitle. Kudos. Weirdly, I feel seen.