Category Archives: Trivia

StackOverflown in practice…

Posted on by

We are so used to all the jokes about programmers re-using online code and copypasting stuff from StackOverflow all the time that we sometimes forget about a sad reality – lots of public code is being copied blindly, and ‘if it works’, it more than often makes it to a production level… yes… including code that is incorporated into release build and signed binaries.

This brings a lot of interesting side-effects:

  • signed binaries are often blindly trusted, so vulnerable code that makes it into a signed binary is a big bonus for researchers/attackers (follow hFireFOX and his kernel driver copypasta discoveries)
  • a code that uses a hardcoded set of crypto primitives will be vulnerable to the fact these primitives are out there and in public –> attackers can decrypt secrets faster
  • since the programmers who copypaste the code don’t know any better it often takes a lot of efforts for them (or their successors) to fix these issues

The main topic of this post is the item #2 on the above list:

– crypto primitives re-use.

After poking around en masse in a large number of ‘good; samples I discovered that many of these samples re-use the AES crypto routines that rely on the following two primitives:

  • IV: “OFRna73m*aze01xY”
  • Salt: “Kosher”

This is not a coincidence – you can find code instances that refer to this combo here. Programmers don’t know what to change in this code and they just embed it as it is. Bad and pretty big mistake.

There are many more examples like this and I may list them some time in the future.

Yara to spellcheck’em all

Posted on by

This is a trivial yara rule stub. It picks up binaries with mispeleleleled words. I have started putting it together only yesterday when I noticed that many of popular (and often signed) binaries include lots of these. This suggests the coders are non-native speakers. The more far-fetching scenarios could include automatic checks against APT for popular misspellings to quickly highlight a possible attribution hints or… a false flag 🙂

Improve at your own risk 🙂

rule mispel
{
    strings:
        $s1 = "appling" ascii wide
        $s2 = "runing" ascii wide
        $s3 = "youre" ascii wide
        $s4 = "faild" ascii wide
        $s5 = "suces" ascii wide
        $s6 = "seting" ascii wide
        $s7 = "opend" ascii wide
        $s8 = "seqence" ascii wide

    condition:
        (1 of ($s*))
}