Well you see, that’s the thing… If you don’t want to be the main attraction in the next episode of amateur hour, you do not ship a dropper with malware in it. Today, because of the aforementioned reasons, malware never comes with the trusted carrier. The malware never touches disk. It only runs in RAM… Reason? For the very same reason you are questioning me. The common delivery mechanism? Ads! And similar mechanisms. Of the IPs mentioned in the analysis, some are just that: content delivery mechanisms known for providing the second, third or even the fourth stage in the kill chain. So I’m sorry to say, you seldom see a smoking gun when just grabbing the dropper part/trusted software.
You will have to get the execution in progress and grab a RAM dump, which in turn means that in order to do so the easiest way would be to run it in a virtual machine. However the “gui.exe” also seems to have VM detection mechanisms included, which is common in malware in order to change behavior to an innocent one. Well yes, this mechanism is also common on commercial software in order to make reverse engineering harder. But as this is FOSS, the latter would hardly be the reason.
So, 20 years may produce tons of online content for some; for others it doesn’t… I’m more of the latter type. But you will, however, find some at 0x90.se
I never said that FOSS is more vulnerable than closed source/proprietary software. It all depends on packaging and delivery mechanisms. Side-loaded and non-signed packages/apps/programs will always run a greater risk of being compromised, be it FOSS or proprietary software. But FOSS projects, especially smaller ones that don’t have the big spotlights on them that bigger projects (the end targets) have, are today valuable targets, and the authors are not always security savvy, following the OWASP Top 10 dev guide. I see no difference today between FOSS and proprietary software when it comes to patching in general. It’s different from team to team and company to company.
A slight revelation came to me the other day, and this is interesting from a cultural perspective, I think. I realized that I’m somewhat guilty of assumptions. There is a net cultural gap here. Where I’m from, in the forums I spend time in, the persons are of less importance. The claims and such are of greater interest. If I drop some concern about something, others usually tear the concern (and usually the software connected to said concern) into pieces and get back to me and say “Hmm, there is some substance here to support your concern…” or “Hey dude! You are full of bull!” and we usually have a good laugh about it. Here I see it is slightly the opposite. Here I am the ostensible antagonist in your eyes, and I also sense a tone of dislike throughout your writing. Had it been the other way around, some people in my type of forums would think you are defending the suspected behavior in the software and perhaps would have something to do with it. As I said, this is interesting, and you always learn from interacting with people. My guilt is that I’ve spent way too much time with people of my like.
I’m not doubting the devs. I’m doubting the libraries and tools used to build said software. And you are so right! Going directly to the devs is the right and most constructive thing to do. But related to the paragraph above, I perhaps assumed too much. Since devs usually hang around the forums they develop software for, I assumed they would be present here as their software has a very slim area of applicability.
I wish you a good day!
/C