
The Supreme Backdoor Factory - seslaire
https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/
======
nneonneo
Fascinating. The author uncovers a huge web of fake accounts across GitHub and
SourceForge which are used to push backdoored versions of legitimate software
installers. A good reminder to be cautious when downloading “unofficial
builds” and to always check checksums for official ones.

There’s also a really unexpected connection with sneaker-buying bots, which
was a surprise to me. I did not know the lengths to which sneakerheads would
go to procure new shoes. I wonder if these backdoor bots are used just to
give someone an extra leg up on online auctions and sales of sneakers...that’s
some real twisted dedication right there.

~~~
ageitgey
The aftermarket for "exclusive" sneakers is at a crazy peak right now. You
can buy a $250 shoe and flip it for $500-$1000 nearly instantly. So it's not
just old school sneakerheads looking for cool shoes - it's big business.

There are whole sub-industries within this bubble, too. People selling
sneakerbot code, people selling purchase alert services, people selling access
to private Discord groups that alert you to upcoming sales, etc. It's huge.

~~~
mruts
My co-worker and I (he was into sneakers, I was into money) used to have a
nice little business arbitraging sneakers. Pretty easy to make 100%-500%
returns with a little code and some eBay dedication.

------
HelloFellowDevs
So what does this mean for the people who have created bots for sneaker sites?
I actually used to write code for those sneaker bots and run a Slack group
(before we all moved to Discord), but I've never encountered oddities in the
code builds for bots I used. This may be going over my head a bit, but does
this mean that the builders for the bot installs could contain malicious code?

~~~
rolleiflex
In short, yes - could be. The blog shows at least one case where this has
happened in practice.

Semi-unrelated, but why did you end up moving from Slack to Discord, if I may
ask?

~~~
dylz
The demographic of people buying the bots is not... very technical. Discord
is what they are "used to".

------
renholder
I know I'm late to the party and this is probably the stupidest question in
the world, but one never knows unless one asks, yeah? How did he/she know the
binaries were packed with UPX?

~~~
detaro
There are various analysis tools that can identify common packers, and I think
you can at least guess UPX by looking at the file contents and seeing the
string "UPX" a few times, which it uses as markers for something.
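The string-based check detaro describes, written out as an added example (not code from the post or from the blog): walk the PE section table and look for UPX's default section names, and count the `UPX!` marker in the raw bytes. It assumes the stock UPX defaults (section names `UPX0`/`UPX1`/`UPX2`, marker `UPX!`), which a modified UPX build can strip, so a miss is not proof of an unpacked file; the sample PE is constructed inside the script, not a real binary.

```python
"""Triage a PE file for UPX packer markers without executing it."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # stock UPX section names
UPX_MAGIC = b"UPX!"                                # stock UPX header marker


def pe_section_names(data: bytes) -> list:
    """Return the raw 8-byte section names from a PE section table, or [] if not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics (20 bytes in total)
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        hdr = data[table + 40 * i: table + 40 * i + 40]       # each header is 40 bytes
        if len(hdr) < 40:
            break                                             # truncated table
        names.append(hdr[:8])
    return names


def upx_indicators(data: bytes) -> dict:
    """Summarise UPX evidence: matching section names and count of the UPX! marker."""
    names = [n.rstrip(b"\0") for n in pe_section_names(data)]
    return {
        "upx_sections": [n.decode("ascii", "replace") for n in names if n in UPX_SECTION_NAMES],
        "upx_magic_count": data.count(UPX_MAGIC),
    }


def build_fake_pe(section_names, trailer=b"") -> bytes:
    """Constructed, non-runnable PE skeleton used only as sample input (not real malware)."""
    pe_off = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    dos += b"\0" * (pe_off - len(dos))
    opt = b"\0" * 0xE0                                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + trailer


if __name__ == "__main__":
    sample = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=UPX_MAGIC * 2)
    print(upx_indicators(sample))   # {'upx_sections': ['UPX0', 'UPX1'], 'upx_magic_count': 2}
    print(upx_indicators(build_fake_pe([b".text", b".data"])))
```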

------
iceninenines
If you want to find malware with no AV signatures, look at no-name warez of
medium popular and niche professional software, and honey-net via unpatched
Windows computers on exo-DMZ unfiltered IP addresses. I saw this one sample
behavioral analysis of a trojaned well-known firewall product for Mac that
tries to download Google Chrome in order to clickbot... no AV signature for
it. With the right APT defenses, such as a root priv esc, SIP bypass and
process & file cloaking, it would be entirely possible to keep nodes pwned
much longer, at the cost of 2-3 sploits... and better use such farm for a big
money-maker.

~~~
UncleEntity
> and better use such farm for a big money-maker.

So...like raise goats or something?

