This hard drive contains 25 million pieces of malware, and this computer is about to become very, very sick. What do you mean "threat service has stopped"? Windows Defender is completely disabled. But I guess that's what happens when you send $500 to a faceless person named smelly who runs a shady network that collects, develops, studies and reverse engineers nefarious code. So why did I do that? Because if you're trying to learn about computer security, this is probably the most valuable textbook you could find. It contains their entire repository of malware samples, research papers, blog posts from security researchers and source code. Now, of course, it's all freely available on the VX Underground website, but the $500 isn't really for the content; it's a donation to ensure they can keep building this repository. Which, wait, is that actually a good thing? Well, let's talk about that.

The single biggest hole in most security systems, computer or otherwise, is trust. New malware pops up every day, and defending against it is a never-ending game of whack-a-mole. There is such a constant churn of zero-day exploits and unpatched vulnerabilities that it's better to just assume the worst. That is why today's episode sponsor, ThreatLocker, uses a zero-trust approach to security. Their endpoint protection platform works by assuming that applications are guilty until they're proven innocent, meaning that users within your organization can't just accidentally open the wrong email attachment or program installer and take down the entire company from the inside, leading to a whole bunch of really bad... like, oh, I don't know, maybe...

The very first thing I asked when this video got pitched to me was, isn't this thing kind of dangerous to have lying around? And the answer is yes. Yes, but also no. These mostly aren't ready-to-go viruses, mostly, and while they absolutely can wreak havoc on your system if you're not careful, you don't really need to worry about doing a LockBit on yourself and encrypting your whole drive. Part of the reason for that is how things are stored. Most executables are missing the .exe file extension, so the system is far less likely to automatically run them, and everything else is in a password-protected 7-Zip archive to prevent it from being automatically unpacked. Furthermore, many of these malwares are older, and the only real damage they can do to a fully updated system is by overloading Windows Defender's threat detection engine. That's what caused the weird behavior that you saw before. Of course, many of them are still dangerous, and once you've got them decompressed and armed, all safety is completely out the windows. And also macOS and Linux.

Borat RAT popped up in 2022 and was referred to as a triple threat because, on top of granting remote access, it also includes DDoS and ransomware tools. This seems like exactly the kind of thing I would want to just run. Launch the Borat 7z archive in ANY.RUN, Windows 10 or 11? This is Linux. Yes. Would you like me to show you ANY.RUN? They do sandboxing. There's so much resetting and reimaging and everything in this project. A fun one, right? Oh, it's just the best. Well, interesting at least, right? It's interesting. It's absolutely interesting. It's also, uh, extremely scary. I mean, it's not like you could single-handedly take down the whole company if you do anything irresponsible or careless. Windows 10 or 11? So we'll do Windows 11 here. We'll run a public analysis. It's going to start uploading the file. We have 660 seconds to do this before it implodes. Implodes? Oh, this instance just goes away in 10, 11 minutes no matter what. That's correct. We're going to launch Borat.exe, so if someone managed to execute this on your system, this is what would happen. This right here is actually the control panel for it, so this is what the hacker sees. God. And what I want to do right now is I'm going to go build a client for this, so I'm going to go just quickly here, build, alls, yep. Yeah, we'll choose an icon here, let's give it the Borat RAT icon. Okay, so we are going to go build exe here. client.exe is going to save into the Borat folder, and then what we should be able to do, and this works 50% of the time for me, is when we open up client.exe, this will infect this instance. This is what we would try to remotely execute on the target system? Yeah, so we would try and remotely execute that, and you can see that we've done that. We've successfully infected ourselves. It's going to run a couple... it's going to run systeminfo.exe, conhost, hostname.exe, just spit out absolutely everything that we want to know about this system. Here is everything about it, all in just this, uh, this text file here, and this will get sent to the attacker. Probably as fun as it gets is in the utilities, so we can hide and show our taskbar, hide and show our desktop, just to mess with people. Yeah. Oh, mouse is the best. Swap will swap around the left and right click. Dude. We can turn off the webcam light. Yep. Most webcams do work with the webcam light just kind of hardwired into the camera circuitry, but some of them don't, and that's where this is going to really exploit it. The other thing this is going to do is allow you to turn on their webcam light, basically activating their camera but not actually having to do any... it's just a quick way of freaking them out if they're trying to make threats at you over the phone while you, uh, try and extort them for money.

FodHelper: watch how easy it is to get admin. You can see permission right here. It says "permission: user" over on the right side. We're going to hit FodHelper. It's going to restart the client and, oh look, admin. That's it. And they haven't patched that yet? Okay, what are we running on? Yeah, 2021, second half, so this is pretty old Windows. That's good. That's really good that that's still unpatched on this version, but it's probably patched somewhere else. I've not run this for real. I'm very afraid of it, obviously. This dashboard here, right, there's a lot of lines. Yep. I mean, you could have a lot of clients and you could just poke around in one anytime you want. What's surveillance do? Oh, surveillance just, uh, just lets you watch a little bit. You can remote shell, remote screen, remote camera, go into their file manager, you can record, you can get their, uh, their network information, see what processes are running. Else we got here? Uh, control, so you can send files to them, you can run... yep, keylogger is built into every malware these days. Malware is where it gets real interesting. Oh, I just pick what malware I want? Yeah, you want to DoS somebody, you can do that, especially if you've got a lot of bots there. Uh, you can ransomware them, so if you wanted to just do a LockBit on someone, you can just ransomware them like that. There is a way in here to steal credentials for Discord. It steals the session token for Discord so that you can gain access to somebody's Discord and then start messaging all their friends, start messaging their friends with your client.exe, which you've just made look like whatever program you want, because that's part of the whole, uh, builder. And this is old, but it's not that old. It's still active in some regards, maybe not this exact version, but clearly there's still people using it, and this kind of thing is only going to get scarier and scarier when Windows 10 reaches end of life, dude. Mhm, 'cause so many people are going to stay on Windows 10 and it's not going to be getting security patches. Guys, patch your software. The stuff that gets patched isn't what really worries me. It's the zero-days. There's so many zero-days, and there's so much money in this now, especially with all of those hospitals getting ransomwared. Anyway, good luck.

Practically speaking, there is no limit to what a creative attacker could do with something like Borat RAT. We haven't even touched on some of the basic functionality like exfiltrating data or popping up text messages so the attacker can communicate with the victim. But how does it do so much? Well, a big part of it is thanks to the DLL files that are included. These DLLs are mostly feature plugins that are taken from a fork of DcRat called Santa RAT. When you really think about it, Borat does look a bit like a dirty wizard or a homeless Santa, but that's beside the point. The point is, if we run the RAT in a malware sandbox like ANY.RUN, which we're using here, we can get some idea of how it's executing individual exploits. Take the FodHelper exploit, for example. How is it giving the RAT administrator privileges with almost no effort whatsoever? Well, we can see that it makes some registry changes before launching FodHelper, but what registry changes is it making exactly? Searching through the VX drive, we can find the source code for it and see that it uses UAC bypass method 3 from options.dll. The source code for options.dll might be missing, but as we know, it came from Santa RAT, so we can check the source code for that and see that it's modifying this key in the registry. Even if we don't have any programming knowledge, just searching our virus drive for Borat reveals several articles that summarize the threat in slightly more legible terms.

How can we use this, though? Well, if we're a bad actor, now we know a way to get to a command prompt window with admin privileges and we can exploit that. But if we're a good actor, we know to set up something to watch that section of the registry in order to avoid this issue. That is where today's episode sponsor, ThreatLocker, comes in. If we try to run this on a protected machine, ThreatLocker will block the executable, not because it's a known virus but because it's trying to execute at all. Our ThreatLocker administrator account can now see it within Response Center, open it up in a virtualized testing environment to ensure that it's safe, and either keep it on the block list, add it to the allow list outright, or allow it with ringfencing, just in case you're not sure about the application. Ringfencing is the act of limiting what a program can do, like blocking it from connecting to the internet, blocking it from writing to the registry, accessing protected files, or interacting with high-risk applications like PowerShell and Command Prompt. After all, malware can't get access to an administrator command prompt if it can't open a command prompt at all.

Coming back to our VX Underground drive, though, being able to pwn Windows is not exactly a big accomplishment. Windows machines get hacked every day. What about Linux? Here's the thing: web servers usually run Linux, and there's a lot of things that are trying to target that. A WordPress server is especially susceptible to attacks like the c99 backdoor. Ooh, is it demo time? WordPress is often used by would-be webmasters because it is relatively user friendly, at least on the surface, and free to use. But not all of the plugins are free. Technically, because of WordPress's GPL license, all derivative works, including plugins, are required to use GPL as well. That means that they can charge money, but they also can't stop people from sharing their code, so websites that host cracked plugins aren't usually able to be taken down by lawyers. They do, however, often serve plugins with a little something extra that might make you want to pay for plugins from the official source. They can be used to host sketchy files, they can be used to ransomware your network, and once a backdoor is installed, other malware can be uploaded and potentially executed.

Want to show us how it works? What I've done is gone ahead and just added, uh, our backdoor into one of the most generic websites of all time. Yeah, this is a default theme. The way that this could be kind of replicated in the real world, other than just through infected, uh, themes or plugins, is also through mismanaged upload, uh, credentials. So, okay, if you've got user uploads, they can potentially make this happen. And, uh, this is what the backdoor actually looks like, so you can see that here we're going to localhost into the themes folder and we're just running this simple PHP file, and now we have access to everything. Wait, what? Okay, so hold on a second. So my server is serving that website? That's correct. And you took advantage of a misconfigured upload permission setting? Yes, I just uploaded this file and I have this. Yes. So this could be used to do any number of things. Let's say that your website was hosting, um, you know, a cool mod for something or a cool useful little application. I could go in and I could replace the file with something completely different, and if they don't bother to actually check the checksum that I publish on my site, although I could of course overwrite the checksum as well, then they could download a completely different file, execute that on their computer, and boom, they're infected. And since everything is usually done with not the greatest encryption for PHP websites, usually, especially WordPress, the encryption on passwords is not great, you could just go in, grab the database and then use, I don't know, your RTX 490 at home to, right, crack the passwords, kind of like in the, uh, Wi-Fi cracking video. Right, you should check out that video if you haven't seen it already. Equally scary. Honestly, that's a little bit less scary than, uh, than some of these things, because people can steal your Wi-Fi credentials, but this will allow them to do stuff to you from anywhere. Sure, but if they're on your network, then it's just so convenient. At least you know they're nearby, though. That's nice. That's true, means I'm not alone.

Now, PHP is a just-in-time programming language, so malware spreaders need to be a bit more creative than simply hiding it within a binary file. That's where things like base64 encoding and gzip come into play. By converting everything into unreadable text that also fits into a single line in a code editor, they can turn 5,000 lines of backdoor code into only nine pretty lines of totally-not-suspicious-at-all gibberish. If that gibberish code gets into a publicly accessible part of a web server, either through misconfigured file upload permissions or nefarious WordPress plugins, it can be executed by anyone who knows it's there. With PHP's eval function, nefarious code can break out of the PHP container and start executing commands directly on the operating system.

Now, whoa, whoa, hold on a second here, Linus. All this seems pretty irresponsible. Are you guys really just trusting VX Underground and plugging this drive into a live system here? The answer is no, and of course not. Even though we're not using ANY.RUN here like we were with Windows, our sponsor ThreatLocker would never forgive us if we just blindly gave out trust. I mean, that's the antithesis of the zero-trust model. Trusting a stranger is the number one way to get pwned. No worm or backdoor can ever match the effectiveness of a social engineering attack, so if a guy named smelly tells you that the drive he gave you contains lots and lots of malware, you should probably believe him and take the necessary precautions. But what are they? Well, to start with, we set up our Linux machine to be air-gapped. Okay, to clarify, no system is completely immune, and it was only a few months ago that the popular compression library XZ was found to contain a backdoor, but desktop Linux is less likely to be attacked with simple automated malware. As for air gapping, this refers to the practice of isolating a computer from the rest of your networked machines, and it can be simulated with VLANs, but if you want to be sure, I'd recommend just unplugging it. VLAN hopping isn't a huge risk these days, but it isn't impossible. Of course, if you want to step up your safety level further, you need a malware sandbox: a virtual machine on a virtual network that is completely isolated from any other machine and that will be destroyed the moment that you no longer need it. ThreatLocker has their testing environment feature that allows you to pass executables that are quarantined from your protected computers into their sandbox, without ANY.RUN's overly restrictive time limit or the requirement to make your sample public. Now, we're using ANY.RUN for deeper dives right now simply because it allows us to upload our samples directly, but ThreatLocker's Response Center is more than adequate for 99% of use cases. The two products, the sponsored one and the other one, actually complement each other really nicely to fill different sandboxing needs. ThreatLocker is great for production environment work, while ANY.RUN is better suited for noodling around. Shall we noodle some more?

Hey, look, it's the chief noodler himself. What are we looking at now? Ooh, LockBit. Yeah, we're going to take a quick look at LockBit. So I'm told it's shocking how simple it actually is. That's in the script. This is super cool. Is this a paid version of ANY.RUN? Yes. Okay, did they send that over to us? They did. Hey, shout out ANY.RUN, thanks. So we're doing the same thing we did with Borat RAT. We're going to drag it out of here, and I did not password-protect this one. Tanner! Hey, if we get infected, I don't own the company. So here we've got just some configuration things, uh, local disks true, network shares true. Yeah, so I think it makes my skin crawl just thinking about something like this getting on our network. Oh, have I clarified that it's a ransomware? Well, it's a ransomware, if I didn't say that already. So now we've got our decrypter. Mhm. We've got password.dll, so that's the decryption password here if, uh, if it is executed through the DLL. The exe version is a slightly different password, but yeah, it's essentially, here's the encrypter, and then here's the key that you can provide to the victim in whatever form you like. Yeah. What a lot of people have been doing lately is accepting the payment from their victims and then not decrypting, so that is an option too. That is a whole other level of... yeah. So if you, uh, were to run LB3.exe, and yeah, you've now lost everything. That was quick. It actually looks like you can set what kinds of files it looks for off the bat, so you can aim for, uh, databases first if you want, which is what a lot of places have going after more of a commercial entity. Yep. See, this is the kind of thing we cover on the WAN Show and we talk about in the news and we discuss, but there's a big difference between, you know, sort of talking about what's out there and these high-profile attacks, and just seeing how simple the tools are. You want to know I could do this? You want to know how simple some of these are? You know the WannaCry virus? That was the ransomware that was just all over the place for several years there. It got defeated when somebody went into the source code for it, did a whole decompilation, found, uh, found a line of code in there that kept calling one particular website address. Yeah. So they decided to buy the domain because it hadn't been registered. Apparently that domain was just being used by WannaCry as a kill switch, so they accidentally stopped WannaCry. The guy ended up, uh, getting caught by the FBI for credit card fraud that he did earlier in his life, and then the judge at judgment was like, nah, you know what, the public good that you've done kind of outweighs whatever credit card fraud. So if you're going to commit credit card fraud, also stop the worst ransomware attacks in history.

Of course, the groups that are executing ransomware attacks, be they WannaCry or LockBit or something else, aren't just using ransomware. They need to find a way to infiltrate their target's organization, spread it around and remain undetected, and many of these tasks require some level of social engineering. So what might start as a phishing attack could then transition into a RAT being planted, which can then be used to plant the ransomware. Borat RAT isn't its own ransomware necessarily, but rather it's a vessel for carrying many payloads, one of which happens to be LockBit-style ransomware. And all of this is being accomplished by several competing groups. Um, some are simply trying to cash in, but some clearly have other goals in mind, as there's strong evidence that many malware groups operate as part of government entities. North Korea's Lazarus Group, uh, Russia's Berserk Bear and America's NSA Equation Group are just a few suspected examples. So is this hard drive only for researchers, or could somebody conceivably use this repository to create and spread malware, possibly in an act of state-sponsored terrorism? Don't kid yourself. This is on the blacker side of gray, and the only moral justification for its existence is that, realistically, the bad guys have access to this information anyway, and by shedding light on it we're at least giving the good guys a fighting chance to counter any upcoming threats. Security through obscurity is a pipe dream, and just like we probably upset some gas station owners when we made our video on the Flipper Zero, we're probably ruffling some feathers with this one. But we feel it's a valuable conversation to start and one that we should keep on having.

The last question you guys might be asking is, what are we planning to do with the VX Underground hard drive? Well, the first thing is to put a warning label on it, maybe even a bigger one than this. And then after that, I don't know. We've actually had some really cool ideas for videos in the past that have required us to intentionally infect a system, but providing real malware to us is against the policy of every white hat organization and person that we have ever interacted with, so we have struggled at times to create, for example, an infected system to bring to a shop for servicing. If you have any other ideas, we're open to them, but for now we're going to fester on it for a little bit. And seeing the kinds of threats that are not only out there but more numerous than I previously imagined, I guess we'll look into hardening our security, maybe with some help from our sponsor, ThreatLocker. If you guys liked this video, why don't you check out the time we bought antivirus USB sticks from Facebook. They were USB sticks, all right.
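The FodHelper discussion earlier in the video says a defender's answer is "to set up something to watch that section of the registry". The following is an added example, not code from the video, from ThreatLocker or from VX Underground, of what that watch looks like as detection logic. It assumes Sysmon-style events flattened into pipe-delimited Key=Value lines (the field names EventID, Image, ParentImage and TargetObject are Sysmon's; the pipe format and every sample line are constructed). The registry path it watches is the per-user ms-settings protocol handler that this bypass family rewrites before launching fodhelper.exe (MITRE ATT&CK T1548.002), and it also flags fodhelper.exe spawning a shell, since an auto-elevating Windows binary has no business doing that.

```python
"""Detect FodHelper-style UAC-bypass artifacts in Sysmon-like log lines.

Added example, not code from the video, ThreatLocker or VX Underground.
Assumes pipe-delimited "Key=Value" events in the style of Sysmon
EventID 1 (ProcessCreate) and 12/13 (RegistryEvent). The log lines
below are constructed, not captured from a real infection.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The per-user ms-settings protocol handler is what this bypass family
# rewrites before launching fodhelper.exe (MITRE ATT&CK T1548.002).
# Ordinary software has no reason to touch this path.
HIJACK_KEY = re.compile(
    r"\\software\\classes\\ms-settings\\shell\\open\\command", re.IGNORECASE
)
# fodhelper.exe is an auto-elevating Windows binary; it should never be
# the parent of a shell or script host.
AUTO_ELEVATE_PARENT = re.compile(r"\\fodhelper\.exe$", re.IGNORECASE)
SHELL_CHILD = re.compile(
    r"\\(cmd|powershell|pwsh|wscript|cscript)\.exe$", re.IGNORECASE
)


@dataclass
class Alert:
    line_no: int
    reason: str
    evidence: str


def parse_event(line: str) -> dict:
    """Split 'A=1|B=2' into a dict; values may contain spaces and backslashes."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_event(fields: dict) -> Optional[str]:
    """Return a reason string if the event matches a bypass indicator, else None."""
    event_id = fields.get("EventID")
    if event_id in {"12", "13"}:  # registry key created / value set
        target = fields.get("TargetObject", "")
        if HIJACK_KEY.search(target):
            return f"ms-settings handler modified by {fields.get('Image', '?')}: {target}"
    elif event_id == "1":  # process creation
        parent, child = fields.get("ParentImage", ""), fields.get("Image", "")
        if AUTO_ELEVATE_PARENT.search(parent) and SHELL_CHILD.search(child):
            return f"fodhelper.exe spawned a shell: {child}"
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run every line through check_event and collect the hits, 1-indexed."""
    alerts = []
    for number, line in enumerate(lines, start=1):
        reason = check_event(parse_event(line))
        if reason:
            alerts.append(Alert(number, reason, line.strip()))
    return alerts


# Constructed sample log: a benign logon, the two handler writes, the
# auto-elevated shell, and an unrelated file-association change that must
# NOT fire. "victim" and the SID are placeholders.
SAMPLE_LOG = [
    "EventID=1|Image=C:\\Windows\\explorer.exe|ParentImage=C:\\Windows\\System32\\userinit.exe",
    "EventID=13|Image=C:\\Users\\victim\\Downloads\\client.exe|TargetObject=HKU\\S-1-5-21-111\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute|Details=",
    "EventID=13|Image=C:\\Users\\victim\\Downloads\\client.exe|TargetObject=HKU\\S-1-5-21-111\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)|Details=C:\\Users\\victim\\Downloads\\client.exe",
    "EventID=1|Image=C:\\Windows\\System32\\fodhelper.exe|ParentImage=C:\\Users\\victim\\Downloads\\client.exe",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\System32\\fodhelper.exe",
    "EventID=13|Image=C:\\Windows\\regedit.exe|TargetObject=HKU\\S-1-5-21-111\\Software\\Classes\\.txt\\(Default)|Details=txtfile",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.reason}")
```

Against the constructed log this reports lines 2, 3 and 5 and stays quiet on the benign file-association write. In a real deployment the list would be replaced by forwarded Sysmon events, and the detection complements rather than replaces the ringfencing the video describes: a policy that blocks the registry write stops the bypass, while this rule tells you that something tried.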
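The PHP section of the video describes backdoor code wrapped in base64 and gzip so that thousands of lines collapse into a few lines of gibberish handed to eval(). The following is an added example, not code from the video or from any WordPress plugin, of a small scanner that flags that eval(decoder(...)) shape and peels the encoding back off to see what it hides. The function names (peel, scan_php, pack_like_the_video) are this example's own; the PHP function names it matches on are real. The benign theme fragment and the packed payload are constructed, and the packed payload's inner layer only runs `id`, enough to show an OS command surfacing from what looked like noise.

```python
"""Flag and unpack base64/gzip-obfuscated PHP of the eval(gzinflate(base64_decode(...))) kind.

Added example, not code from the video or from any WordPress plugin.
The benign theme fragment and the packed payload below are constructed so
the scanner runs offline; a real scan would walk wp-content/ file by file.
"""
import base64
import binascii
import re
import zlib

# PHP functions that hand control to the operating system or to generated code.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|system|shell_exec|exec|passthru|popen|proc_open)\s*\(", re.IGNORECASE
)
# eval()/assert() fed straight from a decoder is the shape the video describes.
DECODER_CHAIN = re.compile(
    r"\b(eval|assert)\s*\(\s*(gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(",
    re.IGNORECASE,
)
# A quoted literal handed to base64_decode(); whitespace inside is tolerated.
ENCODED_ARG = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.IGNORECASE)


def peel(blob: str, max_layers: int = 5) -> str:
    """Undo base64, then raw deflate (gzinflate) or zlib (gzuncompress) if present, repeatedly."""
    text = blob
    for _ in range(max_layers):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
        except (binascii.Error, ValueError):
            break  # no longer base64: this is the plaintext layer
        decoded = raw
        for inflate in (lambda b: zlib.decompress(b, -15), zlib.decompress):
            try:
                decoded = inflate(raw)
                break
            except zlib.error:
                continue
        try:
            text = decoded.decode("utf-8")
        except UnicodeDecodeError:
            break
    return text


def scan_php(source: str) -> dict:
    """Classify one PHP file's contents; hidden_calls come from the peeled layers."""
    hidden = set()
    for match in ENCODED_ARG.finditer(source):
        inner = peel(match.group(1))
        if inner != match.group(1):
            hidden.update(c.group(1).lower() for c in SUSPICIOUS_CALLS.finditer(inner))
    report = {
        "decoder_chain": bool(DECODER_CHAIN.search(source)),
        "direct_calls": sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(source)}),
        "hidden_calls": sorted(hidden),
    }
    report["verdict"] = "suspicious" if report["decoder_chain"] or hidden else "clean"
    return report


def pack_like_the_video(inner_php: str) -> str:
    """Build the constructed sample in the one-line shape the video describes.
    gzinflate() expects raw deflate, i.e. zlib.compress() output without its
    2-byte header and 4-byte checksum."""
    deflated = zlib.compress(inner_php.encode("utf-8"))[2:-4]
    blob = base64.b64encode(deflated).decode("ascii")
    return f'<?php eval(gzinflate(base64_decode("{blob}"))); ?>'


# Constructed inputs: a stock-looking theme file and a packed payload.
BENIGN_THEME_FILE = '<?php get_header(); ?>\n<main><?php the_content(); ?></main>\n<?php get_footer(); ?>'
INNER_PAYLOAD = '<?php echo "decoded layer"; passthru("id"); ?>'
PACKED_SAMPLE = pack_like_the_video(INNER_PAYLOAD)

if __name__ == "__main__":
    for name, php in (("theme", BENIGN_THEME_FILE), ("packed", PACKED_SAMPLE)):
        print(name, scan_php(php))
```

The theme fragment comes back clean; the packed sample is flagged twice over, once for the eval(gzinflate( chain visible in the file and once because the peeled layer contains passthru(). Peeling matters for triage: a decoder chain alone tells you a file is packed, while the unpacked calls tell you what it would do, which is the difference between a false positive from a legitimately minified plugin and a backdoor that runs commands on the host.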