They keep trying to backdoor Open Source
- Published 15 Nov 2024
Official Discord Server - / discord
Learn Reverse Engineering - skool.com/eric...
Follow me on X - / atericparker
Disclaimer: The content in this video is for education and entertainment purposes to showcase the dangers of malware & malicious software. I do not encourage any form of illegal hacking, nor do I encourage the usage of game cheats, cracks or hacks.
Cracks are sometimes shown to highlight the dangers of software piracy; my content is not intended to teach anybody how to pirate, or maliciously hack.
(C) Eric Parker 2024
People doing these are the malware of mankind.
they most likely will live a happy life :D
@@uhohwhy Not if I can help it!
@@zakyia keep dreamin
@@uhohwhy nah buddy, there's something called karma; god will take from you as much as you took from people
@@turkym7md5 that's a myth
Adding an obvious eval of obfuscated code as the only code change in a PR claiming to be a documentation update kind of feels genuinely _less stealthy_ than just adding the malicious code unobfuscated, lying about what it does, and hoping no one reads it though
Encoding code like this doesn't ever have a legit use case, right? It's only to bypass the automated checks.
Yeah, that was dumb. Maybe it's a(n unethical) researcher testing to see how easy it might be to compromise software
@@deltamico It tries to exploit human error, that you won't notice. Yeah, sure, it's hard to miss, but shit happens. Obviously it won't pass any human that notices it and has 2 brain cells working to check wtf this is even doing.
@@paxcoderatp there’s no difference between a “researcher” and “attacker”
@@undefinedchannel9916 I'm not quite sure what you're trying to say. There should be a difference between a black hat hacker and someone who does research.
scriptkiddie level of "stealth"
Unfortunately that's still sophisticated enough to rekt people
I read skibidi
@@ouss skiddie toulet
@@ouss You're not too far off. It's the same level of brainrott scriptkiddies have
@@ouss skididi kiddie
1990's virus: hello
2024's virus: i am gonna hide in your files, decode myself, download another one, decode that one too and then DOWNLOAD another one.
90s viruses tended to be a lot more sophisticated imo.
@@eadweard. Like "I am hiding in your MBR and wait for 30 boots or until 12th December to run the payload."
@@eadweard. 90's malware compared to today's malware is SUPER basic.
@@Sypaka That sort of thing, plus self-modifying code, polymorphic encryption, remaining resident in atypical locations like video memory. They had to spread using a few bytes and no Internet access.
@@su-25frogfoot74 Other way around I'm afraid.
Why do people try this method anyway? Obfuscated code is the biggest red flag of all. It would be detected immediately. Especially in large/popular repos where maintainers check commits for malicious code before accepting.
cause they only need 1 slip up
Does github have a flagger to users who submit obfuscated code to huge public repositories?
Reminder that the XZ backdoor was only caught because some dude noticed SSH takes 0.5 seconds longer than it used to, not because it was caught in code review
@@lolwutizit reminder that Jia Tan wasn't as stupid as the people trying to insert these. He didn't just execute an obfuscated string made in a for loop from a character array.
it was a combination of binary test files (which is fine and expected for a compression utility, but the ones Jia Tan added were never used in any actual tests, see cf44e4b in the xz repo) and a configuration script to insert the backdoor into distributed tarballs
that isn't to say that the code is safe just based on how safe the diff looks; it's just that the people doing these python backdoors are idiots targeting idiots. unless the maintainer suffers a stroke in the middle of code review, this would never pass
@@soccerguy2433 This. Once you let them get on the other side of the airtight hatch, they can wreak all kinds of havoc.
Nowhere nearly as sophisticated as Jia Tan. This is script-kiddie level.
I love your profile picture lmao
me watching this who casually downloads hundreds of random projects from github without reading the code 💀
same lol
most of them are safe since owners wont merge these prs
omg just read this while installing 5 github projects through winget 😭
@@Pepo..Hehe, interesting timing. But this is an old problem. Our civilization long ago passed the point any single person could vet our tech/knowledge. Like it or not, we rely on overlapping networks of trust.
6:29 “DiS-“
from my comprehension, we can hear that Eric Parker does not approve
I mean if he would have hidden this in a huge PR then it might have slipped through but this is just lazy.
5:07 I saw the command "termux-setup-storage", which only exists in the Android terminal emulator named Termux and grants the storage permission
so the payload asks for storage permission, then proceeds to just wipe half the phone
cool!
that command is used to give Termux access to storage. Running this command for no reason will NOT wipe your phone. It will wipe ONLY what's set as your ~/storage. If you are dumb enough to set your root (/sdcard or /storage/emulated/0) as storage in Termux, it COULD wipe your stuff, except it wouldn't due to missing privileges.
@Sharpless2 i said 'that script' not 'that command'
bad word pick ig
@@Sharpless2 also considering android updates, it is even worse regarding privileges?
I smell Android malware upon seeing the termux-setup-storage line of code
@@SanekGamer007 no, the word choice was fine. The commenter just has bad reading comprehension
this youtube channel appeared in a dream i had and i don't know why
There can be no doubt. You are the chosen one.
Maybe you've seen it before and forgot about it
u might got hacked in another timeline and that is the echo from u warning u
@@pixelcatcher123 His brain got hacked
Fated to be
Good work. Here's another thing to look at.
One youtube ad while running librewolf Mozilla Firefox 130.0-3 spawned a "RDD" process.
Apparently, it is related to "distributed media" or something like that but it seems people are talking about hackers exploiting it to run crypto mines. When RDD was spawned it took 50% of CPU load. Killing librewolf removed the RDD process.
It's a marvel ad providers are still not held accountable for stuff like that, and yet they'd like to control what you say.
You mean an ad from googleadservices? So YouTube processes uploaded videos to standardize the format and scans their content, but Google Ads serves us random files just as they come?
idk, writing or fixing documentation isn't a job most people like to do so I think it's just as valid as a small bug fix.
The issue is people spamming small pulls instead of just bundling lots of documentation changes into one pull I think.
It wastes maintainer time and is used to pad out contribution stats for job searching
Assuming someone looks at what was changed, it's not fooling anyone. The bigger problem is people just accepting commits without bothering to check out what changed. Once we have really good software to scan for weird stuff like this reliably, then we can let that system deal with it; but we're not there yet... at least in this repo.
The one thing I learned from DDLC is to be weary of the "Import os" function that game uses it pretty responsibly to Add in some spooky looking image files/deletes certain files in a subfolder of the install directory overall not malicious/harmful to the OS
Please use punctuation, I almost died reading that, no offense.
I literally died reading that. (take offense)
The easier thing is looking at exec functions.
Exec is rarely necessary for a program, and using exec on some random numbers should be quite an obvious red flag.
If exec is used it should be obvious of what it does, because it can be a security risk even without a payload.
Why would I get tired of a function?
*wary
interesting you are seeing more and more of these attempts to backdoor large projects that are open source, it seems like a concerted effort but man you are just seeing it more and more nowadays.
neat video eric
Cyber attacks are becoming more frequent worldwide. It's not a surprise.
The explanation is simpler: OpenAI & others are selling AI agent services and many don't care what you're doing with them. One American is already awaiting court with 16 years' jail for the Spotify thing.
It's not just the big ones, I believe a lot of no name repos are probably full of malware too. We don't know for sure whether smaller projects are being targeted or not.
Recently I came across a big open source AI project with thousands of stars where the developers themselves were harvesting user emails or something. Man I love to tinker and explore open source but this is holding me back. ;-;
Docs only pulls are great if you actually clarify or fix something. I have never had a PR like that rejected.
They're sometimes shady because it just becomes someone that's doing clout chasing and adds nothing of real value, e.g. they add useless documentation based on what an LLM recommends. More commonly I see people trying to fix code issues based on having an LLM look at the code and make mass recommendations. Something like recommending that a pointer be set to null, even though it goes out of scope the very next line, or something equally useless.
@@futuza "Now that I fixed 1 line of grammar, I can finally add 'AOSP Contributor' in my bio 🥸"
this is like the A=1 B=2 cipher of attempting malicious code. Did a 13-year-old do this?
most likely
"until automated scanning gets better", this is a worse issue, when people start trusting automated scanning. attackers just need to bypass that, as people will be less likely to review code and automated scanning won't be able to catch "new" attacks, there MUST be HUMANS reviewing code.
"Um... whatcha got there?"
"A smoothie"
How it actually happens is that the package maintainer is threatened in real life and forced to merge something. That's it. No normal people would merge this crap
Pushing obfuscated code as a random array is red flag enough.
5:37 i think "facebook hack" is like they send this to ppl on facebook or using a zeroday to run it or something like that
And sometimes they have funny names like Linus Torvalds.
How convenient for corpos who need to fix their reputation known for bad code, privacy concerns or even security breaks.
06:09 also check if standard library has what you want
Why does GitHub have no virus scanner that slaps a big red warning on any code strings like this? Must not be too difficult to detect.
It has. It is called static code analysis and it can be enabled for projects, but maybe they didn't have it enabled for some reason, or configured it incorrectly so that it didn't recognize this payload? Usually the static code analysis is done as a part of your "test" pipeline in GitHub.
You have been making absolute bangers of videos recently man.
I always assume these kinds of attacks are State actors.
Only a government employee would be so lazy.
well, State actors attacking stuff are more subtle (jia Tan, Pegasus, etc), this is really script kiddy stuff
if I write some code in batch, will that make me a pro hacker, since batch is a hacker language
No
@@EL_DIABLOMATEO09ik im jokin😭
Yes
it would make you a pro elite wine prefix hacker while you try to join your friends on the next popular game (you will fail to do so and boot up Windows)
if you see anything that even resembles this in a PR and it doesn’t set off every alarm bell in your brain please quit programming forever
I like how you broke it down and opened it up in a virtual machine, you should do more! Really enjoyed it
These people are dragging humanity backwards.
They’re trying to make “open source” no longer safe to exist.
This kind of obfuscation gives me so much second-hand embarrassment lol. They could have at least tried to encode the bad stuff into utf-8 white-space and make it look like some kind of actual commit. Honestly, it'd probably be less noticeable to just add the actual code and not call exec at all.
We need teams of people out there reviewing code on a regular basis for major open source apps. Sadly that requires lots of resources, lots of money. I'm a programmer myself, got a degree, I don't really do it anymore, but even I would have difficulty detecting something malicious or "hacker-friendly" code. Not to mention, already compiled code could have been messed with by altering the given source. What we see on GitHub and the final compiled file of that app we download could be different.
2:20 it is nice enough to close the connection it opened so it has that going for it
I rarely use third-party libraries because of this. I have no idea what is in the code. Unless it's something it would take months for me to do it myself or that is beyond my abilities, I'm not shipping someone else's code to users.
And this is not how modern web development works. I don't think anyone has read most of what's on npm for a decade *scared face emoji goes here*
You might as well not use the internet, every software or website ever made relies on "third party" libraries
Buddy really lied to get likes … lmfao
This is why I loved how Linus Torvalds ripped people a new asshole for making bad Linux kernel pull requests
20/1 odds some proprietary company is behind these. OpenAI I'm looking at you
Wouldn’t be surprised if it’s someone’s job at the CIA to just try and put these in as many open source projects as possible
These attempts are so pathetic.
It's like when I opened an issue, and someone responded with "hey, I have a fix for you, download this, and execute this here binary".
If someone falls for these kinds of attempts, they shouldn't be involved in FOSS.
04:38 add `exec=print` to start of file?
This doesn't catch every case. Python has some sneaky ways of doing stuff. The simplest thing would be using __import__('builtins').exec.
There are even sneakier ways like replacing the binary code of a lambda function.
So manual checking is still the way to go
@@snudget Maybe the only safe way is not to copy-paste anything into Python at all, e.g. load the string from another file, or load the list as JSON
@@AlexanderVulpes the only safe way to do this is to compile a custom Python version.
or use a find and replace ffs this was painful to watch
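The exec=print trick and its __import__('builtins').exec bypass discussed in this thread, together with the "block int arrays automatically" idea a later commenter raises, can both be checked statically. The following is an added example written for this page, not code from the video or from any commenter: an AST pass over Python source that flags calls to exec/eval/compile/__import__, lookups on the builtins module that sidestep a shadowed exec, assignments that shadow those builtins, and long literal lists of printable code points. The three sample sources are constructed and harmless (they only print the word "gagal" from the video); the minimum list length of 16 is an arbitrary threshold.

```python
import ast

# builtins whose call turns data into running code, or fetches other builtins
DYNAMIC = {"exec", "eval", "compile", "__import__"}


def _callee_name(call: ast.Call):
    """Name of the called function, for both exec(...) and <obj>.exec(...)."""
    fn = call.func
    if isinstance(fn, ast.Name):
        return fn.id
    if isinstance(fn, ast.Attribute):
        return fn.attr
    return None


def _is_builtins_ref(node: ast.AST) -> bool:
    """True for `builtins` or `__import__('builtins')`, the usual way around a shadowed exec."""
    if isinstance(node, ast.Name) and node.id == "builtins":
        return True
    if isinstance(node, ast.Call) and _callee_name(node) == "__import__":
        return (bool(node.args) and isinstance(node.args[0], ast.Constant)
                and node.args[0].value == "builtins")
    return False


def _looks_like_encoded_text(node: ast.AST, min_len: int = 16) -> bool:
    """A literal list/tuple of at least min_len integers that all fall in the printable range."""
    if not isinstance(node, (ast.List, ast.Tuple)) or len(node.elts) < min_len:
        return False
    return all(isinstance(e, ast.Constant) and isinstance(e.value, int)
               and 9 <= e.value < 127 for e in node.elts)


def scan_source(src: str) -> list:
    """Return human-readable findings for one Python source text (empty list = nothing suspicious)."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in DYNAMIC:
                findings.append(f"line {node.lineno}: call to {name}()")
            elif name == "getattr" and node.args and _is_builtins_ref(node.args[0]):
                findings.append(f"line {node.lineno}: getattr() on builtins")
        elif isinstance(node, ast.Attribute) and _is_builtins_ref(node.value):
            findings.append(f"line {node.lineno}: builtins.{node.attr} looked up directly")
        elif isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id in DYNAMIC:
                    findings.append(f"line {node.lineno}: builtin {target.id} is shadowed")
        elif _looks_like_encoded_text(node):
            findings.append(f"line {node.lineno}: {len(node.elts)}-element integer list in printable range")
    return findings


# constructed samples (harmless: the encoded text is print("gagal"*2))
SAMPLE_OBFUSCATED = '''
codes = [112, 114, 105, 110, 116, 40, 34, 103, 97, 103, 97, 108, 34, 42, 50, 41]
exec("".join(chr(c) for c in codes))
'''
SAMPLE_BYPASS = '''
exec = print  # the "guard" proposed in the thread
__import__("builtins").exec('print("gagal")')
'''
SAMPLE_BENIGN = '''
import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    for label, src in [("obfuscated", SAMPLE_OBFUSCATED), ("bypass", SAMPLE_BYPASS), ("benign", SAMPLE_BENIGN)]:
        print(label, scan_source(src) or "clean")
```

The point of the second sample is the one the reply makes: `exec = print` silences a bare `exec(...)`, but the attribute lookup on `builtins` still reaches the real function, so the check has to look for that lookup rather than trust the shadowing. A pass like this belongs in the test pipeline as a gate for human review, not as a replacement for it.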
3:39 gagal means fail in Indonesian / Malay
this is far too obvious, it makes me feel like this could have been done to attempt to cover up some actually hidden backdoor somewhere else
it's all jia tan's fault
Lets all love Lain!
( i was kinda little confused when saw lain as user directory in PS, because i have it too XD )
Good lord these hackers would actually be worth something if they went out and spent time building better software. What a waste of life.
my anxiety watching you paste the malicious code into your IDE 📈📈📈
as indonesian i know this guy and i feel ashamed
Good. They're self-reporting so we can easily update antivirus signatures
"There's no such thing as a free lunch".
At least these mfs are here to remind us of that. A necessary evil, dare I say.
i know it's off-topic, but just by seeing "e/acc" in the username i have an immediate disgust response
That dude must have lost his job to the U-net 😭
gagal means fail
do these PRs generate builds? maybe the intention is not to get anything merged, but get a build going on someone's github actions instance, which may then execute code
Not me thinking he was going to open Photoshop somewhere in the video.
embarrassing how they think they can get away with it
bro is not jia tan
surely no one is actually merging these PRs? It's so obviously malicious code.
If someone thinks this is a real backdoor, this is just an AI anti-backdooring engine test
Good video. And info.
As an aside - notice how quickly that microsoft 'update' fiasco died down?
I mean...it wasn't a small thing eh?
I think that "implement on your own" vs "use library" dilemma is kinda false: you probably should use a library, because the less code you maintain on your own the better, and a library will be more tested and efficient in proportion to its popularity, but the real issue here is that you need to trust the library's maintainers. There are always exceptions of course, so the universal answer "it depends" still holds, but generally I'd say: use libraries where you can, but only if you trust their maintainers.
Gagal basically means "Failed" in Malay/Indonesian.
The Reddit Writes Code one is just a rickroll, I decoded it. They used Unicode characters to obfuscate it + selenium to open the link in a browser
Make some automated code review tool that would prevent a merge if it detects an int array or hex array, so that only the repository owner can manually approve it if it turns out to be actual legit code. This way juniors/students who just need some first project to work on, and therefore may not care as much, won't get to merge this. And alternatively you could block merges if a line is more than 150 chars long, for example, so that any attempts to start a line with many spaces will get caught.
3:43 I wonder if github is going to do anything about it if he deleted the secondary files, they sure didn't care when the dude that made the peacenotwar malware hid all traces of it and closed all issues
Hello Eric, what should I learn to understand those things? Python programming?
i think he is from indonesia, the word sandi and gagal is indonesia word
stealthy vm video when? :c teased it but hasn't dropped yet haha
At least these here are very obvious, assuming the reviewers actually review everything
ofc we gonna read into the code, that's the point of open source
That's the sloppiest shit I've ever seen
>base64
always assume base64 is a backdoor
use exec=print to overwrite it
normalize devs posting the hash of their project and putting it on github for data verification
5:18 probably targeting "hackers" using an app called termux on their phone.
termux is just a terminal emulator thing for android phones
Can you analyze Winlator? It's on here too
Unfortunately, automated scanning will be met with a ton of automated scamming.
Why would you back door open source?!
No worries bro if you publish a Nuget package you can just run whatever powershell script you want on install
How do they obfuscate it like that? Do they use a tool? Or figure it out manually?
You could just invert it.
s = "whatever you want"  # named s so the builtin str is not shadowed
print([ord(c) for c in s])  # ord gives each character's code point
# output:
[119, 104, 97, 116, 101, 118, 101, 114, 32, 121, 111, 117, 32, 119, 97, 110, 116]
@@EricParker actually used this to send strings over pytorch's distributed link when I was trying to sync filenames lol
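The inverse of the ord() trick above, carried through the stacked layers commenters mention elsewhere on this page (base64 on top of a code-point list on top of \x hex escapes), as an added example that is not Eric's code or any commenter's. It only turns text back into text and never exec()s the result, which is how a reviewer can read what a PR like this would actually run. The nested sample is constructed here from the harmless string print("gagal"); the set of recognised encodings and the printable-text acceptance check are my own assumptions.

```python
import base64
import binascii
import re
import string

# the three encodings seen in these PRs; each is inverted with ordinary stdlib calls
INT_LIST = re.compile(r"^\s*\[\s*\d+(\s*,\s*\d+)*\s*,?\s*\]\s*$")   # [112, 114, ...]
HEX_ESCAPES = re.compile(r"^\s*(\\x[0-9a-fA-F]{2})+\s*$")            # \x70\x72...
BASE64_ALPHABET = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def _readable(s: str) -> bool:
    """Accept a decoded layer only if it is ordinary printable text (assumption)."""
    return bool(s) and all(ch in string.printable for ch in s)


def decode_layer(text: str):
    """Decode exactly one layer; returns (kind, decoded) or None if nothing matches."""
    if INT_LIST.match(text):
        nums = [int(n) for n in re.findall(r"\d+", text)]
        if all(n < 0x110000 for n in nums):
            out = "".join(chr(n) for n in nums)      # chr() is the inverse of ord()
            if _readable(out):
                return "int-list", out
    if HEX_ESCAPES.match(text):
        out = bytes.fromhex(text.strip().replace("\\x", "")).decode("utf-8", "replace")
        if _readable(out):
            return "hex-escapes", out
    compact = re.sub(r"\s", "", text)
    if BASE64_ALPHABET.match(text) and compact and len(compact) % 4 == 0:
        try:
            out = base64.b64decode(compact, validate=True).decode("utf-8", "replace")
        except binascii.Error:
            return None
        if _readable(out):
            return "base64", out
    return None


def peel(text: str, max_layers: int = 8):
    """Peel layer after layer without executing anything; stops at the first unrecognised text."""
    layers = []
    for _ in range(max_layers):
        step = decode_layer(text)
        if step is None:
            break
        layers.append(step)
        text = step[1]
    return layers


# constructed sample: a harmless print wrapped in hex escapes, then a code-point list, then base64
INNER = 'print("gagal")'
HEX_LAYER = "".join(f"\\x{ord(c):02x}" for c in INNER)
INT_LAYER = str([ord(c) for c in HEX_LAYER])
SAMPLE = base64.b64encode(INT_LAYER.encode()).decode()

if __name__ == "__main__":
    for kind, text in peel(SAMPLE):
        print(f"{kind:12s} -> {text[:60]}")
```

Each layer is recognised by its shape and accepted only if the result is still printable text, so a plain word like "hello" is not mistaken for base64 and the loop stops as soon as the readable source appears. Anything that survives unpeeled is what the reviewer reads; nothing here runs it.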
Cat ears at 200k
Will never stop. Will grow.
lain in the powershell, based
This makes me skeptical of all the open source software I use- oh wait I use Linux I am cooked. Jokes apart day by day github is getting scary and my paranoia suggests that it was a scary place before but people are just finding out about it now
Don't be overdramatic lmao just be vigilant and careful when running untested stuff from GitHub
Bro that's so lame, it's like writing eval(malicious code) in javascript. Literally a code execution command right in front of everybody, so obvious.
For javascript specifically: never merge any eval() or Function() or even tagged template literal, read them carefully and then decide what to do.
Uses backdoor closed source browser
Yeah these script kiddy attempts aren't fooling anyone. It's when there's a believable excuse to include a binary file that things get scary, for example oh I don't know, if it's a well known compression library.
My assumptions on which country that person came from are too narrow, just from how they type
else:
    print("gagal")
😂
1 minute ago is wild
Not everything in life is wILd, kid.
Take some ritalin.
@@heretic0014 calm down bro im just congratulating that im early 😭
@@heretic0014 get out unc 💀
@@heretic0014 shudup unc ruckus, go back to the docs
Imagine falling for these PRs lmao
this guys got the same accent as Andy Tate!
Is he Indonesian??
Looks like it, "gagal"
uses a variable called sandi and has a git name like a real ID-card name, like a college student
so embarrassing lol
Is evildojo666 actually well known in the AI community? I can't see anything from him besides random game dev videos
it’s ok I’m sure capitalism will sort this out real quick or something
3:04 hidden hexadecimal values create code for a command that opens ports. Easy to spot now??
ANOTHER ONE???!?
WTF IS HAPPENING?!
GitHub/GitLab and Open Source code seem to be the newest targets to slip in malware. Blame the lack of security protections (like nothing is scanned prior to being uploaded) and the fact that it’s the easiest target currently since more and more companies and users are using open source code and applications
Nah but this has to be the most scuffed attempt ever xdd
haven't watched the video and don't care to, so I don't know if you mentioned this, but this was probably a false flag attack against some random guy's website
1000 like is mine!
But i thought we got rid of all the russians russians russians from open source