• Fact-checking The Undeclared War: ‘A hacker cou…

    From David Brooks@21:1/5 to All on Mon Jul 4 10:27:40 2022
    XPost: alt.computer.workshop, alt.comp.freeware

    Fact-checking The Undeclared War: ‘A hacker COULD turn off the lights in Putin’s office’!

    Is Channel 4's chilling new cyber-attack drama far-fetched? Not in the
    least, says former GCHQ chief David Omand!

    =

    In the first episode of Channel 4’s new drama The Undeclared War, Russia launches a major cyber attack on Britain. Set at intelligence agency
    GCHQ, the series follows the UK’s attempts to respond to a severely
    worsening threat: one that could drag the country into war.

    The internet goes down, cash machines stop working, flights are grounded
    and the railways are put out of action.

    “In terms of the attack scenarios, those are all eminently plausible,”
    Sir David Omand, the former GCHQ director, tells me via video call from
    a book-lined study. “All of the threats that are portrayed against the
    UK and its democratic system are real. They’re all technically doable.”

    Sir David’s 2020 book, How Spies Think: Ten Lessons in Intelligence,
    imagined a similar scenario. The title of the new drama, by
    Bafta-winning writer-director Peter Kosminsky, suggests that we may
    already be in a state of war: does Sir David believe that? No, he says,
    but “we’ve probably been in an undeclared state of conflict”.

    More:- https://www.telegraph.co.uk/tv/0/fact-checking-undeclared-war-hacker-could-turn-lights-putins/

    +

    FYI:- https://www.kcl.ac.uk/people/professor-sir-david-omand

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Hill@21:1/5 to David Brooks on Tue Jul 5 08:05:29 2022
    XPost: alt.comp.freeware, alt.computer.workshop

    On 4 Jul 2022 at 10:27:40 BST, "David Brooks" <nomail@afraid.org> wrote:

    > Fact-checking The Undeclared War: ‘A hacker COULD turn off the lights in Putin’s office’!

    Should not this at the very least have been labelled [OT]? What on earth has
    it to do with the subject matter of any of the groups to which it was crossposted?

    Stick to the point, David.

    J.
    --
    An infinitely complex system can fail in an infinite number of ways.

  • From Alan B@21:1/5 to John Hill on Tue Jul 5 11:11:58 2022
    John Hill <watcombeman@yahoo.co.uk> wrote:
    > On 4 Jul 2022 at 10:27:40 BST, "David Brooks" <nomail@afraid.org> wrote:
    >
    >> Fact-checking The Undeclared War: ‘A hacker COULD turn off the lights in
    >> Putin’s office’!
    >
    > Should not this at the very least have been labelled [OT]? What on earth has
    > it to do with the subject matter of any of the groups to which it was crossposted?


    Hear, hear :)

    --
    Cheers, Alan

  • From David Brooks@21:1/5 to John Hill on Wed Jul 6 00:18:53 2022
    XPost: alt.comp.freeware, alt.computer.workshop

    On 05/07/2022 09:05, John Hill wrote:
    > On 4 Jul 2022 at 10:27:40 BST, "David Brooks" <nomail@afraid.org> wrote:
    >
    >> Fact-checking The Undeclared War: ‘A hacker COULD turn off the lights in
    >> Putin’s office’!
    >
    > Should not this at the very least have been labelled [OT]? What on earth has
    > it to do with the subject matter of any of the groups to which it was crossposted?
    >
    > Stick to the point, David.
    >
    > J.

    John

    *I apologise*. I somehow thought that folk would have already read what
    poster 'Apd' had said about this new drama on my ACW group. It's all
    about my favourite subject! :-D

    Message-ID: <t9lbtd$21s83$1@apd.eternal-september.org> refers:-

    New drama series on Ch4 about a cyber attack on the UK. My interest
    was piqued when, in a scene inside GCHQ, Simon Pegg was revealed to be
    the "head of malware" in the "malware department" (really!?). A young
    intern asked to see the code and an IDA disassembly of the malware was
    brought up on her PC. It's clearly 64-bit Intel code from a Windows
    executable.

    She scrolls through the '.rdata' section which is encoded text of some
    kind (looks similar to base64), and the guy next to her points out
    that it's obfuscated (duh). He then tells her the jumps in the code
    (shown by lines in the IDA disassembler) are to skip over garbage and
    that the garbage is there to fool anti-virus software (hmmm...). I
    hope he didn't mean the obfuscated "garbage" because that's not in the
    '.code' section and won't be in the execution path.

    She wants to take part in the analysis but the guy tells her to go run
    the malware in a sandbox. It doesn't work and he says that's common
    because malware can detect that (true). He says it would look for real
    activity and tells her to paste in some Word documents (WTF?). Well,
    it might certainly look to see that it's not running in a reverse-
    engineering environment but it won't be hinging on the use of Word.

    She inspects the code more closely and tells the guys she's found
    something. They smile and say it's boilerplate library code and they
    all made that mistake early on (IOW, skip over it). However, she has
    found a file name and a call to WSAStartup (needed before doing
    anything with sockets), and it turns out to be for further comms and
    downloading more stuff. The "head of malware" reports that work on it
    is slow-going because of anti-debug tricks (you don't say!).

    Later, in a Cabinet Office briefing room (COBR), GCHQ is embarrassed
    by a minister who highlights their incompetence when, with all their
    experts, a young trainee has found something they overlooked!

    Despite some unlikely things there, they didn't do too bad a job on
    the technicalities. I wonder who advised them? Looks to be a good
    thriller. I shall watch the rest of it.

    --
    The whole thread, in ACW, is worth reading, if you have a few spare minutes.

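An added example, not part of any post in this thread: the quoted review's point that encoded text in '.rdata' is data rather than part of the execution path can be checked from the PE section table, which records whether each section is mapped executable. The sample image is constructed inline (headers and two sections only, with the code section named `.text` as an assumption of the example), and `parse_sections`, `locate` and `build_sample` are names chosen here.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section is mapped executable

def parse_sections(data):
    """Return [(name, raw_offset, raw_size, characteristics)] for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _m, nsect, _t, _s, _n, opt_size, _c = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, _vs, _va, raw_size, raw_off, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size, flags))
    return sections

def locate(data, needle):
    """Return (section, is_executable) for the first hit of needle, else None."""
    pos = data.find(needle)
    if pos < 0:
        return None
    for name, off, size, flags in parse_sections(data):
        if off <= pos < off + size:
            return name, bool(flags & IMAGE_SCN_MEM_EXECUTE)
    return "<outside sections>", False

def build_sample():
    """Constructed header-and-section layout for the demo; not a runnable program."""
    text = b"\xeb\x02\x90\x90\xc3".ljust(0x200, b"\xcc")  # jmp +2 over two filler bytes, ret
    rdata = b"ws2_32.dll\0WSAStartup\0Q29uc3RydWN0ZWQgc2FtcGxl\0".ljust(0x200, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(240, b"\0")  # PE32+ magic, rest zeroed

    def sec(name, rva, off, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, off, 0, 0, 0, 0, flags)

    headers = dos + coff + opt + sec(b".text", 0x1000, 0x400, 0x60000020) \
        + sec(b".rdata", 0x2000, 0x600, 0x40000040)
    return headers.ljust(0x400, b"\0") + text + rdata

if __name__ == "__main__":
    sample = build_sample()
    for needle in (b"\xeb\x02\x90\x90", b"WSAStartup", b"Q29uc3Ry"):
        print(needle, "->", locate(sample, needle))
```

In the constructed sample the jump-over-filler bytes resolve to the executable section, while the `WSAStartup` import name and the base64-looking text both resolve to the read-only data section.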
  • From David Brooks@21:1/5 to Alan B on Wed Jul 6 00:21:53 2022
    On 05/07/2022 12:11, Alan B wrote:
    > John Hill <watcombeman@yahoo.co.uk> wrote:
    >> On 4 Jul 2022 at 10:27:40 BST, "David Brooks" <nomail@afraid.org> wrote:
    >>
    >>> Fact-checking The Undeclared War: ‘A hacker COULD turn off the lights in
    >>> Putin’s office’!
    >>
    >> Should not this at the very least have been labelled [OT]? What on earth has
    >> it to do with the subject matter of any of the groups to which it was
    >> crossposted?
    >
    > Hear, hear :)

    You haven't bothered to learn the history, Alan!

    In the beginning ....

    https://web.archive.org/web/20071207062813/http://www.aumha.net/viewtopic.php?t=26668

    That should help you.

    --
    Kind regards,
    David

  • From HunterBD@21:1/5 to All on Thu Jul 7 00:18:45 2022
    > You haven't bothered to learn the history, Alan!
    >
    > In the beginning ....
    >
    > https://web.archive.org/web/20071207062813/http://www.aumha.net/viewtopic.php?t=26668

    Reading that thread should help you understand that you aren't the only
    person who thinks that they are God's gift to computing!
