They also posted a bunch of hashes for a file which was customized for them, and then remarked that VirusTotal hadn't seen it.
Though it does make me think that it would be a good trick to offer this 'service', but then keep all the proceeds (everyone gets the same ransomware download). Maybe less profitable on the long term though.
No, AV has capabilities much more sophisticated than that; however, from what I understand, within the malware analysis community specific samples are generally identified by their hash. In addition, if the hash of a file is known-bad, you can skip all the binary pattern matching and heuristics and stuff.
Most not-shit AV runs checks from easy to hard, so it will blacklist/whitelist on easy identifiers (like hash) and only do a more in-depth look at greylist stuff.
They used to do a lot of fancy things, back in the days, including running bits of suspicious executables in heavily sandboxed interpreters to spot behavioral patterns.
I'm guessing those kind of approaches have largely gone away, being replaced with signatures that are hopefully fuzzier than a wholesale cryptographic hash, but still essentially only catching things after the fact, which works well with subscription business models.
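An added example (not from any commenter in the thread) of the "easy identifiers first" flow described above: an exact SHA-256 blacklist lookup, and for files that miss it, a similarity check standing in for a signature fuzzier than a whole-file hash. The file contents and the known-bad list are constructed random bytes, and the chunking scheme is a toy written for this illustration, not ssdeep or any vendor's algorithm.

```python
import hashlib
import random

# Constructed stand-ins for binaries (random bytes, not malware): a known build,
# the same build with a few bytes inserted (the "customized for them" copy the
# thread describes, e.g. an affiliate tag), and an unrelated file.
ORIGINAL = random.Random(7).randbytes(4096)
CUSTOMIZED = ORIGINAL[:1000] + b"AFFILIATE-TAG" + ORIGINAL[1000:]
UNRELATED = random.Random(99).randbytes(4096)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def chunk_hashes(data: bytes, window: int = 16, divisor: int = 32) -> set:
    """Toy content-defined chunking: keep a rolling sum of the last `window`
    bytes and cut a chunk wherever that sum is 0 mod `divisor`. Boundaries
    depend on content, not offsets, so an insertion only disturbs the chunks
    around it; a whole-file hash changes completely on a single-byte edit."""
    chunks, start, rolling = set(), 0, 0
    for i, b in enumerate(data):
        rolling += b
        if i >= window:
            rolling -= data[i - window]
        if i + 1 - start >= window and rolling % divisor == 0:
            chunks.add(sha256(data[start:i + 1]))
            start = i + 1
    if start < len(data):
        chunks.add(sha256(data[start:]))
    return chunks

def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two files' chunk-hash sets (1.0 = identical)."""
    ca, cb = chunk_hashes(a), chunk_hashes(b)
    union = ca | cb
    return len(ca & cb) / len(union) if union else 1.0

# Known-bad store built from the ORIGINAL build only (constructed).
KNOWN_BAD_HASHES = {sha256(ORIGINAL)}
KNOWN_BAD_CHUNKS = {sha256(ORIGINAL): chunk_hashes(ORIGINAL)}

def classify(data: bytes, threshold: float = 0.7) -> str:
    """Cheap exact-hash check first; only misses pay for the similarity scan.
    Anything still unmatched is 'unknown' and would go on to heuristics or
    sandboxing in a real engine."""
    if sha256(data) in KNOWN_BAD_HASHES:
        return "known-bad"
    chunks = chunk_hashes(data)
    for bad in KNOWN_BAD_CHUNKS.values():
        union = chunks | bad
        if union and len(chunks & bad) / len(union) >= threshold:
            return "similar-to-known-bad"
    return "unknown"
```

The customized copy misses the exact-hash list, which is what the VirusTotal remark above amounts to, but still scores high against the original's chunk set.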
> "Based on the strings present in the PE file, it has been written in Go"
I find this kind of interesting. I've seen reports on other malware/virus stuff written in Go recently. I wonder if this is because the ability to cross compile with Go is pretty painless? Or is it because the language is fairly approachable but still allows you to dig a bit "deeper" if you need to?
Beyond assembly code and C, which is used for obvious reasons, malware authors often just use a language they are familiar with, like any other developer. Lots of malware has been written in Delphi, which has been popular in Eastern Europe, and even some in Visual Basic.
Maybe it’s a social reason and not a technical one… like, maybe Go is more popular in… some… country… and maybe that country happens to be over represented in… I mean, obviously not. Of course.
2. Technical users in China use VPN to circumvent said block, while non-technical users switch to something else
3. Technical users search for programming language terms a lot
4. Thus the normalized ratio of (programming language search queries) / (total search queries) is a lot higher in China compared to other countries where Google isn't blocked
They are proposing that countries where it is very lucrative and popular to write spyware for money are also countries where golang is popular, thus making it a social reason as to why they are getting written in golang as opposed to any technical one like cross compilation.
The list of countries where spyware is written intersected with golang popularity is, to me, actually a rough one; measuring languages' regional popularity always seems fraught.
In addition to easy cross compiling, being able to easily link statically is another nice feature of Go. You get one executable that has everything it needs to run.
That's exactly why I chose it when I made a PoC ransomware. That and using a virtual file system that bundles all assets into the executable, having a decent stdlib, tons of well written libraries and being able to cross-compile with ease.
> The business model behind the service is simple: the bad guys keep 10% of the ransom.
Creating a ransomware is indeed not a very nice thing to do, but IMO the ones that deserve the most to be called "bad guys" are the ones that actually spread the binary (so, the ones that keep the other 90%).
I was thinking of that analogy as well. With weapons, you can claim it is for self defense.
I guess some people will argue that releasing ransomware will make software developers study the different types of attacks, so they increase security in computer systems.
They do increase security... but if violating security could be justified like that, then why have any security at all? You'd already have a useful justification for legitimately violating security.
Like if drinking poison builds up immunity, you don't get a free pass to feed people poison because of it. If you did, then the immunity goal doesn't matter because everyone would be poisoned to death first.
Don't want to wind up in an Xzibit moment. "Yo dog, we heard you like ransomware, so we put ransomware in your ransomware so we can steal when you steal!"
That's just a Tor tunnel; IP and location don't matter.