Free Coding Tool Distributes Malware

29 Feb 2024
127,105 views

jh.live/n8n || Build automated workflows between applications, and integrate JavaScript or Python code whenever you need to -- with n8n! jh.live/n8n
Free Cybersecurity Education and Ethical Hacking with John Hammond
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥KZhead ALGORITHM ➡ Like, Comment, & Subscribe!

Comments
  • To be clear, the website freecodingtools[.]org no longer includes this malicious payload in their obfuscator. They reached out to me over email and explained this was due to a previous breach of their servers, but this has since been fixed. Free Coding Tools made it clear they never intended to distribute malware, and I had no intention to suggest that they did. ✌

    @_JohnHammond, 2 months ago
    • Firefox flagging as malware, would be interesting if you find anything on it

      @ZSquirrel678, 2 months ago
    • That's good to hear it wasn't done on purpose. Too bad their security sucks enough for them to get hacked like that.

      @UltimatePerfection, 2 months ago
    • @@UltimatePerfection And that their practices suck enough that they don't mention it on their website!!

      @advertslaxxor, 2 months ago
    • A bit late of them; once something like this happens they should be done as a service.

      @jamalabdisalam8578, 2 months ago
    • @@UltimatePerfection I hope that they learned their lesson and improved security.

      @cozajeden, 2 months ago
  • Very polite, I think, of the people who wrote this malware to leave the comments in their code when they shipped it, to help future security researchers.

    @amateurprogrammer25, 2 months ago
    • I don't think they wrote the malware, not really. The script looks like the output generated by a few tools to write installer wrappers for you. The only thing unique to their application over any other admin application to run at startup (for legit reasons like providing a VPN or checking a hardware device/driver) is the naming, and often that's pregenerated from a prefix by tools to ensure that it doesn't conflict with other logic sharing the script.

      @scragar, 2 months ago
    • I always comment my malware... don't want others to think I am a troglodyte.. :) // this prints a message console.log("a message");

      @furttech, 2 months ago
    • It's a bunch of libraries and tools they used to make the malware, not the malware itself.

      @cj.wijtmans, 1 month ago
    • A good mentor always teaches his protégés discipline, of which proper commenting is considered good housekeeping and proper etiquette. ;-)

      @tecknows, 16 days ago
  • There are so many flaws with the obfuscator website's logic. If I'm trying to PROTECT my intellectual property, the LAST thing I'm gonna do is take it and paste it into some random stranger's website. And then running the "obfuscated" code on any of my machines is even more mind-boggling. It's almost as bad as the low-budget Nigerian ransomware meme where they just leave a text file on your desktop asking you nicely to encrypt all your files and give them the key. You'd have to be truly unhinged to fall for this.

    @Sparks621, 2 months ago
    • Abeg why u add Nigerian there😢😂

      @serkhetreo2489, 2 months ago
    • @sparks621 Nigerians are 10 percent in NSA.

      @Tonksec, 2 months ago
    • Are we just ignoring that the primary function of obfuscated code is to disguise malware?

      @0LoneTech, 2 months ago
    • @@serkhetreo2489 scammers lie about who they are in their emails they send to elderly folks to try and trick them. Pretending to be a Nigerian Prince is the most famous example.

      @inverlock, 2 months ago
    • EXACTLY!

      @DallasGraves, 2 months ago
  • I stopped watching John for a few months, maybe longer.... He had 250k subs... When did he hit 1 million? 😮 Congrats John!

    @realMattGavin, 2 months ago
  • You can tell a base64 encoded string is not what it claims when the string generated is WAY too long compared to the original code.

    @scbtripwire, 2 months ago
  • Last time I had to deobfuscate an obfuscated python script I just turned the exec function into a print. Seems a bit easier.

    @DeNikow, 2 months ago
    • Doesn't work when it's multilayered; that only works when it's a monolayer obfuscator.

      @Hellscaped, 2 months ago
  • Good that n8n sponsors content creators. Will keep a lookout for it.

    @rembautimes8808, 2 months ago
  • Man, programmed viruses are so amazing, just the sheer mental process in order to make it happen. It's like being a detective at a crime scene piecing everything together the deeper we go . . . . I love it.

    @jordanmatthew6315, 2 months ago
  • This is awesome (and scary AF). Great to see a peek into some malware. Subscribed

    @samwood3691, 2 months ago
  • I can't express in words how fascinating your content is =) keep it up!

    @dipereira0123, 2 months ago
  • Hi John! I love your vids! I learn tons from them and always find them interesting. 🙂 I have some audio-related feedback I hope is welcome: I think there is an overly aggressive compressor somewhere in the vocal processing chain. I think relaxing the settings on this to preserve more natural dynamic range will reduce listening fatigue in your audience and may result in longer watch times. Thanks for another banger vid!

    @lalanotlistening, 2 months ago
    • Yep. With my Sony headphones it's easier to hear, I can lower the volume but I still hear the voice on steroids somehow. But I guess most listeners don't hear / don't care .....

      @loptatyson8095, 2 months ago
    • The volume is normalized to KZhead's standard. Stop listening to things on full volume.

      @nordgaren2358, 2 months ago
    • @@nordgaren2358 I’m not talking about normalization, which is just a flat volume adjustment across the board, I’m talking about compression, which modifies loudness by different amounts over time to bring the loudness of quiet sounds and the loudness of loud sounds closer together.

      @lalanotlistening, 2 months ago
    • Definitely too dense

      @danielsanichiban, 2 months ago
    • @@lalanotlistening voiceovers are compressed. That's how it is. They need to be. It's for clarity.

      @nordgaren2358, 2 months ago
  • The weird HTML looks like part of the Brotli compression scheme's static tables. Since Brotli is optimized for Web content it contains things like JS and HTML keywords in its tables. I'm guessing that this is part of the bundled Tor client's Brotli implementation, since the standard Tor client is based on Firefox and Firefox has native Brotli support as an HTTP transfer encoding.

    @kleinesfilmroellchen, 2 months ago
  • It should come as no surprise that executing unverified code is extremely dangerous. Anyone doing obfuscation should be using one of the many open source options you can run locally on your machine with full confidence that it's not stealing your code or injecting anything naughty.

    @electrified0, 1 month ago
  • I wish you would dig deeper into it. Love the long videos.

    @infohazard, 2 months ago
  • I would want to look more at the HID component. It isn't likely, but possible that it could use USB peripherals for other purposes, or attempt to locate storage to copy itself to.

    @tecknows, 16 days ago
  • You deserve more viewers!

    @elytra8, 2 months ago
  • This will be interesting to watch. Thanks John

    @MAX-nv6yj, 2 months ago
  • HID = Human Interface Device? Could it also be a keystroke logger?

    @Grommish, 2 months ago
    • Could also be Hardware ID, but I think that's usually HWID instead.

      @raspy_on_osu, 2 months ago
    • Keylogger and perhaps a USB file downloader or USB identity/crypto device stealer.

      @cj.wijtmans, 1 month ago
  • You have me hooked. This is so fascinating and scary.

    @JeffTiberend, 2 months ago
  • Your channel is like a hidden gem on KZhead. So glad I found it!

    @MyCodingDiarie, 2 months ago
  • I wonder about the C# HID device library... could that be used for parsing keystrokes? Detecting 2-factor devices like a YubiKey? Detecting a hardware wallet?

    @furttech, 2 months ago
    • It can be used to get keyboard/mouse inputs (however there are a lot of ways to do this). It can be used to detect any USB devices.

      @Z3rgatul, 2 months ago
  • That HTML page looks like one of the pages you sometimes find in google results from completely random domains that just try to match on some keywords and get you to click on them. It probably then tries to redirect to some scam site, or download a file. My guess is it's not intended to be deployed on regular desktops, but perhaps will be used when it detects a webserver process running.

    @xorinzor, 2 months ago
  • Then I’m your number two fan!!

    @AaronFord-bn7dm, 2 months ago
  • The miner section, I wonder if this was a decoy or its main purpose. Was it setting machines up to be mining bots?

    @cpallphotog, 28 days ago
  • The icons that you found looked like MS SQL icons. Maybe a light SQL client?

    @aldak8635, 2 months ago
  • Really enjoyed the last 2 minutes of the video. Sketch.

    @AgentM124, 2 months ago
  • I suspect, given the compilers and such they offer there, someone may have used one of the online tools to infect them.

    @GRHmedia, 2 months ago
  • I have seen this a few times before on "free tools".... An attacker will embed a script into a compromised server, package or tool. This was a creative method for propagation. I wonder how long this was active...?

    @furttech, 2 months ago
  • What keyboard is that!?

    @TheGamer_Zero, 2 months ago
  • Hi, I just want to know how to detect an app that outputs music on Android, because I can NOT find an app that will do that, and this annoying music plays every 1:16am or 2:00pm, and 3C Tools (3C All-in-one Toolbox) does not show the app that is outputting the music (I tried killing apps/tasks and the music does not stop) + Android does not show the music in the notification menu.

    @nvs-different-ideas, 16 days ago
  • Once you've noticed the lack of a pop filter you can't go back

    @fascinatingtome, 2 months ago
    • Yet nobody can point out timestamps that need editing

      @nordgaren2358, 2 months ago
    • @@nordgaren2358 As I read this, another pop that was super annoying happened, 14:26. It's constant through the video.

      @skylarkblue1, 2 months ago
    • It has a windscreen on it already. An additional pop filter is silly in this context. Also, the audio sounds great.

      @iusegentoobtw, 2 months ago
    • @@nordgaren2358 Well I did try, seems like the comment got deleted. Hm.

      @skylarkblue1, 2 months ago
  • I think these websites may have advertently or inadvertently used the same infected pypi module. Or X website also hosted their module on their own website. Or a site was exploited.

    @tutacat, 2 months ago
  • Bouncy Castle is an old cryptography library.

    @YoutubeWatcher264, 2 months ago
  • Amazing, John! Thanks so much!

    @chrisclark5135, 2 months ago
  • Just thinking about it, I have 2 things in mind. 1. How dumb are you to create an obfuscator for an interpreted language like Python where at the end of obfuscation you can have the original variable names. At least obfuscate those and do some random stuff. 2. The scary part is that 127 rounds of deobfuscation are necessary to get to the "raw" code. Theoretically the actual malware execution steps could be split and executed during the steps of deobfuscation, which can make it hell to debug and reverse engineer.

    @makkam7575, 2 months ago
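
The "turn exec into print" trick discussed above, and the 127-round point in this comment, as an added example (not code from the video, the site or any commenter): a static unwrapper that peels nested `exec(...)` layers by reducing only known, pure decoder calls found in the AST, so no layer is ever executed and multilayer wrappers are handled in one run. The wrapper shape and the sample payload are constructed here and hypothetical; real obfuscators will need more decoders added to `fold`.

```python
import ast
import base64
import zlib


def wrap_layers(src: str, rounds: int) -> str:
    """Constructed sample builder: wrap src in `rounds` exec(zlib(base64)) layers,
    the shape a simple Python "obfuscator" emits. Hypothetical, for the demo."""
    for _ in range(rounds):
        blob = base64.b64encode(zlib.compress(src.encode())).decode()
        src = ("import base64, zlib\n"
               f"exec(zlib.decompress(base64.b64decode('{blob}')))\n")
    return src


SAMPLE = wrap_layers("print('innermost layer reached')", 5)


def fold(node: ast.AST):
    """Statically reduce the argument of exec() using only known, side-effect-free
    decoders. Anything unrecognised raises, so unknown code is never evaluated."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
        return node.value
    if isinstance(node, ast.Call):
        if isinstance(node.func, ast.Attribute) and node.func.attr == "decode":
            return fold(node.func.value).decode()          # b'..'.decode()
        if node.args:
            name = ast.unparse(node.func)
            if name.endswith("b64decode"):
                return base64.b64decode(fold(node.args[0]))
            if name.endswith("decompress"):
                return zlib.decompress(fold(node.args[0]))
            if name == "compile":                           # exec(compile(src, ...))
                return fold(node.args[0])
    raise ValueError("unsupported construct: " + ast.dump(node)[:80])


def peel_layer(src: str):
    """Return the source hidden inside the first exec(...) call, or None when
    this layer is plain code (i.e. the real payload has been reached)."""
    for node in ast.walk(ast.parse(src)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "exec" and node.args):
            inner = fold(node.args[0])
            return inner.decode() if isinstance(inner, bytes) else inner
    return None


def unwrap(src: str, max_layers: int = 1000):
    """Peel exec() layers until plain code remains; returns (code, layer_count).
    Replacing exec with print only reveals the next layer and must be repeated by
    hand; this loop does the repetition without running anything."""
    layers = 0
    while (nxt := peel_layer(src)) is not None:
        src, layers = nxt, layers + 1
        if layers >= max_layers:
            raise RuntimeError("too many layers; refusing to continue")
    return src, layers


if __name__ == "__main__":
    code, n = unwrap(SAMPLE)
    print(f"{n} layers removed; payload: {code}")
```

Run it against a real sample with `unwrap(open(path).read())`; a `ValueError` means the wrapper uses a construct `fold` does not know, which is the cue to inspect that layer by hand rather than execute it.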
  • Sounds like it does something similar to that one package that got found in the AUR.

    @smedley76, 2 months ago
  • This is such a cool vector of attack, one that is exclusively pointed towards cyber researchers. Should really be more mindful when doing this :V

    @sakuchi4914, 1 month ago
  • Around 35 minutes, how did you write multiple lines at the same time? Think it was 25. And what was the editor?

    @hharris712, 1 month ago
  • I love long videos, John.

    @februalist4686, 1 month ago
  • keep it up 🎉

    @NinoValbiskoni, 2 months ago
  • The longer the video, the better. I enjoy watching your videos.

    @Nightritual1332, 2 months ago
  • "... obfuscation, this method makes it difficult for hackers to gain access to your sensitive source code." - free coding tools python obfuscator page shown at 13:57 . Obviously it does not. All it does is make it hard/impossible for much less technical people to read the code. Such as the users of that page :P I of course hate malware in the wild and anyone who spreads it. But to be honest, there's kind of a satisfying instant karma component to seeing "security by obscurity" used against the very people subscribing to that mind virus :D

    @paulthomann5544, 2 months ago
  • John the KING

    @Hybrid_Netowrks, 1 month ago
  • Using an obfuscator site is something else. If you want to hide your intellectual property there are better ways, e.g. create a web app.

    @jamalabdisalam8578, 2 months ago
  • Just to let you know, I got malware from this some time ago... Edit: I removed the malware by deobfuscating that .pyw file and came to the conclusion that my antivirus blocked it because, for example, in the task scheduler or Windows Defender exclusions the specified paths didn't exist. I still removed everything though.

    @borgo_yz, 1 month ago
  • *Sees title* Me: "It's VSCode, isn't it?" *Watches* Me: "Damn it."

    @FeckOffTeaCup, 2 months ago
    • Another Dev on my team hated VSCode. Now he's been fired for low productivity while I got a raise.

      @ZM-dm3jg, 2 months ago
    • @@ZM-dm3jg And everybody clapped

      @owlmostdead9492, 2 months ago
    • Neovim and Emacs may be the best editors.

      @wafinashwan8242, 2 months ago
    • @@wafinashwan8242 Neovim is no joke. I used to use VSCode, I tried Neovim and it really makes you do things faster, also doesn't spy on you.

      @Master120, 2 months ago
  • The Legion of the Bouncy Castle...

    @bestnewb, 2 months ago
  • great vid

    @K5RTO, 2 months ago
  • "Thangs MR JOHN HAMMOND"??

    @user-ow1vi4op4u, 29 days ago
  • Ah yes... good obfuscators blow up my 20 byte script to a 40 MB file when starting with a string like `print("Hello World")`. Nothing strange about that. Let's just copy-paste that whole thing!

    @MrRecorder1, 2 months ago
  • Sorry, I don't understand what you are saying, so may I request KZhead please translate to the Hindi language, because I don't understand. This option is very important for us, like MX Player etc. and other apps. Regards, Mehra Production

    @mehraproductionkathua9343, 2 months ago
  • @38:20 System.Reflection.Emit.ILGeneration - Very interesting to see there. I don't think it is a standard include for dotnet and would allow JIT compile of any code within the malware that is further obfuscated or was being sent back via TOR.

    @jonohiggs, 2 months ago
    • It can be used for legit purposes, like generating serializers on the fly as classes in dynamic assemblies.

      @Z3rgatul, 2 months ago
  • Looks like PHP viruses in WordPress 10 years ago.

    @kishirisu1268, 2 months ago
  • Who owns the website?

    @jvsonyt, 2 months ago
  • Casio ❤

    @Im_Blue, 1 month ago
  • Just makes my point that unless you're someone who can use a disassembler, understand source code and even decode hardware I/O voltages you cannot trust anything. Anyone got a cave going spare? 🤣

    @BsktImp, 2 months ago
  • I don't know why we're shouting!

    @bakedbeings, 2 months ago
  • Anyone know if Anaconda could have pulled a malicious package by default?

    @perroes, 1 month ago
  • John: We could open Ghidra on this code chat... SQUIRREL! Let's look at this over here in ILSpy... SQUIRREL! WHOA guys look at this sketchy code running over here... SQUIRREL! Pick a lane John XD Love, Love, Love your videos. Don't change.

    @cvall1710, 2 months ago
  • Wow, that's cool.

    @vojtechhron1528, 2 months ago
  • 10:58 what's this terminal? Anyone?

    @parshva3516, 2 months ago
    • Terminator

      @nordgaren2358, 2 months ago
  • Did you think about running the script in a virtual environment? Maybe the website will allow access to the script.

    @TheGamer_Zero, 2 months ago
  • This may be a wild guess of mine. They drop a TOR exit node, which can only be used by certain users. The Discord webhook thing should tell them when a node is up AND also send keypresses using the HID lib. So they mine XMR on the victim and also use their bandwidth exclusively for shady stuff.

    @Sypaka, 2 months ago
  • Bro is a top tier genius how in the hell. I feel sorry for any future ex girlfriends 😂

    @PlayXVIP, 2 months ago
  • Lord, this isn't 42 min worth of material.

    @GoatZilla, 2 months ago
  • The HTM file looks like a weird n-gram cipher with a corpus of HTML and Chinese (maybe???). I don't know what's happening with all of the missing spaces and the random dump of Unicode though.

    @U20E0, 2 months ago
  • Maybe their code detects if specific libraries or snippets of code exist and only activates in those situations.

    @motbus3, 2 months ago
  • The author put in so much work but ruined it by using the desktop runtime.

    @InuYasha-SitBoy, 2 months ago
  • "WOW"

    @user-ow1vi4op4u, 29 days ago
  • Why do you only use one finger to type with your right hand?

    @imbadatcod7208, 2 months ago
  • Wayback suggests the change to remove the malware happened on Feb 18.

    @richbaird9407, 2 months ago
  • w video man

    @9remi, 2 months ago
  • LOLBAS next upload, John.

    @EnLopXf, 2 months ago
  • When John disappears for 4 days you already know he's balls deep in terminals and Sublime Text editors, contracted to figure out what no one else can in the latest and biggest breaches yet! (CHANGE HEALTH, THAT'S YOU, SORRY!) I'm ready for the video John! You are a friggin genius tbh man; you can learn a shitton watching your videos and I appreciate them btw & fyi! 👌✌👍🤜🤛

    @BuyMore88, 2 months ago
  • I wanna guess what the malware shall do: 1. After setting everything up, it connects to the wallet via Tor due to the specific notes 2. Cryptomining 3. Reporting status to a hidden DC server (maybe also due to the noted Tor notes)

    @julianweber1113, 2 months ago
  • ❤❤❤❤

    @MdHannan-qg8pq, 2 months ago
  • ❤❤❤❤❤❤❤❤❤

    @donnabuckalew-wagner6431, 2 months ago
  • The amount of scammers using discord as a free less-traceable server is unnerving

    @tutacat, 2 months ago
  • Why is there a whole lot of nothingness at the end of the video?

    @centdemeern1, 2 months ago
  • Look at the keyboard and type with only one finger? I was told that you can't be successful unless you don't look at the keyboard and type over 75 wpm.

    @DM-qm5sc, 2 months ago
    • you were lied to

      @outtakontroll3334, 2 months ago
  • 3rd!😃

    @carsonjamesiv2512, 2 months ago
  • Takes too long to get to the point.

    @SkyRiderJavelin, 2 months ago
  • Yes yes yes implode yes

    @fadiallo1, 2 months ago
  • Dag

    @drew5367, 2 months ago
  • 2 hours ago

    @wafinashwan8242, 2 months ago
  • It's called Ob-fuss-cator not Ob-fuse-cator.

    @YTChannel344, 2 months ago
    • Noooo

      @pmcgee003, 2 months ago
  • "obfyewwscate", you say?

    @NyscanRohid, 2 months ago
  • You destroyed the channel. Where are the CTF videos? I started watching you a long time ago, only for CTF, and now I am not watching anymore. Do more CTF videos.

    @nchapkanski, 2 months ago
    • Would you like just anything from CTF time, or like TryHackMe/HackTheBox/practice wargame sites?

      @_JohnHammond, 2 months ago
    • @@_JohnHammond hackthebox

      @nchapkanski, 2 months ago
  • Why are you yelling?

    @MagicPlants, 2 months ago
  • One more reason people should stop using Python for anything important.

    @UltimatePerfection, 2 months ago
    • More importantly, a good reason to stop using code you let a foreign agent encode without having an idea what it's turned into.

      @jamalabdisalam8578, 2 months ago
    • Python is not the issue. It's designed to promote legible code, the exact opposite of obfuscation, which on the other hand is highly suspect. Trusting someone else with manipulating your programs like this is also absurd from any security perspective, which are the only ones where the operation could be motivated to begin with.

      @0LoneTech, 2 months ago
    • @@0LoneTech Exactly. And this is why it's a favorite language of the spineless beancounting PHBs dreaming of replacing their staff with graduates that will do the same work for less. A good programming language promotes job security over code legibility, because as soon as someone else understands your code, you can be easily replaced. That's why Perl should be used instead - not only is it way faster than Python will ever be, but it also provides natural facilities to ensure that the company you work for cannot fire you, or their software will not be able to be maintained anymore and would need to be rewritten from scratch (a huge cost compared to keeping you employed).

      @UltimatePerfection, 2 months ago
    • I read your latest reply. Uhhh, sir: what if I'm sending my goddamn code to be open source??? Like, it's not just bean counters that need it to be legible!!! What if you're part of a team, or, again, want your code to be open source? You are making a bad argument for your preferred language; you are pretty much admitting that, because you don't want to be fired, you'd kill other developers' time... Just to try and screw over the big guys? Seriously, dude.... If you wanna really fight the big folks, don't make your code unreadable just to work for big tech; make good, open source alternatives that are BETTER than what they have (don't forget to use the GPL, so in case they wanna use your code they need to open source their project). In short: don't mess with other folks in your position just to mess with the big guys. Do something that allows you to work with them so you can do a more direct attack.

      @MrMeow-dk2tx, 2 months ago
    • @@MrMeow-dk2tx Then you can make it legible yourself by following good practices. But under no circumstances should you be FORCED to do it.

      @UltimatePerfection, 2 months ago
  • You would get more views if you include more viewership, this channel is basically a honey pot for idiots to commit crimes and get caught. You'd get more views if you included how to not get scammed

    @nickadams2361, 2 months ago
  • You stopped going through the DLLs right before the last one in the list, the c2hash_00061952.dll.cs. That file is not a DLL, but is actually a .exe that was renamed to a .dll. That was probably the "main" application that gets run here.

    @MadManMarkAu, 2 months ago
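
A quick way to check the point in this comment (a ".dll" that is really an ".exe") as an added example, not code from the video or the sample it analyses: the PE/COFF file header carries a Characteristics field whose IMAGE_FILE_DLL bit says what the linker produced, so the extension proves nothing. The header bytes below are constructed for the demo and the file name is a placeholder.

```python
import struct

# COFF Characteristics flags from the PE/COFF specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def pe_kind(data: bytes) -> str:
    """Classify a PE image from its headers alone: 'dll', 'exe' or 'not-pe'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    *_, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "not-pe"  # an object file, not a linked image
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def extension_matches(filename: str, data: bytes) -> bool:
    """False when the extension disagrees with what the header says the file is,
    i.e. the renamed-EXE case from the comment above."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return pe_kind(data) == ext


def build_fake_pe(characteristics: int) -> bytes:
    """Constructed minimal PE: DOS header with e_lfanew, signature, COFF header.
    Only enough bytes for pe_kind(); it is not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Placeholder name: an EXE image that someone renamed to .dll
    renamed = build_fake_pe(IMAGE_FILE_EXECUTABLE_IMAGE | 0x0100)
    print("renamed_sample.dll header says:", pe_kind(renamed),
          "| extension consistent:", extension_matches("renamed_sample.dll", renamed))
```

For a real file, `extension_matches(path, open(path, "rb").read())` gives the same verdict.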
  • Next time, keep going. 6 hours straight or bust. We all watch Joe Rogan and Dr. Jordan Peterson because they do 3+ hr videos. Step it up!

    @realdestr0yer, 2 months ago
  • It's called MS Code, right?

    @marysbigpimp, 2 months ago