wanna learn assembly? check out my courses at lowlevel.academy

Maybe they left the debug symbols because they knew that even when you disassemble it, you won't be able to extract any information that could help the victim. I.e. it was a "flex".

Honestly, the large font size is useful on larger screens as well! Much, much easier to read.

Considering the part that causes actual harm is an unobfuscated *bash script,* it's pretty safe to say that leaving symbols in their generic encrypt/decrypt binaries wasn't a consideration.

They made the binaries easy to use because they wanted you to know that there is no backdoor, you need to get (ie. pay for) the private key.

Keep the cybersecurity stuff coming 😎

Great video, this has been on my mind though: Why would a ransomware writer want to obfuscate their code? If their main goal was to collect ransom, and the program was cryptographically secure, wouldn't they want to lay out everything they did in an easy to understand way? Beeing able to see exactly how I was pwned would give me at least a little bit more confidence that I would get a key in exchange for money.

Thank you for the big fonts!! I wish the other KZbinrs would do this more: I only consume content from my phone and it’s always hard to read.

Thank you triple L. Loving the cyber security content! Keep it coming.

This part of the malware is not the valuable part. This is just some basic encrypt / decrypt software that probably took them like half a day to make. Hell I'm surprised they didn't provide a readme / documentation for how it works. After all, their goal is to convince you that you'll get your stuff back if you pay the ransom. The real important part is how they got the files onto your server and ran them. That's the secret part that I'm sure they'd want to protect.

Thank you LLL

Great video! 4:14 Large font is very much appreciated but 64 pt is maybe a tad TOO large. 48 pt or 56 pt might be a better compromise. 5:32 Also, maybe make your camera be a slightly smaller circle and move it up to the right so it doesn’t obscure the code

I think they can leave the debug on because anyone analyzing the binaires will just learn that he cannot actually decrypt the files without the private key. The sooner the victim realizes that he cannot decrypt the files without the private key, the better for the scammer. The scammer could truly send the source code that it wouldn't matter. As for obtaining the private key form the public key, that is possible in theory. However, you won't be able to find the private key in practice unless the key is way too small (which is unlikely) or has been made by a program that is way way too predictable in how it generates its keys (and you know or guess that that program has been used to create the key) . You could wait until quantum computers with as many quantum bits as the public keys are a real thing (and boy that will be a mess when they reach that stage...) but that might be a long wait... As for using modern supercomputers, you are very unlikely to find the private key with them unless it was generated using some weak algorithms.

very nice code! I've seen corporate code that looked worse than this malware. Also: security lives from openness. The symbols were left in, so you could read it. And if you had found a bug, only then they could have improved your malware ^^

common lowlevellearning W

3:57 *Missing summary:* There are two types of encryption: * symmetric, and * asymmetric. *Symmetric* cryptography uses the *same key* for encryption and decryption. *Asymmetric* cryptography has the *FULL key split in half:* a public key and a private key.

I just wanted to take a moment to express my appreciation for your incredible KZbin channel. Your dedication to teaching low-level programming concepts and techniques is truly inspiring,. I would love to hear your personal story about how you learned reverse engineering, and any tips or advice you have for people who are just starting to explore this topic, and thank you.

They can run just string reversion, for example taking some strings from the end of file and putting it to the start of file, so you cant open it, and mention that it's strongly encrypted. ive got a ransom like that once. Its time saving, when you need to corrupt large amount of data, before ransom to be found

They bought the code. They didn’t write it themselves and must pay a fee to the script writer. The signatures are to ID the program and who must be paid.

Was the "encrypt" command really malware though? It looks like a useful cli tool for legitimate purposes, and maybe it's open source software that they pulled off someone's github - in which case they wouldn't care if someone gets into the source code.

You know what people I commented on a lot of videos about not being able to read them and stuff. This is the first content creators that I ran into that's actually blown it up for the people that have to use the phones that are too poor for the internet. So just content creator on the sign up for that thank you for considering us is part of your viewing group.

If all universities taught like this, we would have a much difficult time getting jobs...

As a cell phone user i love that you made the font larger 🙃 i appreciate your thoughtfulness

I think, even stripped binary without debug info would have symbol table. Due to external linkage in C/C++ for main function, you'll see it there as it is required for possibility of late symbol resolution (e.g. substituting original main with something else during run-time).

Thanks LLL, not mobile, but legally blind. I was able to read your 64 point font. Since they built the encryption right, it doesn't matter that they didn't strip the binary … all that does is tell you that if you pay, they CAN actually decrypt your data. OTOH it also tells you that once they give you the key that decrypts you, it probably decrypts everyone hit by this malware. That actually poses an interesting thought if I were a malware author myself-a ransom pool. By the time the ransomware is spreading, the servers that'll release the key have already been set up and will never be touched again. If the thing spreads fast and the ask is relatively conservative, a large entity hit hard might have just paid it by the time smaller fish get infected. The malware in that case may just suicide with a "you got lucky" message. Meanwhile before anyone's looking for the bastard who wrote it seriously, they've already cashed out and vanished. IDK why anyone would do that, but it'd be damned hard to catch the people doing their "one-time" heist. Especially if they truly did just do it one-time.

It seems like the authors took "security through obscurity isn't security". I mean, having it not obfuscated probably lets the victims know there is no other way than paying up, and prevents wasting everyone's time I guess. And it also makes it abundantly clear that the only way out is the private key, and could also be a way to tell "lmao it's so simple, babies could write this encrypt binary, get rekt lol", so maybe a flex there too, I guess? This shows that the actual "malware" isn't advanced, the way they got it in is. And honestly, bringing light to this is the good part. Because let's face it, most OSs these days have good protection. The only "vulnerability" is probably the organization and/or the humans in the gears.

I have been coding in assembly since the late '70s, working with processors like 8088/86. One effective method to avoid dealing with semi-script kiddie activities is to restrict access to specific files through a tunneling script stored in the RAM. There are various ways to achieve this using concise code snippets. It seems like the world has it backward; instead of preventing such issues with straightforward methods, many rely on extensive, advanced, and expensive antivirus software. What's the point?

Conclusion: Nothing weird or unexpected. On a side-note, if more linux programs were made this way, where they scan for the libs they need and then check each lib to ensure it has what they need, they'd save people a lot of headache with the perpetual fail of libs and their dependencies, and the various versions of them, which often make it difficult to produce an executable that "just works" regardless of the distro.

The way the ransomware is encrypting--ie. making the symmetric key with their public key, and then they supply the corresponding private key to that when someone pays--doesn't that imply that the first person to get that private key could decrypt anyone else's ransomware-encrypted files? ie. Their algorithm does not employ perfect forward secrecy.

LLL Is the best! Thank you! Just a question, the name of disassembler software that you use is "Ghidra" ?

As someone who often watches on his phone, I appreciate the effort, but you don't need the font THAT big. If you're watching a programming video in portrait mode on your phone you're doing something wrong. Also, "with debug_info, not stripped" LOL. I'm no infosec/reverse engineering guy, but seeing that in malware is hilarious.

As someone who's recently been getting into the low-code/JS space due to work, this was very interesting, as you covered the main functions and described what they do, leading to better understanding! Got a subscribe from me.

Thank you LLL!!! Seriously bro, that move is next level! That is how you take care of the peeps consuming your content. This is the first video I have seen of yours but I have subbed and liked this vid. Keep killing it!

Thank you for the font size! - and also for the great content in general 🙂

ok, I'm very happy that (at least until you put it in the disassembler) you didn't run this under GDB. I'm a gdb developer, this is a public service announcement: As much as we would LOVE to make gdb safe to just look at a file without executing it, it isn't safe to do that just yet. We have a few issues in how we read debug information. Maliciously crafted debug information can at the very least cause your GDB to crash, and while no one ever managed to prove that those crashes lead to controllable memory corruption or code execution or whatever, no one ever manage to prove it _doesn't_... so for the time being, if you wish to look at an untrusted binary - even if you just look at it statically - sandbox your environment. And if you wanna see how something ticks with GDB, it's literally as secure as running it raw, we perform no security controls whatsoever.

Hey, cybersec engineer student here poking around with reverse engineering. Love the quality of the content! I'd love to try and apply my knowledge on some malware reversing. Is there any (softly) obfuscated malware that you would recommend to play with?

Thank your triple L

If they give you the private key, wouldn't that mean that you could just share it and everyone else will be able to decrypt their files? Also, I think the thing I was most curious about was how they encrypt the file in place. The cryptography stuff seems like they are just using standard stuff, seems unlikely they would mess up there. BTW, wouldn't they want for people to be able to inspect the code at some extent? If you are confident that the code will actually recover your files you're more likely to pay than if you suspect the files may just been overwritten entirely and are now impossible to recover. Leaving debug info may be intentional. There's nothing to hide there anyway, they are doing exactly what you'd expect and the only solution is paying them.

4:06 - what? no. You encrypt using the public key, needing the private from them. - If you encrypted with private key, you could decrypt it with the public key :D (if it's possible at all) EDIT: yeah, ok, sorry, you corrected yourself. It was just a slip of the tongue.

They don't care if you have the encryption/decryption algorithm since it doesn't do much good without the private key. It seems unlikely they're "mad at you". Still, an interesting video.

Thanks for putting up with the large font, certainly was appreciated. Cheers ~Smile oN

Why should they strip their code? If it is secure, then this information is useless anyway?

@4:20 ,while watching from phone, Thank You. :)

They use rsa_encrypt directly on a blank symmetric key? Did you check the public key for having a low exponent e? If it's 3 or 7 you might just be able to take the 3rd or 7th root of the value to get the symmetric key out.

I'm just smart enough to hear you speak and know that I'm not smart enough to understand 90% of what you said. Whatever you're doing, keep it up

Thank you triple L! Excited for more rev content! Also binary exploitation and other cyber subjects would be cool

Well they are certainly going with the No Security Through Obscurity Principle.

they left the debug info to prove that if they give you the private key, you can build a decrypter by yourself, so you know that there is something to buy. quite smart. also if you buy the decript key but you don't have a way to verify or build by yourself the decrypt program, the effort to write a decryptor could be significative and also you may not trust the decrypted data and then make less likely to buy the key. i think that it is really to make you to buy the key, and it is a very smart move.

If you're confident that your encryption is good then not stripping the binary will just help security analyst tell their clients that they indeed would need to pay to be able to decrypt it faster. Ransomware is a full-on business at this point.

Thank you LLL, as a mobile consumer it’s appreciated

The large fonts are great. This is the first malware video I've ever seen. I'm very glad that you're a white hat guy! Keep up the good work.

So the only weird thing was the presence of debug symbols? I was expecting _a lot_ more with such a clickbait title. This ended up just being a walkthrough of the most basic steps for how _ordinary_ encryption/decryption works, and barely even that.

Another here who likes the large font. I watch via casting to my TV and it made everything nice and easy to read. No squinting required. Thanks!

love this type of content !

With debug info not stripped, that's luxurious :D Also, thanks youtube algorithm for recommending this!

Love your LL system-related content, could you do one regarding how to use the core dump of a segfaulted C executable? I'd love your explanations on that.

Who in here also expected him to find a flaw in the code and managed to decrypt the files for free?

The .pem file in the encrypt argument list gave everything away, even without the debug info.

why should the attacker care if you reverse engineer their binary? 2:47 - They don't want you to find the vulnerability that gave them exec permission on the host. And they don't want the channel used for money transfer to lead to their identity. That's all. - Antivirus people will find a way to fingerprint the binary regardless of it being stripped or reverse engineered or what not. - If the data is "properly" encrypted, it doesn't matter that you know the alg - without the key you cannot do anything anyway.

I'm on the toilet with my phone on hand really appreciating the fontsize. Thank you Mr. Triple L

People who got hit by this ESX attack should be fired. The version that was touched by this attack had been release in december 2020 for 7.x and february 2021 for 6.7 ! They were a year late in patching

My guess is the malware author intentionally left the debug symbols for analysis, so it would be obvious upon review that the victim was indeed screwed! Curious what an openssl dump of the public pem file would reveal??

Good stuff. Still eagerly awaiting part 2 of the baby monitor pen testing too 😉

It makes a lot of sense to leave ransomware easily reverse-engineered, because it helps prevent a few of the ways the scam can fail if the victim suspects the ransomware isn't being candid -- about what it actually did to the files, or whether it's actually worth paying up in the hopes the decryption key they receive works. Keeping the malware easily inspected, a savvy victim can assure themselves that (a) the encryption _is_ reversible, the files aren't just scrambled to "look" encrypted, (b) there's no "stage 2" to the malware when they run the decrypt binary, (c) the encryption itself is sound, with no way to defeat it except by actually obtaining the key from the hacker, and (d) the files themselves probably haven't been exfiltrated, so there's no PII dump that'll be putting them in the news in a few weeks even if they _do_ pay up.

The concept of the series is nice but the example is not great. You can tell exactly what the binaries do just from looking at the shell script, and it doesn't really help to have debug symbols etc because what you really need is the private key. They pretty much could have done the same thing using readily available cli tools. It would be nice if you could show examples where reverse engineering lets you fix the damage because they have done something stupid like embedded the key in the binary etc, but I don't know how easy it is to find examples of that kind of thing.

Ok, I didn't expect a simple open bash script doing a lot of it. Possibly explains why there was a lot of seemingly rookie moves in the encryption code. I suppose it does what it needs to do to accomplish what they're trying to get done. It will be enough to get a result from most people and businesses.

Correct me if I’m wrong (probably am) but the random bytes is the initialisation vector for each chunk? (9:20)

As someone that binges these during downtime while not at my pc I appreciated the larger font

I would love to see death penalty for those who write ransomware and malware.

So we're a further four years down the road from when this was first published on KZbin, and it is more on point than ever, Italy has once again elected a fascist leader, the USA is literally torn in half by misinformation, and hatred, and the lie still thrives, and Russia, of course, has decided to re Annex countries they once occupied as part of the Soviet union. Your work presented here, is a reminder of how easily it is to deceptively lead people to extremism, forcing the idea that it is their only way for survival. This was done in the thirties, without the entrancing tools of social media, I wonder what chances we have today. Thank you for making this.

I haven’t a clue what you just did or either do I understand what you said, but I still appreciate your knowledge, and respect the fact you’re always trying, and most instances succeeding, to be one better than the people who cause so much misery to so many people. Thank you 🙏

The faster they know that the cryptography is sound the faster they pay

I had an email from a scammer telling me they had my password. They did, but it was a very old one that I only use for unsecure networks where I have to log into crap I don't want to use that I only use there. I remember the email was "I have my malware in your modem" or something "you can try to change your password but I will catch it every time". He demanded bitcoin and then he's go away, and "don't be mad, we all have our jobs". Seriously, who tries to pass off such disgraceful attacks as "just doing their job"? Obv the scum never got a penny.

Thank you LLL for the readable font size. I watch on monitor and mobile. Nice to have programming oriented channels that you can view on the bus 🙏

Thank you LLL. Fascinating stuff, can barely follow it ( last time I "played" with code was Dos. LOL. Yeah, old). But its nice to see a pro work.

Thank you LLL, my eyes appreciate it.

So basicly remove the option to set a private/local key without permission and 90% of all programs dont work anymore xD

Hey Lx3, thanks for enlarging the text so I can see it on my phone. Not that I have any idea what any of it means, it's just nice to know that you're thinking about your audience. Good form, brotha. Bravo.

imagine when AI starts writing viruses and malware and it starts infecting everyone's divices. "you humans think you're so smart. you aint sh*t, watch this..." *infects almost every device in existence with malware*

Loved what I could watch of the video, but KZbin was running 30 seconds of ads for every 1:30 seconds of content. It just made the video unwatchable.

Thanks for the large fonts, I am now enjoying your videos from bed before going to sleep 👍

You could just get the encryption key, by looking at the changes made to the magic number of each file type

I could not follow anything in this video, it could have been in Swahili as far as I'm concerned but still, I subbed, liked and watched the entire thing because it was fascinating! And because you asked, thank you LLL!

Nice! I look forward to seeing more security related content on your channel! Thank you for supporting our community! 🧠🏴‍☠

Thank you triple L. I went down a youtube rabbit hole and found a cool video with a cool creator (facial hair game is on point btw) who's considerate to their viewers. Y'all are cool

Thank-you LLL! Not on mobile, but on TV, and eyes appreciate readability.

props to you for including mobile/partially blind accessibility

Man, what a nest of if statements. The best thing they did to hide their code was to nest it unti it was unreadable.

I wonder why KZbin suggested me this video. If KZbin had suggested a video about how to read Ancient Sumerian tablets, I would probably understand it more than this.

Thank you, LLL. I appreciate the large code font! It doesn't looks cursed as a video.

Thank you for the big fonts, makes it more accessible, I have difficulty reading small fonts!❤

TY for blowing up that font so I don't have to turn on my other machine while I'm working.

This type of hacking should be considered a capital crime especially when critical infrastructure, banking, governmental or health agencies are hacked.

back around 2014 I started seeing a lot of decisive memes on social media. I usually tool about 10 minutes with strings to isolate the localization info for the software used to edit the image. I was not surprised to find Chinese and Russian locale codes and quite surprized to find Hebrew and Macedonian localization in a lot of the memes

I think leaving symbols is a good idea. If someone were victim to this ransomware and had the technical background to look at the code- that means they're being given confidence/trust that when you buy the key, it can/will actually decrypt the VM. Since it's encrypting VM's, it seems likely that they're attacking organizations where its quite plausible that someone could find this. Moreover, they didn't seem to have forgotten to remove symbols, they seem to have explicitly included an instruction to keep the symbols?

THANK YOU TRIPPLE L! JUst found your channel today I love it I don't even code.

Thanks LLL for the mobile code display. I just subscribed because I have low vision and it helps out a lot when creators go to that lengrh for us.

I'd be interested in how they get the RSA pubkey to the script in the first place. They must have distributed a bunch of separate pubkeys or else the first guy who pays the ransom could just share the private key with everyone else. Wannacry did a more sophisticated job of this -- it made up random keys just for you, encrypted those, then you'd send them in with your bitcoin to get them decrypted. In theory, anyway.

I usually watch youtube on mobile, and when I'm watching tutorials I watch on my smart phone while I code on my laptop, I don't have a second monitor

So what was the weird thing you found? That the debug into was left in?