Did someone send me MALWARE to Code Review??




This video is sponsored by Brilliant.
Comments

New series : Cherno reviews your malware and fixes bugs to make it mega effective

MattThomson

One obvious and straightforward thing that you didn't do is to use the same online tool to check the binary you compiled from the source code. If it's flagged in the same way, then you can at least assume the source code includes whatever was flagged. Much easier to figure it out from there, instead of trying to read decompiled stuff.

starchsky

Really appreciate Cherno's honesty. I feel like lately most tech content creators have a hard time admitting they don't know everything. Refreshing to hear him literally say "I don't even know what any of this means."

PledgeBass

I recommend doing all code-review work in a virtual environment like VMware or VBox; once you finish, immediately delete that virtual environment.

almatsumalmaadi

Send it to Low Level to look at; security/reverse engineering is his thing, and that could be a cool video with you both.

ssmith

Keep in mind you ran their premake.exe, not sure if you checked that file

QuerijnHeijmans

That email was definitely written by an LLM. lol.

zoeherriot

My theory is that the code was broken (commented out, precompiled headers, etc) to force you to "give up" and run the precompiled version

Quique-szuj

OMG Cherno, I know you're not a security expert, but:
1. You didn't look for network functions/sockets
2. You completely disregarded the "password123" string
3. You could have actually run the .exe in a VM and analyzed the network traffic with wireshark

Any trojan, crypto or not, will try to call home.

perkele

12:02, and that's exactly what you see happening in some of John Hammond's malware analyses: strings being encoded in various elaborate ways to make sure they are harder to spot. Stuff gets base64 encoded, every character is stored separately and appended in memory, lots of stuff.
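The two comments above (Quique-szuj's "look for network functions/sockets" and the "password123" literal, and perkele's point about base64-encoded strings) describe the first pass an analyst makes over a suspicious binary. The script below is an added example and is not code from the video or from either commenter: it runs a `strings`-style extraction over a constructed byte blob, flags Windows networking API names and suspicious literals, and tries to decode any token that looks like base64. The API list and the word list are assumptions for triage, not an exhaustive signature set, and the sample blob is constructed here, not a real sample.

```python
import base64
import re

# Constructed stand-in for a binary: filler bytes, a few plain strings, two
# Windows networking API names, and one base64-encoded string. Not a real sample.
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00"
    + b"password123\x00"
    + b"WSAStartup\x00connect\x00InternetOpenUrlA\x00"
    + base64.b64encode(b"http://example.invalid/gate.php") + b"\x00"
    + b"\xff\xfe" + b"Hello\x00" + b"\x03\x04"
)

# Assumed triage list: APIs a program needs before it can "call home".
NETWORK_APIS = {
    "WSAStartup", "socket", "connect", "send", "recv",
    "InternetOpenA", "InternetOpenUrlA", "HttpSendRequestA",
    "URLDownloadToFileA", "WinHttpOpen",
}

# Assumed list of literals that deserve a second look in a hobby project.
SUSPICIOUS_WORDS = ("password", "wallet", "seed", "discord", "token")

_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_strings(blob: bytes, min_len: int = 6):
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def decode_base64_candidates(strings):
    """Map base64-looking tokens to their decoded text when the result is
    mostly printable; random-looking decodes (identifiers that merely happen
    to be valid base64) are dropped."""
    found = {}
    for s in strings:
        if not _B64_TOKEN.match(s) or len(s) % 4 != 0:
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw and sum(32 <= b < 127 for b in raw) / len(raw) > 0.9:
            found[s] = raw.decode("ascii", errors="replace")
    return found


def triage(blob: bytes):
    """First-pass string triage: network imports, suspicious literals,
    and decoded base64 payloads."""
    strings = extract_strings(blob)
    return {
        "network_apis": sorted(s for s in strings if s in NETWORK_APIS),
        "suspicious": sorted(s for s in strings
                             if any(w in s.lower() for w in SUSPICIOUS_WORDS)),
        "decoded_base64": decode_base64_candidates(strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

On a real file, replace `SAMPLE_BLOB` with `open(path, "rb").read()`; a hit in `decoded_base64` is exactly the kind of thing the strings view in Ghidra will not show you directly, because the plaintext only exists after decoding.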

RC-

It has been a while since I was into malware analysis, but any serious malware is going to be packed, virtualized and/or encrypted, which makes reversing and analysis a lot harder. Ironically, these are the exact same techniques some legitimate software employs to attempt to avoid piracy.

gnanaitvara

You should contact John Hammond to check it out. This is his field basically.

nitrous

Btw, for those of you who haven't used Ghidra: it's freaking magic. I used it to apply some binary patching to my Firefox on my Linux machine, so I wouldn't have to build it from source every time (it was just a matter of returning a nullptr at a specific place in the code, and Ghidra could find it every time). And what's more fantastic is, Ghidra could actually provide some level of "source code" analysis even for release builds.

The people at NSA that wrote this are *incredibly* talented. It's like, I am envious because it feels like the rest of us are just never going to be that talented.

simonfarre

>be 11
>get AI to write your code
>get AI to write your email
>reach adulthood
"Why am I illiterate and why can't I code?"

superscatboy

Someone expressing themselves as an 11 year old in an email is already suspicious on its own, but deleting the repository without a heads-up is definitely real bad

I think it's best that you get a cybersecurity expert on this and do a full system scan; too many security concerns lining up.

therealsyncro

You know you can compile the source code and compare binaries, like, automatically? On Linux there is an actual command-line program that compares any two files. If the binary you compile is the same, you can analyse the source code; you will lose nothing.
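MattThomson and therealsyncro both suggest the same check: rebuild the program from the published source and compare the result with the executable that was shipped. The script below is an added example, not code from the video or from either commenter. It hashes both files and, like `cmp -l`, reports the byte ranges that differ; the `tolerated` threshold and the three constructed sample files are assumptions made here. The caveat it encodes is that a non-reproducible build will normally differ in a few header bytes (a build timestamp, a debug GUID), so "not byte-identical" alone is not a verdict; large or appended differences are what matter.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed samples: a 1024-byte stand-in for "our" build and three
# hypothetical shipped files (identical, a 4-byte header difference, and
# one with 300 bytes appended). None of these are real binaries.
REBUILT = bytes(range(256)) * 4
SHIPPED_SAME = bytes(REBUILT)
_ts = bytearray(REBUILT)
_ts[8:12] = b"\xde\xad\xbe\xef"           # e.g. a differing build timestamp
SHIPPED_TIMESTAMP = bytes(_ts)
SHIPPED_EXTRA = REBUILT + b"\x90" * 300  # extra content the source never produced


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) byte ranges where a and b differ. A length
    difference is reported as a final range covering the extra tail."""
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    end = max(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, end))      # mismatch runs into the tail
    elif len(a) != len(b):
        ranges.append((n, end))          # prefix matched, tail is extra
    return ranges


def compare_builds(shipped: bytes, rebuilt: bytes, tolerated: int = 64) -> Dict:
    """Compare a shipped binary with one rebuilt from the published source.
    'identical' means the source fully accounts for the binary; 'small-diff'
    means only a few bytes differ (consistent with timestamps and build IDs
    in a non-reproducible build); 'divergent' means the shipped file contains
    material the rebuilt one does not, which is where analysis should focus."""
    ranges = diff_ranges(shipped, rebuilt)
    differing = sum(e - s for s, e in ranges)
    verdict = ("identical" if not ranges
               else "small-diff" if differing <= tolerated
               else "divergent")
    return {
        "identical": sha256_hex(shipped) == sha256_hex(rebuilt),
        "shipped_sha256": sha256_hex(shipped),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "diff_ranges": ranges,
        "differing_bytes": differing,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, shipped in (("same", SHIPPED_SAME),
                          ("timestamp", SHIPPED_TIMESTAMP),
                          ("extra", SHIPPED_EXTRA)):
        r = compare_builds(shipped, REBUILT)
        print(f"{name:>9}: {r['verdict']:10} ranges={r['diff_ranges']}")
```

For real files, read both with `open(path, "rb").read()`; a small, localised difference can then be checked against the PE header offsets, while a "divergent" verdict tells you to send the shipped file, not the source, through the online scanner MattThomson mentions.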

РайанКупер-эо

When a Microsoft detection ends in "!ml", it means they detected it with machine learning, meaning it's not always correct, but likely is.

ermilburn

Fun fact: statically linking MinGW libraries (especially pthread) under Windows notoriously causes false positives, even in well regarded antivirus software. There's just something in the binaries that MinGW generates that trips up heuristic tests.

SylvanFeanturi

As a forensic investigator analysing malware daily, this video was quite amusing (not in a bad way): seeing you analyse it with a slightly different mindset.

Henoik

There's a service called Triage that lets you test malicious executables in a sandbox VM that's heavily monitored, meaning everything that happens will be recorded and logged, which makes it pretty easy to see what it's doing.

backhdlp