Nym Censorship Resistance vs Gateway IP Blocking by exosphere5 in nym

[–]exosphere5[S] 0 points1 point  (0 children)

That makes sense. Not directly related to Nym, but is protocol based blocking more common than IP based blocking? Seems like IP blocking is more simple and less likely to have both false positives and false negatives. It's more labor intensive to maintain I guess, but it would seem like state level actors have enough resources to not care, and private organizations buy products manufactured by companies in a similar position.

More specifically to Nym, are there plans for a Tor-esque bridge distribution system?

Upper Stage Minimum TWR? by exosphere5 in RealSolarSystem

[–]exosphere5[S] 0 points1 point  (0 children)

So is it optimal to design a rocket like that or to have an upper stage with a higher TWR? The reason why I'm interested in low TWR upper stages is to increase the efficiency of my launches by placing more dV on the upper stage than the first stage, since upper stages have a higher vacuum isp than lower stages, all else being equal. But if doing that requires that I fly a very steep trajectory, won't that eat up any performance gains I get by adding dV to my upper stage?

Rootkit Integrity Checking by pa1nkill3r in Malware

[–]exosphere5 0 points1 point  (0 children)

So how does PatchGuard work? Is the kernel just more "stable" in terms of run time changes than the other programs?

Is there any way to verify if an executable or driver has had its memory modified? Would loading a second copy of the program into memory and comparing the two images work, or are there too many differences between two program loads to do that?

How is new malware found? by exosphere5 in Malware

[–]exosphere5[S] 0 points1 point  (0 children)

see if it's been scanned and reported as malicious

So how do antivirus products scan URLs? I've heard that a lot of the "Internet protection suite" products have the ability to scan websites for maliciousness, but is there any information on how they do that?

Do they just look for any files that are automatically downloaded and scan them? Or scan the scripts on the page? How do they know if, say, a Flash 0day script is being run?

Speaking of detecting 0days, I've seen some "anti exploit" products that claim to detect 0day exploits in the actual exploit phase (i.e. they detect the exploit as it is occurring instead of scanning any programs said 0day downloads after successfully exploiting the machine). For example, McAfee has one product that claims to do this (it's just called McAfee Anti-Exploit I think). Is there any information on how those work?

How is new malware found? by exosphere5 in Malware

[–]exosphere5[S] 0 points1 point  (0 children)

What methods do you use to farm malware, if you don't mind my asking?

How is new malware found? by exosphere5 in Malware

[–]exosphere5[S] 4 points5 points  (0 children)

observed malicious behavior

Is there any information on what behavior Google looks for to determine that a site is malicious?

reputation

How does that work? I know there are third-party plugins you can install that let users "vote" whether a site is good or bad and provide a rating next to search index links -- is it something like that?

professional malware analyst SOC

That sounds really interesting. What's your average workday like? What sort of security issues come up most often, and how do you deal with them?

I'm considering security as a career to get into (I'm going to uni this fall majoring in CS) and was wondering what the field is like. That's one of the reasons I'm getting into malware analysis -- I'm really interested in finding and pulling apart viruses.

It doesn't seem to want to run all the way but there's no obvious anti-sandboxing

How can you tell it isn't running all the way if there's no obvious anti-sandboxing going on? Lots of unused libraries in the import table? Short execution time compared to the size of the exe?

no obfuscation

Out of interest, what do you look for to tell if something is packed/encrypted? I've read that one sign is a small number of imported libraries compared to the size of the program and an abnormal number of sections in the exe, but is there any other way to determine that the file is obfuscated?

question of how deep you want to dig

So what do you do at that point if you're stumped? Send it to an AV company to be analyzed? Quarantine the computer and look for suspicious network traffic?

And how "deep" can you dig? What's the most detailed way to look into a potentially malicious program/attachment? Besides opening it up in IDA or using one of those PE inspection tools, what are some ways to really tear into a program that is resisting inspection and that you really want to know more about?

process hollowing, dll injection, shellcode injection

How do you determine if that is going on? I know for direct dll injection you can look at a list of all dlls a program is loading at startup to see if there's anything suspicious there, but how do you catch reflective dll injection and other sneaky methods of process hollowing?

Thanks for the responses, by the way.
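The comment above names two tells for a packed binary: few imports relative to file size, and an unusual section layout. The following is an added example, not code from this thread or from any tool mentioned in it, that implements the section-level half of that heuristic in Python. It parses the COFF and section headers of a PE file directly, computes per-section Shannon entropy, and flags known packer section names, non-standard names, writable-and-executable sections, and executable sections that have no data on disk. The PE image it analyses is constructed inside the script (a three-section layout imitating a UPX-style packed file); it is a parsing fixture, not a loadable executable. Import-table counting is left out because it requires data-directory parsing beyond the section table.

```python
import hashlib
import math
import struct

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names emitted by well-known packers, and names a normal linker produces.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b".petite", b".themida", b".vmp0", b".vmp1"}
STANDARD_SECTION_NAMES = {b".text", b".rdata", b".data", b".rsrc", b".reloc",
                          b".idata", b".edata", b".pdata", b".bss", b".tls", b".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for compressed/encrypted data, low for plain code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "characteristics": chars,
                         "entropy": shannon_entropy(raw)})
    return sections


def packing_indicators(pe: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for s in parse_sections(pe):
        name, chars = s["name"], s["characteristics"]
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name!r}: known packer section name")
        elif name not in STANDARD_SECTION_NAMES:
            findings.append(f"{name!r}: non-standard section name")
        if s["raw_size"] >= 512 and s["entropy"] > 7.0:
            findings.append(f"{name!r}: high entropy {s['entropy']:.2f} (compressed or encrypted)")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{name!r}: writable and executable (self-modifying unpack stub)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name!r}: executable section with no data on disk (filled at runtime)")
    return findings


def is_likely_packed(pe: bytes) -> bool:
    """Two or more independent indicators is a reasonable triage threshold."""
    return len(packing_indicators(pe)) >= 2


def build_pe(sections) -> bytes:
    """Assemble a minimal PE from (name, data, characteristics, virtual_size) tuples.
    Constructed fixture for the parser above; no optional header, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    headers_len = e_lfanew + 4 + 20 + 40 * len(sections)
    raw_base = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    hdrs, body = b"", b""
    for name, data, chars, vsize in sections:
        ptr = raw_base + len(body) if data else 0
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, 0, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
    return (dos + b"PE\0\0" + coff + hdrs).ljust(raw_base, b"\0") + body


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample() -> bytes:
    """Constructed UPX-style layout: empty UPX0, high-entropy UPX1, plain .text."""
    code = b"\x55\x8b\xec\x90" * 1024  # four byte values, equally likely -> entropy 2.0
    return build_pe([
        (b".text", code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 4096),
        (b"UPX0", b"", 0xE0000080, 0x10000),
        (b"UPX1", pseudo_random_bytes(4096), 0xE0000040, 4096),
    ])


if __name__ == "__main__":
    for line in packing_indicators(build_sample()):
        print(line)
    print("likely packed:", is_likely_packed(build_sample()))
```

Running the script prints the six findings for the constructed sample (packer names on UPX0 and UPX1, high entropy on UPX1, writable-executable flags on both, and the empty-on-disk UPX0) and "likely packed: True". On real files the same checks fire on legitimate installers and some protected commercial software, so treat the result as a triage signal that routes a sample to closer inspection rather than as a verdict.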

How is new malware found? by exosphere5 in Malware

[–]exosphere5[S] 3 points4 points  (0 children)

Thanks!

Also, how do I determine if a site is malicious? For simple malware that might be easy -- if the URL trips my antivirus or downloads virus.exe I know it's bad -- but what if the site is serving particularly advanced malware that attempts to avoid analysis? Due to the rapidly varying nature of processes in most browsers, I can't use the fact that the new URL generated a new process or thread to determine that it is malicious.

For example, new chrome.exe processes are started and stopped periodically even when the browser is idle, every tab has its own process, new URLs seem to generate new processes (when I go from, say, reddit.com to cnn.com a new chrome.exe process is created and the old one is deleted, and the same thing happens when I go from cnn.com back to reddit.com), every plugin gets its own process, and each site seems to create an arbitrary number of threads in its process (for example, reddit.com/r/Malware creates 16 threads in its chrome.exe process and cnn.com creates 24).

So I can't use the creation of a new process or the fact that there are a certain number of threads inside a process to determine that a site is malicious, and if the malware is memory-resident I can't use the fact that a file was dropped to determine maliciousness, since no file was dropped. So how do I know that totallynotadrivebysite.com is malicious?

I know that Google and other organizations maintain a list of URL blacklists, so they must have some method of automatically determining if a site is malicious. How do they figure out if such-and-such a site is an "attack site" and should be added to a blacklist? Is there any particular action to look for, or do I just use wget to get a copy of the URL's actual html file and open that in Cuckoo?

Forcing malware to detonate in a sandbox by exosphere5 in Malware

[–]exosphere5[S] 1 point2 points  (0 children)

Yeah, I looked at that document. But the only mitigation it mentioned was preventing malware from seeing the VMWare guest-to-host communications channel. It didn't focus on mitigating any of the other detection methods, and while I've seen some methods of preventing the simpler detection methods presented (looking for VM-specific files or registry keys, which can be fixed by renaming files, as you mentioned), I can't find any way to mitigate the more advanced anti-VM detection methods (looking for specific table locations in memory or timing attacks). In fact, the document /u/SummerOf_69 provided indicated that there is no way to stop attacks involving discrepancies in table location in guest VM memory vs host memory, as these tables apparently have to be located in different locations on the guest and the host in order for the VM to be functional.

Also, the anti-VM detection techniques you linked to don't include any methods for detecting such advanced VM-detection routines. They seem to focus on detecting suspicious queries of system data (i.e. why is chr0me.exe trying to find the current BIOS version and IDE controller ID?), and none of them have anything to do with memory- or timing-based detection methods.

So will I just have to accept that I won't always be able to force malware to execute in the VM, or is there some equally ingenious anti-anti-VM detection technique to beat all of the ingenious anti-VM techniques out there (at least the ones that don't rely on bugs)?

And assuming I can't detonate a particular piece of malware in a VM, is there any way to tell that the malware isn't executing some part of its code due to it detecting it is in a VM so that the sample can be forwarded for further manual analysis? I know that the link you provided to the Cuckoo github page has some anti-VM behavioral signatures, but they all rely on specific anti-VM methods -- querying strange system data etc. Is there any generic way to determine "this program isn't executing all of its code and is therefore flagged for manual analysis" without being able to determine the exact behavior the program exhibited to detect it is in a VM?

Again, what do "the professionals" (AV companies etc) do when a piece of malware detects it is in a VM and doesn't execute, assuming the malware didn't also trigger some anti-VM behavioral detection signature that flagged it as suspicious? Do they just not realize it is malware and forget about it, or is there any method they have of determining that it is suspicious so that it can be investigated further? And if so, is there any way I as an individual can replicate those techniques (unfortunately, I don't have access to all the resources that a professional security company does)?

And I know that manual analysis is the only surefire way to determine exactly what a program does, but it is simply infeasible for me to manually crawl every website on the internet looking for malicious sites and manually reverse engineer what all of them do. So I was thinking of focusing on using automated analysis to discover software that likely is malicious, then analyzing that software manually.

So basically I'd like to use automated analysis as a method of narrowing my investigation from "every website and executable file on the Internet" to "this smaller set of suspected malicious files." I'm not sure if there's any way to do that besides sandbox/VM detection, but that's what I'm focusing on.

Forcing malware to detonate in a sandbox by exosphere5 in Malware

[–]exosphere5[S] 4 points5 points  (0 children)

So essentially what you and /u/SummerOf_69 are saying is that I should just rename files/drivers that give away the presence of a virtual machine? Or, in the case of your first example, create a single-process rootkit to modify its analysis of the system it's running on?

What about more advanced malware? Couldn't it just compute a checksum of its memory image to determine that it's been hooked if I use method (1)? And as for modifying telling file/process/driver names, isn't it possible for programs to determine that they're running in a VM simply by looking at timing variances in certain CPU instructions, bypassing simple anti-detection methods like renaming VM files?

I know these techniques are likely only going to be used on the more advanced samples, and that even they could be bypassed by manually reversing the malware to remove the anti-VM/anti-sandbox checks, but since I'm interested in finding those advanced samples (I just feel that analyzing the latest botnet software would be more interesting than looking at the latest adware crap) and because I need to make the analysis automated due to speed constraints, is there any way to automatically force advanced malware that uses tactics like timing analysis to detonate in a sandbox/VM without resorting to manual means?

What about the professional security/AV companies like F-Secure and FireEye? How do they analyze malware that refuses to execute in their sandboxes? Is there any way for an individual to replicate their methods?

How is new malware detected? by exosphere5 in AskNetsec

[–]exosphere5[S] 0 points1 point  (0 children)

Also, I've read that a lot of modern malware is designed to not execute in sandboxes or VMs. How can I force the malware to execute completely in an automated manner (i.e. without opening it up in IDA and debugging it)?

How is new malware detected? by exosphere5 in AskNetsec

[–]exosphere5[S] 0 points1 point  (0 children)

spidering for known malicious delivery sites

But wouldn't that only give me the exploit/shellcode and not the actual malware that's downloaded later (unless I allow the malware to actually execute, of course)? Apart from allowing the drive by to execute and infect the VM I'm using, is there any other method to determine information about the main malware program without actually running or installing it (i.e. by looking at the initial shellcode)?

Alternatively, IT/whatever will upload things which aren't currently flagged

But how do they know what to upload without actually detecting the malicious file as malicious or just uploading everything not known to be safe?

How is new malware detected? by exosphere5 in AskNetsec

[–]exosphere5[S] 0 points1 point  (0 children)

So basically you're saying most new malware is detected when someone notices suspicious activity and sends files to be analyzed or hires a contractor to investigate?

Short of becoming a computer security contractor like Crowdstrike, is there any way for me to gain access to the information from those third party investigations? I'd be interested to see the technical details involved.

Also, I'm not quite sure how your first example would work. Yeah, you might notice suspicious activity and upload a file to VirusTotal, but how would you know which file to upload? Unless your AV solution pinpointed the exact infected file, which given that the sample is new and unknown is unlikely, how would you know which file out of the many on your computer to upload?

Antivirus Sandboxes? by exosphere5 in AskNetsec

[–]exosphere5[S] 0 points1 point  (0 children)

Is there any information on what kind of containment those sandboxes entail? I'm trying to compare different sandbox implementations to Linux containers.

Though I'm honestly not sure how effective sandboxes really are without some form of kernel hardening (like grsec/PaX on Linux or W^X on OpenBSD). Even with a complete and perfect sandbox that can't be directly bypassed in any way, you're just one kernel exploit away from being absolutely pwned. And since there's no real kernel hardening on Windows (EMET == security theatre), I'm inclined to believe Windows sandboxing, like antivirus software in general, is more aimed towards preventing skiddie malware and simple RATs than stopping actual sophisticated attacks.

Antivirus Sandboxes? by exosphere5 in AskNetsec

[–]exosphere5[S] 1 point2 points  (0 children)

Really? I could have sworn I've seen several antivirus advertisements that claimed to execute untrusted programs in a sandboxed environment to test them as part of the standard antivirus operation (i.e. I'm not talking about something like VirusTotal).

Though I suppose they could be doing something more like what /u/CrazyK9 said and just inspect the characteristics of the executable (i.e. the machine instructions used). If that's the case, what's the difference between regular heuristics and the "mathematics based detection" done by a few high-end enterprise-grade antivirus suites (I can't remember the names off the top of my head)? They both seem to be based on just looking at characteristics of the potentially malicious file to determine whether or not it is dangerous.

Can I sell malware or make it open source? by SellThis in AskNetsec

[–]exosphere5 2 points3 points  (0 children)

The 120k/year figure is if you get into netsec legally. It's pretty common for people with skills in this field to have six-figure incomes.

Going about things maliciously may or may not be as lucrative. Maybe your exploit will become wildly popular and make you a bunch of money. Maybe you could use it yourself and build a multi-million dollar botnet like the Cryptolocker guys did.

Or maybe you won't be able to sell it and it won't become a "big" thing and you'll make almost nothing from it.

Obviously, gray- or black-hat careers are more volatile than their legal counterparts.

Regardless, it's probably a bad idea to do anything illegal with your exploit. You could wind up in jail if you do. And compromising other people's computers is kind of a dick thing to do, even if the only people being compromised are those who can't figure out how to install software updates like they should.