I thought the peek at the tool and how it was wrapped to the point that a
moron could hold a system for ransom once they did achieve access was kind
of cool. Had not seen the other side of that.
On Mon, Aug 8, 2022 at 9:57 AM <saclug(a)garymcglinn.com> wrote:
That was a big disappointment for me when I went to a security/black hat
conference 10 years ago in Las Vegas. All the talks started with the
attacker already knowing so much that yes, they could do almost
anything. Not a single talk was about how the attacker got themselves
into that position.
I didn't attend any more of these, figuring it was a waste of time.
But, an unfortunate side effect was that perhaps it gave me a false
sense of security. I figured the victim had to have done something
'stupid'.
Where can I go to find standard 'textbook' examples of gaining access
(other than brute force) and privilege escalation? I don't care if the
vector has been addressed, but it would be nice if it was through
something commonly run. Also, it is easy to see how if someone has
access to the host they could mess up the VMs. But how hard is the
opposite?
-Gary
On Sun, Aug 07, 2022 at 11:06:42AM -0700, Rick Moen wrote:
Quoting Linus Sphinx (sphinxtar(a)gmail.com):
> https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-…
There are only two (closely related) questions about "malware" that are
even remotely interesting, and this Bleepingcomputer article is typical
in being a bit unclear on, and failing to emphasise, those questions and
their answers:
1. How does the code get executed?
2. How (if this happens) does process privilege then get escalated?
The article's _extremely_ vague about key question #1. Just an
"encryptor" gets run. How and by whom and why? The article
has zero to say about that.
For the Linux version analyzed by ReversingLabs, the encryptor
focuses strongly on encrypting VMware ESXi virtual machines, including
two command-line arguments that control how the Linux encryptor will
encrypt virtual machines.
One gathers that this particular "malware" doesn't bother to escalate to
system privilege -- or is assumed to have been run as root.
The implication of this rather shoddily written article is that
GwisinLocker is not an attack vector at all. It is a post-attack
tool used by bad guys who have entered and cracked root on your machine
through other means entirely.
So, the gist of this article is: _If_ bad guys can find a way to enter
your machine and crack root authority, _they_ can do bad things with root
authority. Here's an article about one of the myriad variety of bad
things they can then do.
For _that_, we need an _article_?
On the other hand, Ahnlab and ReversingLabs got some free publicity, by
writing a report that Bill Toulas of Bleepingcomputer copied-and-pasted
into an alleged IT news article. Everybody wins, except the reader.
_______________________________________________
Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com