
2017-spring's Introduction

IS521, 2017 spring

Philosophy

The main philosophy of this course is to "learn by doing". This course consists of a series of activities. Students will develop a small program/prototype in every activity, and push their results to Github.

Syllabus

The detailed syllabus can be found at http://softsec.kaist.ac.kr/courses/2017s-is521/

Q&A

Any questions? Create an issue in this repository. We will use Github as a bulletin board.

2017-spring's People

Contributors

0yam, alinghi, asdfljh, bjgwak, blukat29, daramg, dinggul, hyeongcheol-an, ian0371, jaemoon-sim, james010kim, jcassoumounat, jchoi2022, jeongohkye, jhong3842, jmpark81, juanaevv, lbh0307, mfaerevaag, mickan921, mikkang, nohkwak, omkwon, oxsignal, pr0v3rbs, pso2017, sangkilc, seungwonwoo, soomin-kim, sungbumahn


2017-spring's Issues

Does myworm.yr include all variants of myworm?

The signatures of the myworm binaries in the zip file seem to vary.
For example, the default output file should be slaves.csv according to the specification.
However, some worms are using different file names (e.g., slave.csv, juicy.csv).

Should the YARA rule include all these variations in order to detect whether a provided binary is a myworm or not?

Printing information to stdout

Am I allowed to print information (such as which IP is being scanned) to stdout, other than the error messages stated in the spec?

Octal IP address?

This may be a strange(?) question, but can an IP address like 192.168.023.048 be passed as an argument to myworm?
I looked into it, and when certain functions are used, 023 and 048 are interpreted as octal and computed that way...

I would like to know whether such odd input should be treated as invalid, or processed as if the leading zeros were not there (treating the example above as 192.168.23.48).
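The ambiguity in the question above comes from the C library: inet_aton() treats a leading 0 as an octal prefix, so "023" becomes 19 and "048" is rejected outright because 8 is not an octal digit. The added example below (not part of the course code) shows that lenient behaviour next to a strict dotted-decimal validator that rejects leading zeros instead of guessing; the input strings are constructed for the demo.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Lenient parse via the C library's inet_aton(): accepts octal ("023") and hex
 * ("0x17") octets and fewer than four parts. Returns the host-order address,
 * or -1 if the library rejected the string. */
static int64_t lenient_parse(const char *s)
{
    struct in_addr a;
    return inet_aton(s, &a) ? (int64_t)ntohl(a.s_addr) : -1;
}

/* Strict parse: exactly four decimal octets in 0..255, no leading zeros
 * (a lone "0" is fine), nothing before or after. Returns the address or -1,
 * so "192.168.023.048" is an error rather than a guess. */
static int64_t strict_parse(const char *s)
{
    uint32_t addr = 0;
    for (int part = 0; part < 4; part++) {
        if (!isdigit((unsigned char)s[0]))
            return -1;
        if (s[0] == '0' && isdigit((unsigned char)s[1]))
            return -1;                          /* "023", "048", "00" */
        unsigned v = 0;
        while (isdigit((unsigned char)*s)) {
            v = v * 10 + (unsigned)(*s++ - '0');
            if (v > 255)
                return -1;
        }
        addr = (addr << 8) | v;
        if (part < 3 && *s++ != '.')
            return -1;
    }
    return *s == '\0' ? (int64_t)addr : -1;
}

int main(void)
{
    /* constructed inputs: canonical, octal-looking, and octal with an 8 in it */
    const char *inputs[] = { "192.168.23.48", "192.168.023.047", "192.168.023.048" };
    for (int i = 0; i < 3; i++)
        printf("%-16s inet_aton=%lld strict=%lld\n", inputs[i],
               (long long)lenient_parse(inputs[i]), (long long)strict_parse(inputs[i]));
    return 0;
}
```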

[worm activity] May we use `libprocps`?

As for getting all running processes, the activity hints at the ps source code. May we use libproc, as ps does, or should we include the necessary code in the scanner binary?

The provided vagrant box includes libprocps.so.3.0.0, though I am unable to find the header files.

Enquiry about pgp key update.

During the PGP activity, I updated the mail address of my PGP key after it was signed by 4 classmates
(there was a typo in my email address; I noticed it after it was signed).

I have not checked my activity score, so I wonder whether there is any penalty in my case.

[Suggestion] What makes my points deducted

In our grades-* repository, only the grading criteria and the score are uploaded.

But sometimes I am confused about which one I missed, since there are several subjective criteria such as 'If the code is difficult to read and understand'.
So if I'd like to check the exact criterion for which my points were deducted, I have to ask the TA, but I think that is inconvenient for both sides.

So my suggestion is uploading an O/X table for each criterion.
It also gives students enough time to think about what was wrong in previous activities and check whether it was wrong or not.

libyara-dev version(?) in provided VM

I installed libyara-dev in the VM provided for the class, and when I checked the version it is 3.1.0.

Looking at the given scanner.c code, there is
yr_compiler_set_callback( compiler, cbCompile, NULL );
but in the libyara 3.1.0 docs the yr_compiler_set_callback function takes only two arguments (void *user_data is missing).
It probably does not matter much in this case, but I am asking because I expect there to be differences between versions.

Is there a reference yara version?

vagrant ssh error

I turned on the GUI setting in the Vagrantfile by deleting the comment marker:
config.vm.provider "virtualbox" do |vb|
# Display the VirtualBox GUI when booting the machine
vb.gui = true
end
So I logged in to the VM with the ID: vagrant, PW: vagrant.

But if I execute 'vagrant ssh', the error message is as follows.

$ vagrant ssh
ssh_exchange_identification: read: Connection reset by peer

Is it OK for the future activities?

Question about a smart way to fix a bug

I fixed a bug in my interpreter code after copying my previous code to the backdoor folder.
Is there a good way to apply it to both?
diff is not helpful to me.

[debugger-activity] endian of 4-byte value & output format

At this line, 0x1000,0x4000. This line means that your value tracer needs to print out the 4-byte value

Should we consider this 4-byte value as an integer value, or just a 4-byte dump?

And what should the output format of registers and 4-byte memory values be?

Is the scanner needed to handle thousands of files?

When I scan files recursively with 'scanDir', the 'opendir' function fails after scanning thousands of files.
The error message says "Too many open files".

If our mission only considers a limited number of files, 90, my scanner looks fine.
Does my scanner need to handle thousands of files?
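"Too many open files" (EMFILE) after thousands of directories is the usual symptom of a recursive walk that never calls closedir(), so the descriptor table fills up regardless of how many files the assignment actually needs. The added example below (not the course scanner; it assumes a POSIX system and writes a constructed three-file tree under /tmp) shows a walk that closes every DIR* and checks, via the lowest free descriptor number, that nothing leaked.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Recursively count regular files under path (a real scanner would yara-scan
 * each one). Every opendir() is matched by closedir() on every exit path, so
 * open descriptors grow with recursion depth only, not with directories seen. */
static long scan_dir(const char *path)
{
    DIR *d = opendir(path);
    if (!d) { perror(path); return -1; }
    long files = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char child[4096];
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        if (lstat(child, &st) != 0) continue;            /* skip unreadable entries */
        if (S_ISDIR(st.st_mode)) { long s = scan_dir(child); if (s > 0) files += s; }
        else if (S_ISREG(st.st_mode)) files++;
    }
    closedir(d);            /* the call a scanner that dies with EMFILE is missing */
    return files;
}

/* Builds a constructed tree (3 files, 1 subdirectory) under /tmp, scans it,
 * removes it, and returns the file count, or -1 if a descriptor leaked. The
 * leak check: the lowest free fd (what open() hands out) must not move. */
long demo(void)
{
    char root[] = "/tmp/scanXXXXXX", p[4096];
    const char *names[] = { "a.bin", "b.bin", "sub/c.bin" };
    if (!mkdtemp(root)) return -1;
    snprintf(p, sizeof p, "%s/sub", root); mkdir(p, 0700);
    for (int i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", root, names[i]);
        FILE *f = fopen(p, "w"); if (f) fclose(f);
    }
    int before = open("/dev/null", O_RDONLY); close(before);
    long n = scan_dir(root);
    int after = open("/dev/null", O_RDONLY); close(after);
    for (int i = 0; i < 3; i++) { snprintf(p, sizeof p, "%s/%s", root, names[i]); unlink(p); }
    snprintf(p, sizeof p, "%s/sub", root); rmdir(p); rmdir(root);
    return before == after ? n : -1;
}
```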

Questions about 'pathname'

My worm works fine on my system, except in two cases:

  1. the pathname contains Korean characters (한글)
  2. the pathname contains vboxsf

A little more specifically, when removing the binary itself.
When I check using perror,
it prints out

Text File Busy

But except for those 2 cases it works fine (meaning the program executes the self-remove function successfully). I guess in those cases reading the pathname of the binary has some kind of encoding problem. Does anyone have an idea regarding this?

Thank you.

[worm activity] About infection

I'm confused about the meaning of this:
"If there exist a file in /tmp/myworm, ... it stores the binary of itself to /tmp/myworm"
I think the meaning is that my worm stores itself to /tmp/myworm.
Its path is /tmp/myworm; /tmp/myworm is not a directory.
Is that correct?

Any convention for filename?

From #55, I see that it's better to put the entire email body into a file with the .asc extension.

I wonder if there is any naming convention for the file like body.asc or such.

[Activity 4] .gitignore file

This might be a dumb question, but is it allowed to use a .gitignore file instead of just not committing the build/myworm binary?

The reason I am asking is that the activities are always very precise about the final deliverables and usually deduct points if the delivery deviates from the specification. Activity 4 lists three files, README.md, src/ and Makefile, and specifically states that the binary should not be committed. The usual way is using a .gitignore file, but this would add a fourth file.

I can't compile '0313-backdoor.tex' file

I am using TeXworks installed on Windows.
However, the '0313-backdoor.tex' file does not compile.

The 'console output' shows the following:
default

The log file says the following:
2017-02-27 16:31:23,437+0900 INFO texify - running 'initexmf --quiet --update-fndb' to refresh the file name database

So I tried entering that command, but it still does not compile.

Additionally, when I comment out the '\bibliography{references}' line in the tex file, it compiles normally.

My worm file is not working properly

myworm-seongil-wi in the given worm-bins.zip file is not working correctly.
It is also different from the binary compiled from the source code that I submitted to my private repository.
(I used the most recent version of vulnet.)

Please confirm.
Thank you.

interpreter build error

Is the interpreter code working?
Maybe there is a link error in the Makefile.

.../interpreter/interpreter.c:76: undefined reference to `initVMContext'
.../interpreter/interpreter.c:87: undefined reference to `stepVMContext'
collect2: error: ld returned 1 exit status
Makefile:17: recipe for target 'build/interpreter' failed
make: *** [build/interpreter] Error 1

I searched Google... but I can't find an answer because link errors are case by case...
If this error occurs only in my environment, I will close this issue.

Thanks.

When a user specifies at least one directory..

I am just confused about this description.

Second, when a user specifies at least one directory to scan, then you simply recursively enumerate and scan all the files in the directory.

  1. When I specify the directories after specifying the rule file, is it right to specify a "directory name" only?
    If so, how is the path set?
    Do I need to specify the directory that contains the path?

  2. This is a very simple question. If there is a directory inside the specified directory, can I just ignore it when scanning?

Backdoor Detection Logic

Regarding the criterion for when the backdoor is triggered:

  1. Should the interpreter look for a specific pattern so that it works only on the login program I wrote myself?
  2. Or should the backdoor also work on login programs developed by other people?
    (considering that the login program or the compiler may be upgraded)
  3. Or, like a super key, is it acceptable that whenever "superuser" is entered, the embedded backdoor logic runs in any program?

I implemented option 3, assuming a powerful backdoor...
I am asking because I am worried about losing points due to a difference in interpretation.

About professor's key

I am doing a homework about PGP, but at the last step I cannot find the professor's key.
Where could I get the professor's (public) key?

Thanks.

[Activity #3] spec of puts instruction

In the document, the behavior of puts is described as that of the libc puts function.

But I think that it is impossible to implement the pseudocode listed in "Listing 1" that way.
In detail, printf("User: "); doesn't print a newline character, but the libc puts function always prints a newline character at the end of its output.

So I suggest a new spec that is the same as libc puts except for the newline character.

Activity 1: What branches to compare in pull request

Hello,

The last item in Activity 1 asks the student to create a pull request. Unfortunately I am not sure exactly what is expected:

  • What should the pull request be about or what branches should be compared?
  • And are we still talking about the student's private repo, or this repo?

Thank you very much,
Markus

64-bit worms do not run on the 32-bit system

Two worm files are compiled as 64-bit and thus do not run on the provided vagrant VM.
Those files can be easily checked with the following command:

$ file * | grep 64-bit

benign.bin's path confusion

In the AV assignment description it says
5. ./benign/Makefile should produce your benign sample in ./build/benign.bin.
I am asking because I do not know whether the ./build/ mentioned here means ./benign/build/ or the ./build/ where the scanner is generated.

Problem for return value of yr_rules_scan_file

About yara's functions:
When I call the function x = yr_rules_scan_file(rules, dir, SCAN_FLAGS_FAST_MODE, callback_function, NULL, 0); in order to scan my file, the value x that I get is always
CALLBACK_MSG_SCAN_FINISHED. Isn't it supposed to give the two messages CALLBACK_MSG_RULE_MATCHING or CALLBACK_MSG_RULE_NOT_MATCHING?

I am wondering whether I should encrypt the email.

I would like to know whether I should make the message into a file,
sign it with my personal public key, encrypt it with the professor's public key,
and then send it by mail,
or whether I should sign and encrypt the mail itself and send it!

About pull request.

I made a pull request from the 2nd-activity branch to master. Do I have to merge the pull request if there is no conflict, or just leave it as a pull request? I am a little bit confused.

Question for worm activity

At step 5 in 3.1,

It re-connects to the server with the obtained user name and the password from Step 3. If the login works, it records the IP address of the vulnerable host along with a user name and a password. Otherwise, it simply records the IP address with a user name “superuser”.

I cannot understand the meaning of "Otherwise".
As I see it, if I can log in with 'superuser', I can always get a correct id/pw pair.
So I guess there is no possibility for "Otherwise".

Am I misunderstanding?
I would like to know the more precise condition for recording "superuser" for a certain IP address.

Benign program definition

I am confused about the exact definition of a benign program....
In the activity instructions, there is the definition of a benign program.

By benign, we mean that your program should not leak any information from the vulnerable server other than the fact that the server is running a vulnerable vulnet server

If there is a program which connects to the server with the backdoor id "superuser" and sends the command "ls" only, then is it malicious or benign?

Function yr_rules_scan_file - exits with "killed" message

When I connected with vagrant ssh to the VM built from the box given in class, in my case deb32-jessie-base-vb5.1.12.box was in /vagrant, so I tried scanning it with yr_rules_scan_file, and the scanner terminated with the message "killed".

I tried several tests but could not find a definite cause. One scenario I suspected was that the file is about 870MB and the VM memory is small, so it gets killed, but in a VM running a different OS (512MB memory) yr_rules_scan_file works, so I am asking.

Since it works normally in another environment, I suspect the cause is something other than a coding mistake.

I have been trying to find the cause but really cannot figure it out. If you have any ideas about what to suspect, I will check them.

Also, if there are others who, like me, use the vagrant box configuration given in class as-is, could you put the box file on the VM and run a scan test?

Questions about Trust Level

Hello.
During the last Key-Signing Party, some settings on my laptop were wrong and I had to leave early.
So I was not able to exchange keys with anyone.

  1. Is there a minimum for key signing? If so, how many signatures, excluding the self-signature, is the minimum?
  2. For item 4 of the assignment, Sending an encrypted E-mail, must I make my signature a trusted signature before signing?

That is all.

[av2-activity] Delete or just unlink

After reading Part 1 of the activity description I am not sure whether I should delete the binary or just unlink it.

Having the following files:

  • /tmp/myworm
  • /proc/self/exe [ -> /tmp/myworm]

Should I delete the actual binary worm file (rm /tmp/myworm), delete the link (unlink /proc/self/exe) or both?

worm activity question

Looking at item 4 in assignment 3.1, there is this part:
For the purpose of this exercise, we just close
the connection at this point without running the worm binary, but in reality, you
would run the binary. N.B., we will deduct points if you execute the worm after
propagation.

Does this mean that, unlike in reality, in the assignment propagation should happen only on the host where the worm is started, and no separate propagation should take place on the infected hosts?

/proc/ in mac

After debugging for a while, I realized that /proc/ does not exist in MacOS.

Is there another way for Mac users..?

thanks

Professor's public key.. download..

While searching for where the public key is...

I wandered around on my own for too long.. ㅠㅠ so I am posting this just in case.

If you search pgp.mit.edu with the [email protected] [professor] email address,

you can download it by public key id!!

gpg --keyserver [keyserver] --recv-key [pub id]

worms in the zip.gpg file

I noticed that my worm (mickan921) is not present among the worms given.

Were the worms randomly selected? Or should I be worried?

thanks

Vulnet full request confuse

The recvSock of vulnet has been modified.

Commit: 0bdfcf5a45b496e35e5be554410480bea96adabc

When I tested it during the homework, it worked correctly in the version before the modification.

When creating a variant worm, which version should I test against?

Also, do I need to modify myworm to match the current version for Activity 4?

the new vulnet problem

Whenever I send any command to the new vulnet,

it first gives me an error message saying that the command is not found, but then it gives me what I want on the next line. For instance:

ls
/bin/bash: line 1: checkin: command not found
Makefile
README.md
build
vulnet.c

However, the original vulnet does not print that "/bin/bash: line 1: checkin: command not found".
Am I the only one having this problem..?

Use Inline PGP vs Use PGP/MIME

Through the assignment activity, I learned that there are two approaches used to send encrypted message content.

  • Inline PGP is the method of including the encrypted message itself in the mail body. It can run into issues related to HTML formatting during sending.
    In my case, an alert dialog appeared saying "Message contains HTML formatting information that will be lost when converting to plain text for signing/encryption. Do you wish to proceed?".

  • PGP/MIME is the method of converting the encrypted mail content itself into an .asc file and attaching it.

For submitting the result of this assignment activity, would adopting the PGP/MIME approach be more appropriate than Inline PGP?

I have a question about function name.

To students:
I can't compile the puts and gets functions since they collide with <stdio.h>'s puts and gets.
I don't know how to override or overload in the C language. Does anyone know about it?

To the professor:
May I change to another name in interpreter.c? (Is it allowed?)

Question about size of operands

The ite and jump opcodes have immediate value(s) as operands.
I guess the size of ite's operand (immediate value) is 1 byte.
Is the size of jump's operand also 1 byte?

If so, is it okay to assume that the size of the code does not exceed 1024 bytes? (at most 256 instructions, each being 4 bytes)
