June 9, 2022
A userland rootkit is pretty weak, and there are some easy ways to detect it. It works by hooking library calls inside dynamically linked processes, so the simplest check is to use a statically linked binary, like busybox, rather than the utilities on the compromised box: the static binary never loads the hooked library, so it reports what is really there. Honestly, I thought this was standard practice, so I’m a bit surprised that a userland rootkit can defeat live forensics.
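As an added example (not code from the newsletter or from the researchers it links to), here is the cross-view check in shell: what is injected via the preload mechanism, and what the trusted static view shows that the dynamic tools omit. The busybox path, the sample process listings and the preload file contents are all constructed for illustration; on a live box you would point it at `/etc/ld.so.preload` and a static busybox copied in from a clean host.

```shell
#!/bin/sh
# Added example: cross-view detection of a userland rootkit.
# A userland rootkit hides itself by hooking libc inside every dynamically
# linked process, typically by listing its library in /etc/ld.so.preload or
# LD_PRELOAD. A statically linked busybox never maps that library, so its view
# of the system can be diffed against the (possibly hooked) dynamic tools' view.

# 1. Is the trusted binary really static? ldd prints "not a dynamic executable"
#    for a static ELF. Caveat: ldd on the compromised box may itself be hooked,
#    so verify the busybox binary (and its hash) on a clean host before copying it in.
is_static() {
    ldd "$1" 2>&1 | grep -q 'not a dynamic executable'
}

# 2. Which libraries are being injected into every process? The preload file
#    path is a parameter so the function can be run against a constructed file;
#    on a real box call it with /etc/ld.so.preload.
preloaded_libs() {
    preload_file="$1"
    [ -f "$preload_file" ] && grep -v '^[[:space:]]*$' "$preload_file"
    [ -n "${LD_PRELOAD:-}" ] && printf '%s\n' "$LD_PRELOAD" | tr ': ' '\n\n'
    return 0
}

# 3. Entries present in the trusted (static) view but missing from the dynamic
#    view, i.e. what the rootkit is hiding. Inputs are files with one entry per
#    line (PIDs, file names, sockets); comm needs them sorted.
hidden_entries() {
    dyn_sorted=$(mktemp)
    sta_sorted=$(mktemp)
    sort -u "$1" > "$dyn_sorted"
    sort -u "$2" > "$sta_sorted"
    comm -13 "$dyn_sorted" "$sta_sorted"
    rm -f "$dyn_sorted" "$sta_sorted"
}

# 4. Live collection: PIDs in /proc as seen by the host's dynamic ls/grep versus
#    a static busybox. Prints PIDs that only busybox can see.
compare_proc() {
    busybox_bin="$1"   # assumed path to a static busybox, e.g. /mnt/usb/busybox
    is_static "$busybox_bin" || { echo "refusing: $busybox_bin is dynamically linked" >&2; return 2; }
    dyn=$(mktemp)
    sta=$(mktemp)
    ls /proc | grep '^[0-9][0-9]*$' > "$dyn"
    "$busybox_bin" ls /proc | "$busybox_bin" grep '^[0-9][0-9]*$' > "$sta"
    hidden_entries "$dyn" "$sta"
    rm -f "$dyn" "$sta"
}

# Constructed sample views (not real output): the hooked ps omits one process.
sample_dynamic_view() {
    printf '%s\n' '1 /sbin/init' '812 /usr/sbin/sshd' '903 /usr/sbin/cron'
}
sample_static_view() {
    printf '%s\n' '1 /sbin/init' '812 /usr/sbin/sshd' '903 /usr/sbin/cron' '1337 /usr/lib/.hidden/svc'
}

# Run the diff over the constructed sample; prints the hidden entry.
demo_hidden() {
    dyn=$(mktemp)
    sta=$(mktemp)
    sample_dynamic_view > "$dyn"
    sample_static_view > "$sta"
    hidden_entries "$dyn" "$sta"
    rm -f "$dyn" "$sta"
}

# Stand-alone run over the constructed sample. On a live box you would instead call:
#   preloaded_libs /etc/ld.so.preload
#   compare_proc /mnt/usb/busybox
demo_hidden
```

The same `hidden_entries` diff applies to any pair of views (files in a directory, listening sockets from `/proc/net/tcp`), as long as both listings are produced from the same format. The check that matters is that the trusted side is collected by a binary that never went through the host's dynamic loader.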
Big SIGINT energy.
“People were asking ‘Well you know, I’m not sure we’re seeing a dip in ransomware, how do you know this; can you show me?’ I would just say: how did we know? Really? We’re NSA,” said Joyce, alluding to the agency’s core mission of collecting signals intelligence. “We heard them say they can’t get their money out. We heard them say that they can’t buy infrastructure.”
Do yourself a favour and read this thread. It is a wonderful journey.
Highly recommend reading Seriously Risky Business today.
I wouldn’t bet on it.
This is evil and incompetent. \o/
Great stuff in here.