Today I spoke at Dakota State University
I am now banned from Dakota State University
Just kidding (I hope)
Thank you students, and faculty, and strange people from the internet who somehow found the Discord server I was speaking in. I hope my schizo rant was beneficial in some capacity.
Also, thank you to Shden (no idea how to say your name) for asking me super specific malware development and Windows internal questions. It caught me off guard and I was not prepared to have a serious conversation in any capacity. It was a reminder that I don't remember shit and all I know how to do is spam pictures of kitty cats.
Yeah, so basically I was going to do this whole write-up on @BetterTelegram because people asserted it's (probably) malware.
There was this thing where one of its affiliates, or something, offered me money to make a post about it. I made a really, really, really goofy and borderline satire advertisement that, shockingly, this person agreed upon. However, the actual developers of BetterTelegram got really sad when they saw the post.
They said they spent a long time working on it and my satirical "ad" made them look bad. Long story short-ish, I agreed to actually look at it. I don't give a fuck about Telegram so instead I decided to poke it with a stick to determine if it's malware.
I ended up pulling it apart, poking it with a stick, poking it with a slightly bigger stick, ... and I got bored pretty fast.
It's not malware.
It's a regular problem. It's boring. BetterTelegram states they're open source and you can view the source code to their application on GitHub. They weren't lying.
The installer it distributes from its website is a generic installer. You can unironically open it with the 7z GUI and look at what's inside of it without executing it. The installer is boring stuff such as:
- The binary itself (inside of a 7z though, it's compressed)
- Dumb stuff it's dependent on, like libraries
- Images the file uses
After you rip out all of the installer stuff and get the actual binary you end up with a program written in NODE.JS.
If you're unfamiliar with NODE.JS, it's very easy to revert the binary back to its original source code. Discord is written in NODE.JS. You can sneeze, shit your pants, stumble into a dark and spooky room, and accidentally get the source code to Discord (or rather, as close as possible, but let's not get overly pedantic here, okay?)
After I bonked BetterTelegram with a stick designed for NODE.JS, I very quickly found its source code, which is identical to the source code they share on GitHub. It was boring.
Funnily enough, BetterTelegram does query the BetterTelegram domain, check to see if there are any updates, and if there are updates ... it downloads the latest libraries required ... boring.
BetterTelegram, being written in NODE.JS, uses some weird ass game library thingy for some of its stuff. BetterTelegram works by injecting a library into Telegram. Basically, it functions like a plugin. The injection library it uses is called "ffxiv-teamcraft".
Yes, you read that correctly, the API it uses to inject the plugin is from a Final Fantasy XIV modding community.
It also uses an external application called "elevate.exe" to elevate itself if need be. However, this is from something else, it's on VirusTotal, it's ... just normal goopy program stuff.
The DLL it injects (the plugin) is also virtually identical to the one on their GitHub. The plugin DLL is the thing that actually does the OTR encryption stuff. I'm not a fuckin' cryptographer, so I can't state how good (or bad) their OTR encryption and/or implementation is. I'm not going to bother even trying to fuck with that shit.
BetterTelegram is an OTR thingy they're selling as a plugin for Telegram. I'm bored with it. Many people initially seemed spooked by it ... I had kind of hoped it would be something a little spooky ... but nope.
I have literally nothing else to say.
Sat here in my undies, writing this post, trying this new thing called "nic salts". This nic salt stuff will put a fucking hole in your chest.
Anyway, this is 2nd thing I've reverse engineered the past few days that ended up being regular 'ol program goop. I want spooky goop.
Nicotine salts, I guess it's different than vape juice? I dunno. The guy with pierced ears and funny hair at the store recommended it to me
Got CC'd in a legal e-mail chain between a company being extorted and an extortion group.
I do not know why I am in this e-mail chain. I do not know who this company is.
I do not know where I am.
Another day of internet schizophrenia
Don't worry, Blavity. I won't say anything to anyone about this e-mail chain.
I am not an expert, but based on the response from the extortion group I do not think they care you're involving the FBI and Secret Service.
vx-underground
Big shout-out to this random NERD who infected themselves with malware while doing nerd stuff Bro was reading posts from FFmpeg, some 18+ VTuber, and Linux forum stuff. He didn't pay attention and detonated malware on his machine from a fake Microsoft Teams…
HOW ARE YOU GONNA UNIRONICALLY BROWSE ARCH LINUX FORUMS BUT DETONATE A FAKE MS TEAMS BINARY
DAWG, LOCK IN
Massive shout-out to the local governments of New York, Hawaii, Louisiana, and the homies at the Supreme Court of California.
It's 2025 and they're helping people get FREE ROBUX
The "FREE ROBUX" advertisements on this website LOOK like they're trying to implement the "ClickFix" malware masquerading and/or payload delivery method.
After you enter your Roblox name for your "FREE ROBUX" the website states the server is "overloaded" and you need to "manually bypass" the authentication, or whatever, so you need to "verify" you're a human
This all aligns perfectly with "ClickFix". All signs point to YES for a malware delivery campaign except there is one small problem... THEY FORGOT TO SET THE FUCKING DOWNLOAD LINK IN THE CAPTCHA BUTTON
Dawg, how the fuck are you going to deliver malware when your slop website doesn't actually deliver anything? If you're wondering why you don't have any infected machines, it's because YOU DIDN'T SET THE FUCKING DOWNLOAD BUTTON
I'm over here smashing the CAPTCHA button, begging these nerds for some free malw— er...... "Robux" and nothing happened. I thought I was clicking the button wrong. I am filled with disappointment.
Here is a tip for noobs for reverse engineering malware stuff
Tip 1. When you get a file and you think it might be spooky, you need to determine what kind of file it is. You cannot rely on file extensions.
The easiest and most ghetto way (the way I do it) is opening the file with a text editor and looking at the first few bytes in the file
If the weird spooky file starts with "MZ" at the beginning, it's an executable binary (.exe, .DLL, .sys). If it starts with "PK" it's a compressed file (or maybe an Android file, long story). Anything else that looks readable is going to be weird stuff like malicious JavaScript, .Lnk files, HTA files, Python files, etc.
Knowing the file type is very important. This will help you determine what kind of stick you need to poke the spooky file with
"why not use a hex editor or some other tool?"
I mean, you can. But a really quick and easy way to quickly and easily determine the file type is to use a read only application, like a text editor, to review the first few bytes of the file.
If you're not sure or confident in what you see then you use something else to review the file headers and stuff.
Since I unironically reverse engineer malware on Windows (generally speaking, not a good idea, but I'm around malware so much I don't give a fuck anymore), I just right click the file and select Open With Notepad++
When I made my malware reverse engineering tip thingie, some noobs commented that file headers are complicated, or whatever. At first glance they seem kind of crazy but they're actually pretty shrimple.
For those who don't know, every executable file on your machine (with some exceptions, but we won't go there) have "headers". The word "head" here is the keyword. It's what is first. It's the "head" of the executable.
The "headers", or stuff that comes first, is just a bunch of mumbo jumbo your operating system reads to understand what the fuck it's doing and to understand what it's looking at.
Windows is different than Linux. We'll discuss Windows because that's all I know because I'm a Windows nerd.
Windows does a bunch of junk when files are executed (not just .exe files). We won't discuss it all because it's a bunch of nerd stuff. We'll focus exclusively on .exe files.
The Windows headers (called PE headers, an acronym for Portable Executable) are layered and are old and have historical context. There's multiple headers. Each "header" discusses different stuff about the .exe file.
You can think of headers as like shipping labels on a box that you receive in the mail. The shipping labels will describe stuff about the box like, size, height, weight, what could potentially be inside (such as batteries), blah blah blah. File headers do the same kind of
File headers on Windows will say stuff like:
- Is this a .exe, .dll, .sys, etc?
- Where the fuck is the actual code in this file?
- Where the fuck does the actual code stop (so it knows when to stop reading)?
- Where the fuck are the embedded images the code might use (called the resource section, for displaying icons)?
- How big is this fucking thing?
- When the fuck was this compiled?
- How old is this fucking thing?
- Is this fucking thing signed?
- What the fuck is it written in (mostly for .NET stuff)?
- What other fucking libraries does this thing depend on?
- Does this fucking thing share code with other things (for .dlls and stuff)?
... and a bunch of other stuff the computer might need to know.
Is all of this important to your computer? No, not really. But some of it is for silly stuff like "drivers". Some of it is metadata naturally included from compilers (the thing that made the .exe).
Does Windows actually say "fuck" a lot when trying to run .exe files? Yes, yes it does. Windows is very angry
Can you modify the file headers to trick Windows? Yes, this is done by things called "malware" or malicious software. You can lie to Windows and still make it run the .exe by confusing its little brain (kind of, different story for a different day)
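Both tips above in working code (the "look at the first bytes" triage, then the questions the PE headers answer), as an added example that is not from the channel: a small parser that reads the DOS header, the file header, the optional header's data directories and the section table. The sample PE32+ header stub is constructed inline and is not a real file.

```python
import struct
from datetime import datetime, timezone

# Magic-byte triage from the post: look at the first bytes, not the extension.
def sniff(data: bytes) -> str:
    if data[:2] == b"MZ":
        return "pe"
    if data[:2] == b"PK":
        return "zip"            # also .jar/.apk/.docx: all ZIP containers
    if data[:4] == b"\x7fELF":
        return "elf"
    return "text-ish/other"     # script, .lnk, .hta, ... inspect by hand

def parse_pe(data: bytes) -> dict:
    # Answer the questions the post lists using only the PE headers.
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # DOS header -> NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ without PE signature (DOS program or corrupt)")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    dd = opt + (112 if pe32plus else 96)                 # data directory table
    def directory(idx: int) -> tuple:                    # (rva, size); zeros if absent
        return struct.unpack_from("<II", data, dd + 8 * idx) if idx < ndirs else (0, 0)
    sections = []                                        # where the code actually lives
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rawptr, rawptr + rawsize))
    return {
        "arch": {0x14C: "x86", 0x8664: "x64", 0xAA64: "arm64"}.get(machine, hex(machine)),
        "kind": "driver" if subsystem == 1 else "dll" if chars & 0x2000 else "exe",
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "entry_rva": entry,
        "size_of_image": size_of_image,
        "signed": directory(4)[1] != 0,      # certificate table present
        "dotnet": directory(14)[1] != 0,     # CLR runtime header present
        "has_imports": directory(1)[1] != 0,
        "has_resources": directory(2)[1] != 0,
        "sections": sections,
    }

def build_sample() -> bytes:
    # Constructed, non-executable PE32+ header stub: just enough to exercise the parser.
    dos = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 64))   # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 1700000000, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+
    struct.pack_into("<I", opt, 16, 0x1000)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, 0x3000)           # SizeOfImage
    struct.pack_into("<H", opt, 68, 2)                # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 1, 0x2000, 0x80)   # import table
    struct.pack_into("<II", opt, 112 + 8 * 14, 0x2100, 0x48)  # CLR header (.NET)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
```

Run `parse_pe(build_sample())` to see the fields; on a real sample, call `sniff` first and only hand MZ files to `parse_pe`.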
vx-underground
Got invited to do another talk at another University Getting paid in pizza again Easiest pizza of my life. Good game, nerds.
Oh. My. God.
I'm pizza farming IRL.
Another pizza dinner for my wife and I. God damn it feels good to be a gangster