One of the problems I've had since I originally wrote mac-robber.py [1][2][3] seven years ago is that because of the underlying os.stat python library we couldn't get file creation times (B-times). Since the release of GNU coreutils 8.32 (or so), the statx() call has been available on Linux to provide the B-time, but Python out of the box doesn't yet support that call. Recently, though, I did some searches and discovered that for several years there has actually bin a pip package called pystatx that exposes the statx() call and allows us to get the B-time. So, I updated the script. It now tries to import statx and if it succeeds (probably only on relatively recent Linux distros where the pip package has been installed) it can now provide B-times. I also adjusted the formatting so the script will now give microsecond instead of millisecond resolution. I will probably write a python version of mactime at some point so that we can actually take advantage of the additional resolution.

These last two days, a lot has been talked about a "Doomsday 9.9 RCE bug'" in Linux [1]. We now have some additional details from Simone Margaritelli, who discovered and reported the vulnerabilities.

Occasionally, I tend to check in on what reflective DNS denial of service attacks are doing. We usually see steady levels of attacks. Usually, they attempt to use spoofed requests for ANY records to achieve the highest possible amplification. Currently, I am seeing these two records used (among others):

Since posting a diary about Vega-Lite [1], I have "played" with other queries that might be interesting and the first one that I wanted to explore since the DShield SIEM [2] capture and parse the iptables logs and store the Time-to-Live (TTL) for analysis.

A few months ago, I wrote a diary[1] about a Python script that replaced the Exodus[2] Wallet app with a rogue one on macOS. Infostealers are everywhere these days. They target mainly browsers (cookies, credentials) and classic applications that may handle sensitive information. Cryptocurrency wallets are another category of applications that are juicy for attackers. I spotted again an interesting malware that mimics an Exodus wallet by displaying a small GUI:

In an earlier diary [1], I reviewed how using tools like DBSCAN [2] can be useful to group similar data. I used DBSCAN to try and group similar commands submitted to Cowrie [3] and URL paths submitted to the DShield web honeypot [4]. DBSCAN was very helpful to group similar commands, but it was also very useful when trying to determine whether commands from one honeypot were seen in another. How much overlap in attack data is there between honeypots? Is there any targeting based on the hosting location of the honeypot?

Since I’m interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The most-known repository is probably pypi.org[1] that reports, as of today, 567,478 projects! Malware developers are like regular developers: They don’t want to reinvent the wheel and make their shopping across existing libraries to expand their scripts capabilities.

Today, Microsoft released its scheduled September set of patches. This update addresses 79 different vulnerabilities. Seven of these vulnerabilities are rated critical. Four vulnerabilities are already being exploited and have been made public.