undefined | Better HN

0 pointscatsma211y ago0 comments

i did, in fact, read the article. you said "a simple script to download these repos". the variety of malware would make the script not so simple, and not so effective.

0 comments

Aurornis1y ago

> the variety of malware would make the script not so simple, and not so effective.

The article is about using scripts to identify and download the malware. They identified over 1000 matching repos, which would contain Discord webhooks in the script.

Scanning and identifying has already been done. That’s literally what the article is about.

It’s right in the second paragraph:

> As soon as you download and launch any of these, all the data from your computer is collected and sent to some discord server

catsma21OP1y ago

yes, they identified spammy repos. you'd also need to identify which repos belong to which spammer groups, it's not just one person doing this (as mentioned in the article) -> they don't use the same malware. saying "sent to some discord server" is like saying "playing games on my nintendo". the malware is also obfuscated (as mentioned in the article) which makes identifying the home server harder with static analysis.

why don't we just send bad people to jail?

Aurornis1y ago

The web hook is in the templated script

From the article:

> The "trust" value, when base64-decoded, turns out to be a discord webhook link: myhook = 'https://discord.com/api/webhooks/1050437982584324138/VJByvmB...'

Collect all the scripts matching the template. Extract the “trust” variable. Decode base64. Send to Discord with proof of how it was obtained.

Discord then identifies the Discords matching those webhooks.

It’s not some hard static analysis problem. These are python scripts with a base64 encoded variable. I don’t understand why you’re making it out to be something other than what the article says.

catsma21OP1y ago

the article details how github is spammed by multiple people who read one guide. not every single one of the 1000 repos is THE SAME breed of malware. some overlap, maybe. but some is c#, some is rust, some is python. out of those that are python, some are obfuscated with this love/trust/joy obfuscator, some use pyarmor, some are compiled with nuitka. no, the guide does not instruct you which malware strain to use, only how to game github for traffic.

if it was that simple it would be a solved problem. i encourage you to give it a shot

1 more reply

j / k navigate · click thread line to collapse

0 comments

Aurornis1y ago

> the variety of malware would make the script not so simple, and not so effective.

The article is about using scripts to identify and download the malware. They identified over 1000 matching repos, which would contain Discord webhooks in the script.

Scanning and identifying has already been done. That’s literally what the article is about.

It’s right in the second paragraph:

> As soon as you download and launch any of these, all the data from your computer is collected and sent to some discord server

catsma21OP1y ago

why don't we just send bad people to jail?

Aurornis1y ago

The web hook is in the templated script

From the article:

> The "trust" value, when base64-decoded, turns out to be a discord webhook link: myhook = 'https://discord.com/api/webhooks/1050437982584324138/VJByvmB...'

Collect all the scripts matching the template. Extract the “trust” variable. Decode base64. Send to Discord with proof of how it was obtained.

Discord then identifies the Discords matching those webhooks.

catsma21OP1y ago

if it was that simple it would be a solved problem. i encourage you to give it a shot

1 more reply

j / k navigate · click thread line to collapse