Hello, welcome to the Monday, December 6, 2021 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And today I'm recording from Jacksonville, Florida.

Xavier today has a quick diary about a piece of malware that he found that uses the good old

UPX packer. UPPS is, well, not really

malicious. It's intended to be a quick way to compress binaries that are then able to

self-unpack as the user runs the binary. But of course, that's also quite helpful for

attackers. And over the years,

attackers have made small changes to the original UPX algorithm in order to create

intentionally incompatible implementations that make reverse analysis a tiny little bit more

difficult. I remember, I think it was like 15 years ago or so,

Tom Liston wrote like a little tool for us that he packed with UPX just to basically

arrive at a smaller binary. And back then, actually, some antivirus tools just flagged it

because it used UPX.

Well, Xavier walks you through how to analyze a binary that is packed with UPX.

Of course, often you can just essentially decompress it using one of the freely available UPX command line tools.

And ESAD took a look at tags against air gap networks, at least at hacks that have become

public, so where there is some detail available about how did hack exactly evolved.

Well, probably not a big surprise, but as far as techniques go in order to bridge

the air gap, there isn't much about blinking LED lights or the sound of spinning fans or any of

these very theoretical methods that, of course, always sort of make the news big times when a

researcher demonstrates

...