Hello, welcome to the Monday, February 17th, 2020 edition of the Santernat, StormCast.

My name is Johannes Ulrich.

I'm recording from Jacksonville, Florida.

One reason why I like the Unix-ish operating systems is that, well, you sort of get out of the box a bunch of real useful

command line utilities with the system. And, well, some of them are, of course, the popular

web browsers, W. Get and Curl. Now, a normal user would probably never really use

command line browser like WGet or curl

or even links as an example, but for a person like myself that likes to write little scripts

and such, really useful and of course also useful for malicious code to download additional components.

Now on Windows you typically don't have these browsers installed by default, but it's pretty easy to install them after the fact,

and there are pre-compiled binaries for Windows that in particular power users often find quite

useful, but so does malicious code. So we've got a quick diary here by Xavier. Xavi looked

a little bit at, well, can he find malware that sort of takes advantage of these more

Unix-ish kind of command line browsers like

Curl and W. Getney found a good number of them. Remember, on Windows you actually don't need

to install these command line browsers. There's, for example, Bits admin and a number of other

tools that can easily be used to download files via HTTP.

But, well, I guess a little bit laziness, a little bit probably also that the attacker

is just familiar with these Unix tools, that they will install them for you.

Pretty easy to spot these command line browsers based on the user agent. Yes, the attacker can change the user agent often easily, but if you do some additional

browser fingerprinting or such, it shouldn't be too hard to figure out that a user on your network

just download a file using one of these command line browsers and maybe a good reason to double check what's going on.

...