Hello, welcome to the Tuesday, August 28, 2018 edition of the Sandsenet Storms, Stormcast. My name is

Johannes Ulrich, and the I'm recording from Sundvolden, Norway. It can be quite difficult to

identify when a particular system was infected, in, if you're dealing with more sophisticated malware.

DDA, however, recently looked at an interesting example of H-Warm.

Now, this malware is certainly not sophisticated, so it doesn't really try to hide the date of infection very well.

In this particular case, it even adds a registry key with the date of infection and then

communicates that date back to the attacker.

Of course, before trusting any registry key like this, you have to make sure that the malware

is not putting a fake date in here.

No, in this case, you could verify this by reverse engineering the malware, figuring out

what it actually does with this registry key. You always tell our users and hopefully

practice ourselves not to open random files that we receive.

However, in many file browsers, you will see a preview, a thumbnail image of various file types

displayed without really having to click on anything.

And of course, this thumbnail is usually rendered using actual

vulnerable software like various PDF browsers or for HTML web browsers. So to protect users,

the popular Unix desktop environment, Knoam, came up with bubble wrap, which is essentially a sandbox

that's being used to render any thumbnails. Great feature, but if you're using the latest

version of Ubuntu or SendOS, it's actually turned off. According to the Ubuntu security

lead, one reason they turned it off was that they just didn't have the time

to audit the code. And they're afraid to actually introducing more vulnerabilities by allowing

an unproven security feature like Bubblewrap to be included in their distribution.

...