Malware – TestBlog

How Docker Is a Dick

You know Docker, that darling of the digerati? The application that is revolutionizing the DevOps world? That god damned motherfucking piece of ill behaved software that is as smug and patronizing as most everyone I’ve ever come in contact with who preaches the Gospel of Docker?

My anger, it is getting ahead of me. Sorry. But, yes, that Docker.

So I’m at work today, rabbiting away like I do and my next task is to install a Docker plug in for Artifactory. This is easy enough in that our Artifactory instance is already there. So I go about setting up a local Docker repository per the instructions on the wiki. Again, this is all monkey work.

There are a few items that aren’t clear to me, however, and I want to test the new repository anyway. To do this I need an installation of Docker. Conveniently enough Docker provides a page of instructions for Windows installations. I go through the steps and determine that my workstation is a suitable candidate for a Docker install. I’m good on the understanding of Docker’s key concepts. After all, I’ve had to sit through several iterations of why Docker is the best thing to ever happen to DevOps. It’s a container. I get that. It contains virtual machines. These are atomic things that can be passed around amongst friends, like a bong.

Finally, about a third of the way down the page we get to the actual installation. Nothing out of the ordinary here.

Visit the Docker Toolbox download page
Download the executable installer
Double-click the installer to launch

Excellent, we’re getting somewhere now.

The first thing one gets is the install dialog window:

The welcome dialog for the Docker installation executable

I select the “Next” button to proceed, per the instructions. The standard destination location dialog box pops:

The standard Windows Installer target location dialog.

This is good. I like to manage all of my workstation installs in D:\ProgramFiles. It gets around the stupid spaces in paths thing that Windows seems to encourage. It also gets around the even stupider special characters like ‘(‘ and ‘)’ that are in the default 32 bit installation path. And it is on the multi-terabyte drive instead of the anemic c:\ that the desktop support folks provide. So, again, this is good. I provide my custom path and continue by pressing ‘Next’.

On to the feature selection dialog:

Docker found my VirtualBox installation. It realized I had Kitematic installed. It didn’t realize I had Git installed though…and I missed that. I should have stopped right there and tried to figure out what Docker’s installer was trying to do and why it wanted to install Git.

But, being in a hurry and trusting that the Docker folks were benign, I clicked “Next”.

And that’s when I saw a dialog say “Uninstalling Git”.

And then I shit a brick.

Because Docker uninstalled Git (from D:\ProgramFiles\Git) and installed it at C:\Program Files\Git. And this isn’t a horrible thing, really. Normally. But my case isn’t normal. Because Git provides an excellent Windows port of the bash shell. I wrap that bash shell with ConEmu. ConEmu allows me to have a single interface to wrap any number of console/terminal applications. So I can run bash and cmd side by side. It’s nice. I promise.

But since Git has moved, ConEmu is gone. Since I’m a dumbass my main .bash_profile was in D:\ProgramFiles\Git. Which is gone. So the bulk of my bash configuration is also gone.

And now for the preachy bit…

I do installers for a living. I’m not the best by any means, but I think I have a general handle on how an installer should behave. An installer should NEVER uninstall any product that it is not directly responsible for. An installer can be chained to install other products. An installer can even do some manipulation of a different installer’s payload in certain, controlled circumstance. It can fail the install. It can toss out a dialog saying it found an installation and that I need to uninstall before re-running the installer. It can maybe, just maybe, even ask if I want to uninstall an application–and then wrap that process for me. But, again, NEVER should a product attempt to uninstall a different product.

That is malware.

And that’s what Docker is to me at this point. Malware. The actual product may just be the next DevOps messiah (we have one of those every few months) but I’ll never know it myself. If its installer executable cannot be arsed to behave itself, why should I think that the app installed–which runs a virtual machine with my workstation as host–won’t completely puke all over vital systems files?

Jesus. I’m still mad.

Is next: Duqu

A great intro to the next big security threat can be found here—ripped from the pages of Mefi as always. The architecture of this is just phenomenal. I wish I was half as good as the folks who put Stux/Duqu together.

Then again, I’d probably be rabitting for the NSA or somesuch and that’s not desirable. Because, like, if this isn’t a state-sponsored effort I’ll eat my hat.

Coding Horror: A Question of Programming Ethics

Brilliant!!

Coding Horror: A Question of Programming Ethics

Storm Enters Age of Empire

After just over a year, Storm has become an intractable part of the Internet environment. Over Valentine’s Day it accounted for up to 5% of all Internet traffic, coming to life after months of relative idleness. Read more in this accessible article:

Storm botnet takes advantage of Valentine’s Day

Son of Storm?

Dark Reading—CMP Technology’s offering for the occasional suit who thinks about security issues—runs down the three biggest bot-nets currently out there. Not a lot of technical analysis going on but interesting in a big picture sort of way. I’m still amazed that Rbot is still alive and kicking to the degree it is.

Public Service Announcement

I was a bit intrigued by a certain referrer in my log file who has been drifting at the bottom for the past week+ but suddenly shot up into the top 5 yesterday. The link ostensibly goes to http://tvsetmp3.com/ but gets redirected to http://ismymovies.com/. The page is constructed to look like it throws a system dialog box—if one were running XP in the default blue theme.

The dialog box asks you to download a codec to view the movie. The image is dressed up like a dialog box even going so far as to enabling you to drag it around. The ultimate clue being you cannot drag it outside the browser window’s boundaries. Clicking the “Cancel” area on the image map throws a Javascript dialog asking you to click “OK” to download the exe file. Clicking “Cancel” here throws another dialog that insists you click “OK” to download the exe file. Clicking “OK” brings you back to the previous “Click OK to download the codec” pop-up.

Clever. I never did go so far as to try to view the embedded Flash Video file underneath. I mean, it’s likely that there has to be a video file to cover the social engineering that just occurred if they did manage to get the fake codec installed on you machine. Still, they steer really hard to get you to the place where you download that putative codec.

Like I said. Clever. The social engineering continues to get better.

New Storm Variant

Storm takes on a new guise aimed at the paranoid set. This stuff is just incredibly genius…
Private Detective Scare is Storm Trojan

The Coming Storm

I’ve been following the ever-increasing Storm Worm phenomena since it’s arrival almost a year ago. I was originally impressed by the relative polish of its social engineering aspects. It has always seemed to me that all manner of phishing, social engineering, and general spam vectors have had some very obvious clues. It’s like the individual crafting the vector was dropping these signs as warnings to their clued-in brethren—as if it were all a practical joke on the n00bs.
Continue reading “The Coming Storm”