Combofix -- "Security" Through Obscurity


8 replies to this topic

#1 foss_combofix

Posted 08 July 2015 - 12:30 PM

I don't really understand the need for maintaining some kind of elitism regarding the security or opacity of Combofix. It's not secure from reversing at all (took me 1.5 minutes to "reverse", if you can even call it that, after a quick glance at a PEiD scan) and it's not particularly well written. As I understand, the reason that Combofix is "closed source" (again, if it can even be called that) is that it prevents malware authors from tailoring malware to bypass it, but this is something of a red herring, as there are several very clear markers (NOT the filename) which can exclude Combofix from execution by hooking or injecting into certain userland (Win32 API) functions. Because any self-respecting piece of malware with administrative access can prevent the execution of Combofix trivially, it seems that the community at large would be benefited by an officially open-source Combofix (if sUBs isn't too embarrassed about the code comprising it! To quote: "Rich text formats (RTF) are unacceptable !!~n~nPlease save CFScript commands as a textfile, using Notepad.exe" "ERROR - Script format is incorrect").


Yes, I know it's "dangerous" for people who don't know what they're doing. Yes, I know users are generally morons. But I think that everyone would be better off if the damn thing was just made open source and actually given decent public documentation, eliminating much of the ignorance that makes it "dangerous" in the first place.
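Added example, not part of the original thread and not code from Combofix or from its developer: the post above leans on two things a reverser does before reading a single instruction, namely running a PEiD-style signature scan and spotting markers that identify a binary independently of its filename. The script below shows what such a scan actually does. It walks the MZ/PE headers, translates AddressOfEntryPoint from an RVA to a file offset through the section table, then compares the bytes at that offset against wildcarded signatures, with non-entry-point signatures scanned across the whole file. The signature database follows PEiD's userdb.txt layout, but its three entries are illustrative assumptions written for this example, not real PEiD entries, and the PE image it scans is a constructed in-memory fixture rather than a real executable.

```python
"""PEiD-style entry-point signature matching, written for this thread as an
illustration.  Not code from Combofix or from any real signature database."""
import re
import struct

# Constructed signature list in the layout of a PEiD userdb.txt.  The byte
# patterns are illustrative assumptions for this demo, not real PEiD entries.
USERDB = """
[UPX-like packer stub (illustrative)]
signature = 60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF
ep_only = true

[MSVC-like CRT entry (illustrative)]
signature = E8 ?? ?? ?? ?? E9 ?? ?? ?? ??
ep_only = true

[Embedded "CFScript" string (illustrative, scanned anywhere)]
signature = 43 46 53 63 72 69 70 74
ep_only = false
"""


def parse_userdb(text):
    """Return [(name, pattern, ep_only)]; pattern uses None for '??' wildcards."""
    sigs = []
    for block in re.split(r"\n(?=\[)", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        name = lines[0].strip("[]")
        fields = {k.strip().lower(): v.strip()
                  for k, v in (ln.split("=", 1) for ln in lines[1:])}
        pattern = [None if tok == "??" else int(tok, 16)
                   for tok in fields["signature"].split()]
        sigs.append((name, pattern, fields.get("ep_only", "false").lower() == "true"))
    return sigs


def entry_point_offset(pe):
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    for i in range(n_sections):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, opt + opt_size + 40 * i)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            delta = entry_rva - vaddr
            if delta >= rawsize:   # entry lies in virtual-only (zero-filled) space
                raise ValueError("entry point has no backing bytes in the file")
            return rawptr + delta
    raise ValueError("entry point is outside every section")


def _match_at(data, off, pattern):
    if off < 0 or off + len(pattern) > len(data):
        return False
    return all(b is None or data[off + i] == b for i, b in enumerate(pattern))


def fingerprint(pe, db_text=USERDB):
    """Names of signatures that hit: ep_only ones at the entry point, others anywhere."""
    ep = entry_point_offset(pe)
    hits = []
    for name, pattern, ep_only in parse_userdb(db_text):
        if ep_only:
            ok = _match_at(pe, ep, pattern)
        else:
            ok = any(_match_at(pe, o, pattern) for o in range(len(pe) - len(pattern) + 1))
        if ok:
            hits.append(name)
    return hits


def build_sample_pe(entry_code, payload=b""):
    """Constructed minimal PE32 image: one .text section, entry 16 bytes into it.
    It is a parsing fixture for this example, not a runnable executable."""
    file_align, sect_rva, entry_off = 0x200, 0x1000, 0x10
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, file_align, 0, 0,
                      sect_rva + entry_off, sect_rva, sect_rva + file_align)
    opt += struct.pack("<III", 0x400000, 0x1000, file_align)    # ImageBase, alignments
    opt = opt.ljust(224, b"\0")                                    # rest + 16 data dirs
    section = struct.pack("<8sIIIIIIHHI", b".text", file_align, sect_rva,
                          file_align, file_align, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(file_align, b"\0")
    body = (b"\xCC" * entry_off + entry_code + payload).ljust(file_align, b"\0")
    return headers + body


UPX_LIKE_ENTRY = bytes.fromhex("60BE001040008DBE00F0FFFF5783CDFF")  # pushad; mov esi; lea edi
MSVC_LIKE_ENTRY = bytes.fromhex("E800000000E900000000")            # call ..; jmp ..

if __name__ == "__main__":
    print(fingerprint(build_sample_pe(UPX_LIKE_ENTRY, b"CFScript")))
    print(fingerprint(build_sample_pe(MSVC_LIKE_ENTRY)))
```

The RVA-to-offset step is where a quick scanner is most often wrong: a section's VirtualSize can exceed its SizeOfRawData, so an entry point that falls in the zero-filled tail has no bytes in the file, and the code refuses that case instead of reading whatever happens to sit at the computed offset.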

#2 Elise


Posted 08 July 2015 - 12:52 PM

Hello,

While I understand your annoyance, it really boils down to one thing: Combofix's developer offers his tool for free to help out in online malware removal and it is his wish that information about the inner workings of his tool be kept private. It is his right to request this and at BC we respect this request. That is really all there is to it.


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 foss_combofix

Posted 08 July 2015 - 01:17 PM

@Elise: I understand what you're saying. The inner workings aren't private though, not even slightly. Everything is "there"; the source is "open" and easily accessible -- it's just a matter of licensing and documentation.

#4 Elise


Posted 08 July 2015 - 01:55 PM

Yes, but that is the responsibility of the developer. Think of it like this: the fact that your neighbor always leaves their door unlocked doesn't mean they are inviting you to enter their house and rummage through their belongings. :)


regards, Elise




#5 foss_combofix

Posted 08 July 2015 - 02:10 PM

I'm not being invited to rob the place, but some unscrupulous burglar will anyway. Keeping out burglars is the purpose of the door, and whether you use a crappy screen door or a commercial grade bulletproof steel door, you wouldn't leave the door open if you're conscientious about your security. In the case of Combofix, there might as well not be one, and yet security is used as a pretense to limit publicly stated information about the workings of Combofix. To me, that sounds like an implicit admission that the emperor has no clothes.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,929 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:04:11 PM

Posted 08 July 2015 - 02:13 PM

Again, that is a point of debate; still, debating it will change nothing, because in the end this is the developer's choice. Everyone is free to use the tool or stay away from it. The developer has opted to keep detailed information on usage private and that really is all there is to it. :)


regards, Elise




#7 tsgtsc84


Posted 10 July 2015 - 11:07 AM

I never see the point in such an argument or debate. I'm a neurologist and use medication for my patients; there are drugs out there, e.g. Pramipexole P/R, that are currently under patent protection. I know how they work (same goes for Bleeping Computer with Combofix), but I do not divulge such information. While yes, it's true you can access the material online, Boehringer won't say. Why should someone who gives a lot of their time writing software (for free) to help people with serious malware issues not have the right to privacy and to stipulate who can have access?




#8 xulaokeri


Posted 11 July 2015 - 08:22 PM

Everything is "there"; the source is "open" and easily accessible -- it's just a matter of licensing and documentation.




#9 quietman7


Posted 11 July 2015 - 09:14 PM

Again, as noted by Elise above.

...Combofix's developer...it is his wish that information about the inner workings of his tool be kept private. It is his right to request this and at BC we respect this request. That is really all there is to it.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators



