Open traktuner opened 3 months ago
I am currently testing the alpine image with my production backup setup. There are only a few quirks with the initial install. After logging in, the installation succeeds but the installer window does not terminate automatically - a container restart fixes the issue. Will look into that in the future, but for a first alpha it's OK I guess.
~~wine is on version 8.21 with the baseimage-gui 3.19 - a base image for 3.20 is already in the works and then includes wine 9.0. Unfortunately, there are no official compiled packages available for alpine, and building wine from source in alpine is a pain.~~ The newly released alpine baseimage with alpine 3.20 finally includes wine 9.0
Is the upload speed any faster using the Alpine build?
The upload speed issue is related to the Backblaze app itself, not the underlying os. The Alpine image is just another choice for everyone. It's very fast and lightweight.
@JonathanTreffler All good from my side. All images tested, fixed a bug in startapp.sh where the installer UI is frozen. Alpine is a good addition in my opinion - very fast and lightweight.
It appears that after a specific version (the one I had pinned in my fork), they added a check if it's a wine installation (at least that's what it feels like, I need to load it into olly and step through it to verify this). If it is, they throttle the upload very heavily.
So the best way to solve the issue is to install that specific version and make the update folders unwritable so the client can't be forced to update in the background.
@lps-rocks It seems so, yes. The problem is that they disabled the download of the installer exe from archive.org. So legally we have no option to "bundle" an older version with our container. It would be great if we could find out how Backblaze checks if it's a wine installation or not. If it checks for some files which need to be present for wine I guess we're out of luck.
More likely they're checking for drive models / serial numbers. Wine uses a fixed make / model / serial number. There's dozens of ways to fingerprint wine. I've got experience fingerprinting virtual environments from my time doing malware reverse engineering and trying to make undetectable sandboxes, since malware often checks for those to avoid analysis.
I'll see if I can find out what the mechanism is.
There's a number of online "old version" sites that one can find the binary on. I'd just Google the SHA1/SHA2 hash to find a copy for download.
FYI I ran hybrid analysis on 9.0.0.749 (https://www.hybrid-analysis.com/sample/aa001e997c4a51ca44efb0488a8d10295e476c6e099203fda8f9d801bc569fb6/66c1ccc771aebcd42d0806e9) and it reports back that that one also has a Wine check included (wine_get_version). This is an exe I downloaded from one of the "old version" sites I found, so it's possible that's unrelated malware. Where could I find a known true hash of an old installer version?
The hashes for the 9.0.0.749 installer I have here are
install_backblaze (2).exe MD5 108689A85098E9CF2FB73BF32464B9F3
install_backblaze (2).exe SHA-1 91293BF4487C73C1E8B452DF03B2A2DE6F086BF2
install_backblaze (2).exe SHA-256 AA001E997C4A51CA44EFB0488A8D10295E476C6E099203FDA8F9D801BC569FB6
install_backblaze (2).exe SHA-512 ECC4DEB53C31730A0A21B6FA6313CAC128FE8125F071D041B43059D052AEF8D9B9A2F61799389D494ACDF8BFD727F9E2E77282D126FD6093D5C8D2B3B35E85CB
It was downloaded directly from backblaze around December last year. It looks like it's the same as the version you ran hybrid analysis on.
@lps-rocks They definitely have some checks in place:
Environment Awareness

- [Found a Wine emulator related string](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#signature-d435d8f5e317f65ad98587c8926cfb5f)
  - details: "wine_get_version" (Indicator: "wine_get_version")
  - source: File/Memory
  - relevance: 2/10
- [Contains ability to determine disk drive type (API string)](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#signature-4561f7428331873f3fcab5fc05403798)
  - details:
    - Found reference to API "GetDriveTypeW" (Indicator: "GetDriveType"; File: "install_backblaze.exe")
    - Found reference to API "GetDriveTypeA" (Indicator: "GetDriveType"; File: "install_backblaze.exe")
    - Found reference to API "GetDriveTypeW" (Indicator: "GetDriveType"; Source: "00000000-00001324.00000000.120093.0049F000.00000002.mdmp")
  - source: File/Memory
  - relevance: 1/10
  - ATT&CK ID: T1082 ([Show technique in the MITRE ATT&CK™ matrix](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#mitre-matrix-modal))
- [Contains ability to find logical drives of the machine (API string)](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#signature-958b7dcc327e07345551d2d6c079183a)
  - details:
    - Found reference to API "GetLogicalDrives" (Indicator: "GetLogicalDrives"; File: "install_backblaze.exe")
    - Found reference to API "GetLogicalDrives" (Indicator: "GetLogicalDrives"; Source: "00000000-00001324.00000000.120093.0049F000.00000002.mdmp")
  - source: File/Memory
  - relevance: 1/10
  - ATT&CK ID: T1082 ([Show technique in the MITRE ATT&CK™ matrix](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#mitre-matrix-modal))
- [References device drivers used by rootkit malware](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#signature-92d871b0effe029d449341bc0a7e2abc)
  - details: Found string "Z:\DosDevices\C:\??\Volume{815ead30-0000-0000-0000-501f00000000}" (Indicator: "\DosDevices\c:"; Source: "00000000-00001324.00000000.120093.036B0000.00000004.mdmp")
  - source: File/Memory
  - relevance: 1/10
  - ATT&CK ID: T1014 ([Show technique in the MITRE ATT&CK™ matrix](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#mitre-matrix-modal))

(source: hybrid-analysis.com)
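As an added illustration, not code from this thread or from the container project, here is a small offline triage scanner for the indicators the report above lists (the Wine `wine_get_version` export name and the drive-enumeration APIs mapped to T1082), searching both ASCII and UTF-16LE forms, plus a case-insensitive SHA-256 check of the kind used earlier in the thread to compare installer downloads. The sample bytes are constructed for the demo and are not a real installer.

```python
import hashlib
from dataclasses import dataclass

# Indicators quoted from the Hybrid Analysis report in this thread. Wine's
# ntdll exports wine_get_version; GetDriveType/GetLogicalDrives enumerate
# drives (ATT&CK T1082, System Information Discovery).
INDICATORS = {
    "wine_get_version": "Wine-only ntdll export name",
    "GetDriveTypeA": "drive type query (T1082)",
    "GetDriveTypeW": "drive type query (T1082)",
    "GetLogicalDrives": "logical drive enumeration (T1082)",
}


@dataclass(frozen=True)
class Hit:
    indicator: str
    encoding: str  # "ascii" or "utf-16le" (PE binaries store wide strings too)
    offset: int
    note: str


def scan_indicators(data: bytes) -> list[Hit]:
    """Return every occurrence of a known indicator, in either encoding, by offset."""
    hits = []
    for name, note in INDICATORS.items():
        for enc in ("ascii", "utf-16le"):
            needle = name.encode(enc)
            pos = data.find(needle)
            while pos != -1:
                hits.append(Hit(name, enc, pos, note))
                pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare case-insensitively; hash sites print upper- or lower-case digests."""
    return sha256_hex(data) == expected_hex.strip().lower()


# Constructed sample: a fake DOS header, an import-name-style run of
# NUL-terminated ASCII names, and one UTF-16LE string. Not a real file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"GetLogicalDrives\x00GetDriveTypeW\x00wine_get_version\x00"
    + "GetDriveTypeA".encode("utf-16le")
)

if __name__ == "__main__":
    for hit in scan_indicators(SAMPLE):
        print(f"0x{hit.offset:04x} {hit.encoding:<9} {hit.indicator}: {hit.note}")
    print("sha256", sha256_hex(SAMPLE))
```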
Hey, in this PR: