burrowers / garble

Obfuscate Go builds
BSD 3-Clause "New" or "Revised" License

Usage in malware #779

Closed stevemk14ebr closed 1 year ago

stevemk14ebr commented 1 year ago

Garble is used extensively by malware; this makes me sad 😢

Actors include (non-exhaustive):

lu4p commented 1 year ago

We can't do much about who uses our software and for which purpose.

If you have experience with reversing garbled binaries, we would like to hear: are we making your job harder, and by how much?

Anything we can improve?

Join our Slack channel, it's fun.

stevemk14ebr commented 1 year ago

Yeah, garble-obfuscated binaries are more difficult to reverse than non-obfuscated ones, unfortunately. I was just pointing out that the software is being misused (extensively); you all can decide how that impacts your future decisions on implementing additional and more robust techniques for obfuscation in the future.

In an ideal world, threat actors would need to develop tooling like this themselves.

I'm honestly not sure if joining the Slack would be too constructive, given I sort of believe this should at minimum have future development frozen for the good of all. (I will admit, though, it is technically neat.)

mvdan commented 1 year ago

Out of curiosity, do you have any evidence for your claims?

In general I tend to disagree with the position that a piece of open source software should not exist because some bad people use it. I've seen the same for projects like Tor, end-to-end encrypted messaging apps, or simply encryption or security libraries.

What you say about bad actors might be true, but due to the nature of open source, there's not much we can reasonably do about it. I have seen software licenses that try to enforce "must not be used by X or for Y", but of course a bad actor would just ignore that.

Abandoning the project doesn't seem like a smart choice either. There are plenty of legitimate use cases here, like a company wanting to run proprietary Go code on user devices without leaking a lot of their code in the process. I personally think a tool like this is needed for Go to be successful in more areas of software development, like others such as tinygo.

stevemk14ebr commented 1 year ago

Q: do you have any evidence for your claims?

Malware RE is my profession. I have no evidence I'm willing to share.

You're free to hold your own opinions. I did not mean to offend, simply to inform you of the misuse. I agree it is not feasible to limit usage of open source; the only way to avoid misuse is to prevent publication at all.

mvdan commented 1 year ago

No offense taken :)

lu4p commented 1 year ago

As a side note, I don't think garble being used in malware is necessarily a bad thing. If someone like you has a hard time reverse engineering a binary, it likely teaches you something about how to approach it when someone actually tries to make behavior non-obvious, making you better at your job. Is it actually reverse engineering if you can get nearly the complete source code back from a binary?

Also, having good, realistic open source tools available for the security/pentesting community likely makes the world a safer place, even if it's just an example of what's possible.

Sophisticated threat actors have unlimited resources anyway and have better tools against reverse engineering available to them already.

If some unsophisticated threat actor who is using garble is able to install malware on your system or one of your customers, then what happens if someone who has actual resources tries to do the same?
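lu4p's question above, whether it is even reverse engineering when nearly the whole source structure falls out of a stock Go binary, has a concrete answer. The program below is an added example (it is not code from this thread, nor part of garble) that shows what an unobfuscated Go build hands an analyst: it opens its own executable, parses the pclntab with the standard library's debug/gosym, and lists every function name, import path and source file path the compiler left behind. Those names and paths are exactly what garble's identifier hashing and filename stripping are aimed at. Assumptions: a Linux/ELF binary produced by a stock Go toolchain (a `-trimpath` build only shortens the recorded paths; `-ldflags="-s -w"` does not remove the pclntab, because the runtime needs it); the section names `.gopclntab` and `.data.rel.ro.gopclntab` are the ones Go's linker uses for plain and PIE builds respectively.

```go
package main

import (
	"debug/elf"
	"debug/gosym"
	"fmt"
	"os"
	"sort"
	"strings"
)

// GoSymbols is what a stock Go build exposes through its pclntab, the table the
// runtime needs for stack traces and GC, so it survives -ldflags="-s -w".
type GoSymbols struct {
	Funcs    []string       // e.g. "runtime.main", "main.(*beacon).checkIn"
	Files    []string       // source paths as the compiler recorded them (absolute unless -trimpath)
	Packages map[string]int // functions per import path: effectively the sample's dependency list
}

// loadPclntab returns the pclntab, the (nowadays empty) gosymtab and the link-time
// start of .text from an ELF file. Plain executables carry .gopclntab; PIE/relro
// builds name it .data.rel.ro.gopclntab (assumption: current Go linker naming).
func loadPclntab(path string) (pclntab, symtab []byte, textStart uint64, err error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, nil, 0, err
	}
	defer f.Close()
	text := f.Section(".text")
	if text == nil {
		return nil, nil, 0, fmt.Errorf("%s: no .text section", path)
	}
	for _, name := range []string{".gopclntab", ".data.rel.ro.gopclntab"} {
		if s := f.Section(name); s != nil {
			pclntab, err = s.Data()
			break
		}
	}
	if err != nil || pclntab == nil {
		return nil, nil, 0, fmt.Errorf("%s: no readable Go pclntab (not a Go binary?)", path)
	}
	if s := f.Section(".gosymtab"); s != nil {
		symtab, _ = s.Data() // empty in modern Go; the function table lives in the pclntab
	}
	return pclntab, symtab, text.Addr, nil
}

// PackageOf recovers the import path from a symbol name. The path may contain
// dots but never after its last slash, so the first dot past that slash ends it:
// "github.com/acme/agent/c2.(*Session).beacon" -> "github.com/acme/agent/c2".
func PackageOf(funcName string) string {
	start := strings.LastIndex(funcName, "/") + 1
	if dot := strings.Index(funcName[start:], "."); dot >= 0 {
		return funcName[:start+dot]
	}
	return funcName
}

// ExtractSymbols parses the runtime's function table and reports every function,
// the distinct source files their entry points map to, and a per-package count.
func ExtractSymbols(path string) (*GoSymbols, error) {
	pclntab, symtab, textStart, err := loadPclntab(path)
	if err != nil {
		return nil, err
	}
	table, err := gosym.NewTable(symtab, gosym.NewLineTable(pclntab, textStart))
	if err != nil {
		return nil, err
	}
	out, seen := &GoSymbols{Packages: map[string]int{}}, map[string]bool{}
	for _, fn := range table.Funcs {
		out.Funcs = append(out.Funcs, fn.Name)
		out.Packages[PackageOf(fn.Name)]++
		// PCToLine returns "" for entries it cannot map (e.g. assembly stubs).
		if file, _, _ := table.PCToLine(fn.Entry); file != "" && !seen[file] {
			seen[file] = true
			out.Files = append(out.Files, file)
		}
	}
	sort.Strings(out.Files)
	return out, nil
}

func main() {
	path, _ := os.Executable() // default target: this binary, itself a stock Go build
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	syms, err := ExtractSymbols(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	pkgs := make([]string, 0, len(syms.Packages))
	for p := range syms.Packages {
		pkgs = append(pkgs, p)
	}
	sort.Strings(pkgs)
	fmt.Printf("%d functions across %d packages and %d source files\n", len(syms.Funcs), len(pkgs), len(syms.Files))
	for _, p := range pkgs {
		fmt.Printf("%6d  %s\n", syms.Packages[p], p)
	}
}
```

Run it with no arguments to inspect itself, or pass any Go ELF binary as the first argument. Against a plain build the package list reads like a go.mod and the file list gives away the developer's directory layout; against a garbled build the same parser still finds a pclntab, but the names come back as short hashes and the paths are gone, which is the difference the thread is arguing about.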

mvdan commented 1 year ago

I'm not going to go as far as to say "bad actors could build something like garble themselves" because many years worth of effort went into it, and some aspects relating to integration with the Go toolchain require expertise. On the other hand, we don't sell this tool and we're fully transparent, meaning that if a bad actor is using this tool, anyone should be able to see what they used - even if that doesn't help much in reverse engineering.

If we ever sell any services like support or customized plugins, which we don't right now, I imagine we should be able to be more picky about who we do business with. For example, whether the user is a public business with a legitimate use case.

pagran commented 1 year ago

This discussion led me to a question: how do protectors (Themida, VMProtect, Enigma, etc.) get along with antivirus software?

klauspost commented 1 year ago

@stevemk14ebr To counter your point, I only use garble because the standard Go compiler output continues to be picked up by badly written malware detection software.

By your argument Go should be discontinued because it is "used extensively by malware".

stevemk14ebr commented 1 year ago

That's a straw man, and a separate thing entirely. Garble intentionally obfuscates logic.