Malicious code found inside exploits hosted on GitHub


The way in which malicious code is introduced continues to evolve: old methods are reused while the way victims are deceived is refined.

It seems the Trojan horse idea is still quite useful today, and in such subtle ways that many of us can fall for it without noticing. Recently, researchers from Leiden University (the Netherlands) studied the problem of fake exploit prototypes being published on GitHub.

These are used to attack curious users who want to test and learn how certain vulnerabilities can be exploited with the tools on offer, which makes this kind of situation ideal for slipping malicious code onto users' machines.

The study reports that a total of 47,313 exploit repositories were analyzed, covering known vulnerabilities identified from 2017 to 2021. The analysis showed that 4,893 of them (10.3%) contain code that performs malicious actions.

Because of this, users who decide to use published exploits are advised to examine them first for suspicious inserts and to run exploits only on virtual machines isolated from the main system.

Proof of concept (PoC) exploits for known vulnerabilities are widely shared in the security community. They help security analysts learn from each other and facilitate security assessments and red teaming.

Over the last few years, it has become quite popular to distribute PoCs for example through websites and platforms, and also through public code repositories like GitHub. However, public code repositories do not provide any guarantee that any given PoC comes from a trusted source or even that it simply does exactly what it is supposed to do.

In this paper, we investigate shared PoCs on GitHub for known vulnerabilities discovered in 2017–2021. We discovered that not all PoCs are trustworthy.

The study identifies two main categories of malicious exploits: exploits that contain malicious code, for example to backdoor the system, download a Trojan, or connect the machine to a botnet; and exploits that collect and send sensitive information about the user.

In addition, a separate class of harmless fake exploits was identified: they do not perform malicious actions, but they do not contain the expected functionality either, and are designed, for example, to trick or warn users who run unverified code from the network.

Some proofs of concept are bogus (i.e. they don't actually offer PoC functionality), or even malicious: for example, they try to exfiltrate data from the system they are running on, or try to install malware on that system.

To address this issue, we have proposed an approach to detect whether a PoC is malicious. Our approach is based on detecting the symptoms that we have observed in the collected data set, for example, calls to malicious IP addresses, encrypted code, or included trojanized binaries.

Using this approach, we have discovered 4,893 malicious repositories out of 47,313 repositories that have been downloaded and verified (that is, 10.3% of the repositories studied present malicious code). This figure shows a worrying prevalence of dangerous malicious PoCs among the exploit code distributed on GitHub.

Various checks were used to detect malicious exploits:

  • The exploit code was analyzed for the presence of hard-coded public IP addresses, after which the identified addresses were checked against blacklist databases of hosts used to control botnets and distribute malicious files.
  • Exploits provided in compiled form were checked with antivirus software.
  • The code was checked for atypical hexadecimal dumps or base64-encoded insertions, which were then decoded and studied.
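The following is an added example, not code from the study or its authors, of how the first and third checks above can be applied to a PoC file before anyone runs it: it extracts hard-coded IPv4 addresses and discards the private and loopback ranges a lab PoC legitimately uses, finds long base64 runs and `\xNN` hex dumps, decodes them, and re-scans the decoded data for addresses. The "PoC" it scans is a constructed sample embedded in the block; the regex thresholds (40 base64 characters, 8 escaped or 16 raw hex bytes) and the explicit non-routable list are this example's own assumptions. The blacklist lookup of the extracted addresses is left as the next step, since it needs an external feed.

```python
"""Static triage of a proof-of-concept file for two of the symptoms the study
looked for: hard-coded external IP addresses and base64 / hex insertions.
Added example; the sample "PoC" below is constructed and is not a real exploit."""
import base64
import binascii
import ipaddress
import re

# Material used to build the constructed sample file (hypothetical content).
HIDDEN_STAGE = b"constructed stage two: beacon to 203.0.113.45:4444"
HEX_BLOB = b"constructed opaque binary blob"

SAMPLE_POC = (
    "#!/usr/bin/env python3\n"
    "# CVE-XXXX-XXXX proof of concept (constructed sample, not a real exploit)\n"
    "import socket\n"
    'TARGET = "192.168.1.10"      # lab host: private range, expected in a PoC\n'
    'REPORT_TO = "198.51.100.7"   # unexplained external address\n'
    f'PAYLOAD = "{base64.b64encode(HIDDEN_STAGE).decode()}"\n'
    'SHELLCODE = "' + "".join(f"\\x{b:02x}" for b in HEX_BLOB) + '"\n'
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Base64 runs long enough to hide a payload; shorter runs are mostly identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# \xNN escape sequences (shellcode-style dumps) or long raw hex words.
HEX_ESC_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
HEX_RAW_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}){16,}\b")

# Ranges a legitimate PoC may reasonably reference (lab targets, localhost).
# ipaddress.is_global would also reject documentation ranges such as
# 203.0.113.0/24 and 198.51.100.0/24, which this constructed sample uses in
# place of real public addresses, so the filter is an explicit list instead.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]


def external_ips(text):
    """Return hard-coded IPv4 addresses outside the lab/private ranges, in order, deduplicated."""
    found = []
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group())
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the loose regex but is not an address
        if any(ip in net for net in NON_ROUTABLE):
            continue
        if str(ip) not in found:
            found.append(str(ip))
    return found


def base64_insertions(text):
    """Decode long base64 runs; returns [(blob, decoded_bytes)] for runs that decode cleanly."""
    out = []
    for m in B64_RE.finditer(text):
        blob = m.group()
        if re.fullmatch(r"[0-9a-fA-F]+", blob):
            continue  # pure hex is reported by hex_insertions instead
        try:
            out.append((blob, base64.b64decode(blob, validate=True)))
        except binascii.Error:
            continue  # wrong length or padding: not a clean base64 blob
    return out


def hex_insertions(text):
    """Find \\xNN escape runs or long raw hex words; returns [(blob, decoded_bytes)]."""
    out = []
    for m in HEX_ESC_RE.finditer(text):
        out.append((m.group(), bytes.fromhex(m.group().replace("\\x", ""))))
    for m in HEX_RAW_RE.finditer(text):
        out.append((m.group(), bytes.fromhex(m.group())))
    return out


def triage(text):
    """Run the checks and return a report. Decoded insertions are re-scanned for
    external addresses, because that is where a dropper tends to hide its destination."""
    report = {
        "external_ips": external_ips(text),
        "base64": base64_insertions(text),
        "hex": hex_insertions(text),
    }
    hidden = []
    for _, decoded in report["base64"] + report["hex"]:
        for ip in external_ips(decoded.decode("latin-1")):
            if ip not in hidden and ip not in report["external_ips"]:
                hidden.append(ip)
    report["ips_in_decoded_data"] = hidden
    report["suspicious"] = bool(report["external_ips"] or hidden
                                or report["base64"] or report["hex"])
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_POC)
    print("external IPs:       ", r["external_ips"])
    print("IPs in decoded data:", r["ips_in_decoded_data"])
    for _, data in r["base64"]:
        print("base64 blob decodes to:", data[:60])
    for _, data in r["hex"]:
        print("hex blob decodes to:   ", data[:60])
    print("suspicious:", r["suspicious"])
```

Running it on the constructed sample reports `198.51.100.7` directly and `203.0.113.45` only after the base64 payload is decoded, which is exactly the pattern the study describes: the interesting indicator is often not visible until the insertion is decoded. A PoC whose only addresses are private lab ranges and which carries no long encoded runs comes back as not suspicious; addresses that do surface are what you then check against a blacklist feed.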

Users who like to run such tests on their own are also advised to favour sources such as Exploit-DB, which try to validate the effectiveness and legitimacy of PoCs; public code on platforms such as GitHub, by contrast, goes through no exploit verification process.

Finally, if you are interested in knowing more, you can consult the details of the study in the following document, whose link I share.
