Virtuous Malware

May. 8, 2022

On March 7th, 2022, node-ipc developer RIAEvangelist, Brandon Nozaki Miller, pushed a commit containing malicious code which was carefully obfuscated. The commit, signed off as “added ssl check”, added a geolocation check on the end-user’s IP address; if the address matched a Russian or Belarusian IP, the code would erase all files on the infected system.

The project owner and author of the malicious code made repeated attempts at hiding comments which brought up this new, undesired behavior, deleting opened Issues on GitHub as well as repeatedly editing other GitHub users’ comments. The project owner outright denied adding the code on several occasions at first. However, when confronted with evidence from multiple people, they went on to acknowledge that the code did indeed have a geo check, but made repeated claims that it did not have a malicious effect on the targets. The project owner ultimately admitted to the allegations, claiming the deed was done because they couldn’t just stand by, not doing something for the cause.

Some have taken to dubbing these kinds of malicious programs ProtestWare. While this description isn’t wrong per se, it fails to accurately describe acts such as those of the node-ipc creator – it’s malicious in nature and should be recognized as such. Terms such as malware and virus do a far better job at telling the common user what it really is.


No matter what one might think of the Russia-Ukraine conflict, it should be understood that an attack such as this does little to nothing but inconvenience the common person. A creator who engages in this type of behavior should expect to be criticized and face backlash, at the absolute very least. Though, personally, I’m frankly amazed how someone who has evidently created and deliberately obfuscated malicious code, causing substantial damage to a subset of computers, still has their developer accounts intact.

GitHub’s site policy seems to say that the delivery of malicious code is not allowed, but it would seem as if that is not the case – at least not so long as it only targets the “bad side.” I would argue this is an unacceptable stance to take, but I would also argue that no sane user should utilize anything which MicroShaft has any involvement in. That’s simply my personal stance.

While one might argue the distribution of obfuscated malware in source code form is somehow acceptable, it’s far more difficult to excuse the distribution platform NPM’s complete lack of action. Distributing modules which deliberately ship malicious and destructive behavior simply cannot be excused. The fact that the developer’s Node module is still very much present and downloadable on NPM is alarming.


References

Gershon, A. (2022). Protestware, Politics, and Open Source Software. [online] Checkmarx Security. Available at: https://medium.com/checkmarx-security/protestware-politics-and-open-source-software-a29e2b4423fa [Accessed 1 May 2022].

Miller, B.N. (2022a). added ssl check · RIAEvangelist/node-ipc@847047c. [online] GitHub. Available at: https://github.com/RIAEvangelist/node-ipc/commit/847047cf7f81ab08352038b2204f0e7633449580 [Accessed 1 May 2022].

Miller, B.N. (n.d.). https://twitter.com/electriccowboyr. [online] Twitter. Available at: https://twitter.com/electricCowboyR [Accessed 1 May 2022].

Miller, B.N. (2022b). RIAEvangelist - Overview. [online] GitHub. Available at: https://github.com/RIAEvangelist [Accessed 1 May 2022].

npm. (n.d.). node-ipc. [online] Available at: https://www.npmjs.com/package/node-ipc [Accessed 1 May 2022].

Risk Based Security. (2022). Node-ipc and the Rise of ProtestWare. [online] Available at: https://www.riskbasedsecurity.com/2022/03/28/node-ipc-and-the-rise-of-protestware/ [Accessed 1 May 2022].

Sharma, A. (2022). BIG sabotage: Famous npm package deletes files to protest Ukraine war. [online] BleepingComputer. Available at: https://www.bleepingcomputer.com/news/security/big-sabotage-famous-npm-package-deletes-files-to-protest-ukraine-war/ [Accessed 1 May 2022].