Dave Zych

And if that someone happened to have admin privileges.

A cybersecurity archivist named Mira stumbled upon it while cataloging old Windows 9x-era tools. She ran it in a sandbox—a fully isolated virtual machine running Windows 98 SE. The executable icon was a generic MS-DOS box. Double-clicking did nothing for five seconds. Then a command prompt flickered open.

On its third run, the executable changed size. From 36,864 bytes to 36,872. Eight extra bytes. Mira hex-dumped the difference: a single IP address and a timestamp. The IP belonged to her host machine’s network adapter , even though the VM was supposedly NAT-isolated.

No one remembered who first uploaded it. The timestamp read 2003, but the file’s metadata had been wiped clean. What remained was a single text file and an executable so small it could fit on a floppy disk’s boot sector.

She never figured out how Woron Scan bridged the air gap. But she kept the file, encrypted on a USB drive labeled “DO NOT MOUNT.” Occasionally, late at night, she wondered if version 1.09 build 36 was still waiting—patiently—for someone to run it just one more time.

Woron Scan 1.09 36 – Free Access

And if that someone happened to have admin privileges.

A cybersecurity archivist named Mira stumbled upon it while cataloging old Windows 9x-era tools. She ran it in a sandbox—a fully isolated virtual machine running Windows 98 SE. The executable icon was a generic MS-DOS box. Double-clicking did nothing for five seconds. Then a command prompt flickered open. Woron Scan 1.09 36

On its third run, the executable changed size. From 36,864 bytes to 36,872. Eight extra bytes. Mira hex-dumped the difference: a single IP address and a timestamp. The IP belonged to her host machine’s network adapter , even though the VM was supposedly NAT-isolated. And if that someone happened to have admin privileges

No one remembered who first uploaded it. The timestamp read 2003, but the file’s metadata had been wiped clean. What remained was a single text file and an executable so small it could fit on a floppy disk’s boot sector. The executable icon was a generic MS-DOS box

She never figured out how Woron Scan bridged the air gap. But she kept the file, encrypted on a USB drive labeled “DO NOT MOUNT.” Occasionally, late at night, she wondered if version 1.09 build 36 was still waiting—patiently—for someone to run it just one more time.

Science is always better if you work together

If you read my previous post, Introducing Shience: What it is and how to use it [https://davidzych.com/introducing-shience-what-it-is-and-how-to-use-it/], you'll know that I was working on a C# port of Github's Scientist [https://github.com/github/scientist] library. It turns out Phil Haack [http://haacked.com/] of Github/Microsoft/

Introducing Shience: What it is and how to use it

Shience is a .NET library for carefully refactoring critical paths. It is built on .NET Core, currently targets .NET 4.5.1 and DNX Core 5.0, and is available on Github [https://github.com/davezych/shience] and Nuget [https://www.nuget.org/packages/shience/]. Keep in mind that it's