
feat: alpine image #168

Open · wants to merge 20 commits into base: main

Conversation

@traktuner (Collaborator) commented Jun 11, 2024

Hey,
in this PR:

  • new Dockerfile with alpine 3.20 base - only 180MB in size compared to 850MB for ubuntu (currently as an alpha version)
  • update all baseimages to v4.6.4
  • add ubuntu 24.04 image
  • some adaptations to startapp.sh (change shebang from bash to sh)
  • fixed the "installer UI frozen" bug when installing Backblaze for the first time (@lps-rocks thanks for this!)
  • disable virtual desktop mode by default to fix a vanilla install problem (installer not visible), vd mode is now opt-in
  • remove the "expose port" command from the Dockerfiles, because it is exposed by default in the baseimage
  • update docs

@traktuner (Collaborator, Author) commented Jun 11, 2024

I am currently testing the alpine image with my production backup setup.
There are only a few quirks with the initial install.
After logging in, the installation succeeds but the installer window does not terminate automatically - a container restart fixes the issue.
Will look into that in the future, but for a first alpha it's OK I guess 😅

Wine is on version 8.21 with the baseimage-gui 3.19 - a base image for 3.20 is already in the works and then includes wine 9.0.
Unfortunately, there are no official compiled packages available for alpine, and building wine from source in alpine is a pain.

The newly released alpine baseimage with alpine 3.20 finally includes wine 9.0.

@traktuner traktuner force-pushed the feat-alpine-baseimage branch from 96a2741 to cadd1d0 June 25, 2024 04:24
@traktuner traktuner marked this pull request as ready for review June 27, 2024 06:49
@traktuner traktuner marked this pull request as draft July 5, 2024 10:55
@traktuner traktuner marked this pull request as ready for review July 5, 2024 10:55
@traktuner traktuner requested review from JonathanTreffler and removed request for JonathanTreffler July 5, 2024 17:42
@Dashboy1998

Is the upload speed any faster using the Alpine build?

@traktuner (Collaborator, Author)

> Is the upload speed any faster using the Alpine build?

The upload speed issue is related to the Backblaze app itself, not the underlying OS.
The Alpine image is just another choice for everyone. It's very fast and lightweight.

@traktuner (Collaborator, Author)

@JonathanTreffler
All good from my side. All images tested, fixed a bug in startapp.sh where the installer UI is frozen.
Alpine is a good addition in my opinion - very fast and lightweight.

@lps-rocks

> Is the upload speed any faster using the Alpine build?

> The upload speed issue is related to the Backblaze app itself, not the underlying OS. The Alpine image is just another choice for everyone. It's very fast and lightweight.

It appears after a specific version (the one I had pinned in my fork), they added a check if it's a wine installation (at least that's what it feels like, I need to load it into olly and step through it to verify this); if it is, they throttle the upload very heavily.

So the best way to solve the issue is to install that specific version and make the update folders unwritable so the client can't be forced to update in the background.

@traktuner (Collaborator, Author)

@lps-rocks
It seems so, yes.
The problem is that they disabled the download of the installer exe from archive.org. So legally we have no option to "bundle" an older version with our container.
It would be great if we could find out how Backblaze checks if it's a wine installation or not.
If it checks for some files which need to be present for wine I guess we're out of luck.

@lps-rocks commented Jul 28, 2024

> @lps-rocks It seems so, yes. The problem is that they disabled the download of the installer exe from archive.org. So legally we have no option to "bundle" an older version with our container. It would be great if we could find out how Backblaze checks if it's a wine installation or not. If it checks for some files which need to be present for wine I guess we're out of luck.

More likely they’re checking for drive models / serial numbers. Wine uses a fixed make / model / serial number. There’s dozens of ways to fingerprint wine. I’ve got experience fingerprinting virtual environments from my time doing malware reverse engineering and trying to make undetectable sandboxes since malware often checks for those to avoid analysis.

I’ll see if I can find out what the mechanism is.

There’s a number of online “old version” sites that one can find the binary on. I’d just Google the SHA1/SHA2 hash to find a copy for download.

@skius commented Aug 18, 2024

> There's a number of online "old version" sites that one can find the binary on. I'd just Google the SHA1/SHA2 hash to find a copy for download.

FYI I ran hybrid analysis on 9.0.0.749 (https://www.hybrid-analysis.com/sample/aa001e997c4a51ca44efb0488a8d10295e476c6e099203fda8f9d801bc569fb6/66c1ccc771aebcd42d0806e9) and it reports back that that one also has a Wine check included (wine_get_version). This is an exe I downloaded from one of the "old version" sites I found, so it's possible that's unrelated malware 🤷 Where could I find a known true hash of an old installer version?

@10Thirty

The hashes for the 9.0.0.749 installer I have here are

| File | Algorithm | Digest |
| --- | --- | --- |
| install_backblaze (2).exe | MD5 | 108689A85098E9CF2FB73BF32464B9F3 |
| install_backblaze (2).exe | SHA-1 | 91293BF4487C73C1E8B452DF03B2A2DE6F086BF2 |
| install_backblaze (2).exe | SHA-256 | AA001E997C4A51CA44EFB0488A8D10295E476C6E099203FDA8F9D801BC569FB6 |
| install_backblaze (2).exe | SHA-512 | ECC4DEB53C31730A0A21B6FA6313CAC128FE8125F071D041B43059D052AEF8D9B9A2F61799389D494ACDF8BFD727F9E2E77282D126FD6093D5C8D2B3B35E85CB |

It was downloaded directly from backblaze around December last year. It looks like it's the same as the version you ran hybrid analysis on.
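Before running an installer pulled from one of the "old version" sites, the practical check is to compare it against the digests posted above. This is an added example, not code from the PR or the project: it parses the tab-separated listing as pasted in the thread and hashes the file once for every algorithm in it, reporting per-algorithm matches so a partial listing or a single tampered digest is visible.

```python
import hashlib
import hmac

# The 9.0.0.749 installer hashes as posted in the thread, in the tab-separated
# form they were pasted: filename, algorithm label, hex digest.
POSTED_HASHES = (
    "install_backblaze (2).exe\tMD5\t108689A85098E9CF2FB73BF32464B9F3\n"
    "install_backblaze (2).exe\tSHA-1\t91293BF4487C73C1E8B452DF03B2A2DE6F086BF2\n"
    "install_backblaze (2).exe\tSHA-256\t"
    "AA001E997C4A51CA44EFB0488A8D10295E476C6E099203FDA8F9D801BC569FB6\n"
    "install_backblaze (2).exe\tSHA-512\t"
    "ECC4DEB53C31730A0A21B6FA6313CAC128FE8125F071D041B43059D052AEF8D9"
    "B9A2F61799389D494ACDF8BFD727F9E2E77282D126FD6093D5C8D2B3B35E85CB\n"
)

# Labels used in the listing mapped onto hashlib constructor names.
ALGO_NAMES = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def parse_hash_listing(text):
    """Parse 'filename<TAB>LABEL<TAB>HEX' lines into {hashlib_name: lowercase_hex}."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3:
            continue  # blank or malformed line
        _filename, label, digest = parts
        if label not in ALGO_NAMES:
            raise ValueError(f"unknown hash algorithm label: {label!r}")
        expected[ALGO_NAMES[label]] = digest.strip().lower()
    if not expected:
        raise ValueError("no hashes found in listing")
    return expected


def verify_file(path, expected, chunk_size=1 << 20):
    """Read the file once, feeding every expected algorithm; return {algo: matched}."""
    hashers = {name: hashlib.new(name) for name in expected}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    # compare_digest is the idiomatic constant-time comparison for digests.
    return {name: hmac.compare_digest(h.hexdigest(), expected[name])
            for name, h in hashers.items()}


def all_match(results):
    """Only treat the binary as the known one when every listed digest matched."""
    return bool(results) and all(results.values())
```

Intended use is `all_match(verify_file("install_backblaze.exe", parse_hash_listing(POSTED_HASHES)))` before the file is ever executed; any single False should be treated as "not the known binary".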

@traktuner (Collaborator, Author)

@lps-rocks
They definitely have some checks in place:

Environment Awareness

- [Found a Wine emulator related string](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#signature-d435d8f5e317f65ad98587c8926cfb5f)
  - details: "wine_get_version" (Indicator: "wine_get_version")
  - source: File/Memory
  - relevance: 2/10
- [Contains ability to determine disk drive type (API string)](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#signature-4561f7428331873f3fcab5fc05403798)
  - details:
    - Found reference to API "GetDriveTypeW" (Indicator: "GetDriveType"; File: "install_backblaze.exe")
    - Found reference to API "GetDriveTypeA" (Indicator: "GetDriveType"; File: "install_backblaze.exe")
    - Found reference to API "GetDriveTypeW" (Indicator: "GetDriveType"; Source: "00000000-00001324.00000000.120093.0049F000.00000002.mdmp")
  - source: File/Memory
  - relevance: 1/10
  - ATT&CK ID: T1082 ([Show technique in the MITRE ATT&CK™ matrix](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#mitre-matrix-modal))
- [Contains ability to find logical drives of the machine (API string)](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#signature-958b7dcc327e07345551d2d6c079183a)
  - details:
    - Found reference to API "GetLogicalDrives" (Indicator: "GetLogicalDrives"; File: "install_backblaze.exe")
    - Found reference to API "GetLogicalDrives" (Indicator: "GetLogicalDrives"; Source: "00000000-00001324.00000000.120093.0049F000.00000002.mdmp")
  - source: File/Memory
  - relevance: 1/10
  - ATT&CK ID: T1082 ([Show technique in the MITRE ATT&CK™ matrix](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#mitre-matrix-modal))
- [References device drivers used by rootkit malware](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#signature-92d871b0effe029d449341bc0a7e2abc)
  - details: Found string "Z:\DosDevices\C:\??\Volume{815ead30-0000-0000-0000-501f00000000}" (Indicator: "\DosDevices\c:"; Source: "00000000-00001324.00000000.120093.036B0000.00000004.mdmp")
  - source: File/Memory
  - relevance: 1/10
  - ATT&CK ID: T1014 ([Show technique in the MITRE ATT&CK™ matrix](https://hybrid-analysis.com/sample/3ccc37fecdbd0eda98afd89f32bc7abf58083a9af22c5c5f289a0306c0ff8036/66cc351b59adf5d6b90f9f4c#mitre-matrix-modal))

(source: hybrid-analysis.com)
