New C# Ransomware Compiles Itself at Runtime (bleepingcomputer.com)
From a report: A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executable compiles an embedded encrypted C# program at runtime and launches it directly into memory.
>> does it work with Mono
OK, I'll bite. It might work. The implementation uses the "CSharpCodeProvider class" which is included in the handy-dandy ".NET Framework ICodeCompiler compiler execution interface" installed on most Windows boxes. However, Mono also implements ICodeCompiler (http://docs.go-mono.com/index.aspx?link=T%3ASystem.CodeDom.Compiler.ICodeCompiler). The question would be, "why bother" since you'd have to write multi-OS ransomware (covering Mac/Windows/some Linux OS's) anyway to take full advantage of Mono.
I ran into this "anyone can compile C# programs" ability myself a while back when one of my new dev VDIs was locked down to the point that no one could install Visual Studio. So...I just pulled down a portable text editor and then compiled the C# code I wanted through the local .NET Framework tools: the result was instant custom C# programs without having anything more than normal end user "no install" permissions. (You could easily do something similar with gcc or whatnot on Linux too; if the goal is to lock up the current user's files, then anything running as yourself ought to do it.)
Regards,
Seems like it would be easier and just as effective to use an encrypted binary instead. Then the procedure would be:
I would certainly not trust a piece of downloaded code that included code to do either, so I'm not sure the first one has any additional advantages as malware.
The main problem with trying to detect if a program is compiling code dynamically is there are legitimate reasons to do it.
I made an app once with the goal of allowing me to map Wii Remote functionality to PC controls. To make it dynamic, I wanted a scripting engine. Since .NET can compile code at runtime, and I was making my app in .NET, it made sense to make the scripting in .NET as well. Worked pretty well!
I could see a game engine using this capability or one like it to power its own scripting language. It really helps when the programmers making game scripts don't have to compile the logic into the full game engine every time they change something. Currently .NET is slower than native so this isn't really done. Unity uses .NET, but not sure if the implementation they use with Mono has this capability or not.
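On the detection point raised in the thread (runtime compilation has legitimate uses), here is an added example, not code from the thread or the report, of triaging process-creation events with an allow-list of expected parents. It assumes the .NET Framework CSharpCodeProvider behaviour of running csc.exe as a child process with a `.cmdline` response file in the temp directory, and Sysmon-style field names; the events, the allow-list and the name `wiimapper.exe` are constructed or hypothetical.

```python
import ntpath
import re

# CodeDOM on .NET Framework runs csc.exe with a response file: @"<temp>\<random>.cmdline"
RESPONSE_FILE = re.compile(r'@"?([^"]+\.cmdline)"?', re.IGNORECASE)

# Assumption: parents expected to compile at runtime in this environment.
ALLOWED_PARENTS = {"msbuild.exe", "devenv.exe", "wiimapper.exe"}  # last one is hypothetical


def is_codedom_compile(event):
    """True if the event looks like csc.exe driven by a temp-dir response file."""
    if ntpath.basename(event["Image"]).lower() != "csc.exe":
        return False
    match = RESPONSE_FILE.search(event["CommandLine"])
    return bool(match) and "\\temp\\" in match.group(1).lower()


def flag_runtime_compiles(events, allowed_parents=ALLOWED_PARENTS):
    """Return events where an unexpected parent triggered a runtime C# compile."""
    flagged = []
    for event in events:
        parent = ntpath.basename(event["ParentImage"]).lower()
        if is_codedom_compile(event) and parent not in allowed_parents:
            flagged.append(event)
    return flagged


# Constructed sample events (not taken from the report).
CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
SAMPLE_EVENTS = [
    {"Image": CSC, "ParentImage": r"C:\Users\alice\Downloads\invoice_viewer.exe",
     "CommandLine": CSC + r' /noconfig /fullpaths @"C:\Users\alice\AppData\Local\Temp\k3x1abcd.cmdline"'},
    {"Image": CSC, "ParentImage": r"C:\Program Files\WiiMapper\WiiMapper.exe",
     "CommandLine": CSC + r' /noconfig /fullpaths @"C:\Users\bob\AppData\Local\Temp\q9z2efgh.cmdline"'},
    {"Image": CSC, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": CSC + r" /out:tool.exe C:\src\tool.cs"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\src\tool.cs"},
]

if __name__ == "__main__":
    for hit in flag_runtime_compiles(SAMPLE_EVENTS):
        print("unexpected runtime compile from", hit["ParentImage"])
```

The allow-list is what keeps legitimate scripting hosts out of the results; a manual csc.exe invocation from a shell is deliberately not matched because it does not use the temp-directory response file.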