Slashdot Mirror


New C# Ransomware Compiles Itself at Runtime (bleepingcomputer.com)

From a report: A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executable compiles an embedded encrypted C# program at runtime and launches it directly into memory.

22 of 122 comments

  1. Modify it to delete Windows and install Linux by jfdavis668 · · Score: 1, Flamebait

    Solve the problem at one stroke.

    1. Re: Modify it to delete Windows and install Linux by Anonymous Coward · · Score: 1

      Yes, making the computer unusable was its purpose, so what you proposed will work too.

    2. Re: Modify it to delete Windows and install Linux by jpaine619 · · Score: 1

      You Windows fanboys are hilarious...

    3. Re:Modify it to delete Windows and install Linux by Anonymous Coward · · Score: 1

      >But there isn't any ransomware on Linux even though it's perfectly possible to exist.

      https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures

    4. Re:Modify it to delete Windows and install Linux by mark-t · · Score: 1

      One would have thought it was obvious.... don't run a webserver as root.

    5. Re: Modify it to delete Windows and install Linux by TeknoHog · · Score: 1

      I'm a £inuk$ fanboi, spelled thusly because of all the money it saves and lets me make.

      --
      Escher was the first MC and Giger invented the HR department.
    6. Re:Modify it to delete Windows and install Linux by goose-incarnated · · Score: 1

      There is nothing about Linux that prevents ransomware targeted for that platform from functioning correctly. Hell, it wouldn't even need to provide its own crypto, it could just use the in-kernel dm-crypt stuff.

      Malware can do the same on Windows - why would Windows malware need to provide its own crypto? Why can't it use the Windows cryptographic services?

      Listen, if you don't know what the Windows API provides, then perhaps you're too ignorant to contribute to a discussion on which OS is better. You have reasons for your arguments, but because you don't know shit your reasons are probably stupid too.

      IOW, STFU and let the adults talk.

      --
      I'm a minority race. Save your vitriol for white people.
    7. Re:Modify it to delete Windows and install Linux by HiThere · · Score: 1

      Well, my first thought was "I don't have C# installed, so I'm safe", but a very small bit of contemplation said "If it will work with C#, why not with Java?". It would be a real pain to need to use the internet from a separate partition than from my compilers.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    8. Re:Modify it to delete Windows and install Linux by HiThere · · Score: 1

      Well, as this requires the MSWind libraries, this exploit wouldn't touch me. But that doesn't mean something analogous isn't possible. I've got Python and Ruby installed, and both of those have eval methods. And the commands to execute the compilation on both of them have execute from command line options. I may need to be even pickier about which sites I allow to execute JavaScript.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    9. Re:Modify it to delete Windows and install Linux by sproketboy · · Score: 1

      I NEED MOD POINTS NOW!!

  2. Re:Cross-platform? by cstacy · · Score: 4, Funny

    So does it work with Mono, too?

    Of course. Mono is a virus.

  3. Re:Cross-platform? by xxxJonBoyxxx · · Score: 5, Interesting

    >> does it work with Mono

    OK, I'll bite. It might work. The implementation uses the "CSharpCodeProvider class" which is included in the handy-dandy ".NET Framework ICodeCompiler compiler execution interface" installed on most Windows boxes. However, Mono also implements ICodeCompiler (http://docs.go-mono.com/index.aspx?link=T%3ASystem.CodeDom.Compiler.ICodeCompiler). The question would be, "why bother" since you'd have to write multi-OS ransomware (covering Mac/Windows/some Linux OS's) anyway to take full advantage of Mono.

    I ran into this "anyone can compile C# programs" ability myself a while back when one of my new dev VDIs was locked down to the point that no one could install Visual Studio. So...I just pulled down a portable text editor and then compiled the C# code I wanted through the local .NET Framework tools: the result was instant custom C# programs without having anything more than normal end user "no install" permissions. (You could easily do something similar with gcc or whatnot on Linux too; if the goal is to lock up the current user's files, then anything running as yourself ought to do it.)

    Regards,

  4. Really? by cstacy · · Score: 1

    I don't quite understand how this was "discovered". It's source code, not something that has been found infecting anyone's computer in the wild. It looks like a proof-of-concept, and it's also trivial and isn't any kind of new idea. Any programming language that has any kind of "eval" or "compile" functionality could do this, including for example Shell Scripts, Perl, Python, ..the list goes on..., Lisp. That's why the program is about two lines long.


    malware = "abcdefnsaiassur123"; // "delete("*") which is the actual malware
    eval malware.decryptString("probablytrumpsfault") // secret key varies

    Just include the above code in some program that you can get someone to download from some place they should not be downloading software, and Wow Amazing!

    The slightly more interesting version of this is that the program could just as well download the malware over the internet and run it, rather than have it included in a big long string.

    Assuming you're going to let someone download and run programs like this, the only way to prevent this is to scan the executable and see if it makes any calls to the handy "eval" type function, and refuse to run it. This analysis could get tricky, depending on the language being used and the interpreter/compiler runtime implementation.

    NEWS FLASH: In general, downloading malware is a bad idea! You may not be able to detect it before running it.

    I don't get this article, really. I guess it's just some security vendor stating the obvious in order to get their name in the press?

    You should not be running untrusted code outside of some security container. Such containers should be built into the OS. "HotPornoPromise wants to access your files, Okay?" OBTW, all software is untrusted code. Eventually people will comprehend this.

    1. Re:Really? by The+MAZZTer · · Score: 3, Interesting

      The main problem with trying to detect if a program is compiling code dynamically is there are legitimate reasons to do it.

      I made an app once with the goal of allowing me to map Wii Remote functionality to PC controls. To make it dynamic, I wanted a scripting engine. Since .NET can compile code at runtime, and I was making my app in .NET, it made sense to make the scripting in .NET as well. Worked pretty well!

      I could see a game engine using this capability or one like it to power its own scripting language. It really helps when the programmers making game scripts don't have to compile the logic into the full game engine every time they change something. Currently .NET is slower than native so this isn't really done. Unity uses .NET, but not sure if the implementation they use with Mono has this capability or not.

  5. Excessively Complex by jsrjsr · · Score: 3, Interesting

    The key feature is the encrypted source code. The procedure is:

    1. Decrypt source code
    2. Compile source code to an in-memory assembly [behind the scenes the .NET framework calls Assembly.Load()]
    3. Run a method on a class in the assembly

    Seems like it would be easier and just as effective to use an encrypted binary instead. Then the procedure would be:

    1. Decrypt binary image
    2. Call Assembly.Load()
    3. Run a method on a class in the assembly

    I would certainly not trust a piece of downloaded code that included code to do either, so I'm not sure the first one has any additional advantages as malware.

    1. Re:Excessively Complex by Anonymous Coward · · Score: 1

      The embedded source code can be modified at run time to result in different binaries, which may make detection by AV harder.

      But then AV may just detect the source code by signature, but again they may not be looking into non-executable memory regions.

  6. Compile ? by randalware · · Score: 1

    Where is the compiler?

    I read the article. I can see the string hiding technique, which should be scannable.

    So if they are sending source code, there has to be a compiler/interpreter installed, right?

    --
    This is my opinion based on what little I know and understand of the rumors and lies Thanks, Randal
    1. Re:Compile ? by Anonymous Coward · · Score: 1

      .NET includes compiler functionality in standard assemblies. Full .NET includes standard support for various dynamic and scripting languages built-in, and C# isn't that complex to parse or compile compared to them - so why not?

      It is, however, a bit of a gimmick and I'm not sure why you would bother writing malware this way.
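Several comments above (cstacy's "scan the executable and see if it makes any calls to the handy eval type function", jsrjsr's decrypt/compile/Assembly.Load procedure, the Anonymous Coward's point that AV may signature the source, and randalware's "string hiding technique, which should be scannable") describe a triage check without showing one. The following is an added example, not code from the article, the thread or the malware it discusses. It scans a file's raw bytes for the .NET identifiers an assembly must carry in its metadata when it uses the System.CodeDom runtime compiler (UTF-8 in the #Strings heap), for plaintext C# source fragments stored as UTF-16LE string literals (#US heap), and for large high-entropy regions that look like an encrypted payload. It assumes these identifiers are not themselves obfuscated, and the "suspicious" input is a constructed byte blob, not a real sample. As The+MAZZTer notes, a legitimate scripting engine trips the same API indicator, so the result is a triage label, not a verdict.

```python
"""Triage heuristic for .NET binaries that compile or load code at runtime.

Added example, not from the article or the thread. Operates on raw bytes so it
runs offline on a constructed sample; a real triage pipeline would parse the
CLI metadata tables instead of substring-searching the whole file.
"""
import math
import random
from collections import Counter

# Standard .NET identifiers present in the #Strings metadata heap of an assembly
# that uses CSharpCodeProvider / CompileAssemblyFromSource. Assumption: the
# sample does not obfuscate its own metadata names.
API_INDICATORS = (
    b"CSharpCodeProvider",
    b"CodeDomProvider",
    b"ICodeCompiler",
    b"CompileAssemblyFromSource",
    b"GenerateInMemory",
)

# C# source fragments; string literals live in the #US heap as UTF-16LE, so
# unencrypted embedded source shows up in that encoding, not as ASCII.
SOURCE_INDICATORS = (
    "using System;",
    "static void Main(",
    "namespace ",
)

WINDOW = 4096            # bytes per entropy window
ENTROPY_THRESHOLD = 7.5  # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of `chunk` in bits per byte (0.0 for empty input)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_windows(data: bytes) -> int:
    """Count non-overlapping WINDOW-sized regions above ENTROPY_THRESHOLD."""
    return sum(
        1
        for off in range(0, len(data) - WINDOW + 1, WINDOW)
        if shannon_entropy(data[off:off + WINDOW]) > ENTROPY_THRESHOLD
    )


def scan(data: bytes) -> dict:
    """Return the indicators found in `data` plus a coarse triage label."""
    api_hits = [name.decode() for name in API_INDICATORS if name in data]
    source_hits = [frag for frag in SOURCE_INDICATORS
                   if frag.encode("utf-16-le") in data]
    windows = high_entropy_windows(data)
    if api_hits and windows:
        label = "runtime-compile API + encrypted-looking blob: review manually"
    elif api_hits or source_hits:
        label = "runtime code generation present: may be legitimate (scripting)"
    else:
        label = "no indicators"
    return {"api_hits": api_hits, "source_hits": source_hits,
            "high_entropy_windows": windows, "label": label}


def make_sample(seed: int = 7) -> bytes:
    """Constructed stand-in for a suspicious binary: a fake PE prefix, the
    compiler API names, one UTF-16 source fragment and 8 KiB of pseudo-random
    bytes playing the role of the encrypted source. Not a real malware sample."""
    rng = random.Random(seed)
    blob = bytes(rng.getrandbits(8) for _ in range(2 * WINDOW))
    return (b"MZ" + b"\x00" * 64
            + b"CSharpCodeProvider\x00CompileAssemblyFromSource\x00"
            + "static void Main(".encode("utf-16-le")
            + blob)


# Constructed benign file: low entropy, no compiler API, no source text.
BENIGN_SAMPLE = b"MZ" + b"\x00" * 64 + b"Hello, world\x00" * 300

if __name__ == "__main__":
    print(scan(make_sample()))
    print(scan(BENIGN_SAMPLE))
```

The entropy window is the part that survives the encrypted-source trick the article describes: signatures on the source text fail once it is encrypted, but the ciphertext itself stands out against ordinary PE sections, and its co-occurrence with the compiler API is what justifies a manual look.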

  7. Unity Mobile games have started doing that as well by Anonymous Coward · · Score: 1

    Star Wars Galaxy of Heroes does this as well. I foresee that it will become a common practice to protect mobile games against reverse-engineering and proxying.

  8. Yes! by Gravis+Zero · · Score: 2

    Finally, some open source ransomware! I had held off on downloading ransomware because everything was always closed source bullshit but now, I'll have my data held hostage with the software freedom I demand! ;)

    --
    Anons need not reply. Questions end with a question mark.
  9. Re:Apparently YOU care soyboy unidentifiable ac by JustAnotherOldGuy · · Score: 1

    Ha ha, look at this clown impersonating APK and doing a perfect job.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  10. Re:Cross-platform? by AHuxley · · Score: 1

    Different OSes have different AV and third party software. Connection alerts. https://www.obdev.at/products/...
    Software detecting requests for any software to get persistently installed https://objective-see.com/prod...
    That adds to the complexity when trying to make software work on different OSes.
    Malware can try and see if an OS has such software and not install, to try and not get detected.
    That's more complexity to look after over different OSes.

    --
    Domestic spying is now "Benign Information Gathering"