Oh crap... PB ransomware

For everything that's not in any way related to PureBasic. General chat etc...
BarryG
Addict
Posts: 3322
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Interesting article from 2015 about ransomware that used PureBasic's "Rnd" function (their words):

https://threatvector.cylance.com/en_us/ ... mware.html

So I tried removing all "Random()" calls in my exe to see if it reduced my false-positives, but nope.
tj1010
Enthusiast
Posts: 624
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: Oh crap... PB ransomware

Post by tj1010 »

BarryG wrote:Interesting article from 2015 about ransomware that used PureBasic's "Rnd" function (their words):

https://threatvector.cylance.com/en_us/ ... mware.html

So I tried removing all "Random()" calls in my exe to see if it reduced my false-positives, but nope.

Okay, let's see what VirusTotal shows for a PB program that uses CryptRandom after injecting itself into an instance of chrome.exe or explorer.exe after using UACME UAC bypass methods; this should show massive detection if primitive ransomware is so bad.....

https://www.virustotal.com/gui/file/6e2 ... /detection

5/67.................................... somebody hypin
The truth hurts.
DeanH
Enthusiast
Posts: 228
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

I have over 2,000 schools in Australia using my Bookmark library management system, written in PureBasic. A few schools in the state of Queensland (they have to use Symantec) recently reported a virus to me. The cyber security sections of two different state education departments contacted me on Monday the 25th. They both independently checked the update file and proclaimed it clean. I have run every program and the update file through VirusTotal. Anywhere from 2 to 6 AV systems report a virus; the other 50 do not. Typical false positive. The programs are packed into a lzh archive for distribution. My VirusTotal report is at:

https://www.virustotal.com/gui/file/729 ... /detection

So far it has only been a few schools, hopefully it will not turn into a bunch.
BarryG
Addict
Posts: 3322
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

DeanH wrote:I have over 2,000 schools in Australia using my Bookmark library management system, written in PureBasic.
Congrats! I live in QLD myself. :)
Fred
Administrator
Posts: 16681
Joined: Fri May 17, 2002 4:39 pm
Location: France

Re: Oh crap... PB ransomware

Post by Fred »

Cool info :)
DeanH
Enthusiast
Posts: 228
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

The false positives keep flowing. I have since had reports about Kaspersky, AVG and Sophos from my users. I have not heard from anyone with Microsoft Defender or McAfee or Trend. The Kaspersky people got back to me within hours and verified there is no virus. Have not heard anything from AVG and Symantec other than acknowledgement of my submission. Nothing from Sophos. I do not think it is the PureBasic signature. I tried removing the signature using code published on this forum by CELTIC88 (sorry, can't figure out how to put in the link) but I still have false positives. I have tried rearranging source code as others have suggested. I have come up with a tricky way to download a compressed archive without detection, but when a file is de-compressed it would still be picked up.
BarryG
Addict
Posts: 3322
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

I wonder if it's due to some included library that the malware is using. Perhaps we need to make a list of what commands or modules we're using, to compare if there's a common denominator? Such as HeX0R's Registry module (viewtopic.php?p=488711#p488711). Because if a virus is using that module to access the Registry, then my app will get flagged for using it, too. That's what I think is happening. Do you think comparing info like this may help? Should I start a new thread about it?
C87
Enthusiast
Posts: 176
Joined: Mon Jul 17, 2017 7:22 am
Location: Cotswolds England

Re: Oh crap... PB ransomware

Post by C87 »

Has anyone tried running a program throwing false positives in a SandBox?
If it's falling over......just remember the computer is never wrong!
BarryG
Addict
Posts: 3322
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

C87 wrote:Has anyone tried running a program throwing false positives in a SandBox?
Why?
Sicro
Enthusiast
Posts: 538
Joined: Wed Jun 25, 2014 5:25 pm
Location: Germany

Re: Oh crap... PB ransomware

Post by Sicro »

BarryG wrote:Perhaps we need to make a list of what commands or modules we're using, to compare if there's a common denominator?
This tool could help to find out what the virus scanners complain about the EXE files created by PureBasic: pestudio
Why OpenSource should have a license :: PB-CodeArchiv-Rebirth :: Pleasant-Dark (syntax color scheme) :: RegEx-Engine (compiles RegExes to NFA/DFA)
Manjaro Xfce x64 (Main system) :: Windows 10 Home (VirtualBox) :: Newest PureBasic version
tj1010
Enthusiast
Posts: 624
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: Oh crap... PB ransomware

Post by tj1010 »

What is a "sandbox"? If you're talking about Windows programs like Sandboxie, all the third-party logging stuff for it is way out of date, and snapshots of the virtual volume are mostly useless for malware analysis.

What anti-virus vendors call a sandbox isn't a sandbox; it's just an API wrapper and heuristics with their SSDT and DKOM stuff. Which is why malware still gets through them by using custom packers, then exploits.

I actually made PB malware and ran it through VirusTotal and got only 5 out of 67 detections, and there was no obfuscation at all on the binary. The other VirusTotal submission here only got heuristic signatures, which is most likely from entropy from a packer or XOR stub...

This is a non-problem; I've seen plenty of PB malware going back years. The fact you can use 1980s methods to propagate malware means it's the security industry, not the malware developer, that is the problem.
The truth hurts.
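Sicro's pestudio suggestion and tj1010's remark that the remaining hits look like entropy heuristics point at the same check: which sections of the compiled EXE look packed or encrypted, and which are mapped writable and executable. The script below is an added example, not code from this thread, from pestudio or from PureBasic; it parses the PE section table with only the Python standard library and reports those two properties. The 7.0 bits/byte threshold is an assumption (ordinary x86 code usually sits around 6), the IMAGE_SCN_* values are the documented PE constants, and `build_synthetic_pe` fabricates a minimal, non-runnable PE image so the parser can be exercised offline. Point `triage` at a real file (`open(path, "rb").read()`) to see what a heuristic scanner is likely to be reacting to before you start rearranging source code.

```python
"""Added example: per-section entropy and permission triage of a PE file.

Not from the PureBasic forum or from pestudio. Stdlib only. The entropy
threshold is an assumption; the IMAGE_SCN_* values are the PE constants.
"""
import math
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY = 7.0  # assumed threshold; plain compiled code is usually ~6 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Section:
    name: str
    raw_offset: int
    raw_size: int
    characteristics: int
    entropy: float


def parse_sections(image: bytes) -> list[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # section table follows optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr, chars = fields[3], fields[4], fields[9]
        blob = image[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name, raw_ptr, raw_size, chars, shannon_entropy(blob)))
    return sections


def triage(image: bytes) -> dict[str, list[str]]:
    """Map section name -> reasons a heuristic scanner is likely to object."""
    findings: dict[str, list[str]] = {}
    for s in parse_sections(image):
        reasons = []
        if s.entropy >= PACKED_ENTROPY:
            reasons.append(f"high entropy {s.entropy:.2f} bits/byte (packed or encrypted?)")
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable (self-modifying or unpacking stub?)")
        if reasons:
            findings[s.name] = reasons
    return findings


def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_synthetic_pe(sections: list[tuple[str, bytes, int]]) -> bytes:
    """Constructed test data: a minimal, non-runnable PE32 image with the given
    (name, raw bytes, characteristics) sections, 512-byte file alignment."""
    n = len(sections)
    opt_size = 224                                   # PE32 optional header size
    headers_end = 64 + 4 + 20 + opt_size + 40 * n
    raw_ptr = _align(headers_end, 512)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic; remaining fields left zero
    table, blobs, va = b"", b"", 0x1000
    for name, data, chars in sections:
        raw_size = _align(len(data), 512)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, raw_size,
                             raw_ptr, 0, 0, 0, 0, chars)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(data), 0x1000)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(_align(headers_end, 512), b"\0")
    return headers + blobs


def demo() -> dict[str, list[str]]:
    """Constructed sample: ordinary code and data sections plus one packed-looking section."""
    sample = build_synthetic_pe([
        (".text", b"\x55\x8B\xEC\x90\xC3" * 60, 0x60000020),          # CODE | EXECUTE | READ
        (".data", b"Hello, world\0" * 20, 0xC0000040),                 # INITIALIZED_DATA | READ | WRITE
        (".packed", bytes(range(256)) * 16, 0xE0000020),               # CODE | EXECUTE | READ | WRITE
    ])
    return triage(sample)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Only the `.packed` section is reported: its bytes are uniformly distributed (8.0 bits/byte) and it is mapped RWX, which is exactly the combination a generic "packed/encrypted code" heuristic fires on. A clean PureBasic EXE that still gets flagged with a quiet report here points at a signature or import-based rule rather than an entropy one, which narrows where to look next.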
DeanH
Enthusiast
Posts: 228
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

I agree with tj1010, but I believe these companies are not going to change. Government organizations and commercial institutions and companies are going to continue to use and mandate them. I can't go out and tell the Education Department of Queensland to stop using Symantec because it produces false positives in software that only 120 of their schools use. So it comes back to how we, as developers, can reduce the increasing incidence of false positives in PB compiled programs. I, myself, have found that sometimes simply rearranging source code can stop a false-positive trigger. Doesn't always work, though.

Does anyone have any experience at setting up a virtual windows system for clients? Like Thinfinity or Cameyo. I am investigating if it is possible to cloud-base my PB written library application using something that allows users to go to a URL, log in, and run the Windows program through a browser without having to re-write the entire system.
HanPBF
Enthusiast
Posts: 564
Joined: Fri Feb 19, 2010 3:42 am

Re: Oh crap... PB ransomware

Post by HanPBF »

Unfortunately Citrix or similar software doesn't help, as the security risk remains in the virtual desktop.

Streaming to an HTML5 canvas makes sense, but you then have only upload and download of files.
No direct file access or direct database access.

The best solution is to build a web single-page application.
DeanH wrote:...Windows program through a browser without having to re-write the entire system

Yes, I read this; anyway client-server (2-tier) is dangerous in many ways.
The attacking possibilities are ubiquitous.

Yes, a web app can be attacked, too.
So, keep it simple. The one framework needed is VanillaJS. Or client side components like mentioned Tabulator.
Not to forget SpiderBasic.
skywalk
Addict
Posts: 3997
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: Oh crap... PB ransomware

Post by skywalk »

Check out the spike in purebasic.com traffic around the time of this article. :idea:
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
tj1010
Enthusiast
Posts: 624
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: Oh crap... PB ransomware

Post by tj1010 »

skywalk wrote:Check out the spike in purebasic.com traffic around the time of this article. :idea:

VirusTotal detections show nothing on actual PB malware that tries to throw flags. MS SmartScreen and Defender do nothing on a fully patched Windows 10 Pro 1909 (latest "public" ring) box.

So people who just barely manage to make primitive malware are going to topple the security industry by viewing the PB forum more?
The truth hurts.