Oh crap... PB ransomware

copperd
New User
Posts: 9
Joined: Thu Jul 21, 2016 1:43 pm

Re: Oh crap... PB ransomware

Post by copperd »

For my distributed LabVIEW actor framework I wrote a DLL in PureBasic for encrypted communications, using the BigInt module (SSE2) and the RSA cipher module for the initial key exchange and AES256 for data sharing. I suspect this is what the person was using?

I sent the dll to virus total to see if anything hit on it and it came back clean. https://www.virustotal.com/gui/file/3a6 ... d3/details


*Code not completed or fully tested

Code:

XIncludeFile("bigint.pbi")
XIncludeFile("cc2rsa.pbi")

; Called when the DLL is loaded: set up the RSA key pair and a
; 32-byte (256-bit) buffer for the AES session key.
ProcedureCDLL AttachProcess(Instance)
  Global.Cc2RSA::RSAKeyPair KP
  Global.i AESKey
  AESKey = AllocateMemory(32)
EndProcedure

ProcedureCDLL RSAGenerateKey(bits.i=2048)
  Cc2RSA::GenerateKeyPair(KP, bits)
EndProcedure

; Zero the key material in place so it does not linger in the DLL's memory.
ProcedureCDLL RSAClearKey()
  BigInt::SetValue(KP\PublicExponent, $0)
  BigInt::SetValue(KP\SecretExponent, $0)
  BigInt::SetValue(KP\Modulus, $0)
EndProcedure

; All buffer parameters are pointers to NUL-terminated ASCII hex strings
; owned by the caller (LabVIEW); output buffers must hold 8192 bytes.
ProcedureCDLL RSALoadKey(PublicExponent.i, SecretExponent.i, Modulus.i)
  BigInt::SetHexValue(KP\PublicExponent, PeekS(PublicExponent, -1, #PB_Ascii))
  BigInt::SetHexValue(KP\SecretExponent, PeekS(SecretExponent, -1, #PB_Ascii))
  BigInt::SetHexValue(KP\Modulus, PeekS(Modulus, -1, #PB_Ascii))
EndProcedure

ProcedureCDLL RSAGetKey(PublicExponent.i, SecretExponent.i, Modulus.i)
  PokeS(PublicExponent, BigInt::GetHex(KP\PublicExponent), 8191, #PB_Ascii)
  PokeS(SecretExponent, BigInt::GetHex(KP\SecretExponent), 8191, #PB_Ascii)
  PokeS(Modulus, BigInt::GetHex(KP\Modulus), 8191, #PB_Ascii)
EndProcedure

; Raw RSA on one hex-encoded integer. The input is a pointer to an ASCII
; buffer like the other exports, not a PureBasic string, so the caller's
; text is read correctly.
ProcedureCDLL RSAProcess(textdata.i, Mode.i, result.i)
  Protected.BigInt::BigInt data1, data2
  BigInt::SetHexValue(data2, PeekS(textdata, -1, #PB_Ascii))
  Cc2RSA::RSAProcessRaw(data1, data2, KP, Mode)
  PokeS(result, BigInt::GetHex(data1), 8191, #PB_Ascii)
EndProcedure

; Draw the 256-bit AES key from the OS cryptographic RNG.
ProcedureCDLL AESGenerateKey()
  OpenCryptRandom()
  CryptRandomData(AESKey, 32)
  CloseCryptRandom()
EndProcedure

ProcedureCDLL AESClearKey()
  FillMemory(AESKey, 32, $00, #PB_Byte)
EndProcedure

; Export the key as 64 hex characters (plus NUL) into the caller's buffer.
ProcedureCDLL AESGetKey(AESKeyOut.i)
  Protected KeyHex.s = ""
  Protected x.i
  For x = 0 To 31
    KeyHex + RSet(Hex(PeekB(AESKey + x), #PB_Byte), 2, "0")
  Next
  PokeS(AESKeyOut, KeyHex, 64, #PB_Ascii)
EndProcedure

; Import a key given as 64 hex characters.
ProcedureCDLL AESLoadKey(AESKeyIn.i)
  Protected x.i
  For x = 0 To 31
    PokeB(AESKey + x, Val("$" + PeekS(AESKeyIn + (x * 2), 2, #PB_Ascii)))
  Next
EndProcedure

; Encrypt the NUL-terminated ASCII string at DataIn into DataOut with
; AES-256-CBC. A fresh random IV is written into the caller's 16-byte iv
; buffer, passed to AESEncoder, and must be sent along with the ciphertext.
; The byte count is returned so the ciphertext in DataOut is left intact.
; CBC works on whole 16-byte blocks, so the caller pads the input to a
; multiple of 16 bytes.
ProcedureCDLL AESEncrypt(DataIn.i, DataOut.i, iv.i)
  Protected Length.i
  OpenCryptRandom()
  CryptRandomData(iv, 16)
  CloseCryptRandom()
  Length = StringByteLength(PeekS(DataIn, -1, #PB_Ascii), #PB_Ascii)
  AESEncoder(DataIn, DataOut, Length, AESKey, 256, iv, #PB_Cipher_CBC)
  ProcedureReturn Length
EndProcedure
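Added example (mine, not copperd's DLL code): the same design, RSA for the key exchange and AES-256-CBC with a random IV for the data, written against Go's standard library. The points a reviewer would want covered: the session key is wrapped with RSA-OAEP rather than a raw RSA operation, the IV is returned alongside the ciphertext instead of being written over it, and decryption checks IV, length and PKCS#7 padding before trusting the result. Envelope, Seal and Open are names I chose.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Envelope: AES key wrapped under the peer's RSA public key, per-message IV, CBC ciphertext.
type Envelope struct{ WrappedKey, IV, Ciphertext []byte }
// Seal: fresh AES-256 key and IV, AES-CBC with PKCS#7 padding, key wrapped with RSA-OAEP.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+aes.BlockSize) // 32-byte key followed by 16-byte IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:32], buf[32:]
	blk, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	ct := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, ct) // encrypt in place
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wk, iv, ct}, nil // IV travels with the ciphertext, never over it
}

// Open unwraps the session key, decrypts, and rejects a malformed IV, length or padding.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	n := len(e.Ciphertext)
	if len(key) != 32 || len(e.IV) != aes.BlockSize || n == 0 || n%aes.BlockSize != 0 {
		return nil, errors.New("bad key, IV or ciphertext length")
	}
	blk, _ := aes.NewCipher(key)
	pt := make([]byte, n)
	cipher.NewCBCDecrypter(blk, e.IV).CryptBlocks(pt, e.Ciphertext)
	p := int(pt[n-1])
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:n-p], nil
}
```

The receiving side needs only the wrapped key, IV and ciphertext from the Envelope plus its own RSA private key; the AES key itself never leaves the process in the clear.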
DeanH
Enthusiast
Posts: 229
Joined: Wed May 07, 2008 4:57 am
Location: Adelaide, South Australia

Re: Oh crap... PB ransomware

Post by DeanH »

Just a further follow-on. The false positive reports from my users have dropped off to about zero. I did end up submitting the update files to several AV systems: Kaspersky, Symantec, AVG, BitDefender, Trend, Sophos. Kaspersky replied within hours and dealt with it promptly. The rest either sent automated replies that took days for a response, or I heard nothing.

I have since recompiled everything and today (9 Jan 2020) submitted it to Virus Total again. The results are at

https://www.virustotal.com/gui/file/62c ... /detection

https://www.virustotal.com/gui/file/21c ... /detection

This time the number of false detections is way down. Odd that Microsoft appears on the 2nd report for a small program. Have the AV vendors dealt with the false positives for PureBasic programs? Maybe. Fingers crossed!

An experiment.
My system's files are distributed to users via a compressed archive file in LZH format. It is generated using Lha32. As an experiment I compressed the files using the BriefLZ packer in PB. I renamed the result Bmupdate.txt. No false positives!

https://www.virustotal.com/gui/file/d70 ... /detection

Of course, when the programs in the BriefLZ archive were unpacked, the FPs were detected.
tj1010
Enthusiast
Posts: 624
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: Oh crap... PB ransomware

Post by tj1010 »

I'm actually curious now... How do people get the idea malware in PB just started happening? I saw it used on a large botnet over a decade ago and there wasn't even a forum post about it...
The truth hurts.
BarryG
Addict
Posts: 3324
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

tj1010 wrote: How do people get the idea malware in PB just started happening?
It's not about that. It's about the anti-virus companies now detecting almost ANY PureBasic exe as malware by default; even if the app is just "End" or just opens a window. These types of simple "do-nothing" exes didn't trigger false-positives a decade ago.
tj1010
Enthusiast
Posts: 624
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: Oh crap... PB ransomware

Post by tj1010 »

BarryG wrote:
tj1010 wrote: How do people get the idea malware in PB just started happening?
It's not about that. It's about the anti-virus companies now detecting almost ANY PureBasic exe as malware by default; even if the app is just "End" or just opens a window. These types of simple "do-nothing" exes didn't trigger false-positives a decade ago.

Why would they start doing it now and not 11 years ago when it was used on endpoints for botnets? I think people assume they just make signatures out of common byte and IAT patterns without looking at what they do...
The truth hurts.
BarryG
Addict
Posts: 3324
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

tj1010 wrote: Why would they start doing it now and not 11 years ago
I'm guessing because that new (and deadly) PureLocker virus came out late last year, so the anti-virus companies have taken more notice and are clamping down hard on PureBasic exes now. Remember, every PureBasic exe has that dreaded "Neil Hodgson" data signature in it. I wish we could remove it somehow. Fred?
tj1010
Enthusiast
Posts: 624
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: Oh crap... PB ransomware

Post by tj1010 »

BarryG wrote:
tj1010 wrote: Why would they start doing it now and not 11 years ago
I'm guessing because that new (and deadly) PureLocker virus came out late last year, so the anti-virus companies have taken more notice and are clamping down hard on PureBasic exes now. Remember, every PureBasic exe has that dreaded "Neil Hodgson" data signature in it. I wish we could remove it somehow. Fred?
Can we get the name of the AV vendor that is detecting static PB lib code as malware? All the VT results in this thread contradict the crisis posts in this thread. My sample had no obfuscation and plenty of file scanning and encrypting, and only got five heuristic signatures that just about everything gets.


TorLocker is a six-year-old ransomware that had a PB PE. Nothing came of it. The ~2010 botnet endpoint PEs were way more advanced and resulted in no crisis, by the way...

I know actual malware researchers and none of them consider ransomware spreading via stolen and patched exploits as advanced. If you store sensitive information on an unpatched Windows box with close-to-vanilla policies, that's just because someone who isn't qualified is maintaining your infrastructure.
The truth hurts.
BarryG
Addict
Posts: 3324
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

tj1010 wrote: I know actual malware researchers and none of them consider ransomware spreading via stolen and patched exploits as advanced
Well, here's some descriptions from other security researchers:

"Ransomware-as-a-service": https://www.pandasecurity.com/mediacent ... e-servers/

"[PureBasic] offers [malware] adversaries several advantages": https://threatpost.com/purelocker-ranso ... ks/150229/

"A sophisticated threat that only targets certain computer drives": https://www.trendmicro.com/vinfo/us/sec ... nts-emerge

"PureLocker ransomware appears to have links to some of the most prolific cyber-criminal operations active in the world today": https://www.zdnet.com/article/this-unus ... r-servers/

Sounds pretty advanced to me.
tj1010 wrote: Can we get the name of the AV vendor that is detecting static PB lib code as malware?
Sure. As shown below, my app is detected by 23 vendors, including names like Avast, Avira, F-Secure, Kaspersky, McAfee, Microsoft Defender, and Symantec. I've also had a customer contact me yesterday about Norton anti-virus, where he said: "Norton grabbed every single copy of [app] and quarantined it in a way that defies restoration. It's behavior I haven't seen with any other product, including pen test suites that are full of malware. Luckily I was able to turn AV off, get latest installer from backup and whitelist installation folder."

These are not small names like Fred said in another post; they're the big guns that cannot be ignored. I have to contact them all to get my app white-listed, and it's annoying because I'll have to do it with every app update. My plan is to scale down updates to maybe just twice a year instead.

Also of note is that before PureLocker came along, the same exe below would only show 2 or 3 false-positives. Don't you think that says it all? The anti-virus companies have altered their detection routines and are now flagging my previously-safe exe as malicious. VirusTotal has a "Re-analyze" button: you need to use it a day or two after uploading your exe and not rely on the first VirusTotal scan that you do. This will show what's been detected since your initial VirusTotal scan, because their results are not set in stone. I even tried compiling my exe with an older PureBasic as a test, but it didn't help and I still got lots of false-positives. This isn't fun for me at all.

I'm happy that you're not suffering false-positives problems, but please remember: just because Person A's exe doesn't get flagged badly, doesn't mean Person B's won't. Every exe is different. I'm obviously one of the very unlucky ones.

A parting question: would you run my exe after seeing the scan results below? Of course not. That's what I have to live with. :(

[Image: VirusTotal scan results for the exe]
nsstudios
Enthusiast
Posts: 274
Joined: Wed Aug 28, 2019 1:01 pm
Location: Serbia

Re: Oh crap... PB ransomware

Post by nsstudios »

Does anyone know if the situation is any better now?
Also, how can antiviruses pinpoint PB specifically?
To my understanding, PB generates machine code, right?
So what's the difference between, e.g., a C executable and a PB one?
Is there anything Fred could do to prevent a single malware from jeopardizing everything made in PB, and PB itself as a language as a result?
A scripting language I used to use in the past at one point started getting flagged by everything as a trojan, and it never stopped, so I'd really hate for PB to suffer the same fate because of certain immoral people.
BarryG
Addict
Posts: 3324
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

nsstudios wrote: how can antiviruses pinpoint PB specifically?
Because all PureBasic executables have the "Neil Hogdson" signature in them (a series of known bytes), so they're easily detectable as compiled with PureBasic, as opposed to compiled with C. The ransomware coded with PureBasic, called PureLocker, didn't help things.
nsstudios wrote: Does anyone know if the situation is any better now?
Not for me. My exe, tested just now, gets 14 VirusTotal malware flags. I wish I knew how to remove the NH signature to test the results without it.
Little John
Addict
Posts: 4527
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Oh crap... PB ransomware

Post by Little John »

BarryG wrote: I wish I knew how to remove the NH signature to test the results without it.
Did you try to patch the EXE file by overwriting the string "Neil Hogdson" by another string of the same length, e.g. "Good morning" ;-) or "xxxxxxxxxxxx"? Or would that make the EXE unusable?
BarryG
Addict
Posts: 3324
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Little John wrote: overwriting the string "Neil Hogdson" by another string
It's not a literal string. It's made up of bytes somewhere that identify it as NH to exe analysers, but I don't know what they are.
Michael Vogel
Addict
Posts: 2677
Joined: Thu Feb 09, 2006 11:27 pm

Re: Oh crap... PB ransomware

Post by Michael Vogel »

Hm, Neil Hodgson is also not mentioned in the English Wikipedia article on Scintilla, but can be found here...
Kiffi
Addict
Posts: 1357
Joined: Tue Mar 02, 2004 1:20 pm
Location: Amphibios 9

Re: Oh crap... PB ransomware

Post by Kiffi »

@BarryG: Neil Hodgson

@All: See also https://www.purebasic.fr/english/viewto ... =7&t=64919
Hygge
Little John
Addict
Posts: 4527
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Oh crap... PB ransomware

Post by Little John »

Thank you, Kiffi!