Oh crap... PB ransomware

[Erich]

https://yro.slashdot.org/story/19/11/12 ... er-servers

To the guys who write these ransomware platforms, who are probably even on this forum somewhere: Could you not use languages like Go instead?

Now Purebasic programs will be flagged by Antivirus even more.

[RSBasic]

[BarryG]

Wow! Detailed info:

https://www.intezer.com/blog-purelocker ... t-servers/

PureBasic will definitely get more exposure from this, but perhaps not in a good way.

[DK_PETER]

Wow! Detailed info:

https://www.intezer.com/blog-purelocker ... t-servers/

PureBasic will definitely get more exposure from this, but perhaps not in a good way.

It will get both. ANY language can be used in truly annoying ways. I'm amazed if it hasn't been done before in Purebasic
sometime in the past..
In the meantime Purebasic will get a lot more exposure - in a good way.

[NicTheQuick]

The ransomware then secure-deletes the original files in order to prevent recovery.

Wasn't there a user recently who wanted to know how to wipe files securely?

[StarBootics]

Very sad news

[Tenaja]

I had to have been used before, since most av's flag so many programs we are writing. I've had to add whitelists to every av I've used.

[Fred]

That's definitely not good exposure and antivirus will raise the bar against PB exec for sure

[wombats]

Ugh, I hate this. PureBasic is so awesome and shouldn't be used for criminal purposes.

[oreopa]

There have been a few strange posts in the past about this sort of thing - or at least it sounded a lot like it. Users with 1 or so posts asking questions that just didn't seem right. It's very hard to determine the legitimacy of a users question, unless they are around for a while. I'm all for all sorts of hacking - black/white/pink/rasta hat... but only out of a proof of concept interest.

Ransomware is a sucky concept - but as far as I know it's pretty hard to be caught with it if you are not downloading and executing everything like a lunatic.

It's not PB's "fault" it is a good dev envirnoment for malware. That just shows it is simply a good dev environment. You can make anything.

[Justin]

I don't use AVs and have little idea about signatures, etc...
But why this?:

AV vendors have trouble generating reliable detection signatures for PureBasic binaries

It would be easier to detect if it was written in plain c using some free compiler?
What makes pb exes diffrent?

[skywalk]

The statement is too nebulous.
There was mention of telemetry api's compiled into visual studio app's. I thought pb would have those also if the compiler is compiled in VS 2013/15.

[HanPBF]

I have banned PureBasic from my developments being always afraid of possible antivirus problems.
Even more, tomorrow I gonna have to ban PureBasic completely from my office PC.
That makes me sad...


Also my question: "Is there anything making PB's exes special separate from being very efficient?"
Sometimes I wonder if antivirus detection thinks "a program can not be that small" or something similar...

[HanPBF]

Hmmmh...
If I have the source and make it public to the internal users and assume that there is no malware in PureBasic itself, is this a real big problem in an Intranet environment?

Some colleagues often ask me to send them links to file shares so they can click on it and explorer opens immediately.
And I always answer: no, I will not send You clickable links.
Those are the things (from other senders) that are dangerous and not the knife who built the wood carving, correct?

[BarryG]

I have banned PureBasic from my developments being always afraid of possible antivirus problems.
Even more, tomorrow I gonna have to ban PureBasic completely from my office PC.

What? Why? PureBasic isn't infected or has malware. An executable compiled with it is. What you're saying is like banning Excel because someone made a bad spreadsheet.

Sometimes I wonder if antivirus detection thinks "a program can not be that small"

No, it's not that: I (and others) have tested this before by adding extra bloat to their exes, making them between 10 MB and 150 MB in size. And there's lots of other small exes (under 1 MB) written in other languages that don't get flagged. I have plenty of them on my PC.

One of my apps recently got flagged with 13 "viruses" (in reality: false positives) by VirusTotal. I was using the 32-bit compiler of PureBasic. I compiled the same app with the 64-bit version and only got 2 false positives. Says a lot.

Adding version info to your PureBasic exe can reduce false positives. My example app above didn't have it at first, and had about 4 extra false-positives until I added it.

Don't get too hung up on digitally signing your exes, either: there's another current ransomware (Megacortex) who's exe is digitally signed to a company in Australia. So, signing doesn't provide protection or "prove" that an exe is safe at all.

PureLocker requires admin rights to run, which nobody should really be doing anyway; plus it uses code from other ransomware apps, so it will soon be easy for AV to detect because the other code signatures are well-known.

There's no reason to ditch PureBasic over this.