New C# Ransomware Compiles Itself at Runtime

From a report: A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executables compiles an embedded encrypted C# program at runtime and launches it directly into memory.

Modify it to delete Windows and install Linux

[jfdavis668]

Solve the problem at one stroke.

Re: Modify it to delete Windows and install Linux

[Anonymous Coward]

yes, making the computer unusable was its purpose so what you proposed will work too

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TeknoHog]

I'm a £inuk$ fanboi, spelled thusly because of all the money it saves and lets me make.

Re:

[goose-incarnated]

There is nothing about Linux that prevents ransomware targetted for that platform from functioning correctly. Hell it wouldn't even need to provide its own crypto, it could just use the in kernel dm-crypt stuff.

Malware can do the same on Windows - why would Windows malware need to provide its own crypto? Why can't it use the Windows cryptographic services?

Listen, if you don't know what the Windows API provides, then perhaps you're too ignorant to contribute to a discussion on which OS is better. You have reasons for your arguments, but because you don't know shit your reasons are probably stupid too.

IOW, STFU and let the adults talk.

Re:

[Anonymous Coward]

>But there isn't any ransomware on Linux even though it's perfectly possible to exist.

https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/erebus-linux-ransomware-impact-to-servers-and-countermeasures

Re:

[mark-t]

Linux (and for that matter all Unix OS's) has, and has always had, a mitigation strategy in place to counter that style of attack. In practice, the only systems that could hope to negatively impact are those that are administrated by people who didn't give a damn about system security in the first place.

Re:

[mark-t]

One would have thought it was obvious.... don't run a webserver as root.

Re:

[HiThere]

Well, my first thought was "I don't have C# installed, so I'm safe", but a very small bit of contemplation said "If it will work with C#, why not with Java?". It would be a real pain to need to use the internet from a separate partition than from my compilers.

Re:

[HiThere]

Well, as this requires the MSWind libraries, this exploit wouldn't touch me. But that doesn't mean something analogous isn't possible. I've got Python and Ruby installed, and both of those have eval methods. And the commands to execute the compilation on both of them have execute from command line options. I may need to be even pickier about which sites I allow to execute JavaScript.

Re:

[sproketboy]

I NEED MOD POINTS NOW!!

Re:Cross-platform?

[cstacy]

So does it work with Mono, too?

Of course. Mono is a virus.

Re:Cross-platform?

[xxxJonBoyxxx]

>> does it work with Mono

OK, I'll bite. It might work. The implementation uses the "CSharpCodeProvider class" which is included in the handy-dandy ".NET Framework ICodeCompiler compiler execution interface" installed on most Windows boxes. However, Mono also implements ICodeCompiler (http://docs.go-mono.com/index.aspx?link=T%3ASystem.CodeDom.Compiler.ICodeCompiler). The question would be, "why bother" since you'd have to write multi-OS ransomware (covering Mac/Windows/some Linux OS's) anyway to take full advantage of Mono.

I ran into this "anyone can compile C# programs" ability myself a while back when one of my new dev VDIs was locked down to the point that no one could install Visual Studio. So...I just pulled down a portable text editor and then compiled the C# code I wanted through the local .NET Framework tools: the result was instant custom C# programs without having anything more than normal end user "no install" permissions. (You could easily do something similar with gcc or whatnot on Linux too; if the goal is to lock up the current user's files, then anything running as yourself ought to do it.)

Regards,

Re:

[AHuxley]

Different OS have different AV and third party software. Connection alerts. https://www.obdev.at/products/... [obdev.at]
Software detecting requests for any software to get persistently installed https://objective-see.com/prod... [objective-see.com]
That adds to the complexity when trying to make software work on different OS.
Malware can try and see if an OS has such software and not install to try and not get detected.
Thats more complexity to look after over different OS.

Really?

[cstacy]

I don't quite understand how this was "discovered". It's source code, not something that has been found infecting anyone's computer in the wild. It looks like a proof-of-concept, and it's also trivial and isn't any kind of new idea. Any programming language that has any kind of "eval" or "compile" functionality could do this, including for example Shell Scripts, Perl, Python, ..the list goes on..., Lisp. That's why the program is about two lines long.

malware = "abcdefnsaiassur123"; // "delete("*") whic

Re:Really?

[The MAZZTer]

The main problem with trying to detect if a program is compiling code dynamically is there are legitimate reasons to do it.

I made an app once with the goal of allowing me to map Wii Remote functionality to PC controls. To make it dynamic, I wanted a scripting engine. Since .NET can compile code at runtime, and I was making my app in .NET, it made sense to make the scripting in .NET as well. Worked pretty well!

I could see a game engine using this capability or one like it to power its own scripting language. It really helps when the programmers making game scripts don't have to compile the logic into the full game engine every time they change something. Currently .NET is slower than native so this isn't really done. Unity uses .NET, but not sure if the implementation they use with Mono has this capability or not.

Excessively Complex

[jsrjsr]

The key feature is the encrypted source code. The procedure is:

1. Decrypt source code
2. Compile source code to an in-memory assembly [behind the scenes the .NET framework calls Assembly.Load()]
3. Run a method on a class in the assembly

Seems like it would be easier and just as effective to use an encrypted binary instead. Then the procedure would be:

1. Decrypt binary image
2. Call Assembly.Load()
3. Run a method on a class in the assembly

I would certainly not trust a piece of downloaded code that included code to do either, so I'm not sure the first one has any additional advantages as malware.

Re:

[Anonymous Coward]

The embedded source code can be modified at run time to result in different binaries which may
make detection by AV harder.

But then AV may just detect the source code by signature, but again they may not be looking into
non executable memory regions.

Compile ?

[randalware]

where is the compiler ?

I read the article. I can see the string hiding technique, which should be scanable.

so if they are sending source code, there has to be a compiler/interpreter installed, right ?

Re:

[Anonymous Coward]

.NET includes compiler functionality in standard assemblies. Full .NET includes standard support for various dynamic and scripting languages built-in, and C# isn't that complex to parse or compile compared to them - so why not?

It is, however, a bit of a gimmick and I'm not sure why you would bother writing malware this way.

Unity Mobile games have started doing that as well

[Anonymous Coward]

Star Wars Galaxy of Heroes does this as well. I foresee that it will become a common practice to protect mobile games against reverse-engineering and proxying

Yes!

[Gravis Zero]

Finally, some open source ransomware! I had held off on downloading ransomware because everything was always closed source bullshit but now, I'll have my data held hostage with the software freedom I demand! ;)

Re:

[JustAnotherOldGuy]

Ha ha, look at this clown impersonating APK and doing a perfect job.