Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

New C# Ransomware Compiles Itself at Runtime (bleepingcomputer.com) 122

From a report: A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executables compiles an embedded encrypted C# program at runtime and launches it directly into memory.
This discussion has been archived. No new comments can be posted.

New C# Ransomware Compiles Itself at Runtime

Comments Filter:
  • Solve the problem at one stroke.
    • yes, making the computer unusable was its purpose so what you proposed will work too

    • by HiThere ( 15173 )

      Well, my first thought was "I don't have C# installed, so I'm safe", but a very small bit of contemplation said "If it will work with C#, why not with Java?". It would be a real pain to need to use the internet from a separate partition than from my compilers.

    • I NEED MOD POINTS NOW!!

  • I don't quite understand how this was "discovered". It's source code, not something that has been found infecting anyone's computer in the wild. It looks like a proof-of-concept, and it's also trivial and isn't any kind of new idea. Any programming language that has any kind of "eval" or "compile" functionality could do this, including for example Shell Scripts, Perl, Python, ..the list goes on..., Lisp. That's why the program is about two lines long.


    malware = "abcdefnsaiassur123"; // "delete("*") whic

    • Re:Really? (Score:4, Interesting)

      by The MAZZTer ( 911996 ) <megazzt.gmail@com> on Thursday April 26, 2018 @05:14PM (#56510035) Homepage

      The main problem with trying to detect if a program is compiling code dynamically is there are legitimate reasons to do it.

      I made an app once with the goal of allowing me to map Wii Remote functionality to PC controls. To make it dynamic, I wanted a scripting engine. Since .NET can compile code at runtime, and I was making my app in .NET, it made sense to make the scripting in .NET as well. Worked pretty well!

      I could see a game engine using this capability or one like it to power its own scripting language. It really helps when the programmers making game scripts don't have to compile the logic into the full game engine every time they change something. Currently .NET is slower than native so this isn't really done. Unity uses .NET, but not sure if the implementation they use with Mono has this capability or not.

  • Excessively Complex (Score:4, Interesting)

    by jsrjsr ( 658966 ) on Thursday April 26, 2018 @04:15PM (#56509653)
    The key feature is the encrypted source code. The procedure is:
    1. Decrypt source code
    2. Compile source code to an in-memory assembly [behind the scenes the .NET framework calls Assembly.Load()]
    3. Run a method on a class in the assembly

    Seems like it would be easier and just as effective to use an encrypted binary instead. Then the procedure would be:

    1. Decrypt binary image
    2. Call Assembly.Load()
    3. Run a method on a class in the assembly

    I would certainly not trust a piece of downloaded code that included code to do either, so I'm not sure the first one has any additional advantages as malware.

  • where is the compiler ?

    I read the article. I can see the string hiding technique, which should be scanable.

    so if they are sending source code, there has to be a compiler/interpreter installed, right ?

    • by Anonymous Coward

      .NET includes compiler functionality in standard assemblies. Full .NET includes standard support for various dynamic and scripting languages built-in, and C# isn't that complex to parse or compile compared to them - so why not?

      It is, however, a bit of a gimmick and I'm not sure why you would bother writing malware this way.

  • Star Wars Galaxy of Heroes does this as well. I foresee that it will become a common practice to protect mobile games against reverse-engineering and proxying

  • by Gravis Zero ( 934156 ) on Thursday April 26, 2018 @05:57PM (#56510203)

    Finally, some open source ransomware! I had held off on downloading ransomware because everything was always closed source bullshit but now, I'll have my data held hostage with the software freedom I demand! ;)

You know you've landed gear-up when it takes full power to taxi.

Working...