We created ransomware undetectable by online antivirus to show how to protect against it
Any casual user today knows that every file attached to a scam email is a potential threat.
We also know how to check files for viruses using our preinstalled antivirus or an online antivirus check service, where 50-70 antivirus engines scan the file in the cloud and deliver a clear answer on whether there is anything malicious inside it.
What you may not know is that most antiviruses are 0% effective even against non-obfuscated malicious files, as long as they are not compiled into a plain Windows executable.
Disclaimer: Any tools or files created during this research are not intended for use in any real-life attack and are used only for research and awareness purposes.
It is not rocket science to write your own crypto malware or even fully functioning ransomware, as we did for research purposes.
If you are a professional developer working in your office, or just a hobby Python developer working on your home project, check your environment and make sure it is isolated as much as possible. Otherwise, you risk a trivial malware infection.
The Cooltechzone research team created a very primitive but still working ransomware script which, even without any additional obfuscation, was not detected by many well-known antiviruses.
As you can see in the screenshot below, zero antiviruses detected the malicious part of our Python script. The same goes for Windows Defender, which has no clue about the intentions of our newly written Python application.
It is worth mentioning that not one antivirus available on VirusTotal was able to detect the encoder or the ransomware-related functions in our script.
Put simply, if it is started on a system with Python preinstalled, there is no chance of detecting it.
We didn't stop there and decided to check the executable version of our script, which we compiled on Windows 10 using an open-source framework that has nothing to do with creating obfuscated malware.
I think nobody expected that, but only 28 of the 70 available antiviruses detected the malware. By the way, only two of those 28 identified the purpose of the malware:
Since the following list of top-range antiviruses failed the task, I would reconsider using them alone as a solution:
I should admit that Windows Defender always tried its best. Even though it miscategorized our malicious executable, it was able to detect and block it very quickly.
Since this could be quickly done by anybody who can google, I will present the process and results of development at a glance.
The script walks the files in the target folder and compares their extensions against the list given in its instructions. If a file's extension matches one in the script, the encryption and renaming function is executed for that file. This happens recursively and very quickly.
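As an added defensive counterpart (not code from the article or its authors), the following script implements a detection rule for the behaviour just described: a burst of files under one tree getting their extension rewritten in a short time. The event format (timestamp, old path, new path), the watched extension set and the thresholds are assumptions; a real deployment would feed it rename events from auditd, Sysmon or an EDR agent.

```python
from collections import deque
from pathlib import PurePath

# The article does not list the extensions its script targets; this set is an
# assumption standing in for "user documents and media".
TARGET_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".jpg", ".txt"}


def is_extension_rewrite(old_path, new_path):
    """True when a rename keeps a watched file's stem but replaces or appends
    its extension, e.g. report.docx -> report.docx.enc or report.docx -> report.enc."""
    old, new = PurePath(old_path), PurePath(new_path)
    if old.parent != new.parent or old.suffix not in TARGET_EXTS:
        return False
    appended = new.name != old.name and new.name.startswith(old.name)
    replaced = new.stem == old.stem and new.suffix != old.suffix
    return appended or replaced


def detect_mass_rename(events, window_s=10.0, threshold=20):
    """events: (timestamp_seconds, old_path, new_path) tuples in time order.
    Emits one alert (window_start, window_end, n_files) each time at least
    `threshold` distinct files get their extension rewritten within `window_s`."""
    recent = deque()  # (ts, old_path) of rewrites inside the sliding window
    alerts = []
    for ts, old, new in events:
        if not is_extension_rewrite(old, new):
            continue
        recent.append((ts, old))
        while recent and ts - recent[0][0] > window_s:
            recent.popleft()
        distinct = {path for _, path in recent}
        if len(distinct) >= threshold:
            alerts.append((recent[0][0], ts, len(distinct)))
            recent.clear()  # one alert per burst, then keep watching
    return alerts


def constructed_events():
    """Constructed sample: two ordinary renames, then 25 documents across three
    subfolders rewritten to .enc within 2.5 seconds, the pattern described above."""
    events = [
        (0.0, "C:/Users/a/Documents/draft.docx", "C:/Users/a/Documents/draft-v2.docx"),
        (5.0, "C:/Users/a/Pictures/img.jpg", "C:/Users/a/Pictures/holiday.jpg"),
    ]
    for i in range(25):
        path = f"C:/Users/a/Documents/sub{i % 3}/file{i}.docx"
        events.append((100.0 + i * 0.1, path, path + ".enc"))
    return events
```

Running `detect_mass_rename(constructed_events())` yields a single alert for the burst of 20 rewritten files starting at t=100.0s; the two ordinary renames are ignored because neither keeps the stem while changing the extension.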
I didn't find specific numbers, but it is a fact that most malware detected in the wild is created using widespread languages like C++ or C, which are the most popular anyway.
But trends seem to be changing with time: there are many more traces and exotic samples of malware of various purposes written in Perl, .NET or PowerShell, JavaScript, and of course our favorite today, Python.
One recent study also found malware written in Go becoming popular, which is absolutely genius: the language is cross-platform and can be used for Android as well as Windows and many other popular operating systems.
The same applies to Dlang. Even though it is not as popular as Go, it is a very non-typical malware language that is still evolving.
I like to use open-source data and statistics from online tools; they are usually very objective because of the large number of inputs from different countries, so they are ideal for assessing the global situation.
We looked at the VirusTotal statistics and found a few interesting facts.
If you didn't get it yet, US users check files for viruses 80x more often than Russian users.
I wonder, maybe it is because Russians are writing those viruses, so there is no need to check: they know exactly what is inside.
It is expected to see .exe files on top because they are the most likely to cause false-positive detections by Windows Defender. It is better to check twice than to miss something and fire off something terrible on your workstation.
The second place in our chart is not as distinct, but we can see a trend towards mobile applications there. Strangely, DLL files are at around the same level.
Third place, as expected, goes to PDF files, which are most likely distributed through emails... I mean legitimate emails.
As we can see, the share of other file extensions is not impressive, even for .docx or .doc, which surprised me a lot.
To minimize the risk of virus infection, you need to follow basic rules.
With the vast number of programming languages, and the developers of those scripting and programming languages tending towards cross-platform functionality, we are reaching the point where we can't really control the risk related to one language or another.
What we can do is check everything and pray that antivirus developers are aware of the new languages and their malware development capabilities.
Stay tuned and watch around!