
Evolving non-standard virus languages will get you in a trap

We created ransomware that online antivirus scanners could not detect, to show how to protect against it

Published: October 18, 2021 By Dmytro Cherkashyn

Woman on the laptop with access denied notification

Image source – freepik.com

Any casual user today knows that every file attached to a scam email is a potential threat.

We also know how to check files for viruses using a preinstalled antivirus or an online scanning service, where 50 to 70 antivirus engines scan the file in the cloud and deliver a clear answer on whether there is anything malicious in it.

What you may not know is that most antiviruses are 0% effective against even non-obfuscated malicious files, as long as those files are not compiled into a plain Windows executable.

Disclaimer: Any tools or files created during this research are not intended for use in real-life attacks and serve research and awareness purposes only.

What did we discover?

It is not rocket science to write your own crypto malware or even fully functioning ransomware, as we did for research purposes.

Cooltechzone Crypto Ransomware screensaver

If you are a professional developer working in your office, or a hobby Python developer working on a home project, check your environment and make sure it is isolated as much as possible. Otherwise, you risk a trivial malware infection.

The Cooltechzone research team created a very primitive but working ransomware script which, even without any additional obfuscation, was not detected by many well-known antiviruses.

As you can see in the screenshot below, 0 antiviruses detected the malicious part of our Python script. The same goes for Windows Defender, which has no clue about the intentions of our newly written Python application.

VirusTotal result of malicious Python ransomware

It is worth mentioning that not a single antivirus available on VirusTotal was able to detect the encoder or ransomware-related functions in our script.

Put simply, if the script is started on a system with Python preinstalled, there is no chance of detecting it.

VirusTotal result of malicious Python ransomware with top antiviruses

We didn't stop there and decided to check an executable version of our script, which we compiled on Windows 10 using an open-source framework that has nothing to do with creating obfuscated malware.

I think nobody expected that, but only 28 of the 70 available antiviruses detected the malware. By the way, only two of those 28 identified the purpose of the malware:

  • Alibaba
  • ESET-NOD32

VirusTotal – only 28 of 70 antiviruses detected the malicious part

Since the following top-range antiviruses failed the task, I would reconsider using any of them alone as a solution:

  • Acronis
  • DrWeb
  • Comodo
  • Kaspersky

Renowned antiviruses didn’t detect the malicious script

I should admit that Windows Defender was always trying its best. Even though it miscategorized our malicious executable, it was able to detect it and block it very quickly.

Windows Defender didn’t recognize the type of malware but detected it

How did we do it?

Since it could be done quickly by anybody who can google, I will present the development process and results at a glance.

  1. As with any decent ransomware, we want the user to be scared and unable to do anything on the workstation except read our message. The next part of the code is responsible for firing a screensaver that cannot be closed other than by rebooting the system.

Initializing screensaver for ransomware

  2. We give our victim only 10 hours to pay the ransom, so we need a timer to count down the last hours.

Initializing timer

  3. This part of the script is responsible for the most crucial function: encryption.

Initializing encryption for ransomware

  4. It does not yet do anything malicious, but it will start with this piece.

Here the script checks the files available in the target folder and compares their extensions against the provided list. If a file's extension matches one in the script, the function for encryption and renaming is executed. This happens recursively and very quickly.

Initializing file encryption

  5. The last part of the process, which distinguishes ransomware from a mere encoder, is a function to upload the decryption key to our command and control server.

Initializing screensaver for ransomware

What do statistics for antiviruses say?

I didn't find specific numbers, but it is a fact that most malware detected in the wild is created using widespread languages like C++ or C, which are the most popular anyway.

But trends seem to be changing over time: there are many more traces and exotic samples of malware for different purposes written in Perl, .NET or PowerShell, JavaScript and, of course, our favourite today, Python.

One recent study also found malware written in Go becoming popular, which is absolutely genius: the language is cross-platform and can be used for Android as well as Windows and many other popular operating systems.

The same applies to Dlang. Even if it is not as popular as Go, it is a very atypical malware language that is still evolving.

I like to use open-source data and statistics from online tools; they are usually very objective because of the large number of inputs from different countries, so they are ideal for assessing the global situation.

We have looked at the VirusTotal statistics and found a few interesting facts.

  1. The eastern part of our planet does not care that much about viruses. According to the diagram below, Russian users made only 230k submissions in the last week, whereas US users are more suspicious of files and check many more: up to 17.9 million files during the week.

Russian users didn’t check many files according to VirusTotal

US users check a lot of files according to VirusTotal

If you didn’t get it yet, US users check files for viruses 80 times more often than Russian users.

I wonder whether it is because Russians are writing those viruses, so there is no need to check: they know exactly what is inside.

  2. On average, up to 2 million files are submitted for checking every day, and only half of them are unique. It is hard to say why, but I am assuming this relates to the file's hash and not other parameters. A few script kiddies renaming the same executable don't change its hash, but to a casual user it will look like a new file.

Statistics of file checks for 7 days on VirusTotal

  3. Last but not least, file type distribution.

It is expected to see .exe files on top, because they are the most likely to cause false-positive detections by Windows Defender. It is better to check twice than to miss and fire something terrible on your workstation.

The second place in our chart is not that distinct, but we can see a trend toward mobile applications there. Quite strangely, DLL files are at about the same level.

Third place, as expected, goes to PDF files, which are most likely distributed through emails… I mean legitimate emails.

As we see, the share of other file extensions is not impressive, even for .docx or .doc, which surprised me a lot.

File types most often checked for viruses on VirusTotal

First steps to protect yourself from exotic viruses

To minimize the risk of virus infection, you need to follow some basic rules.

  1. Use a reliable anti-malware app. While it is difficult to recommend a specific one, it is much better to have at least one than none.
  2. Always check unknown email attachments for malware using cloud or client-based services. Learn how to protect yourself from phishing.
  3. Use an ad or pop-up blocker in your browser. An ad blocker can't prevent a malware infection, but it will definitely limit the automatic execution of scripts built into a malicious website.
  4. Keep all your software updated. This applies not only to Windows or Defender itself but also to your web browser, mail client and other Internet applications.
  5. Ensure your Internet privacy. It is highly recommended to use a reliable VPN for Internet access to avoid identity theft and exposure of your own IP address.

Conclusion

With a vast number of programming languages, and the developers of those scripting and programming languages tending toward cross-platform functionality, we are reaching the point where we can't really control the risk related to one language or another.

What we can do is check everything and pray that antivirus developers are aware of the new languages and malware development capabilities.

Stay tuned and watch around!

Editor-in-Chief
Dmytro Cherkashyn
Being a passionate security expert from Ukraine, Dmytro has passed through various security domains for the last 12 years, starting with the physical security of nuclear facilities and coming to operational technology cybersecurity for critical infrastructure in Germany.
