Oh crap... PB ransomware

For everything that's not in any way related to PureBasic. General chat etc...
DK_PETER
Addict
Posts: 880
Joined: Sat Feb 19, 2011 10:06 am
Location: Denmark

Re: Oh crap... PB ransomware

Post by DK_PETER »

Fred wrote:That's definitely not good exposure and antivirus will raise the bar against PB exec for sure :(
I'm right there with Barry G.

This kind of destructive usage can't be prevented unless you create a language without file access and extremely limited network access of any kind (rendering it completely useless).
There will always be extreme a**holes who want to use a language for dark purposes. It is nothing new and has been there since the good old Amiga and DOS days.
The language isn't at fault, the programmer is. It isn't the language that gets negative exposure; it is how it is used and the software they created with it.
Yes... We might get some extra work to whitewash our software, but it is already necessary to do so in many cases.
Everything that can be misused will be misused, without exception. (Which actually really means everything).
And even though the "exposure" seems bad, PureBasic will be examined and tried out by a lot of good guys too.
“Tell me and I forget. Teach me and I remember. Involve me and I learn.”
— Benjamin Franklin
Current configurations:
Windows 10, Intel 6800K, GeForce Gtx 1060, 32 gb ram.
Windows 10, Amd Ryzen 9 5950X, GeForce 3070, 128 gb ram.
skywalk
Addict
Posts: 3554
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: Oh crap... PB ransomware

Post by skywalk »

I am incredulous.
This is not the first and only virus written in PureBasic. Nor the last.
How many viruses written in C/C++, ASM, VB6, VBA?

The real story is PureBasic is a professional cross platform language that flies under the radar of the programming world.

When I'm asked by blown away customers, "What language did you write that in?", I have to say "umm, C, Basic, and some Assembly." Otherwise, the conversation goes into another dimension.
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
HanPBF
Enthusiast
Posts: 544
Joined: Fri Feb 19, 2010 3:42 am

Re: Oh crap... PB ransomware

Post by HanPBF »

@BarryG

I wrote two entries in the forum: one titled "paranoia", another one titled "think first"... :wink:

At my office, things get abandoned due to paranoia; that was my concern.

Size of exe: good -> no reason for a false positive here. I also bloated the exe, which helped (sometimes...).
64-bit was not a false positive, 32-bit was (at my site...).

Version info: will check this.

Digitally Signing: forgot this but is needed at my site; will check this, too.
PureLocker requires admin rights to run
Save at my place here -> no user has admin rights!
Good hint!!!
There's no reason to ditch PureBasic over this.
Was not my intention and would be wrong, correct!

At the end: You gave lots of information here so -> thanks a lot for that!!!


Garbage Collection -> I will open another thread for this (Rust's borrowing simulated).
But garbage collection is a way to level up security to prevent memory leaks, isn't it?
All can be misused; but do we get more security or stability when using garbage collection?
I mean that as an example of what all "main" languages switched to, like C# and Java.
I know -> performance is worse and C/C++ are not garbage collected.

skywalk wrote:... I have to say "umm, C, Basic, and some Assembly." Otherwise, the conversation goes into another dimension.
I saw a project years ago where the guys levelled up a .NET exe to Silverlight and told management they were doing a completely new web infrastructure.
I predicted immediately that Silverlight was gonna die!

At the end I think saying PureBasic is C is not a big lie; the concepts and performance are the same.
The syntax is a little easier and we have nearly all batteries included using PureBasic (like Python).

At my office here, I cannot argue for any local program anymore; web is ubiquitous.
I use JavaScript with web components and web socket and the V8 engine/compiler is fantastic.
SpiderBasic is simply not needed.
Mijikai
Addict
Posts: 1032
Joined: Sun Sep 11, 2016 2:17 pm

Re: Oh crap... PB ransomware

Post by Mijikai »

There are only very few AV companies that have proper engines and detect malware somewhat reliably.
Anyway, imho this is an AV issue and not a language issue.
BarryG
Addict
Posts: 1718
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

DK_PETER wrote:The language isn't at fault, the programmer is
It's wrong that they named it "PureLocker" as though PureBasic were bad and some sort of black hat coding tool. :evil: Would they have called it "PowerLocker" if it were written in PowerBasic, or "VBLocker" if written in Visual Basic .NET? I doubt it.

On the bright side (every cloud has a silver lining?) most articles call it "this unusual new ransomware", which could be testament to the power of PureBasic - they've never seen anything like it, and only PureBasic makes it possible! :lol: Maybe in my app's advertising I should say it's powered by the same tool used as the fearsome "PureLocker" virus! :wink:
tj1010
Enthusiast
Posts: 589
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: Oh crap... PB ransomware

Post by tj1010 »

I'm not even a malware researcher and I've gotten many modules off honeypots written in PB over the years. Devs likely aren't PB fans, they just needed rapid PE generation and API access prototyping; Go, Python, and Rust have a lot of abstraction you have to work around.

If it's using the Windows API and store or one of the static libs here, there is probably an unlock tool already... These devs tend to not know how the stack and heap work, so key sniffing works. All ransomware is file keys encrypted with a server key associated with the HWID, or even a master key local with keygen..
The truth hurts.
skywalk
Addict
Posts: 3554
Joined: Wed Dec 23, 2009 10:14 pm
Location: Boston, MA

Re: Oh crap... PB ransomware

Post by skywalk »

HanPBF wrote:At my office here, I can not argument any local program anymore; web is ubiquitous.
I use JavaScript with web components and web socket and the V8 engine/compiler is fantastic.
SpiderBasic is simply not needed.
Yes, more and more development is heading to the browser. Even Chrome has decided to enable local file access.
Still, it does not come without the startup delays and open code (if not WebAssembly'd) and is not acceptable for intense control system apps and threading and high speed database access.
SpiderBasic is acceptable for prototyping and would be even better if it compiled to WebAssembly.
However, what is stopping PureBasic from compiling to WebAssembly directly with LLVM?
The nice thing about standards is there are so many to choose from. ~ Andrew Tanenbaum
Little John
Addict
Posts: 4007
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Oh crap... PB ransomware

Post by Little John »

BarryG wrote:It's wrong that they named it "PureLocker" as though PureBasic were bad and some sort of black hat coding tool. :evil: Would they have called it "PowerLocker" if it were written in PowerBasic, or "VBLocker" if written in Visual Basic .NET? I doubt it.
My thoughts exactly!

That name was obviously chosen by Intezer:
Intezer wrote:We have named this ransomware PureLocker because it’s written in the PureBasic programming language.
If I were Fred, I'd write a mail to Intezer, kindly asking them to choose a different name -- because "PureLocker" doesn't make much sense, and is potentially damaging to the business of Fantaisie Software.
Please excuse my flawed English. My native language is PureBasic.
Tenaja
Addict
Posts: 1829
Joined: Tue Nov 09, 2010 10:15 pm

Re: Oh crap... PB ransomware

Post by Tenaja »

Justin wrote: What makes pb exes diffrent?
Anonymity through obscurity. Or obfuscation by obscurity.

PB is used by so few people that in most lists of computer languages, PB does not exist.
Mohawk70
Enthusiast
Posts: 399
Joined: Thu May 11, 2006 1:04 am
Location: Florida, USA

Re: Oh crap... PB ransomware

Post by Mohawk70 »

Erich wrote:https://yro.slashdot.org/story/19/11/12 ... er-servers

To the guys who write these ransomware platforms, who are probably even on this forum somewhere: Could you not use languages like Go instead?

Now Purebasic programs will be flagged by Antivirus even more. :x
I was just about to post this with a similar comment. Reading here now
https://www.computing.co.uk/ctg/news/30 ... -purebasic
Tenaja
Addict
Posts: 1829
Joined: Tue Nov 09, 2010 10:15 pm

Re: Oh crap... PB ransomware

Post by Tenaja »

Now Purebasic programs will be flagged by Antivirus even more. :x
I'm not sure this is mathematically possible! 100 percent of all av I've used has flagged 100 percent of the code I've written, and none of it has been malicious.
Derren
Enthusiast
Posts: 309
Joined: Sat Jul 23, 2011 1:13 am
Location: Germany

Re: Oh crap... PB ransomware

Post by Derren »

DK_PETER wrote:This kind of destructive usage can't be prevented unless you create a language without file access and extremely limited network access of any kind.
How about using an OS that does prevent randomly downloaded software from accessing files etc.
Linux has the X permission that prevents scripts from being executed unless it is specifically set, and Android requires apps to request permission for a specific type of action, like access to files, the internet or the address book. For some time now, you can even deny specific permissions to any app (in the past, if you didn't want to allow it, all you could do was not install the app).

Windows could finally put something like this into their systems. Especially for the likes of "Locky" and other macro viruses that hide in Office documents. It would be easy to check what a macro in a Word or Excel file does and display a warning if the macro tries to access files, for example.
It's beyond me why they don't do this.


PS: How can you even know if a program was written in PB?
Dude
Addict
Posts: 1907
Joined: Mon Feb 16, 2015 2:49 pm

Re: Oh crap... PB ransomware

Post by Dude »

Derren wrote:How can you even know if a program was written in PB?
Different tools exist that show it. Here's one: https://mitec.cz/exe.html
Danilo
Addict
Posts: 3010
Joined: Sat Apr 26, 2003 8:26 am
Location: Planet Earth

Re: Oh crap... PB ransomware

Post by Danilo »

Derren wrote:PS: How can you even know if a program was written in PB?
Many compilers generate some startup code at the entry point of the application,
so the first few bytes at the app entry point are probably always the same for a
specific compiler.
You could also take a fingerprint of some compiled functions inside .obj/.exe files.
If you take a fingerprint of functions like "PB_FreeString@4" or "PB_ReAllocMem" (just as an example)
and you check the executable area inside the .exe for this fingerprint, you could find this fingerprint
if the program was written using PB.
All the PB library functions inside .obj/.lib have a fingerprint and get linked into your executable.
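The fingerprinting approach Danilo describes above, together with the "is it signed, does it carry version info" checks HanPBF lists earlier in the thread, as an added example in Python that is not from the original thread or from PureBasic itself. It parses the PE headers directly (no pefile dependency), hashes the first bytes at the entry point, searches executable sections for known byte patterns, and reports whether an Authenticode certificate table and a resource directory are present. The bytes in FINGERPRINTS and the image produced by build_sample_pe() are constructed placeholders for offline testing, not real PureBasic signatures; a real fingerprint would be lifted from the PB runtime .lib/.obj files as Danilo suggests.

```python
"""Static PE triage: entry-point fingerprint, code-section pattern scan, and
presence of an Authenticode certificate table and a resource directory.
Added example; not code from the thread or from PureBasic."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Hypothetical fingerprints: bytes an analyst would lift once from a runtime
# library function (the PB_FreeString@4 / PB_ReAllocMem idea above). These
# placeholders are NOT real PureBasic signatures.
FINGERPRINTS = {
    "example_runtime_helper": bytes.fromhex("5589e583ec08"),
}


def parse_pe(data: bytes) -> dict:
    """Read the headers needed for triage from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "va": va, "vsize": vsize, "raw": rawptr,
                         "rawsize": rawsize, "chars": chars})
    return {"entry_rva": entry_rva, "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    """Map an RVA to a file offset via the section table."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["raw"] + (rva - s["va"])
    raise ValueError("RVA %#x is not backed by any section" % rva)


def scan_fingerprints(data: bytes, pe: dict) -> dict:
    """Search executable sections for known byte patterns; return name -> RVA."""
    hits = {}
    for s in pe["sections"]:
        if not s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            continue
        blob = data[s["raw"]:s["raw"] + s["rawsize"]]
        for name, pattern in FINGERPRINTS.items():
            pos = blob.find(pattern)
            if pos != -1:
                hits[name] = s["va"] + pos
    return hits


def triage(data: bytes, entry_bytes: int = 16) -> dict:
    """Summarise the compiler/packaging clues a reviewer would look at first."""
    pe = parse_pe(data)
    ep = rva_to_offset(pe, pe["entry_rva"])
    prefix = data[ep:ep + entry_bytes]

    def has_dir(index: int) -> bool:
        return index < len(pe["dirs"]) and pe["dirs"][index][1] != 0

    return {
        "entry_prefix": prefix.hex(),
        "entry_hash": hashlib.sha256(prefix).hexdigest(),
        "fingerprints": scan_fingerprints(data, pe),
        "authenticode": has_dir(IMAGE_DIRECTORY_ENTRY_SECURITY),
        "resources": has_dir(IMAGE_DIRECTORY_ENTRY_RESOURCE),
    }


def build_sample_pe(code: bytes, signed: bool = False) -> bytes:
    """Construct a minimal (non-runnable) PE32 image for offline testing."""
    align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, align)         # Section/File alignment
    struct.pack_into("<I", opt, 60, align)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    body = code.ljust(align, b"\0")
    if signed:
        # The security directory holds a FILE OFFSET, not an RVA; point it at a
        # constructed 8-byte placeholder appended after .text.
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 2 * align, 8)
        body += b"\0" * 8
    text = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, align, align,
                       0, 0, 0, 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)
    headers = (dos + coff + bytes(opt) + text).ljust(align, b"\0")
    return headers + body


if __name__ == "__main__":
    sample = build_sample_pe(b"\x90\x90" + FINGERPRINTS["example_runtime_helper"] + b"\xc3", signed=True)
    print(triage(sample))
```

Two caveats when pointing this at real binaries: a non-empty security directory only says a WIN_CERTIFICATE blob is attached, not that the signature verifies (that still needs the OS or a tool such as signtool / Get-AuthenticodeSignature), and a non-empty resource directory only says resources exist; confirming a VERSIONINFO block means walking the resource tree for type RT_VERSION (16). Keep the entry-point hash short enough to stop before the first absolute address the linker relocates, or the hash will differ between builds of the same compiler.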
BarryG
Addict
Posts: 1718
Joined: Thu Apr 18, 2019 8:17 am

Re: Oh crap... PB ransomware

Post by BarryG »

Erich wrote:Now Purebasic programs will be flagged by Antivirus even more
My exe today: https://i.imgur.com/uAttPUp.png

What can we do about this? I'm lost. What's the point when we can't win the fight?