Oh crap... PB ransomware

[DK_PETER]

That's definitely not good exposure and antivirus will raise the bar against PB exec for sure

I'm right there with Barry G.

This kind of destructive usage can't be prevented unless you create a language without file access and extremely limited network access of any kind. (Render it completely useless).
There will always be extreme a**holes who want to use a language for dark purposes. It is nothing new and has been there from the good old amiga and dos days.
The language isn't at fault, the programmer is. It isn't the language that gets a negative exposure it is how it is used and the software they created with it.
Yes...We might get some extra work to whitewash our software, but it is already necessary to do so in many cases.
Everything that can be misused, will be misused without exception. (Which actually really means everything).
And even though the "exposure' seems bad, Purebasic will be examined and tried out by a lot of good guys too.

[skywalk]

I am incredulous.
This is not the 1st and only virus written in PureBasic. Nor the last.
How many viruses written in C/C++, ASM, VB6, VBA?

The real story is PureBasic is a professional cross platform language that flies under the radar of the programming world.

When I'm asked by blown away customers, "What language did you write that in?", I have to say "umm, C, Basic, and some Assembly." Otherwise, the conversation goes into another dimension.

[HanPBF]

@BarryG

I wrote two entries in forum: one titled paranoia, another one titled "think first"...

At my office, things get abandoned due to paranoia; that was my concern.

Size of exe: good -> no reason for false positive here. I also bloated the exe which helped (sometimes...).
64bit was not false positive, 32bit was (at my site...).

Version info: will check this.

Digitally Signing: forgot this but is needed at my site; will check this, too.

PureLocker requires admin rights to run

Save at my place here -> no user has admin rights!
Good hint!!!

There's no reason to ditch PureBasic over this.

Was not my intention and would be wrong, correct!

At the end: You gave lots of information here so -> thanks a lot for that!!!


Garbage Collection -> I will open another thread for this (rust's borrowing simulated).
But garbage collection is a way to level up security to prevent memory leaks, isn't it?
All can be misused; but do we get more security or stability when using garbage collection?
I mean that as an example where all "main" languages switched to, like C#, Java.
I know -> performance is worse and C/C++ are not garbage collected.

Code: Select all

... I have to say "umm, C, Basic, and some Assembly." Otherwise, the conversation goes into another dimension.

I saw a project years ago where the guys levelled up .Net exe to silverlight and said management, they are doing a completely new web infrastructure.
I predicted immediately that silverlight gonna die!

At the end I think saying PureBasic is C is not a big lie; the concepts and performance is the same.
The syntax is a little easier and we have nearly all batteries included usng PureBasic (like python).

At my office here, I can not argument any local program anymore; web is ubiquitous.
I use JavaScript with web components and web socket and the V8 engine/compiler is fantastic.
SpiderBasic is simply not needed.

[Mijikai]

There are only very few AV companies that have proper engines and detect malware somewhat reliable.
Anyway imho this is an AV issue and not an Language issue.

[BarryG]

The language isn't at fault, the programmer is

It's wrong that they named it "PureLocker" as though PureBasic were bad and some sort of black hat coding tool. Would they have called it "PowerLocker" if it were written in PowerBasic, or "VBLocker" if written in Visual Basic .NET? I doubt it.

On the bright side (every cloud has a silver lining?) most articles call it "this unusual new ransomware", which could be testament to the power of PureBasic - they've never seen anything like it, and only PureBasic makes it possible! Maybe in my app's advertising I should say it's powered by the same tool used as the fearsome "PureLocker" virus!

[tj1010]

I'm not even a malware researcher and I've gotten many modules off honeypots written in PB over the years.. Devs likely aren't PB fans just needed rapid PE generation and API access prototyping; Go, Python, and Rust have a lot of abstraction you have to work around.

If it's using Windows API and store or one of the static libs here there is probably a unlock tool already... These devs tend to not know how stack and heap works so key sniffing works.. All Ransomware is file keys encrypted with server key associated with HWID or even master key local with keygen..

[skywalk]

At my office here, I can not argument any local program anymore; web is ubiquitous.
I use JavaScript with web components and web socket and the V8 engine/compiler is fantastic.
SpiderBasic is simply not needed.

Yes, more and more development is heading to the browser. Even Chrome has decided to enable local file access.
Still, it does not come without the startup delays and open code(if not webassy'd) and is not acceptable for intense control system app's and threading and high speed database access.
SpiderBasic is acceptable for prototyping and would be even better if it compiled to WebAssembly.
However, what is stopping PureBasic from compiling to WebAssembly directly with LLVM?

[Little John]

It's wrong that they named it "PureLocker" as though PureBasic were bad and some sort of black hat coding tool. Would they have called it "PowerLocker" if it were written in PowerBasic, or "VBLocker" if written in Visual Basic .NET? I doubt it.

My thoughts exactly!

That name was obviously chosen by Intezer:

We have named this ransomware PureLocker because it’s written in the PureBasic programming language.

If I were Fred, I'd write a mail to Intezer, kindly asking them to choose a different name -- because "PureLocker" doesn't make much sense, and is potentially damaging to the business of Fantaisie Software.

[Tenaja]

What makes pb exes diffrent?

Anonymity through obscurity. Or obfuscation by obscurity.

PB is used by so few people that in most lists of computer languages, PB does not exist.

[Mohawk70]

https://yro.slashdot.org/story/19/11/12 ... er-servers

To the guys who write these ransomware platforms, who are probably even on this forum somewhere: Could you not use languages like Go instead?

Now Purebasic programs will be flagged by Antivirus even more.

I was just about to post this with a similar comment. Reading here now
https://www.computing.co.uk/ctg/news/30 ... -purebasic

[Tenaja]

Now Purebasic programs will be flagged by Antivirus even more.

I'm not sure this is mathematically possible! 100 percent of all av I've used has flagged 100 percent of the code I've written, and none of it has been malicious.

[Derren]

This kind of destructive usage can't be prevented unless you create a language without file access and extremely limited network access of any kind.

How about using an OS that does prevent randomly download software from accessing files etc.
Linux has the X-permission that prevents scripts from being executed, unless specifically activated and Android requires apps to request permission for a specific type of action, like access to files, the internet or the address book. For some time now, you can even deny specific permissions to any app (in the past, if you didn't want to allow it, all you could to was not to install the app)

Windows could finally put something like this into their systems. Especially for the likes of "lockey" and other macro viruses that hide in Office documents. It would be easy to check what a macro in a word or excel file does and display a warning if the macro tries to access files, for example.
It's beyond me, why they don't this.


PS: How can you even know if a program was written in PB?

[Dude]

How can you even know if a program was written in PB?

Different tools exist that show it. Here's one: https://mitec.cz/exe.html

[Danilo]

PS: How can you even know if a program was written in PB?

Many compilers generate some startup-code at the entry-point of the application,
so the first few bytes at the app-entry-point are probably always the same for a
specific compiler.
You could also take a fingerprint of some compiled functions inside .obj/.exe files.
If you take a fingerprint of functions like "PB_FreeString@4" or "PB_ReAllocMem" (just as an example)
and you would check the excutable area inside .exe for this fingerprint, you could find this fingerprint
if the program was written using PB.
All the PB library functions inside .obj/.lib have a fingerprint and get linked into your executable.

[BarryG]

Now Purebasic programs will be flagged by Antivirus even more

My exe today: https://i.imgur.com/uAttPUp.png

What can we do about this? I'm lost. What's the point when we can't win the fight?