Are my AutoIt exes really infected?


Hi,

We've been using AutoIt v3.3.6.1 to compile our .au3 scripts because the online virus scanner virustotal.com, which scans the uploaded file with different scanners and gives you a report showing the results, has seemed to report fewer false positives on executables when using the old 3.3.6.1 compiler instead of more recent, higher versions of AutoIt.

We compile using AutoIt2Exe without UDF compression and sign them using our code-signing certificate from a trusted vendor.

It has been a while since we compared scanning the same .au3 script compiled with different versions, and I was just wondering if version 3.3.6.1 is still the "safest" version, or if people here have another preference for which AutoIt version / compiler causes the fewest false positives?

Edited by DHL
typo and added fact that we use a cert to sign our exes

I've never had any of my compiled execs flagged and I'm using the latest version. So, anything we tell you would depend on which unreliable AV you're using that's flagging them.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator


Same here. I routinely write and compile scripts in corporate environments, and have lately found myself doing a lot of AutoIt/PowerCLI cross-scripting. Never any issues with the latest version and any of the major business AV suites out there. I'm sure I have run under just about everything in the top three sections of the Magic Quadrant:

https://solutionsreview.com/endpoint-security/gartner-2017-epp-magic-quadrant/

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!


Do you mean 'without UDF compression' or 'without UPX (UCL) compression'?

And have you tried just hashing your exe and uploading that to see if you are really popping for a signature? Or commenting out the whole thing, and uploading an exe that does a bunch of nothing to see if it's all compiler flags, or if someone really did detonate you in a sandbox and you tripped heuristics. If that last thing happened you need to bear in mind that all AutoIt exes look like 90% the same, so it really is on the author to perform their due diligence in getting it whitelisted.

That being said, I drop scripts all over monoliths in regulated environments; the last script I got flagged on was Carbon Black, and that's because I was running the PowerShell Invoke-Obfuscation module, so that's hardly AutoIt's fault.

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)


  • 1 month later...

Just contacted Bullguard a few days ago. It detected a UPX-compiled script on a friend's machine. I only bring it up so that you all can be aware. Bullguard is quick to update, and their customer support is fantastic, so I am willing to bet they fixed it by now. (It's been just under a week.)
It does look like this problem has gotten better over the years though. The noticeable difference is that I can now run my favorite antimalware programs without having to worry about one hitting AutoIt by accident.

EDIT
I most often use Avast, ClamWin (I know, I know, but it's worth doing just in case when poop hits the fan...), Spybot, and a few less effective ones that can still catch unusual problems that even the big guns can miss. It's rare, but it happens. Only Avast is allowed to run in the background, of course.

Edited by Draygoes
Added details...

"If a vegetarian eats vegetables,What the heck does a humanitarian eat?"

"I hear voices in my head, but I ignore them and continue on killing."

"You have forced me to raise the indifference warning to beige, it's a beige alert people. As with all beige alerts please prepare to think about the possibility of caring."

An optimist says that giving someone power DOESN'T immediately turn them into a sadist. A pessimist says that giving someone power doesn't IMMEDIATELY turn them into a sadist.


I must admit, I'm getting really tired of the false positives and constantly having to fight av vendors to get my scripts whitelisted.

I coded a simple hello world script.

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Blue.ico
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
MsgBox(0,"Hello","World")

6 Detections
https://www.virustotal.com/#/file/2cf504b59fd1e185d45519e03a4fe47866db9f84d4a68cad7850d78a660b060a/detection

My website's reputation is suffering because of this. I'm thinking about leaving AutoIt for good and learning some other language like c#. I know I'm still going to have to fight them, no matter what language I pick, but this is getting ridiculous. What are your thoughts?


Edited by BetaLeaf


The only one that is laughable is SOPHOS, who claims their ML identified it via heuristics. The others have just correctly identified something that shares 98% of its code with identified malware. It may be lazy grading, but I'd like to see more compiler directives (like UPX=N) to try and accommodate them, rather than expecting the reverse.

I'm down to 4 with just directives.

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Blue.ico
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_UseX64=n
#AutoIt3Wrapper_Run_Tidy=y
#AutoIt3Wrapper_AU3Check_Parameters=-d -w 1 -w 2 -w 3 -w- 4 -w 5 -w 6 -w- 7
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
MsgBox(0, "Hello", "World")

helloworld(down to 4).PNG

Edited by iamtheky


Down to 3 - weird that Qihoo and SentinelOne fall off and DrWeb comes back. They wouldn't have arbitrary checks they try and pass off as Machine Learning... that's unheard of in the infosec community. If you only score a 3/67 and you are not a large vendor or carrying a signed exe in your pocket, then you are doing great. (You want to see something fun, put the pragma directives in place of the wrapper_ ones and watch all of them start changing again; it's r-e-t-a-r-d-e-d and does not change when your language of choice changes.)

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Icon=C:\Program Files (x86)\AutoIt3\Icons\MyAutoIt3_Blue.ico
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_UseX64=n
#AutoIt3Wrapper_ShowProgress=y
#AutoIt3Wrapper_Res_SaveSource=y
#AutoIt3Wrapper_Res_Fileversion=3.0
#AutoIt3Wrapper_Run_Tidy=y
#AutoIt3Wrapper_AU3Check_Parameters=-d -w 1 -w 2 -w 3 -w- 4 -w 5 -w 6 -w- 7
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
MsgBox(0, "Hello", "World")

helloworld_downto3.PNG

Edited by iamtheky


6 hours ago, BetaLeaf said:

I must admit, I'm getting really tired of the false positives and constantly having to fight av vendors to get my scripts whitelisted.

See post #160 in this thread, VirusTotal is a joke and completely unreliable. Stop flogging the dead horse, it's not going to rise from the dead.


5 hours ago, BrewManNH said:

See post #160 in this thread, VirusTotal is a joke and completely unreliable. Stop flogging the dead horse, it's not going to rise from the dead.

I'm not flogging a dead horse, my customers are. There are some who will only validate their existing beliefs. (Confirmation Bias/The Backfire Effect)


I think it's fair to say that VirusTotal is a dead horse. 

Does your customer have full/enterprise versions of AV that are also triggering, and if so, which vendors? Does IDS trip when they download the file? Does it get quarantined by the ESA if sent as an attachment? Does the EDR lose its shit when it executes? Or is it "just this one website doesn't tell me it's clean"?


Edited by iamtheky


That might be the most YOLO app security strategy I have ever heard of in my 15 years of infosec.


22 minutes ago, iamtheky said:

That might be the most YOLO app security strategy I have ever heard of in my 15 years of infosec.

Look, I know VirusTotal is crap; I'm saying my customers don't. I'm just trying to figure out why something as simple as a hello world script gets flagged, which was answered by @BrewManNH.

Edited by BetaLeaf


I was agreeing. Customer service issues with the ill-informed suck.

And software signing should not help with the ML and heuristic detections (as those should be detonations/behavioral, and signing wouldn't change that), though I have no faith those aren't triggering on something static.


  • 1 month later...

Webroot SecureAnywhere is on the warpath. All the EXEs I have written are being quarantined. None of them are malicious. They are finding some common signature bytes and blacklisting everything. Does anyone know links to Webroot to complain?


I'd start with support, but you may want to also make sure you are compiling in the most AV-friendly manner, like with UPX off.

https://www.webrootanywhere.com/servicewelcome.asp

Edited by iamtheky

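Two suggestions in this thread (iamtheky's "hash your exe and upload that" / "an exe that does a bunch of nothing" triage, and the later advice to compile with UPX off) both come down to looking at what a static scanner sees in the compiled binary before it ever runs. The following is an added example, not code from the thread or from AutoIt: it parses the PE section table, hashes the file for a VirusTotal or vendor-portal lookup, and flags the two static packing hints (UPX section names, near-8-bit entropy) that change when `#AutoIt3Wrapper_UseUpx=n` is set. The PE samples are constructed in-line so it runs offline; point `triage()` at the bytes of a real compiled exe to use it.

```python
import hashlib, math, struct
from collections import Counter
E_LFANEW, COFF_HEADER_SIZE, SECTION_HEADER_SIZE = 0x3C, 20, 40  # PE/COFF layout constants

def pe_sections(data):
    """Return [(name, raw_bytes)] for every section, read straight from the PE headers."""
    pe_off = struct.unpack_from("<I", data, E_LFANEW)[0]          # e_lfanew -> "PE\0\0"
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 4 + COFF_HEADER_SIZE + opt_size              # section table follows optional header
    out = []
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return out

def entropy(blob):
    """Shannon entropy in bits per byte; packed or encrypted data sits close to 8.0."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def triage(data):
    """What a static scanner sees before any behaviour: hash, section layout, packing hints."""
    secs = pe_sections(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # the lookup key for VT / vendor portals
        "sections": [n for n, _ in secs],
        "upx_sections": any(n.startswith("UPX") for n, _ in secs),
        "high_entropy": any(entropy(b) > 7.0 for _, b in secs if len(b) >= 256),
    }

def build_sample_pe(sections):
    """Constructed test input: MZ stub, PE signature, empty optional header, given sections."""
    ptr = 0x40 + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections)
    dos = b"MZ" + b"\0" * (E_LFANEW - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), ptr, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body, ptr = body + raw, ptr + len(raw)
    return dos + b"PE\0\0" + coff + table + body

PACKED_SAMPLE = [(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 4)]          # constructed UPX-style layout
PLAIN_SAMPLE = [(b".text", b"\x90" * 512), (b".rdata", b"Hello World" * 40)]  # constructed unpacked layout

if __name__ == "__main__":
    print(triage(build_sample_pe(PACKED_SAMPLE)), triage(build_sample_pe(PLAIN_SAMPLE)), sep="\n")
```

If the UPX-off build still trips the same engines, the hit is in the shared AutoIt stub or in behaviour, which is the "detonated in a sandbox" case iamtheky describes, and only a vendor whitelisting request fixes that.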

  • 4 weeks later...

We are using the latest version of Trend Micro OfficeScan XG and it's now starting to flag my AutoIt .exe as Trojans. I was told that I would have to submit my exe to Trend for verification, BUT the .exe would have to be digitally signed.

Is anyone else seeing this?

Edited by antmar904

  • 1 month later...
  • Melba23 changed the title to Are my AutoIt exes really infected?
  • Melba23 pinned this topic
