crashdemons

[Concluded] AutoIt program malicious

9 posts in this topic

#1 ·  Posted (edited)

I have had one of my programs that was compiled in AutoIt Script called into question for using functions related to the SCM and 'messing' with registry keys.

The script I wrote and compiled does not edit the registry or anything I have listed above.

The program is a Yahoo! proxy/filter but that is not being called into question.

However, Having my application critically examined makes me question why some of these actions are necessary in my compiled program.

I would not have posted this thread unless I had serious questions not handled by the "Are my AutoIt Exe's Really Infected?" thread.

----------------------------------------------------------------------

AutoIt Script version 3.2.10.0

AutoIt3Wrapper GUI 1.9.2 (Non-ANSI mode)

Edited by crashdemons

My Projects - WindowDarken (Darken except the active window) Yahsmosis Chat Client (Discontinued) StarShooter Game (Red alert! All hands to battlestations!) YMSG Protocol Support (Discontinued) Circular Keyboard and OSK example. (aka Iris KB) Target Screensaver Drive Toolbar Thingy Rollup Pro (Minimize-to-Titlebar & More!) 2D Launcher physics example Ascii Screenshot AutoIt3 Quine Example ("Is a Quine" is a Quine.) USB Lock (Another system keydrive - with a toast.)


#3 ·  Posted (edited)

Sure, the only files I didn't include were standard UDF's

[EDIT: yahfilter_src.zip previously attached, now removed. ]

- _richedit_912.au3 is attached in a below post.

Not exactly happy about posting it publicly, but what else am I supposed to do for verification? :|

Edited by crashdemons



#4 ·  Posted (edited)

Hi,

RichEdit, isn't that a COM object based UDF?

Edited by smashly


I have had one of my programs that was compiled in AutoIt Script called into question for using functions related to the SCM, for registering a COM object and 'messing' with registry keys.

Called into question by who or what, and if it was a "who" what's their basis for questioning? AutoIt doesn't expose any native methods for interacting with the Service Control Manager, which uses RPC.

The AutoIt interpreter EXE is kind of a Swiss-Army variable-sword, so I could understand reservations about having it available. Your case seems to be that of your compiled script being condemned because of what the script interpreter could do. I guess that depends on the party's policy about scripting hosts, i.e. as long as one is presuming you've got users who are savvy enough to use a script, that one is equally concerned about CSCRIPT.EXE and WSCRIPT.EXE, and REG.EXE and shell execution of REG files.

The AutoIt interpreter is available to anyone with an Internet connection, so no real difference between a compiled script, an arbitrary AU3 script or any EXE in the world unless you've got your users locked down regarding Internet access. And flash drives. And CDROMs. Hell, let's just say locked down to only approved EXEs; if you've got to look at every compiled executable as if it might have a malevolent djinni inside you've either got to lock down to that degree or trust your malware protection.


Yes yes yes, there it was. Youth must go, ah yes. But youth is only being in a way like it might be an animal. No, it is not just being an animal so much as being like one of these malenky toys you viddy being sold in the streets, like little chellovecks made out of tin and with a spring inside and then a winding handle on the outside and you wind it up grrr grrr grrr and off it itties, like walking, O my brothers. But it itties in a straight line and bangs straight into things bang bang and it cannot help what it is doing. Being young is like being like one of these malenky machines.


The file "_RichEdit_912.au3" is not provided. Rich Edit controls do expose a COM interface and the Rich Edit control isn't always registered on the system. It's possible whatever library you are using to provide the RichEdit functions is doing something you aren't aware of. You'll have to post that file to be sure.


#7 ·  Posted (edited)

@DaveF

- the issue seems to be pressing enough to have a couple of my YahFilter mirrors suspended until the issue is resolved/explained in full.

@All -

One part of the evidence supplied to me was a list of includes made by the compiled program, which were found to be called in the program later.

Along this list were ADVAPI32 imports such as "OpenSCManager..." and "AdjustTokenPrivileges".

- part of why my application is called into question is why are they imported if they aren't used, and if they aren't being used, why are they called in the program?

I don't have the original screenshot on-hand so I looked up the imports myself - I'll try to post the original later if it shows anything different/useful.

@Valik - That could be one issue

_RichEdit_912.au3

Edit: typo

Edited by crashdemons



AutoIt is an interpreter. Every compiled script is a full interpreter. Every compiled script contains the implementation to every single AutoIt function. Things your script doesn't use are not stripped (And don't ask, the answer is no, they will not be stripped, no matter how much you beg). Somewhere in AutoIt's code, some of these "alarming" functions are used to implement one or more of AutoIt's features. AutoIt does a lot of complicated things behind the scenes to make things simple for you guys to use. The amount of code and the complexity of the code to implement some of the most used features in the language would probably amaze some of you since AutoIt makes it all so simple. There are also some clever and innovative things in AutoIt to solve problems that have no conventional solution. That doesn't mean AutoIt is doing anything malicious.

But here's something malicious for you. Tell these oversight morons to learn to do their job. The level of incompetence demonstrated to you which prompted this thread is just astounding. The import table, seriously? People look at that as an indicator of anything? Do they not realize I can make the import table say what I want it to say? The people that are flagging issues with your script should be fired for incompetence immediately. They do not know what they are doing and I cannot stress that enough.

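As an added example (not code from this thread or from the AutoIt project), the Python below does the check the reviewers in this thread skipped: it walks a PE32 import table and reports only the imports a compiled script has that the stock interpreter does not. build_pe constructs the sample images with illustrative import names (no real AutoIt3.exe is read), and in doing so also illustrates Valik's point that an import table is just data anyone can write; pe_imports works on real 32-bit PE files as well.

```python
import struct
SEC_RVA, SEC_RAW = 0x1000, 0x200  # RVA and file offset of the single section in the constructed image

def build_pe(imports):
    """Constructed sample only: a minimal PE32 image whose import directory lists exactly `imports`."""
    descs, thunks, strings = bytearray(), bytearray(), bytearray()
    thunk_base = (len(imports) + 1) * 20                                     # descriptors (incl. null) first,
    str_base = thunk_base + sum((len(f) + 1) * 4 for f in imports.values())  # then thunk arrays, then strings
    for dll, funcs in imports.items():
        oft, name_rva = SEC_RVA + thunk_base + len(thunks), SEC_RVA + str_base + len(strings)
        strings += dll.encode() + b"\0"
        for f in funcs:                                                      # IMAGE_IMPORT_BY_NAME: hint + name
            thunks += struct.pack("<I", SEC_RVA + str_base + len(strings))
            strings += b"\0\0" + f.encode() + b"\0"
        thunks += b"\0" * 4                                                  # null thunk ends this DLL's list
        descs += struct.pack("<IIIII", oft, 0, 0, name_rva, oft)             # IMAGE_IMPORT_DESCRIPTOR
    body = bytes(descs + b"\0" * 20 + thunks + strings)
    opt = struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", SEC_RVA, len(descs) + 20) + b"\0" * 112
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), SEC_RVA, len(body), SEC_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # DOS header with e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102) + opt + sec
    return hdr + b"\0" * (SEC_RAW - len(hdr)) + body

def pe_imports(data):
    """Walk a PE32 image's import directory and return {dll: [function names or '#ordinal']}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                             # e_lfanew -> "PE\0\0"
    opt, nsec, opt_size = pe + 24, struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]                   # DataDirectory[1] = import table (PE32)
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                                            # RVA -> file offset via the section table
        va, raw = next((va, raw) for vs, va, rs, raw in secs if va <= rva < va + max(vs, rs))
        return raw + rva - va
    cstr = lambda o: data[o:data.index(b"\0", o)].decode("ascii")
    found, d = {}, off(imp_rva)
    while (desc := struct.unpack_from("<IIIII", data, d))[3]:                # a descriptor with Name == 0 ends the table
        names, t = [], off(desc[0] or desc[4])                               # OriginalFirstThunk, else FirstThunk
        while (entry := struct.unpack_from("<I", data, t)[0]) != 0:
            names.append("#%d" % (entry & 0xFFFF) if entry >> 31 else cstr(off(entry) + 2))
            t += 4
        found[cstr(off(desc[3]))] = names
        d += 20
    return found

def unexplained_imports(compiled, interpreter):
    """Imports of the compiled script that the stock interpreter lacks; everything else is AutoIt's own code."""
    base = pe_imports(interpreter)
    return {d: sorted(set(f) - set(base.get(d, ()))) for d, f in pe_imports(compiled).items() if set(f) - set(base.get(d, ()))}

INTERPRETER = build_pe({"ADVAPI32.dll": ["OpenSCManagerW", "AdjustTokenPrivileges"], "KERNEL32.dll": ["CreateFileW"]})  # constructed stand-in for the interpreter
COMPILED_SCRIPT = INTERPRETER + b"<au3 script bytes appended here>"  # constructed: the same stub with a script appended
```

Because the compiled script is the interpreter with the script appended, unexplained_imports(COMPILED_SCRIPT, INTERPRETER) is empty; the ADVAPI32 names are explained by the interpreter, not by anything the script does.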

#9 ·  Posted (edited)

Just as a follow-up to what ended up happening after my discussions with the parties involved eventually broke down:

+ My site was never returned (host required the original reporter to retract the notice, which he refused.)

+ A couple of file-sharing accounts closed on the same basis. (2 different sites, not at the same time)

I still love AutoIt very much, despite the shortsighted views of some running those sites.

I consider this topic morally closed as I wrote a decent application that was prejudiced by others for hilarious reasons - I got my answer though: get a decent website before hosting something worthwhile.

Thanks for the replies!

Edited by crashdemons


