The right thing in the wrong hands
From Total Malware Info
By Vitaly Kiktenko, Virus Analyst.
Even the best things, created to make people’s lives easier, can easily be turned to evil when they end up in the wrong hands. People create specialized scripting languages intended for solving various automation tasks, but you never know who will use your tool, or how…
AutoIt is one such tool: a simple scripting language created for automating testing, installation and configuration. Its distinguishing feature is a very powerful set of functions for manipulating the Windows GUI. It can simulate keystrokes, mouse movements and window commands (maximize, minimize, wait for, etc.) in order to automate any Windows-based task. The tool became very popular among system administrators and testers because it saved them hours of work. Recently it has also become popular among malware writers. It is an ideal tool for developing malware that manipulates a software interface to bypass security warnings, or that works with the interface of IM clients to send infected messages. AutoIt has a complete set of functions for working with the file system and the registry, and it also includes a utility that converts AutoIt scripts into standalone executable files. This makes it a perfect tool for malware creation.
Examples of such malware are IM-Worm.Win32.AutoIt and the recent IM-Worm.Win32.Sohanad.ar. The latter worm uses the Yahoo Messenger software to spread itself via the Yahoo IM network. It simulates user input in the messenger’s dialogs and sends messages that contain links to copies of the worm for download. In this way the worm’s actions can be recognized by security software as normal user activity and will not produce any warnings. Even if there were warnings, it would be no problem for the malware author to automate positive user responses to them. From the stealth point of view, working through the interface of external software is much more effective than using built-in clients for email or other message transfer protocols, because it is much harder for security software to recognize malicious activity when it comes from non-malicious user applications.





