Code posted to Pastebin.com over the weekend outlines a framework developed by someone within Anonymous, aimed at creating customized malicious software. Pitched as open source Malware, AnonWare, is said to be always changing, improving, and evading.
The code, written in C#, is only a framework for Malware development. Passive examination shows that it is not malicious on its own. However, the comments left inside the framework’s code, clearly demonstrate how to achieve that result with the basic skeleton provided.
“…welcome to a new age of malware…one where AV software can't pick out the latest tweaks of malware…one where the malware is open source and always changing, improving, evading…one where AnonWare is only the beginning…you can stop AnonWare...but you can't stop what's to come…Expect Us. Expect the Future…,” a note left with the code says.
In response to emailed questions, AnonDev, the coder behind AnonWare, offered a little more information.
AnonWare was created “...to provide a simple, basic piece of malware that beginning or intermediate virus writers could use to simplify the process. No need to reinvent the wheel,” the email explained.
“Ultimately, I would love for it to become the de-facto standard for open source viruses…really hoping that people start sending in code improvements so that AnonWare can begin to reach this goal.”
“Actually, I coded it in a couple days…extremely surprised that it got 118 views so far [on Pastebin]; was expecting like 2 views per hour…hope [people] spread it on social networks, IRC and the like so we get more usage, testing, and improvements.”
AnonWare can be configured for usage on Windows XP, Windows Vista, or Windows 7. In addition, the framework is using runtime compilation instead of downloading executables. This will allow the code to bypass some of the application signing requirements imposed by Microsoft.
It’s unknown if this framework will gain any momentum within Anonymous. While methods such as Web exploitation and DDoS are commonly used by the loosely associative group, Malware development and distribution is not.
However, Ryan Cleary, an ex-supporter of Anonymous, was arrested and charged with controlling and allowing others to access a botnet earlier this summer. Botnets only exist because custom Malware such as this.
We’ve asked a few security vendors to look at the source and share their thoughts. Once we hear back from them, we will update this article. [Updates below]
Further information on #RefRef is here.
"I've looked at the code, it's really unimpressive. It's essentially an ad-hoc C# compiler, that pulls source code from a user specified domain," explained a threat researcher at Sophos.
"The comments on the code are quite surprising, it seems to indicate either a distinct lack of knowledge, laziness or amaturism. In essence, this framework, as it is, will download and compile source code from a user-specified domain [and] the created file is named assemble.exe (this is hardcoded at the moment, but will eventually be psuedo-random, based on the code + comments). It's all quite primitive at the moment and doesn't offer any kind of encryption or obfuscation. I'm just writing detection for the compiled exe at the moment, but we'll be sure to keep an eye on it."
"I think by far the most interesting parts of this code snippet are the comments made by the author. The author doesn't seem to be aware of the fact that malware has been evolving and morphing on a regular basis for years now," said Pierre-Marc Bureau, the senior researcher at ESET.
"A good example is the blog post we have just published. There is a new version of Win32/PSW.OnlineGames.OUM released every day, for the purpose of evading antivirus detection. There has been malware frameworks being used by malicious actors for many years too. The Butterfly kit (detected by ESET as Win32/Peerfrag), SpyEye and Zeus are only examples of such frameworks. As for the functionalities of the code, I could not find anything that would teach malware authors any trick they didn't already know."