Dangerous self-compiling malware

Antivirus programs work by comparing files that you download or run to known malicious software. When you run an executable, your antivirus will scan it before it is executed.

This is effective — for most viruses.

Runtime compilation is a method that allows text to be compiled and executed as code at runtime.

If you are familiar with Python you might have seen the eval function, which allows you to send a string to the Python interpreter. This is not entirely the same because Python is interpreted rather than compiled, but it is a good example to explain the concept.

Example of eval in python

C#, on the other hand, is an example of a compiled programming language. The average virus is a program, possibly written in a language like C#, compiled into an assembly that contains lines of code that will ultimately put the victim at risk or steal something from the victim’s machine, and can be easily scanned and compared to other malicious programs, and therefore detected and removed.

But what if I told you that you could make a virus that contained no malicious code?

That’s right — well, sort of.

This article by black wasp demonstrates runtime compilation with C# (in summary it’s pretty easy to do)

If you had a program that downloaded encrypted text from a server, decrypted it and compiled the code into the memory at runtime, the executable wouldn’t contain any malicious code and therefore would not be seen as a threat. The code it downloads, however, would be a different story. It could be highly malicious but wouldn’t be detected if the program uses secure encryption like AES to cipher the text.

In 2018 a cryptovirus much like the notorious wannacry ransomware was observed that encrypted the victim’s files and demanded 0.14 bitcoin for decryption, which would have been worth about £700.

Ransom note, courtesy of bleeping computer

Normally, the cryptovirus code would have been recognized and the threat would have been neutralized, however because of the use of runtime compilation, the virus went undetected.

While there are not many documented cases of the use of this technique in malware, I’m interested to see whether this technique is seen in future malware analyses.

student programmer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store