AutoIt Increasingly Employed by Malware Developers

AutoIt, the BASIC-like automation language for Windows programmers, is becoming a favored tool among malware developers for the same reasons it attracts legitimate users: it’s free, flexible and easy to use.

AutoIt, the BASIC-like automation language for Windows programmers, is becoming a favored tool among malware developers for the same reasons it attracts legitimate users: it’s free, flexible and easy to use.

Trend Micro TrendLabs’ Kyle Wilhoit wrote in today’s Security Intelligence Blog that there’s been an increase in “nefarious AutoIt tool code” — including keystroke loggers and remote-access Trojans — being uploaded to hacker hangouts like Pastebin and Pastie.

The freeware has been around since 1999, when it was introduced to create macros for Microsoft Windows programs. It was restructured in recent years to resemble BASIC scripting language and simulates keystrokes and mouse movements. A standalone application that doesn’t require a lot of runtime, AutoIt is commonly used to automate common tasks, such as backups and disk defrags, and create graphical user interfaces.

However, malware developers are increasingly manipulating the code to create such works as a variant of the DarkComet remote-access Trojan now in the wild that installs a backdoor on a victim’s machine, communicating over port 1604, and disables the Windows Firewall and then access to the Windows Registry, according to Wilhoit.

The security researcher believes this may be just the beginning of a threat trend.

“The increased usage of AutoIt is likely attributed to the fact that AutoIt is scalable, very similar to Basic, and is outrageously easy to code in,” he wrote. “This ease of use takes the learning curve off learning more complex languages such as Python. This opens up a wide array of possibilities to hackers that may not otherwise expose themselves to a scripting language.

“In addition, the ability to host code on Pastebin, natively compile, and run applications in stand-alone executable files makes it very quick to develop in. Finally, the ability to natively support UPX packing in AutoIt makes obfuscation easy for AutoIt applications.”

He recommends enterprises frequently conduct AV scans to flag malicious code and block sites like Pastebin.

Suggested articles


  • Jussi on

    Man, that is not an easy to read font on a Windows machine using Chrome as the browser. I would have a better chance reading it in Wingdings =/
    • Brian Donohue on

      We resolved this problem with a fix last week. Try clearing your cache and deleting your cookies and please let me know if the problem persists.
  • Larry on

    This should be an article about how incredible AutoIt is, rather than the alarmist view it portrays. The AutoIt community prides itself on how mature the product is and does not tolerate virus inquiries. Questions about game automation are even curtailed. AutoIt is used prolifically by IT departments and individuals world wide to help those entities be efficient and profitable. So much goodness goes unreported while the errant goof gets some unwarranted recognition.
  • czardas on

    I use AutoIt with the intention to develop educational software and I object to the language being singled out because it has a less steep learning curve. Not all professionals have the time to devote to learning a complicated programming languages. Education is the key. If you don't trust the author, or website, do not download the software It doesn't matter what language it's written in.
  • JLogan3o13 on

    I agree completely with Larry - this post was about as unhelpful as it was uninformative. Just because some twit is using the language for unethical reasons is not an excuse to malign the language as a whole. As the author clearly has 0 knowledge of programming, it should be pointed out that ANY language can be used in a bad way. It comes down to the Programmer, NOT the language he programs in. Uninformed articles like this one by people who are obviously not related to the industry or the product simply lead to AV companies overreacting; they block EVERYTHING related to the language, instead of investing the time to refine their definition libraries appropriately.
  • Anonymous on

    The real crackers have the ability to use more sophisticated programming languages. This is article is about some bored teenagers who if did have access to your system wouldn't know what to do with it. If enough malicious code is written using AutoIt then AV databases will mature and this pointless article will fade into the past. It serves no purpose other than to make AutoIt appear as a threat to the internet community. It seems that the author thinks that people make a habit of downloading software from unreliable sources but if that is the case then they probably don't know difference between AutoIt and C++ which makes them just as vulnerable to the latter case.
  • Anonymous on

    I also think this article is written by an ignoramus individual who failed to do their research properly. The fact is that interpreted languages being exploited by malware writers isn't anything new. The level sophistication in these malicious scripts is the equivalent to that of a compilation of batch and Vbscripts. The obfuscation although it does have legitimate purposes only serves to make the signatures of potentially malicious compiled executables more detectable. In fact I've written a script with a little as 20 lines of AutoIt then obfuscated the code only to determine that several AV's would in fact flag the binary as being an encrypted threat. This is an insult to the AutoIt community when singled out for the same reason is such a great tool. The author cold have done his research and wrote an article about interpreted languages in general.
  • Volly on

    I find the author acting irresponsible in the one-sided view of the AutoIt language. Why not suggest AutoHotkey? WinBatch? There are many languages out there that are easy to code in, scalable, and free to use. The AutoIt community fights hard against users who attempt to use AutoIt in a way that is unethical. Read our rules to our support forum here: This researcher the author references: who is he? What training does this researcher have? What qualifications? I fail to see how I can take the person he quotes seriously.
  • willichan on

    This article is a waste of space. I can't help but wonder if the author isn't one of those sorry loosers that got banned from the AutoIt forums, and wants to poke back.
  • Weighted_Cube on

    Obviously you guys haven't understood what the author is trying to say. She said there was a increase of malware code using the Autolt programing language. As it says the reason is that its easy, and flexible and easy to use, not saying this software is really bad and i don't like its community but it isn't. I find Autolt an amazing tool to use. But please understand what this post is for, its not useless because its JUST reporting the sudden increase of malware coding using this language and it may increase in the future -Weighted_Cube IT Technic
    • czardas on

      With a handle like Weighted_Cube I thought you might appreciate my AutoIt loaded dice :) I'm sure the author has the bext intentions, but I have to agree with Larry too: AutoIt seems to get a lot of bad publicity. The fact that it's easy to learn does encourage amateurs to use it for all kinds of reasons. As far as virus creation is concerned (I have never tried to create one BTW), writing one in AutoIt would be one of the worst choices you could make considering all the bad publicity the language gets.
  • Joshua on

    Good article. I've seen Autoit used in malware during my personal experiences, particularly in a Conficker worm variant.
  • czardas on

    Nobody is denying AutoIt has been used to create viruses. I have also seen similar scripts. I still believe the threat is less serious than with more powerful languages - especially those which are web based. To run an AutoIt compiled script on your computer, you generally have to persuade your AV to allow it to run, if the AV didn't already delete it during download. While I understand the need for AV companies to protect users, too many false positives is not a good advertisement. Such things can also be a nuisance and counter-productive to user creativity IMO. The need for languages like AutoIt is apparent to me in the sense that people with knowledge outside of programming can easily learn to write programs that IT professionals would struggle to create themselves. Not all user needs are met by software companies and no programmer is an expert in every field.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.