AutoIt, the BASIC-like automation language for Windows programmers, is becoming a favored tool among malware developers for the same reasons it attracts legitimate users: it’s free, flexible and easy to use.
Trend Micro TrendLabs’ Kyle Wilhoit wrote in today’s Security Intelligence Blog that there’s been an increase in “nefarious AutoIt tool code” — including keystroke loggers and remote-access Trojans — being uploaded to hacker hangouts like Pastebin and Pastie.
The freeware has been around since 1999, when it was introduced to create macros for Microsoft Windows programs. It was restructured in recent years to resemble BASIC scripting language and simulates keystrokes and mouse movements. A standalone application that doesn’t require a lot of runtime, AutoIt is commonly used to automate common tasks, such as backups and disk defrags, and create graphical user interfaces.
However, malware developers are increasingly manipulating the code to create such works as a variant of the DarkComet remote-access Trojan now in the wild that installs a backdoor on a victim’s machine, communicating over port 1604, and disables the Windows Firewall and then access to the Windows Registry, according to Wilhoit.
The security researcher believes this may be just the beginning of a threat trend.
“The increased usage of AutoIt is likely attributed to the fact that AutoIt is scalable, very similar to Basic, and is outrageously easy to code in,” he wrote. “This ease of use takes the learning curve off learning more complex languages such as Python. This opens up a wide array of possibilities to hackers that may not otherwise expose themselves to a scripting language.
“In addition, the ability to host code on Pastebin, natively compile, and run applications in stand-alone executable files makes it very quick to develop in. Finally, the ability to natively support UPX packing in AutoIt makes obfuscation easy for AutoIt applications.”
He recommends enterprises frequently conduct AV scans to flag malicious code and block sites like Pastebin.