1
iArrow
2y

!serious

Would you go with Rust or C/C++ to build Malware (rootkits, Ransomware kind) ? Why ? 🤔

Comments
  • 7
    What does malware do?

    Right. Exploiting bugs, funky behaviour, everything in between occult and black magic.

    Why would you use a language like Rust which tries to prevent that by design for that....

    Joke tag missing?
  • 12
    C if you want to accidentally write malware
  • 1
    @IntrusionCM Duh, because not to infect the host computer compiling the malware. xD
  • 0
    @IntrusionCM

    How come prevent it ? I'm sorry I'm missing the point 🤔 can you explain please?
  • 1
    @iArrow

    https://doc.rust-lang.org/book/...

    E.g. rust tries to prevent overflows.

    You could write everything in unsafe mode, but all in all you want to create behaviour that is erratic, but rust was designed to prevent that.

    So... Go with C. You want erratic behaviour. You want to do unsafe stuff.

    You want to melt shit, not try to prevent meltdown
  • 3
    @IntrusionCM Because you want your malware to work in the way and only in the way you intended. You don't want it e.g. to choke on unexpected input or suffer from race conditions with multithreading.
  • 1
    You probably have to use some assembler to exploit the bug. After that probably any compiled, normal language will work. But i would prefer C.
  • 5
    @IntrusionCM

    The malware doesn't need to have things like buffer overflow to work. malware needs this things in the software the malware attacks, but not in the malware itself.
  • 1
    I would go with rust
  • 3
    i would go with neither because there's more than enough malware already, the world doesn't need more.
  • 0
    @IntrusionCM

    I understood what you meant, but who will include the exploit itself in the malware, I mean sure they do that but rarely happens, I would focus on another ways to get the Initial Access then deploy the malware anyway
  • 0
    It's not a matter of exploiting some bugs, just a normal malware with some AV evasion techniques.
  • 0
    @mikeRanting

    Can you share your reason if possible?
  • 3
    @iArrow He knows that, but it is not about that, it is about: for malware to work a certain way, it need to access the same things that could make itself be explitable. I know this is hard to grasp, but Rust was specifically designed to remove the exploitable parts of compiled software that traditional tools like C/C++ allow one to do, even when writing things in unsafe code. This is also another good reason why Rust is not used also in other places like Game development, these areas both contain fucky, dark, and magical behaviour which Rust prevents.

    This is not the case for everything though, and I would argue that for a lot of things that could affect and perform exploits you could still use Rust. But traditionally I will stick to C and C+. I already write malware accidentally with it :D
  • 1
    @AleCx04 Rust has the "unsafe" escape hatch where you can do any dirty stuff you need to do. It's just that it's not only confined to these areas, it's also grepable.
  • 0
    Interesting
    Then C/C++ it is 👍🏻
    Thanks guys
  • 0
    @Fast-Nop I know, I also mentioned that esse!
  • 2
    @iArrow

    If you don't intend to actually exploit the attack vector in your software, and rather just use your software as payload, why do you care what it is written in so long the target host has the ability to run it?
  • 0
    @CoreFusionX

    Tbh I don't have a favorite one, I actually have experience only in C/C++, I heard a lot of the recent malware been written in Rust, I'm curious
  • 1
    Hmmmmmmmm.

    So it seems to me that I misunderstood the term malware.

    Or better phrased: My definition of malware was too specific.

    Sorry @iArrow .

    For me malware would be a program exploiting erratic behaviour too cause as much damage as possible.

    I overlooked the ransomware next to the rootkit in your post.

    If you want to cause erratic behaviour to generate an attack vector, I think rust isn't a smart choice.

    But ransom ware usually doesn't need that. Especially not on Windows system.

    Just let the user click the email link or use one of the myriads of bugs in COM / Script parsing / Print spooling / Exchange / ... for remote code execution and / or privilege escalation.

    So we're looking (at least in my fucked up brain) more at software that doesn't need an attack vector, but rather needs to be executed and then does "shit".

    Then Rust makes sense to me.

    Call me old fashioned, but I was rather stuck on rootkits for which you usually need to poke the kernel or other stuff that lies deep in the OS - and which is hard to poke. User mode root kits exist, yes - but then someone needs to have fucked it up badly (at least in Linux, in Windows not so much).

    TLDR: i was focused on doing damage in the sense of poking the kernel for segfaults, writing faulty firmware damaging devices etc - not running a software after an attack vector was exploited.
  • 0
    @IntrusionCM

    Np man, it's okay
    Regarding Rust I heard it's produced large size programs, in this situation it wouldn't be so great? 🤔
    Let's say writing a rootkit
  • 0
    @iArrow Nah, Rust binaries can be easily trimmed down
  • 2
    @iArrow That's because by default, it statically links e.g. its standard library while for C/C++, that is already on the system. However, with proper linking options such as optimising for size, setting release mode, stripping symbols etc, you can get a hello world down to around 1MB.

    In the age of printer drivers spanning like 500MB, who is really going to notice?
  • 2
    @iArrow

    Rust compiles static by default, hence all dependencies are linked into the binary - which makes redistribution easy. Though the binary is larger, there are quite a lot of tweaks one could do to generate a smaller binary (compiler flags, custom build rust stdlib,... )

    The thing is... Most people who are dumb enough to click and execute unknown shit from the internet would not realize if it's 3 MB or 6 MB...

    You can misuse friends or families as guinea pigs if u wanna try social engineering xD

    In one of the companies I worked we / IT created an IMAP box containing all the good stuff.

    E.g. mails containing well crafted Amazon / eBay / PayPal pages with specifically designed mail adresses so the mail address domain wasn't visible on a regular HD resolution...

    Some of these mails got triple checked with external help - yes, they were that good.

    Next to mails were interesting review links / phone calls...

    E.g. customer complaining about returning staff - claiming to be dumb, phoning back and forth with burner phone, then sending the support an email with an supposed link to the Amazon Page / Shop Page / ...

    Yep. Of course the link goes to a site that contained all kinds of kinky stuff that your computer should never see.

    Review links the same thing, but different: Customer complaining he was getting a review link, which is - despite many vendors actively doing this - against policies of e.g. Amazon, back forth, sending review link to support, again all kinds of kinky stuff...
  • 1
    @Fast-Nop Just tried it myself and damn, you're right. 1 MB for hello world is super eccessive though. No chance in hell a simple println needs all that machinery. Doesn't strip do dead code elimination after the fact? If not is there a unix tool that does that? Seems like something that would exist
  • 1
    @Fast-Nop

    You are right 😂👍🏻
  • 0
    @IntrusionCM

    Well crafted payload 😂👌🏻
    I wish I got a job as SOC Analyst, this would be interesting 🔥
  • 1
  • 2
    @Fast-Nop @iArrow Turns out with either lto="fat" or lto="thin" a hello world program is only around 250 KB. I'm sure you could get it even smaller with -ffunction-sections and --gc-sections but I haven't had much luck getting flags to gcc via cargo. ld flags are "easy" enough with rustflags ["-C", "link-arg=-Wl,--gc-sections"]
  • 1
    @12bitfloat

    Interesting 🤔
    Not so bad after all! 👏🏻
  • 1
    @12bitfloat Try linking a C hello world statically - that comes out at IIRC 500kB or so. It's only much smaller because you usually don't link the standard libary statically.

    The Rust approach of static linkage will become an issue though because it means short term ease of deployment at the expense of long term maintenance hell.
  • 0
    @Fast-Nop Just tried a puts hello world with `gcc main.c -O3 -static -static-libgcc -flto` and it comes in at around 120 KB, which is a bit more what I would expect (still can't believe Rust can't prune all that -- or I'm sure it can, it just doesn't yet)
  • 2
    @12bitfloat I just tried the same with GCC and got 880kB. readelf reveals that e.g. the whole malloc stuff is included although puts(), unlike printf, doesn't need that. Stripping gets only down to 800kB.

    That's because libc is not optimised for static linkage. There are e.g. assert messages and stuff in there, and that pulls in malloc(), fprintf() and more. Sure, that is not used, but it's in the fixed startup code that doesn't know it won't be necessary later.
  • 1
    @IntrusionCM You're misunderstanding what malware is. It doesn't matter what language and how safe it is, as long as it does what it suppose to do. @happygimp0 Glad someone said it. Intrusion is thinking about protecting binaries against malware but op is about making malware. Malware can do lots of things hijack a binary, get some passwords, delete files, etc...
Add Comment