AutoIt is reportedly becoming a more popular programming language for malware authors. Could you explain why this is the case, and whether defending against AutoIt-based malware differs from any other type?
Ask the Expert
SearchSecurity.com expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
To clarify, AutoIt is a legitimate system administration tool for scripting and automating the Windows graphical user interface (GUI). This automation allows pop-up windows to be clicked on to close application notification boxes or approve changes being made to a system. These functions are often difficult to perform with other scripting tools or programming languages.
While malware using AutoIt script is just as effective as any other malware, it may be more difficult to make complex malware using solely AutoIt -- but it's not impossible. Given the ease of programming, budding malware authors often use it as an entry language to more complex and advanced methods.
Since the core AutoIt executable code is used for legitimate system administration tasks, detecting malicious activities or network traffic based solely on a signature in the files can be challenging.
Fortunately, similar to other modern malware, AutoIt-based attacks can be detected by antivirus software on client systems. For antivirus software using signatures, a signature for AutoIt-based malware could be developed, as well as a behavioral pattern that could be blocked.
However, if your organization uses Web applications to upload and share text online, such as Pastebin, detecting malware can be tricky, especially if there are legitimate reasons to download code from such applications. If you place alerts on AutoIt scripts being downloaded from Pastebin, you may be able to detect malicious activity on the network. Alternately, hosting legitimate AutoIt scripts on an internal system can help you avoid false positives.
This was first published in November 2013