AutoHotkey Malware

roysubs
Posts: 425
Joined: 29 Sep 2018, 16:37

AutoHotkey Malware

29 Oct 2018, 04:12

In light of things like this, I'd really like a way (if possible) to clamp down on AutoHotkey so that it is only possible to run *my* .ahk scripts.
https://www.bleepingcomputer.com/news/s ... w-a-thing/

I don't think something like this would be too complex(?), but it would have to be an external helper tool that looks for any .ahk processes that do not conform to some criteria. i.e. "Only scripts run from a folder of my choice are valid", "Only scripts that have an approved naming convention are allowed", "Only a fixed list of scripts with exact name and path are allowed". For example, here are the only two scripts currently running on my computer, and maybe I can restrict it to *only* allow these scripts and nothing else.

This would give really great peace of mind not only when using AutoHotkey, but in general as a way to pro-actively prevent malicious AutoHotkey malware from getting onto the system.

Has anyone ever built something like this, or do you think that something like this could be feasible?
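An added example of the kind of helper described above, written as an AutoHotkey v1 script. This is not code from the thread or from the AutoHotkey project. It relies on the hidden main window that every running (uncompiled) script exposes: window class "AutoHotkey" and a title of the form "<full script path> - AutoHotkey v<version>". The allowed paths and the allowed folder are assumptions for illustration.

```autohotkey
#Persistent
#SingleInstance Force
SetBatchLines, -1
DetectHiddenWindows, On          ; script main windows are hidden

; Policy (assumed values): an exact allowlist plus one trusted folder.
allowed := {}
allowed[A_ScriptFullPath] := true                    ; never kill ourselves
allowed["C:\Users\me\Scripts\hotkeys.ahk"] := true
allowed["C:\Users\me\Scripts\clipboard.ahk"] := true
allowedDir := "C:\Users\me\Scripts\"                 ; anything *.ahk under here is fine
logFile := A_ScriptDir "\ahk-audit.log"

SetTimer, AuditScripts, 5000     ; re-check every 5 seconds
return

AuditScripts:
    ; Enumerate every window whose class is "AutoHotkey" (one per running script).
    WinGet, ids, List, ahk_class AutoHotkey
    Loop, %ids%
    {
        hwnd := ids%A_Index%
        WinGetTitle, title, ahk_id %hwnd%
        ; Title looks like "C:\path\script.ahk - AutoHotkey v1.1.30.01"
        if !RegExMatch(title, "^(.*) - AutoHotkey v[\d.]+$", m)
            continue                 ; not a script main window we can classify
        path := m1
        WinGet, pid, PID, ahk_id %hwnd%
        if IsAllowed(path)
            continue
        ; Not on the list: record it and terminate the interpreter process.
        FileAppend, % A_Now " blocked pid=" pid " path=" path "`n", %logFile%
        Process, Close, %pid%
    }
return

; Returns true when the script path satisfies either policy rule.
IsAllowed(path) {
    global allowed, allowedDir
    if allowed.HasKey(path)          ; exact path match (keys are case-insensitive)
        return true
    ; Folder rule: path starts with allowedDir and ends in ".ahk".
    if (InStr(path, allowedDir) = 1 && SubStr(path, -3) = ".ahk")
        return true
    return false
}
```

Two caveats a practitioner would want. First, this only sees scripts that still expose the standard main window; a compiled or hostile script can change its window class or title, or simply terminate this watchdog, so it is a convenience guard against accidental execution rather than a security boundary. Second, `Process, Close` kills the process without prompting; swap it for a `MsgBox` while tuning the allowlist so a forgotten path does not take out a script you rely on.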
nnnik
Posts: 4500
Joined: 30 Sep 2013, 01:01
Location: Germany

Re: AutoHotkey Malware

29 Oct 2018, 04:34

There are several techniques to achieve something like this.
The only way to do this is by only running scripts that you want it to run, i.e. scripts that you have allowed to run.
Most AutoHotkey malware though will be in compiled form - and at that point there is pretty much nothing we can do and it's your AV's task.
Checking if a specific running executable might be AutoHotkey is not easy, it is not something that can be achieved at all tbh.
SOTE
Posts: 1426
Joined: 15 Jun 2015, 06:21

Re: AutoHotkey Malware

29 Oct 2018, 12:01

roysubs wrote:
29 Oct 2018, 04:12
In light of things like this, I'd really like a way (if possible) to clamp down on AutoHotkey so that it is only possible to run *my* .ahk scripts.
https://www.bleepingcomputer.com/news/s ... w-a-thing/

I don't think something like this would be too complex(?), but it would have to be an external helper tool that looks for any .ahk processes that do not conform to some criteria. i.e. "Only scripts run from a folder of my choice are valid", "Only scripts that have an approved naming convention are allowed", "Only a fixed list of scripts with exact name and path are allowed". For example, here are the only two scripts currently running on my computer, and maybe I can restrict it to *only* allow these scripts and nothing else.

This would give really great peace of mind not only when using AutoHotkey, but in general as a way to pro-actively prevent malicious AutoHotkey malware from getting onto the system.

Has anyone ever built something like this, or do you think that something like this could be feasible?
I'm wondering if we need to more thoroughly think through such a request or are perhaps overreacting. If you were using VBScript (can be compiled with tools like VbsEdit), WinBatch, or Python and read an article about some piece of malware written several months ago in your favorite scripting language, would you be writing to Microsoft, Island Lake Consulting (owns WinBatch), or the Python Software Foundation that they need to clamp down on their scripting/programming language for the personal convenience or comfort of one or a few people?

Basically, that is the job for Anti-Virus or Malware software and teams, to specifically look at adware, malware, bad code, or backdoors in code and not usually for the developers. And in the case of AutoHotkey, the source code and "compiler" is open for all to inspect. Any odd code can be brought to everyone's attention, and by referencing the particular source code that was found. That's one of the great advantages of open source vs closed source.

In the case of Microsoft and somewhat to their credit, they do make Windows Defender. But there are several reasons for it, and among them is that Microsoft source code is closed and 3rd parties are writing code to interact with their OS. Thus people can be less sure of what is actually going on with the OS or various interactions with different programs, so 3rd party security software is needed for safety.

If a person finds real evidence (which can be done using numerous software tools or even AutoHotkey scripts) of actual software (including various websites) that is doing some suspicious activity or making odd connections to a particular geographical location or IP address, you can always submit it for inspection to your Anti-Virus maker, Microsoft, or write to their Internet Service Provider.

However, I do think that individuals among the AutoHotkey community can make various types of "process inspectors" to look for malware, backdoors, or software doing suspicious activity, but that would very much be on a voluntary and individual basis. There have been AutoHotkey programs like AHKWall (https://autohotkey.com/boards/viewtopic.php?f=6&t=45977) and Process Monitor & WhiteList (https://autohotkey.com/boards/viewtopic.php?f=6&t=41325). Seems like a good place to start, if a person is so inclined.
