Malware reported in an AHK executable I created

Get help with using AutoHotkey (v1.1 and older) and its commands and hotkeys
Too Old For This
Posts: 5
Joined: 30 Jan 2021, 15:09

Malware reported in an AHK executable I created

30 Jan 2021, 15:58

Hello,

I have to introduce myself by stating I consider myself to be barely literate when it comes to AHK. I've only ever used it to create hotkeys and hotstrings. But I received a notification from Windows Defender (or whatever MS is calling it this week) that it found Win32/Wacatac.B!ml on my system. The only affected file was an executable that I had compiled some time ago from AHK source code that I had written using ahk2exe. Windows deleted the executable.

My concern is that some of the hotkeys in that source were shortcuts for long, randomly-generated passwords. I find it difficult to believe that any of them could have been compromised, but I'm wondering if anyone else here has experienced anything like this and what you think I ought to be doing or not doing in response.

I did search the forums for "wacatac" but I only came up with two hits in one thread from last year that didn't seem relevant. I don't know if I should just go ahead and recompile the AHK and keep using it, or if I need to change any of those passwords, or create a completely new source; I just don't know how to proceed. I also wonder what if anything I can do to prevent this from happening in the future. I tend to be quite cautious about clicking on links, opening files, etc. but I guess I'm the one who somehow made the malware able to access my system.

I'm grateful for any ideas, advice, suggestions, etc., that anyone can provide. Thank you.
gregster
Posts: 9111
Joined: 30 Sep 2013, 06:48

Re: Malware reported in an AHK executable I created

30 Jan 2021, 16:09

We can't know what exactly is going on on your system, and whether it potentially got infected by malware.
What does VirusTotal say if you upload the file? More than the usual few false positives?

But AHK scripts, and especially (compressed, but also uncompressed) AHK exes, traditionally suffer a lot from false positives from antivirus software; compare for example https://www.autohotkey.com/boards/viewtopic.php?f=17&t=62266
So if you think it might be one, please report and submit it to Microsoft, to hopefully improve their algorithms for the future.
mikeyww
Posts: 27366
Joined: 09 Sep 2014, 18:38

Re: Malware reported in an AHK executable I created

30 Jan 2021, 16:26

I can offer my own views & experiences here. This would apply to any such malware alert, not just relating to AHK.

First, some of the alerts are false positives, though it does not mean that you should ignore them.
Second, Defender presumably eradicated the existing malware.
Third, you can whitelist your directory of scripts so that they are not scanned. There is always some risk in doing so, but you won't get false alerts that way. You have to decide based on the tradeoffs. If you do it, never put or install any other programs into that directory, or any of its subdirectories. Use it only for your trusted scripts.
Fourth, it's a good idea to change the actual account passwords. The next best step would be monitoring your account logins, but that would require more work and would be less effective. Avoid having two accounts with the same password. I use an encrypted password manager and mostly random and different passwords these days-- passwords that the password manager generates for me, so that they are long, complex, and not real words or word combinations.
Fifth, run a complete malware scan of your computer. You can use Defender, Malwarebytes, or a similar program. None of the programs is perfect or will catch all malware. The key is to run something rather than nothing.
Sixth, avoid opening e-mail attachments and clicking links from untrusted sources. I get a bunch of phishing messages in a week's time. I carefully inspect every link and e-mail sender before I click on it. There are clever people who are effectively impersonating PayPal, banks, and other groups. When in doubt, instead of a click, go to the company's web site yourself (type the URL manually), and take action from there. For example, if I receive an e-mail message "from PayPal" informing me of an important notice at my account, I manually navigate to the site and log in, rather than clicking an e-mail link.
Seventh, do not reply to spam, ever. Do not unsubscribe or respond. Instead, just use a spam filter in combination with Delete.
Eighth, for important accounts such as banks, where the stakes can be high, use two-factor authentication (2FA). It's almost impossible to crack (nothing is impossible), because you have to have both a device and a password to gain access. With most implementations of 2FA, the passwords often also change randomly every minute or so. I don't think I've ever heard of a 2FA hack, though it's possible.
Ninth, if you receive a phone call from "security fraud department", etc., never provide your personal details to them, unless you have a clear and convincing way to verify the caller first. You can ask for their phone number, and then call them back if the number looks legitimate and matches other sources of information. For example, for a bank, you can call the bank's published phone number to follow up on any fraud issues. A legitimate company should never initiate the contact and then ask you to provide your personal information.

If you do all of this, you should be in good shape.
Too Old For This
Posts: 5
Joined: 30 Jan 2021, 15:09

Re: Malware reported in an AHK executable I created

30 Jan 2021, 16:29

@gregster Thank you for that information. This is something else which I am unfamiliar with. Since Windows deleted the "infected" executable, do I recompile it and submit that? Because if the infection did in fact take place, it might not be resident in the recompiled version.
mikeyww
Posts: 27366
Joined: 09 Sep 2014, 18:38

Re: Malware reported in an AHK executable I created

30 Jan 2021, 16:35

I think the idea of the submission is that you want to submit the script that you compiled yourself, such that you know that the file is OK. You are submitting a clean file that the company should analyze to understand and then whitelist in its approach. With this in mind, I think you would actually want to recompile the script and submit the clean version. The company does not need an infected file, because it presumably already had that-- or so it thought.

Also: keep backups of your data! I have a local mirror, local incremental backups, and multiple cloud versions. I have used all three, at various times and depending on the occasion and need!
Too Old For This
Posts: 5
Joined: 30 Jan 2021, 15:09

Re: Malware reported in an AHK executable I created

30 Jan 2021, 16:51

@mikeyww Thanks for your thoughts as well. And I think your statement about Windows deleting the file applies when it comes to my question about submitting the executable to MS. I've just seen your subsequent post, though, and I will submit the recompiled version. I also use Macrium Reflect daily for image backups.

After I got the alert I ran a full scan with both Defender and Malwarebytes and both reported no threats then.

I actually do more of what you suggest already: 2FA for example, and long random passwords. I use AHK for some of them, though, because it's quicker to type the shortcut than it is to go looking them up in my password manager when I'm in and out of the apps several times a day.
gregster
Posts: 9111
Joined: 30 Sep 2013, 06:48

Re: Malware reported in an AHK executable I created

30 Jan 2021, 16:51

Depending on the antivirus program and its settings, the file in doubt might only be quarantined in a special folder and not deleted.
The antivirus logs and settings should give some indications.
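The checks suggested in this thread (look at what Defender actually did to the file and whether it only quarantined it, hash the rebuilt exe for a VirusTotal lookup or a false-positive submission, and optionally exclude the script folder from scanning) can all be done from an elevated PowerShell prompt. The following is an added example and not code from the thread or from the AutoHotkey project; it uses the built-in Defender module cmdlets and MpCmdRun.exe, and the path C:\Scripts\MyHotkeys.exe is an assumed stand-in for wherever the compiled script lives.

```powershell
# Added example (not from the thread): triage a Defender detection on a self-compiled AHK exe.
# Assumes Windows 10/11 with the built-in Defender PowerShell module, run from an elevated prompt.
# $ExePath is a hypothetical location for the compiled script; adjust it to your own.
$ExePath = 'C:\Scripts\MyHotkeys.exe'

# 1. What did Defender detect, when, and what action did it take?
#    Resources holds strings such as 'file:_C:\Scripts\MyHotkeys.exe'.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*$ExePath*" } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess, Resources |
    Format-List

# The threat name (e.g. the Wacatac family name shown in the alert) and whether it is still active.
Get-MpThreat |
    Where-Object { $_.Resources -like "*$ExePath*" } |
    Select-Object ThreatName, SeverityID, IsActive

# 2. Was the file quarantined rather than deleted? MpCmdRun lists the quarantine;
#    -Restore -FilePath puts a single item back. Only restore once you are satisfied
#    that it really is your own build.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $MpCmdRun -Restore -ListAll
# & $MpCmdRun -Restore -FilePath $ExePath

# 3. Hash the (recompiled) binary. The SHA-256 is what you look up on VirusTotal and
#    what identifies the sample when you submit it to Microsoft as a false positive.
if (Test-Path $ExePath) {
    $hash = (Get-FileHash -Path $ExePath -Algorithm SHA256).Hash
    "SHA-256:    $hash"
    "VirusTotal: https://www.virustotal.com/gui/file/$($hash.ToLower())"
    "Submit FP:  https://www.microsoft.com/en-us/wdsi/filesubmission"
}

# 4. Optional: exclude the script directory from scanning. Caveat: nothing dropped into
#    this folder will ever be scanned again, so keep it narrow and use it only for your
#    own trusted scripts, never as a general download or install location.
$ScriptDir = Split-Path -Path $ExePath -Parent
if (-not ((Get-MpPreference).ExclusionPath -contains $ScriptDir)) {
    Add-MpPreference -ExclusionPath $ScriptDir
}
(Get-MpPreference).ExclusionPath
```

Step 1 and 2 answer the "was it deleted or quarantined" question from the detection log rather than from memory; step 3 gives you the hash to compare against whatever VirusTotal already knows about the sample before you decide whether to trust it again; step 4 is the trade-off described earlier in the thread and is deliberately last.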
mikeyww
Posts: 27366
Joined: 09 Sep 2014, 18:38

Re: Malware reported in an AHK executable I created

30 Jan 2021, 17:21

Good point.

I, too, have some scripts containing passwords-- lucky so far, I guess!

If your disk is not encrypted, you might want to keep the script in an encrypted container. If someone steals your computer or disk, the script would then be difficult to extract.

Another approach if you use a script like that but somehow have a protected area on your computer is to use #Include, so that the script containing the passwords does not appear in your main script. Whether that helps or is just extra work may depend on your circumstances.
Spawnova
Posts: 557
Joined: 08 Jul 2015, 00:12

Re: Malware reported in an AHK executable I created

30 Jan 2021, 18:13

Just as some extra assurance, this is a false positive, and I myself get the wacatac variants quite often when compiling my scripts.

Using compression such as Mpress or Upx seems to significantly increase the rate of false positives.
mikeyww
Posts: 27366
Joined: 09 Sep 2014, 18:38

Re: Malware reported in an AHK executable I created

30 Jan 2021, 18:30

I suspect that you are right, but how are you sure?
Spawnova
Posts: 557
Joined: 08 Jul 2015, 00:12

Re: Malware reported in an AHK executable I created

30 Jan 2021, 22:39

You can never be absolutely sure, I suppose, but Windows has flagged an exe that I had just compiled as such-and-such virus; then I just compile it again and it's fine. Later I will make changes and compile it again, and it may now detect it as another random virus, or it may not. I'm not sure how Microsoft's antivirus flags these things, but there is no consistency at all.

I've been using AutoHotKey a very long time and I've always had problems with false positives, especially when compressing the executable. Some of the most common false positives they report are Wacatac, Unwaders and Fuery.

Here's an example; below are 3 lines of code:

    f1::                                              ; F1 hotkey: multi-line subroutine
        MsgBox % "This is a messagebox in AutoHotKey" ; show a message box
        ExitApp                                       ; terminates the script, so no Return is needed

I've compiled this once with no compression, and another time with Mpress; here are the results from VirusTotal.
[image: VirusTotal results]
So whenever Windows tells me my script is a virus, I just ignore it. =P
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: Malware reported in an AHK executable I created

30 Jan 2021, 22:55

The more things the exe contains the more likely it will have a match in their database.

Even people that use straight C++ to build programs get these false positives.

NirSoft used to update his list; he stopped 13 years ago because of the large amount of false positives (see his note). His programs are not built with AHK or any other scripting language, and I got false positives on some of his utility tools that are unrelated to passwords and so on. He is just one example of many developers who use straight C++ or Java etc. and deal with this problem.

https://www.nirsoft.net/false_positive_report.html
mikeyww
Posts: 27366
Joined: 09 Sep 2014, 18:38

Re: Malware reported in an AHK executable I created

31 Jan 2021, 07:31

Thanks for all of those details!
Too Old For This
Posts: 5
Joined: 30 Jan 2021, 15:09

Re: Malware reported in an AHK executable I created

31 Jan 2021, 13:47

[img]C:\Users\pstvp\Desktop\Submission Results.jpg[/img]

False positive. Thanks to all who assisted me.
gregster
Posts: 9111
Joined: 30 Sep 2013, 06:48

Re: Malware reported in an AHK executable I created

31 Jan 2021, 14:06

Too Old For This wrote:
31 Jan 2021, 13:47
[img]C:\Users\pstvp\Desktop\Submission Results.jpg[/img]

False positive. Thanks to all who assisted me.
Thank you for the feedback!

To upload pictures to the forums, scroll down in the full editor, choose the Attachments tab, then Add files, and then place inline (this last step is optional).
Too Old For This
Posts: 5
Joined: 30 Jan 2021, 15:09

Re: Malware reported in an AHK executable I created

31 Jan 2021, 14:09

[attachment: Submission Results.jpg]
Just to complete the record. Thanks for the help on uploading images.
The-Anonymous
Posts: 4
Joined: 13 Jun 2021, 04:33

Re: Malware reported in an AHK executable I created

29 Aug 2021, 23:39

Too Old For This wrote:
30 Jan 2021, 15:58
I did search the forums for "wacatac"
I did the same, and I'm lucky I found this.
