Writing malware in scratch

Is it possible to create malware in scratch?

Let’s face it, probably not, but that won’t stop me from trying.

There is one programming language that rises above all others. While almost all programming languages require libraries, the ability to type and a basic understanding of syntax, not so for scratch, the free and block based programming language from MIT. It is designed to offer young children a taste of basic programming, but without a lot of the difficulties of a programming language where you have to write things, and with the ability to get some basic visual output very quickly.

This isn’t, however, to say that programs written in scratch are always basic – in fact, quite the opposite. Some people have created incredible things in scratch. If you can create a raycasted first-person shooter with online multiplayer then you can create pretty much everything – and that should include malware. After all, scratch does run on JavaScript, and you can compile a scratch program. And even if you can’t create malware in scratch itself, as everything runs on JavaScript it may well be possible to inject malicious code into a scratch file, to then have the scratch application run it.

So, what am I qualifying as malware, to see if I’m being successful? I’ll be frank, I’m not entirely sure. I’m going to try a lot of things – but stealing some stuff and getting it to call back to a URL is probably the best I’m going to get. Some attempt at basic PrivEsc, even if it only works on computers with massive flaws, will work for me. Bonus points as well for getting it to download and run something more serious from the internet, as quite possibly the world’s worst malware dropper.

I’m also not going to do an analysis of how well this would work in the real world because it would not. Like at all. The program version of scratch isn’t even supported anymore as it’s all web based so the install base for this is going to be infinitesimally small.

Code injection

I decided to look at injecting code after having a look at scratch’s very limited feature set. I created some commands just so I’d have an idea of where the execution happens, and then saved the .sb3 file. Once you save a scratch file, you can open it up in 7zip (other compression tools are available) and see what’s inside it. You can see you have a couple sound files, some SVG files and a JSON file. This JSON file was probably going to be the most interesting from our perspective so I decided to have a look. Inside the JSON file was a lot of information, but the main thing was to find the commands that I put into it. 
I threw the JSON into http://jsonviewer.stack.hu/, to make it easier to read, and then searched for “Hmm…” as that’s what the character says in the program. The bit of the code that relates to this immediately showed up but this left me with another problem, which is that I didn’t understand anything at all. Half of the program has these weird strings in them, and I couldn’t tell if these were obfuscated or something that I just don’t understand.


I decided to put that on the backburner and work on a way of putting these files back into a format scratch can read. Turns out, the sb3 file is just a zip file with a different extension, so I set up a script to zip up the contents of a folder and put it in the scratch format. I also thought it’d be nice to put it in a slightly more human readable format, as it was all in one line before. Fortunately it accepted this new formatting, although if you made any changes it would put it back into one line.

After having done this, I realised I was more out of my depth than I’d thought.

I googled how scratch works (which I arguably should have done before), and found out that while it runs on JavaScript, you can only specify certain commands. Not only that, but there is no way to extend this functionality without using a modified version of the editor. The scope of the base commands is also way too basic to do anything worthwhile.


I then gave up. It was interesting, and I might revisit this eventually. Hey, this might prove as a warning to someone who tries the same thing.

