Writing malware in scratch
Is it possible to create malware in scratch?
Let’s face it, probably not, but that won’t stop me from trying.
There is one programming language that rises above all others. While almost all programming languages require libraries, the ability to type and a basic understanding of syntax, not so for scratch, the free, block-based programming language from MIT. It is designed to offer young children a taste of basic programming, but without a lot of the difficulties of a programming language where you have to write things, and with the ability to get some basic visual output very quickly.
So, what am I qualifying as malware, to see if I’m being successful? I’ll be frank, I’m not entirely sure. I’m going to try a lot of things – but stealing some stuff and getting it to call back to a URL is probably the best I’m going to get. Some attempt at basic PrivEsc, even if it only works on computers with massive flaws, will work for me. Bonus points as well for getting it to download and run something more serious from the internet, as quite possibly the world’s worst malware dropper.
I’m also not going to do an analysis of how well this would work in the real world, because it would not. Like at all. The desktop version of scratch isn’t even supported anymore as it’s all web based, so the install base for this is going to be infinitesimally small.
I decided to look at injecting code after having a look at scratch’s very limited feature set. I created some commands just so I’d have an idea of where the execution happens, and then saved the .sb3 file. Once you save a scratch file, you can open it up in 7zip (other compression tools are available) and see what’s inside it. You can see you have a couple of sound files, some SVG files and a JSON file. This JSON file was probably going to be the most interesting from our perspective, so I decided to have a look. Inside the JSON file was a lot of information, but the main thing was to find the commands that I put into it.
I threw the JSON into http://jsonviewer.stack.hu/ to make it easier to read, and then searched for “Hmm…” as that’s what the character says in the program. The bit of the code that relates to this immediately showed up, but this left me with another problem, which is that I didn’t understand anything at all. Half of the program has these weird strings in it, and I couldn’t tell if these were obfuscated or something that I just don’t understand.
I decided to put that on the backburner and work on a way of putting these files back into a format scratch can read. Turns out, the .sb3 file is just a zip file with a different extension, so I set up a script to zip up the contents of a folder and put it in the scratch format. I also thought it’d be nice to put the JSON in a slightly more human-readable format, as it was all on one line before. Fortunately scratch accepted this new formatting, although if you made any changes it would put it back onto one line.
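An added example (not the author’s script) of the unpack, pretty-print, search and repack steps described above, in Python. The project.json layout and the block IDs are a constructed minimal sample in the Scratch 3 shape, so compare against a real file’s project.json before relying on any key name.

```python
"""Inspect a Scratch 3 project: an .sb3 is a zip whose project.json lists
each sprite ("target") and its blocks, keyed by opaque random IDs."""
import io
import json
import zipfile

# Constructed minimal project.json in the Scratch 3 layout (not from a real file).
SAMPLE_PROJECT = {
    "targets": [
        {"isStage": True, "name": "Stage", "blocks": {}},
        {"isStage": False, "name": "Sprite1", "blocks": {
            "a1b2": {"opcode": "event_whenflagclicked", "next": "c3d4",
                     "parent": None, "inputs": {}, "fields": {}, "topLevel": True},
            "c3d4": {"opcode": "looks_say", "next": None, "parent": "a1b2",
                     "inputs": {"MESSAGE": [1, [10, "Hmm..."]]}, "fields": {},
                     "topLevel": False},
        }},
    ],
    "meta": {"semver": "3.0.0"},
}

def build_sb3(project: dict) -> bytes:
    """Pack a project dict into .sb3 bytes: a plain zip containing project.json."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("project.json", json.dumps(project, ensure_ascii=False))
    return buf.getvalue()

def load_project(sb3_bytes: bytes) -> dict:
    """Open an .sb3 and parse its project.json (pretty-print with json.dumps(indent=2))."""
    with zipfile.ZipFile(io.BytesIO(sb3_bytes)) as zf:
        return json.loads(zf.read("project.json"))

def find_blocks(project: dict, needle: str) -> list:
    """Return (sprite, block_id, opcode) for every block whose inputs or
    fields contain `needle`, e.g. the text a sprite says."""
    hits = []
    for target in project.get("targets", []):
        for block_id, block in target.get("blocks", {}).items():
            if not isinstance(block, dict):   # bare variable/list refs are arrays
                continue
            # ensure_ascii=False so non-ASCII text (like a real ellipsis) stays searchable
            payload = json.dumps([block.get("inputs"), block.get("fields")], ensure_ascii=False)
            if needle in payload:
                hits.append((target["name"], block_id, block["opcode"]))
    return hits

if __name__ == "__main__":
    proj = load_project(build_sb3(SAMPLE_PROJECT))
    print(json.dumps(proj, indent=2))
    print(find_blocks(proj, "Hmm..."))   # [('Sprite1', 'c3d4', 'looks_say')]
```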
After having done this, I realised I was more out of my depth than I’d thought.
I then gave up. It was interesting, and I might revisit this eventually. Hey, this might serve as a warning to someone who tries the same thing.