100 million and one reasons to hate VB and VBScript

100 million and one reasons to hate VB and VBScript

Summary: I hate Microsoft's Visual Basic programming language and by extrapolation I also hate VBScript. You know, VBScript, a VB subset language that a 17-year-old hacker used to compromise 100 million or so credit card numbers from Target and Neiman Marcus. Yes, that VBScript.

TOPICS: Security, Software

[I've made additional notes at the end of the article since the post originally went live. KH]

It was a simple VBScript program that allowed 17-year-old Sergey Taraspov to grab 100 million plus credit card numbers from Target and Neiman Marcus stores. Those 100 million credit card holders are good enough reason for me to place VB on the endangered species list. I hated VB before all that but now these compromises give me more fuel for my campaign to rid us all of VB's curse.

It's true that I seem to have a lot of pet peeves: Bitcoin, overhyped technology, Kickstarter, disposable technology, buzzwords, corporate speak, offshore outsourcing, anything trending, and stuff that should have gone away that still lingers. Visual Basic (VB) and Visual Basic Scripting (VBScript) are two of the lattermost. For the purposes of this post, I'm lumping VB and VBScript into the collective term, VB. Live with it.

VB is a bad language. It doesn't look like BASIC and it doesn't look like C. It's weird. It has an odd syntax that I just can't stomach.

If you read programming forums, people will say things like, "No programming language is better than any other". Except for being 100 percent false, that sentence is valid. C-like languages are better. BASIC was good as a learning language but it was inefficient. FORTRAN was difficult for some people to learn because it's very non-intuitive. BASIC is more human in its syntax.

C and C-based languages are heavy lifters. When you think along those lines, think C++, C#, Java, PHP, Perl, and so on. I don't know where the Visual Basic ecosystem came from but it needs to return immediately. Sorry, Alan Cooper, in my humble opinion your time working on this horrible language was ill spent. I hope you got paid a lot of money for developing it. We didn't need VB then and we certainly don't need it now. Please make it go away.

Visual Basic has had a good run, depending on how you view the term good, that is. It's time for it to go away in favor of good stuff like PowerShell, C#, and just about every other known language.

I've heard and hoped for the past few years that VB is going away but that has yet to happen. Can you name any dead programming languages? I can't really think of any. It seems that no matter how bad a programming language is, it will find an audience who keeps it alive way past its expiration date. VB is way past its 'Best if used by' date. It was never a great language and now it just seems downright silly to keep breathing life into it.

While I'm not going to list out all of VB's disadvantages to you, I will say that the BlackPOS malware that Sergey Taraspov wrote in fewer than 400 lines of code could have been written in a less wordy C-based language in probably 80 lines.

Anyone want to take the challenge? Just for academic purposes?

But then again, Sergey isn't totally to blame here. Sure, he wrote BlackPOS and yes, he sold it but is it his fault that those stores use Windows-based POS systems? I'm just asking. If those POS systems had been say, oh, I don't know, Linux-based POS systems, would the same thing have happened? What about Mac-based? What about ChromeOS-based?

I'm not blaming the POS company nor am I blaming Microsoft. I mean, come on, who would have thought there were these kinds of vulnerabilities in those systems? As one news reporter stated this morning, those companies spent millions of dollars on security only to be compromised by a pretty simple program. And the real question here is, how did Sergey know about the vulnerability in the first place? Did he steal one of the systems? Did he work in a store that used them? Did he know that there was some patch missing on the systems?

But it doesn't matter to me what the truth is for Sergey or those breaches. The fact that VB is ready for the scrap heap is undeniable. To me, the security implications of its continued use is just another nail in its waiting coffin.

It can't happen soon enough for me.

And just so you don't think I'm a perennial malcontent, this is the first time I've ever campaigned for the absolute demise of any programming language. The fact that I don't like Java doesn't mean that it isn't a decent language. I think C# is better but that's just me.

Some advice for Sergey: Use your powers for good. Find something constructive to do with your time other than criminal activity. If I were your father, I'd spank your bottom and send you to bed without any vodka.

To summarize: VB is bad. It should go away. Stop using it.

[Author's additional notes: Here's a quotation from Linus Torvalds about VB:

"For example, I personally believe that "Visual Basic" did more for programming than "Object-Oriented Languages" did. Yet people laugh at VB and say it’s a bad language, and they’ve been talking about OO languages for decades.

And no, Visual Basic wasn’t a great language, but I think the easy DB interfaces in VB were fundmantally more important than object orientation is, for example."

VB is wordy, slow, single platform, visually and syntactically unappealing, and its use exposes too many vulnerabilities in the Windows OS. Torvald's statement about it not being a great language is an understatement but more politically pleasing than my total disdain for it. I believe that Microsoft should standardize on C# for heavy lifting and PowerShell for Windows automation tasks. VB, in my opininon, no longer fits into either category. /Author's additional notes]

Related Stories:

Topics: Security, Software


Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Rubbish!

    Sorry Ken, but that is like saying Java should die, because JavaScript allows cross-site-scripting. Or Ford Mustangs should be banned, because the Pinto fuel tank is badly positioned!

    As to the VBScript being used for the exploit, he could have used any one of a hundred and one other scripting languages to achieve the same goals.

    Whilst I agree, that VB isn't the best of languages, it opened up new concepts in visual program design when it was released. There was nothing like it and knocking up a quick corporate application in VB made prototyping quick and simple.

    Yes, the same program written in C++ would have been faster... Once it finally arrived, but due to having to hand code all the forms etc. and implement all the simple things that VB took care of for you, like menus, resizing etc. you could deliver a working system or prototype in a fraction of the time other languages needed at the time.

    Then along came Delphi and enhancements to Borland C++ and MS Visual Studio, which slowly put the good bits of VB into those development environments.
    • BlackPOS written in C++


      Data from server logs captured by IntelCrawler indicate that the first BlackPOS infections were in Australia and Canada, followed by the U.S. A server owned by Neiman Marcus appears to have been infected in mid-July, months before the first indications of trouble from either Neiman Marcus or Target.

      An posted by forensic security firm Group-1B is from March 2013, when the malware was first discovered.

      Then called DUMP MEMORY GRABBER by Ree[4], the app was written in C++ as a monolithic file with no external libraries. It runs on any version of 32- or 64-bit Windows and uses a module called mmon.exe to scan RAM for credit-card numbers.
      ---- end

      Maybe this was the same or maybe it was a different version of BlackPOS, the point is: here you have proof of an implementation of BlackPOS using C++.

      so much for using C and C like languages...

      Scott McNealy promised us Java was secure better rush to that...
      Oops running out of languages...
      • Personally I really like Forth

        Everyone jump on the Forth bandwagon.

        • "YES!" to good old Forth!

          Sybase was written totally in a customized version of Forth! A back door in a big bank's implementation was responsible for major thefts from St. Petersburg Russia back around the early '90s.

          There was even a microprocessor ... RTX ... that directly executed Forth code!

          Ahh ... those were the good old days!

          Webtest in Carlisle, PA USA
          • "St. Petersburg 'hack'"


            See: Citibank (1994-1995)
            Phone connections were hardware-secured, but anyone with a valid account and knowledge of the trap door could get into the guts of the Forth-like application and do anything.
        • Where is...

          My Cantab Jupiter Ace? Forth was fun.
      • WRONG

        BlackPOS is PURE VBScript. What you are referring to is the payload it delivered...the skimming program.

        The EXE written in c++ would be next to useless without BlackPOS which was responsible for opening the remote security hole, dropping the payload and consolitating the cc data from pos machines to a compromised server for retrieval.

        Cherry picking facts is not the best way to frame your argument. It just makes you appear ignorant. I don't think you are ignorant though, rather more of a troll or astroturfer in this case.
        Mark Hayden
        • wrong he says without a shred of proof

          From Krebs:
          "according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices.

          “The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation told KrebsOnSecurity. “They basically had to keep going in and manually collecting the dumps.”
          Basically they could do anything that wanted to do. Attempting to blame a VBScript is ignorant.

          They had unrestricted access to the POS systems, there was no need to even use an exploit to gain access and its not been shown that there was any exploit performed by a VBScript.

          Also from Krebs:
          "That source and one other involved in the investigation who also asked not to be named said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system."

          The C++ module aforementioned would have to be an integral part of said BlackPOS without which there would have been no CC data captured. An additional VBScript component may be part of the package however, its a convenience afforded by unrestricted access. It could just as easily have been javascript or most anything else that easily customizable to work with their control server at implementation time... Like a config file.
  • VBScript

    So basically what you are saying is "1 million reasons to hate hackers". Vbscript is not to one to blame here but the environment in which some of this code runs. Vbscript is sill used today for Classic ASP pages, VBA Office applications like MS Access projects. There is nothing wrong about Vbscript, unless it is not coded properly an run on a unsafe environment. Yahoo and Adobe as far as I know does not use Vbscript and were hacked recently from the PHP Apps. Should we same the same about PHP?

    Of course the Object Oriented C# for example can be more secure by nature. However, used properly both languages can be very secure when things are done properly.
    • See above

      There is a huge difference between VBScript and VBA and VB. Like there are big differences between JavaScript, Java or C# and C++.

      VBScript was Microsoft's analogue to JavaScript and has little, apart from some basic syntax similarities, to do with Visual Basic.
      • You are mistaken

        VB/VBA/VBscript are 3 peas in a big ugly pod. They share syntax and software components and technology.

        VBscript is a VBA subset, and VBA is a subset of full VB6 that compiles exe files linked to a runtime.

        VBscript is limited to a sandbox, though a poorly constructed one given the access it has to toxic activeX. It cannot define classes and has very limited access to system resources bur you can late bind to any activeX already installed and invoke any methods. There are no limits to what an activeX can do and countless ways to distribute them when you leave security settings too relaxed, which on XP for internal network is almost universally the case.

        VBscript is the crazy glue of choice by crackers to cobble together a malware application suite out of building blocks already on a system and a handful of standalone locally installed malware binaries stowed away.
        Mark Hayden
        • "Modern" VB is different

          VB up to v6 was COM-based. VBA and VBScript are derived from the "up to VB6" versions of VB.

          VB these days is .NET based. It's pretty much exactly the same as C#, but with a Basic-like syntax.

          If someone has full access to the servers that run a POS system (and deliver images to the POS devices), they can probably write an exploit in any language (they could install node.js and write it in JavaScript). It's not the language's fault.
    • Classic ASP?

      And what reason would anyone have for still using that?
      • There are reasons

        A low priority Intranet app that doesn't merit conversion, for instance. The ability to peg a website (asp.NET only lets you get to 67% or so, and then the app pool recycles.) Or, you're on Apache, and have to resort to Chili.
  • Windows based POS?

    Hmm, if they had been written in Linux, he would have knocked out a short Bash script to do the same thing. Unless he was using an exploit in VBScript to escalate his privileges, he could do the same (in probably less code) on a Linux terminal.

    All the Edeka stores over here use Linux POS.
    • security

      I thought this article would be about security and why VB Script introduces these exploits when other languages are more secure. If the POS was written in Python perhaps it wouldn't be as easy to get around the underlying security using a python script where a VB app is more vulnerable to security breaches using a VBA script. Isn't that the point?
      Radomir Wojcik
      • Nope

        Scripting almost any scripting language which could have been slipped onto the device would have worked. It would have worked on a Linux POS, using Python, Bash etc. if it wasn't properly locked down and security updates applied.

        The point ofnthe article is that Ken has an irrational hatred of VB and this was an excuse to rant about it.
  • KEN .. .. .. you're kidding, right?

    To hate VB because someone used it to create havoc would mean if rain flooded your basement you'd hate water also?
    I do believe everything in this world has been used for ill-gotten gains sometime in our human existence, so your point would mean......
    . . . . . !(@@)! ___ YUP, WE'RE ALL DOOMED!
    • No, you missed the point...

      The point is that VB and related languages are bad for many reasons. The fact that it was used in this manner is, as I stated, another nail in its coffin.
      • OH I got your point.

        .. hopefully you understood mine.
        Just because someone uses a good thing to bad
        means it should be removed from everyone's use.
        My flood analogy was rather drastic but I thought it would drive my point.
        ''Take anything good for bad use, we'll have nothing in this world.''
        Quite similar to this point I made decades ago...
        Remove guns from all of society, criminals will use clubs.
        Remove rocks from all of society, criminals will...
        I never ends, does it?
        Well maybe it can.
        When we remove the Earth from under our feet so criminals can't use it against us.
        ... sad world.