itman (posted March 25, 2019): Does Eset detect an executable created via PyBuilder in which the Python engine along with a script is bundled as a PUA? If not, it should.
Marcos, Administrator (posted March 25, 2019): If the script itself is detected, then the executable should be detected as well.
itman (posted March 25, 2019, edited): Quoting Marcos, 10 minutes ago: "If the script itself is detected". Can Eset actually detect a Python script pre-execution if it's packed and encrypted? Note that Win 10 AMSI does not scan Python scripts. EDIT: also, Python scripts "are famous" for running "sleeper" code designed to "wait out" heuristic scanning methods.
Marcos, Administrator (posted March 25, 2019): If a script is recognized as malicious or PUA, it will be detected upon access. Not sure if a compiled executable is extracted to a disk upon execution; if not then it might not be detected without AMSI. It'd need to be tested to tell for sure.
itman (posted March 25, 2019, edited): Quoting Marcos, 8 minutes ago: "It'd need to be tested to tell for sure." Advisable, since there are ransomware strains that do employ "sleeper" Python scripts. Hence my recommendation that an .exe with the Python engine code embedded be flagged as a PUA. This is not normal activity and should be flagged as suspicious. Perhaps included in the new Deep Behavior Inspection detection.
Marcos, Administrator (posted March 25, 2019): I assume that flagging any executable built with PyBuilder as PUA would cause false positives. If PyBuilder was a tool to evade AV detection, then the tool itself would have to be detected.
itman (posted March 25, 2019, edited): EDIT: Having a bad day today. Also, I misstated previously: you can create a .exe using PyBuilder. PyInstaller and a few others are alternative methods to do so. PyBuilder only allows you to create a self-executing Python .py script. To create an executable, you need to use PyInstaller to create an .exe encapsulating the script: http://www.primalsecurity.net/0xc-python-tutorial-python-malware/
itman (posted March 25, 2019, edited): Also, and rephrased, I am referring to detection of Python engine components within an executable. A recent such malware example is XBash: https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/ . At the time of its initial discovery, only 1/57 at VirusTotal detected it.
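The post above asks for detection of "Python engine components within an executable". As an added illustration of what such a triage check can look like (this is not code from the thread, from ESET, or from any of the tools mentioned), the Python script below scans a binary for two indicators: the archive cookie magic that PyInstaller's bootloader writes into every bundled executable (the byte value is taken from PyInstaller's own bootloader sources), and, as a weaker heuristic that I am assuming here, a string reference to an embedded CPython runtime DLL such as python37.dll. The sample blobs are constructed in the script so it runs offline; a real scan would call scan_file on a quarantined sample. Hits mean "bundled Python runtime present, review further", not "malicious", which is exactly the false-positive trade-off Marcos raises earlier in the thread.

```python
import re
from pathlib import Path

# PyInstaller's CArchive cookie magic, as defined in its bootloader sources
# (octal "MEI\014\013\012\013\016"). It marks the trailer of the embedded archive.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Heuristic (assumption, not a PyInstaller artifact): an embedded interpreter
# usually carries or references a CPython runtime DLL name such as "python37.dll".
PYTHON_DLL_RE = re.compile(rb"python\d{2,3}\.dll", re.IGNORECASE)


def scan_bytes(data: bytes) -> dict:
    """Return indicators of a bundled Python runtime found in `data`.

    The result is a triage signal for a reviewer, not a verdict: legitimate
    PyInstaller-built tools will trigger it just as well as malware.
    """
    dlls = sorted({m.decode("ascii", "replace").lower() for m in PYTHON_DLL_RE.findall(data)})
    has_magic = PYINSTALLER_MAGIC in data
    return {
        "pyinstaller_magic": has_magic,
        "python_dlls": dlls,
        "bundled_python": has_magic or bool(dlls),
    }


def scan_file(path) -> dict:
    """Scan a file on disk (e.g. a quarantined sample) for the same indicators."""
    return scan_bytes(Path(path).read_bytes())


# Constructed samples: not real binaries, just enough bytes to exercise the checks.
SAMPLE_BUNDLED = (
    b"MZ" + b"\x00" * 64            # fake DOS header prefix
    + b"python37.dll\x00"           # runtime DLL reference
    + b"\x00" * 16
    + PYINSTALLER_MAGIC + b"\x00" * 8  # PyInstaller archive cookie
)
SAMPLE_PLAIN = b"MZ" + b"\x00" * 64 + b"kernel32.dll\x00"

if __name__ == "__main__":
    for name, blob in (("bundled", SAMPLE_BUNDLED), ("plain", SAMPLE_PLAIN)):
        print(name, scan_bytes(blob))
```

Because the cookie sits in the archive appended to the bootloader, a simple substring search over the whole file is enough; a packed or encrypted outer layer would hide it, which is the limitation itman points out for script scanning, so this check belongs in on-access scanning of the dropped or unpacked binary rather than as a sole detection.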
itman (posted March 26, 2019, edited): @Marcos - FYI. One reason Eset should be paying attention to use of bundled Python engine components is this recent "nonsense" banking protection test by AV Labs - Poland. Quote: "Malware was written in Python scripts and compiled to EXE file." https://www.wilderssecurity.com/threads/avlab-test-of-software-for-online-banking-protection.414737/ Ah... a reincarnation of PC Security Channel testing methods. If Eset is "spending any money" with this outfit, I would look elsewhere for better use of its corporate dollars.