Python Question

10 minutes ago, Marcos said:

If the script itself is detected

Can Eset actually detect a Python script pre-execution if it's packed and encrypted? Note that Win 10 AMSI does not scan Python scripts. -EDIT- Also, Python scripts "are famous" for running "sleeper" code designed to "wait out" heuristic scanning methods.

Edited by itman

  • Administrators

If a script is recognized as malicious or PUA, it will be detected upon access. Not sure if a compiled executable is extracted to a disk upon execution; if not then it might not be detected without AMSI. It'd need to be tested to tell for sure.


8 minutes ago, Marcos said:

It'd need to be tested to tell for sure.

Advisable, since there are ransomware strains that do employ "sleeper" Python scripts. Hence my recommendation that an .exe with the Python engine code embedded be flagged as a PUA. This is not normal activity and should be flagged as suspicious. Perhaps it could be included in the new Deep Behavior Inspection detection.

Edited by itman

  • Administrators

I assume that flagging any executable built with PyBuilder as PUA would cause false positives. If PyBuilder was a tool to evade AV detection, then the tool itself would have to be detected.


-EDIT- Having a bad day today. Also, I misstated previously:

You can create a .exe using PyBuilder. PyInstaller and a few others are alternative methods to do so.

PyBuilder only allows you to create a self-executing Python .py script. To create an executable, you need to use PyInstaller to create an .exe encapsulating the script: http://www.primalsecurity.net/0xc-python-tutorial-python-malware/

Edited by itman

Also, and rephrased: I am referring to detection of Python engine components within an executable.

A recent such malware example is XBash: https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/ . At the time of its initial discovery, only 1/57 at Virus Total detected it.

Edited by itman
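The point raised above, detecting Python engine components bundled inside an executable, can be illustrated with a small static scanner. This is an added example, not code from the thread or from ESET, and it is a heuristic, not a malware verdict: it looks for the cookie that PyInstaller's bootloader appends to its embedded archive (magic `MEI\x0c\x0b\x0a\x0b\x0e` followed by a fixed-layout header that names the bundled Python DLL) and for `pythonNN.dll` strings in the file. The sample "executables" scanned at the bottom are constructed byte strings, not real binaries, and the PyInstaller 2.1+ cookie layout and version encoding are stated from the PyInstaller source as the author understands it.

```python
"""Heuristic static scan for a bundled Python runtime inside a PE file.

Added example for this thread. It flags PyInstaller-style bundles and
embedded CPython DLL names; it does not decide whether the file is malicious.
"""
import re
import struct
import sys

# Magic that PyInstaller's bootloader searches for to locate its archive cookie.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Cookie layout used since PyInstaller 2.1 (assumption from the PyInstaller source):
#   magic (8 bytes), package length, TOC offset, TOC length, python version,
#   name of the bundled Python shared library (64 bytes, NUL padded).
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes

# Interpreter DLL names such as python27.dll, python38.dll, python310.dll.
PYTHON_DLL_RE = re.compile(rb"python\d{1,3}\.dll", re.IGNORECASE)


def decode_pyvers(pyvers):
    """Map the cookie's version field to (major, minor).

    PyInstaller 4+ stores major*100+minor (e.g. 308); older builds stored
    major*10+minor (e.g. 38). Values >= 100 are assumed to use the new scheme.
    """
    if pyvers >= 100:
        return pyvers // 100, pyvers % 100
    return pyvers // 10, pyvers % 10


def scan_bytes(data):
    """Return indicators of a bundled Python runtime found in `data`."""
    result = {"pyinstaller": False, "python_version": None,
              "pylib": None, "dll_strings": []}

    # Indicator 1: interpreter DLL names embedded anywhere in the file.
    result["dll_strings"] = sorted(
        {m.decode("ascii").lower() for m in PYTHON_DLL_RE.findall(data)})

    # Indicator 2: the PyInstaller cookie. The bootloader scans backwards from
    # the end of the file, so take the last occurrence of the magic.
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx != -1 and idx + COOKIE_SIZE <= len(data):
        _magic, _pkglen, _toc, _toclen, pyvers, pylib = struct.unpack(
            COOKIE_FORMAT, data[idx:idx + COOKIE_SIZE])
        result["pyinstaller"] = True
        result["python_version"] = decode_pyvers(pyvers)
        result["pylib"] = pylib.rstrip(b"\0").decode("ascii", "replace")
    return result


def verdict(result):
    """Summarise a scan result as a short label for triage output."""
    if result["pyinstaller"]:
        return "pyinstaller-bundle"
    if result["dll_strings"]:
        return "python-dll-reference"
    return "no-python-indicators"


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def make_sample(bundled):
    """Constructed stand-in for an executable; NOT a real PE image."""
    body = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"
    if not bundled:
        return body + b"\x00" * 64 + b"KERNEL32.dll\x00"
    body += b"\x00" * 16 + b"python38.dll\x00" + b"_MEIPASS2\x00"
    payload = b"PYZ\x00fake-archive-payload" * 4
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC,
                         len(payload) + COOKIE_SIZE, len(payload), 0,
                         308, b"python38.dll")  # 308 == Python 3.8 (4+ scheme)
    return body + payload + cookie


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, verdict(scan_file(path)), scan_file(path))
    else:
        for label, blob in (("bundled", make_sample(True)), ("plain", make_sample(False))):
            r = scan_bytes(blob)
            print(label, verdict(r), r)
```

Run it with one or more file paths to scan real binaries, or with no arguments to scan the two constructed samples. A file built with a packer that encrypts the PyInstaller archive, or one that embeds the interpreter some other way, will not show the cookie, so the DLL-string indicator is kept as a weaker second signal; neither indicator by itself says anything about intent, which is the false-positive concern raised in the thread.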

@Marcos - FYI

One reason Eset should be paying attention to the use of bundled Python engine components is this recent "nonsense" banking protection test by AV Labs - Poland:

Quote

Malware was written in Python scripts and compiled to EXE file.

https://www.wilderssecurity.com/threads/avlab-test-of-software-for-online-banking-protection.414737/

Ah ... a reincarnation of PC Security Channel testing methods. If Eset is "spending any money" with this outfit, I would look elsewhere for a better use of its corporate dollars.

Edited by itman