All-Python malware nasty bites Windows victims in Poland

Malware authors have put together a strain of malicious code written entirely in Python, in what may turn out to be an experiment in creating a new type of cross-platform nasty. PWOBot is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has already infected a …

  1. John Deeb

    Fail

    I fail to see the particular seriousness of the threat in this case. Wouldn't it be easier to detect since the generated code will be more predictable with all the known python optimization and libraries involved? Any environment where someone can install a payload created with whatever set of tools or in whatever language would have major problems in the first place. Or do I miss something here?

    1. Pascal Monett Silver badge

      Seriousness of the threat

      This is what it can do :

      PWOLauncher : Download/execute file, or execute local file

      PWOHTTPD : Spawn a HTTP server on the victim machine

      PWOKeyLogger : Log keystrokes on the victim machine

      PWOMiner : Mine bitcoins using the victim CPU/GPU

      PWOPyExec : Execute Python code

      PWOQuery : Query remote URL and return results

      This list basically means that they are in remote control of infected PCs. They can detect passwords, launch whatever they want and generally benefit from all the resources of the machine.

      I rank that as rather serious. I certainly hope it can be detected and blocked by my current AV solution, although I must admit that I tend to not download its targeted carriers (Quick PDF to Word, XoristDecryptor, Easy Barcode Creator, Kingston Format Utility and the others are really not in my interest zone).

    2. Charlie Clark Silver badge

      Re: Fail

      It's easy to add some obfuscation to the final package that will make detection a lot harder. This is standard for much malware.

  2. tony2heads

    python

    pythons don't bite, they crush

    1. Anonymous Coward

      Re: python

      They can bite too, but they'll squeeze the life out of you.

  3. Anonymous Coward

    Track-tastic

    When I click on the link to PA's website, Privacy Badger and uBlock Origin go berserk. The page continuously reloads. Not the best.

  4. Anonymous South African Coward Bronze badge

    Expect some nasty cryptolocking ransomware written in Python sooner or later... ne'er-do-wells just seem to keep themselves busy these days...

    Solution would be to code a default-deny OS - where nothing will run without authorization from the user. Granted, it will be a major PITA (especially after application upgrades)...

    1. James Loughner

      You mean like run execute permission in Linux???

      1. bazza Silver badge

        "You mean like run execute permission in Linux???"

        A lack of execute permissions is no barrier. See dot, and indeed source.

        This makes scripts positively bothersome to prevent them running. You have to take control of the read permissions too, and that just starts getting irritating...

        1. Anonymous Coward

          Yes, but dot and source only work for scripts written in the same language as the shell.

          You cannot execute a script written in Python that way, nor a compiled executable. The script can embed a script in another language, but it has to manually execute the interpreter and pipe the data to it for that to work.

          1. P. Lee

            re: dot and source only work for scripts written in the same language as the shell.

            True, but /usr/bin/python or %WINDOWS%/Program Files/python/python.exe isn't exactly hard to guess.

            What we want is a jailed browser process by default, and a prohibition on launching any executable (mime/extension recognition?) from disk areas the browser has write access to. I'd settle for a ramdisk with all the executables in it which gets copied and deleted after use. The browser is a high-risk interface - we know that. From a security pov, you should be able to completely compromise it and still not be able to compromise the user's general files, install persistent threats or compromise the system as a whole. i.e. (pun intended) the browser is an app controlled by the OS, not part of the OS. If you want a high-privileged (what we normally get now) browser, that should be a launch-time option, not the default.

            This isn't a windows only problem - I want this for linux too. A chroot without all those interpreters (python, bash, cmd.exe, screen saver config, word.exe, excel.exe) would be a good start. The option of a non-kernel (slow but safe) display system would also be good, even if it were a boot-only option.

            Linux is free - it is hard to complain about a lack of features. Windows has no excuse.

        2. Paul Crawford Silver badge

          @bazza

          Removing execute permissions for the /home partition, /tmp, etc, where users can write to helps a lot, but not as you say for a particularly determined user and/or program. For the really gullible Linux user you can also deny them a command shell so they can be tempted to type in crap.

          However, for more serious blocking of tricks like you mention you can use tools like apparmor to deny execution of bash, python, etc, in user-writeable areas to further piss off malware authors.

          Incidentally, Windows supports no-execute as an ACL setting; you can do the same to block execution in all user-writeable areas and stop a lot of Trojans from being able to run even if the user is dumb enough to try some random download. Of course, you end up with complaints of other crap they need also being broken...

    2. NotBob

      where nothing will run without authorization from the user

      How'd that go last time Microsoft tried it? Pages and pages of complaints about the annoying permission dialogs, and users willing to follow anyone's instructions online to make it stop...

    3. allthecoolshortnamesweretaken

      Re: default-deny OS / no run without authorization / PITA

      That'd be pretty much like checking the punchcards before stacking them into the hopper... 'PITA' doesn't cover half of it...

  5. Anonymous Coward

    Cross platform?

    With all those Windows specific paths and registry functions being used in the code?

    1. thames

      Re: Cross platform?

      Python is very, very, good at being cross platform. However, as you said, hooking into platform specific features is inherently not cross platform.

      I suspect that the main reason that Python was used in this application was to reduce the cost and time to write the software. It typically takes far fewer lines of code to do something in Python than it does to do it in something like C++, Java, or C#. The language also permits a development process consisting of rapid, short, iterative cycles (write a small stand alone bit of code, test it, write another small bit of code, test it, etc.). This lets someone get their virus out "onto the market" in less time, with less manpower, and with lower overall investment.

      In other words, it's the same reason why Python is so popular in many legitimate fields of endeavour.

  6. a_yank_lurker

    Not Quite Cross Platform

    The executable was not Python code but a Winbloat executable written in Python. Outside of a few developers, I would be surprised if Python was ever installed on a Winbloat box. I suspect this is true of a Mac also.

    What this seems to be is someone writing malware in Python (the language is actually unimportant) and compiling it into a platform specific executable (in this case Winbloat). Other than Python being used, this is not much different from the many other malware that are Winbloat/Mac/Linux executables.

    1. Anonymous Coward

      Re: Not Quite Cross Platform

      Pretty sure MacOS X ships with Python.

      That said, it's not the first time that a runtime environment like PyInstaller has been used. I seem to recall one based around NodeJS being used for malware in the past to target Windows hosts.

      1. a_yank_lurker

        Re: Not Quite Cross Platform

        Not sure what ships with a Mac since I do not have access to one right now. With Python, it is important to have the correct version of the interpreter installed since P2 and P3 are compatible.

  7. Anonymous C0ward

    Bitcoin mining on CPU

    Enjoy your 2p. You might get it in time for the heat death of the universe.

  8. Anonymous Coward

    Upon initial execution of PWOBot

    "Upon initial execution, PWOBot will first uninstall previous versions of PWOBot should they be found. It will query Run registry keys searching for instances of previous versions."

    How exactly does PWOBot initially compromise the Windows computer?

    1. theblackhand

      Re: Upon initial execution of PWOBot

      From what I can tell, it compromises Windows when a user installs an application that they downloaded from the Internet. I assume that traditional methods of containing this type of threat will continue to be as effective as they have been in the past, i.e. restricting admin rights, up-to-date AV software, user education.

      As for the Python element? I can't recall a scripting language (compiled or otherwise) ever being used to install software...
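The quoted report says PWOBot looks for earlier copies of itself under the Run registry keys, which is also where a defender can look for it. The following is an added example for this thread, not code from the article, the report or any commenter: it lists the Run/RunOnce autostart entries for the current user and the machine and flags targets that live in user-writable directories (the same areas the commenters above discuss locking down) or that no longer exist on disk. It assumes PowerShell 5 or later and standard environment variables; the directory list is a constructed heuristic, not an authoritative rule.

```powershell
# Added example: audit Run-key autostart entries for targets in user-writable paths.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an unprivileged user can write to (constructed list, extend as needed).
# A program autostarting from one of these is not proof of malware, but it is
# where downloaded droppers usually land and is worth a second look.
$userWritable = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE, 'C:\ProgramData') |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-CommandPath([string]$Command) {
    # Extract the executable from a Run value such as
    #   "C:\Users\x\AppData\Roaming\tool.exe" --silent   or   C:\dir\app.exe /q
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $exe  = [Environment]::ExpandEnvironmentVariables((Get-CommandPath ([string]$p.Value)))
        $flag = ''
        foreach ($dir in $userWritable) {
            if ($exe.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $flag = 'USER-WRITABLE'; break
            }
        }
        # A Run entry whose target is gone is either a leftover or a failed uninstall.
        if ($exe -and -not (Test-Path -LiteralPath $exe)) { $flag = ($flag + ' MISSING').Trim() }
        [PSCustomObject]@{ Key = $key; Name = $p.Name; Target = $exe; Flag = $flag }
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Where-Object Flag` to see only flagged entries; run from an elevated prompt if you want the HKLM keys read in full.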

  9. channel extended

    Which Python?

    Will it require 2.7 or 3.3? If I get a request to update python should I look closer? Clearly just because a language is cross environment doesn't mean a compiled executable is. Look at the so called UWP.

    No matter what the source, most infections still rely on the "I Agree" click.

    1. herman Silver badge

      Re: Which Python?

      Which Python? Monty of course.

      I fart in your general direction.

  10. Stevie

    Bah!

    Seems to me this could be mitigated by a simple every-other-line edit to change the number of leading tabs. Harmless to most files, death to python scripts.

    [later] After more thinks I see this wouldn't work though.

  11. This post has been deleted by its author

  12. zarvus

    Now we just need some Ruby malware and I will have further justification for not learning it as well, other than general laziness and meh and it reminds me too much of Java.
