| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by NullInvictus 2173 days ago

I think a lot of people will read 'python malware' and assume packages; that's not what this is about.

A lot of exploits are two-stage. Stage one is usually the vulnerability, usually written in C given the low-level and tightly controlled instructions required. The exploit breaks security to run an executable or otherwise gain control. Stage two is usually downloading a python executable to grab the goods.

There's nothing especially sinister about the selection of Python for this case over other interpreted languages. Malware authors are just regular developers - they don't want to spend hours trying to hack together a C binary to dump a database when six lines of Python will do it. Python just runs on a lot of platforms, has a lot of mature drop-in libraries, and decent documentation. They use it for the same reason we use it.

The article just makes it sound like malware developers are using modern packaging tools to turn that two-stage exploit into a single-stage. That doesn't strike me as particularly surprising. Teams tend to gravitate towards specializing in one tool when they can. I'd obviously prefer to write a bunch of python than do the same in C, when performance isn't a huge concern (It's the other guy's CPU, after all).

Just seems like a minor observation, rather than some doom trend.

5 comments

vesche 2173 days ago

Author here. Thanks for reading & the feedback. I'll try to unpack some of this.

> A lot of exploits are two-stage. Stage one is usually the vulnerability, usually written in C given the low-level and tightly controlled instructions required. The exploit breaks security to run an executable or otherwise gain control. Stage two is usually downloading a python executable to grab the goods.

This seems like a gross oversimplification & commonly incorrect. Often times a "stage one" vulnerability to gain initial access would be network code written in a high level language such as Python or Ruby (see Metasploit). And an executable payload to interact with the system would be generally written in a compiled language like C or C++. My article is detailing the uncommon rise of interpreted languages (especially Python) being used over the past ~5 years as malware dropped on an endpoint in an attack.

> Just seems like a minor observation, rather than some doom trend.

I wouldn't say this is a minor observation or a "doom trend." I'd say it's a very interesting and insightful observation that is worth keeping an eye on. Malicious actors are no longer operating in a world of slow endpoints and lack of resources. They instead are operating in a world of high-speed internet, very fast endpoints, and have a rich ecosystem of open-source tools at their disposal.

I find it highly interesting that malicious code written in interpreted languages, bundled with their interpreters into an executable, are finding their way into the arsenal of high-tier malicious threat actors over the past few years. Just as the web browser is slowly eating away at the operating system, interpreted languages are slowly eating away at compiled languages in a variety of domains- including malware.

link

userbinator 2173 days ago

Malware authors are just regular developers - they don't want to spend hours trying to hack together a C binary to dump a database when six lines of Python will do it.

It used to be that malware authors (virus writers in particular) were characteristically more "hardcore" than the average developer, as in preferring native code (even handwritten Asm) and clever optimisations to make their software smaller and more "tricky", for lack of a better term. But that was when it was as a whole not as commercialised, so it's not so surprising to see that aesthetic disappear with increasing commercialisation.

It's the other guy's CPU, after all

...and that might be why malware was initially more optimised than average; it spreads more easily when it's tiny and fast, doing its thing without being noticed, than if it causes a noticeable increase in system load that will prompt further investigation and lead to its discovery.

I wonder when we'll see Electron being used for malware...

link

tastroder 2173 days ago

> It used to be that malware authors (virus writers in particular) were characteristically more "hardcore" than the average developer, [...]

A subgroup of them still operates like that but I feel like "it used to be" might be a bit outdated. It doesn't seem new for malware authors to utilize low hanging fruits from languages to infrastructure. We've had VBA macros that are or spread malware for decades now, it used to be a pretty regular sight in the early 2000s to see low-effort payloads to be written in some high level language and utilize some random IRC server as a C&C for example. Not everything out there is some state actor level APT nightmare, with more developers in every part of the market and even more users that simply don't care enough it seems like a normal development to see stuff like this more often.

link

rlayton2 2173 days ago

Like all software, you choose the language / platform depending on your business goals. Want it to be hidden for ages and slowly leak data? Write in optimised C to minimise footprint. Quick break in and grab everything? Pick your favourite and fastest language to code in.

link

photon12 2173 days ago

Interviewed someone last night for my podcast who has written some python malware tools, and there's enough stuff out there to where you can't exactly call it a new concept.

link

elipsey 2173 days ago

Link? :-)

link

someperson 2173 days ago

From the user's submissions, I would assume https://www.symbolcrash.com/podcast/ (but I don't know if the episode is released yet)

link

photon12 2173 days ago

Yep, planning on editing it tomorrow

It's with Josh Pitts, author of this tool [1] and another payload that caused lots of go projects to be eaten by Kaspersky [2]

[1] https://github.com/secretsquirrel/the-backdoor-factory

[2] https://github.com/golang/go/issues/16292