"pyrate", Behavior Blocker Bypass POC #3
MacDefender said:

If Python's already installed, there is potentially an attack where a rogue installer can drop a script into Python's site packages, or a system-wide Python library that's commonly imported, which would be executed the next time a user legitimately starts the Python interpreter. I've seen such techniques used for ransomware on UNIX environments like Linux and macOS, especially in terms of dropping things into .bashrc or another automatically sourced script that is owned by the user and runs frequently.

Unfortunately, on Windows, a lot of applications (especially scientific ones like MATLAB, AutoCAD, etc.) and video games love to bundle a copy of a scripting engine or some other runtime environment, so it's really challenging to define a whitelist.

This is also a trend seen on macOS, where the latest version builds in a prompting feature similar to CFA which is on by default:

[Attachment 238837]

From a phishing standpoint, the goal is now to just lure the user to grant these kinds of privileges to something like Terminal (or Python, haha), and then that paves the way for ransomware to abuse those agents.

This is kind of interesting. I wonder which executable it thought was not trustworthy -- whether that's the self-extracting EXE or detecting that it's executing python.exe with an argument to a script.
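The persistence vector the post describes (code dropped into site-packages or a shell rc file that runs the next time the interpreter or shell starts) can be audited with a short script. The following is an added example, written for this page; it is not code from the thread or from the "pyrate" PoC. It relies on two documented Python startup behaviours: `site.py` auto-imports `sitecustomize`/`usercustomize` if present, and it executes any line in a `.pth` file that begins with `import `. The shell-rc heuristics (temp paths, base64, curl/wget, eval, nohup, `python -c`) are an assumption and will need tuning; the sample directory is a constructed fixture, not real malware. Note that legitimate packages also use executable `.pth` lines (setuptools' `distutils-precedence.pth`, for instance), so every finding needs review rather than automatic removal.

```python
"""Audit Python startup hooks and shell rc files for injected autorun code.

Added example, not from the thread or the pyrate PoC. Heuristics are
assumptions; the fixture built by build_sample_dir() is constructed.
"""
import re
import site
import tempfile
from pathlib import Path
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    reason: str
    line: str


# site.py executes any .pth line that starts with "import " at interpreter startup.
PTH_EXEC_RE = re.compile(r"^\s*import\s")

# Assumed heuristics for shell startup lines worth a second look; tune for your estate.
RC_SUSPECT_RE = re.compile(
    r"(/tmp/|/var/tmp/|\$TMPDIR|base64|\bcurl\b|\bwget\b|\beval\b|\bnohup\b|python[0-9.]*\s+-c)"
)


def scan_site_dir(site_dir: Path) -> List[Finding]:
    """Flag auto-imported startup modules and executable .pth lines in one site-packages dir."""
    findings: List[Finding] = []
    if not site_dir.is_dir():
        return findings
    for name in ("sitecustomize.py", "usercustomize.py"):
        hook = site_dir / name
        if hook.is_file():
            findings.append(Finding(str(hook), "auto-imported at interpreter startup", ""))
    for pth in sorted(site_dir.glob("*.pth")):
        for line in pth.read_text(errors="replace").splitlines():
            if PTH_EXEC_RE.match(line):  # plain path entries are harmless; import lines run code
                findings.append(Finding(str(pth), "executable .pth line", line.strip()))
    return findings


def scan_rc_file(rc_path: Path) -> List[Finding]:
    """Flag shell startup lines that fetch, decode or launch code from temp locations."""
    findings: List[Finding] = []
    if not rc_path.is_file():
        return findings
    for line in rc_path.read_text(errors="replace").splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if RC_SUSPECT_RE.search(stripped):
            findings.append(Finding(str(rc_path), "suspicious shell startup line", stripped))
    return findings


def audit(site_dirs, rc_files) -> List[Finding]:
    """Run both scanners over the given directories and files (str or Path)."""
    out: List[Finding] = []
    for d in site_dirs:
        out += scan_site_dir(Path(d))
    for f in rc_files:
        out += scan_rc_file(Path(f))
    return out


def live_targets():
    """Locations on the running machine: every site-packages dir plus the user's shell rc files."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])()) + [site.getusersitepackages()]
    home = Path.home()
    rcs = [home / n for n in (".bashrc", ".bash_profile", ".zshrc", ".profile")]
    return dirs, rcs


def build_sample_dir() -> Path:
    """Constructed fixture: one benign .pth, one executable .pth, a sitecustomize.py,
    and a .bashrc with an injected line. Nothing here is executed, only scanned."""
    root = Path(tempfile.mkdtemp(prefix="pyrate_audit_"))
    sp = root / "site-packages"
    sp.mkdir()
    (sp / "paths-only.pth").write_text("/opt/vendor/lib\n")  # path entry, never executed
    (sp / "hook.pth").write_text("import os; os.system('echo dropped')\n")  # runs at startup
    (sp / "sitecustomize.py").write_text("print('hello from sitecustomize')\n")
    (root / ".bashrc").write_text(
        "export PATH=$PATH:~/bin\n# comment\nnohup python3 /tmp/.cache/x.py &\n"
    )
    return root


if __name__ == "__main__":
    dirs, rcs = live_targets()
    for f in audit(dirs, rcs):
        print(f"{f.reason}: {f.path} {f.line}")
```

Run it as-is to audit the current interpreter's site-packages directories and your shell rc files; on a clean machine the typical output is a handful of executable `.pth` lines from well-known packages, which is the baseline to diff against after a suspicious install. On Windows the same `.pth` and `sitecustomize` behaviour applies to every bundled interpreter the post mentions, so point `audit()` at each application's private site-packages as well.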