"pyrate", Behavior Blocker Bypass POC #3
MacDefender wrote (post 879888):

> I generally agree that it's hard to package into a 1-click exploit because EXEs are so well protected via SmartScreen, but if you distribute these as ZIP files (like a "portable" app), that more or less bypasses SmartScreen for the default config. For example I started with a OneDrive ZIP file link in MS Edge Chromium and got this far extracting it with no warnings from either the browser or SmartScreen:
>
> [attachment 238889 (image)]
>
> Double-clicking IDLE.exe also didn't trigger any additional dialogs. The annoying thing about this kind of exploit is that every *executable* is 100% authentic, common, and signed (IDLE.exe is a signed stub that launches pythonw.exe, which is signed as well). But it's interpreting .py script files that are not signed at all, but beyond the scope of Windows SmartScreen and other signature verification mechanisms.
>
> And BTW, the 100% legitimate portable Python implementation I used as the basis of this exploit is packaged this exact same way -- downloaded as a ZIP file, extracts to this directory structure, doesn't trigger SmartScreen.
>
> This would primarily be a social engineering attack. You'd basically make a fake GitHub landing page that looks almost exactly like the real one and trick users into downloading this trojan horse Python bundle instead of the legitimate one. Unfortunately, data scientists frequently trade Python setups this way so I can also see it working in the real world :(
>
> And FWIW, my versions of the exploit come with a copy of Python. It makes the exploit a disgusting 20-30MB which is impractical, but I could've picked something like Lua or even just bringing along a copy of BusyBox+MinGW which is a lot smaller and almost equally powerful.
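The pattern MacDefender describes, a signed interpreter (pythonw.exe / IDLE.exe) extracted from a ZIP in the user's Downloads folder and interpreting unsigned .py files that SmartScreen never examines, is something a defender can look for in process-creation telemetry. The sketch below is an added example, not code from the thread or from the "pyrate" POC; the event field names, path heuristics and sample events are all constructed for it.

```python
# Detection sketch for the "signed interpreter, unsigned script" bundle pattern:
# a Python interpreter running from a browser-download location (rather than an
# install directory) and loading .py/.pyw files from that same location.
# Event layout ("image", "cmdline", "parent") and the sample events are constructed.
import re
from pathlib import PureWindowsPath

INTERPRETERS = {"python.exe", "pythonw.exe", "idle.exe"}
# Where a browser-downloaded "portable" bundle typically lands after extraction.
USER_DROP_DIRS = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
# Where a normally installed Python lives (per-user installs go under AppData\Local\Programs).
TRUSTED_INSTALL_DIRS = re.compile(
    r"^[a-z]:\\(program files( \(x86\))?|users\\[^\\]+\\appdata\\local\\programs)\\", re.I)

def script_args(cmdline):
    """Extract .py/.pyw paths from a command line, honouring quoted paths with spaces."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]+"|\S+', cmdline)]
    return [t for t in tokens if t.lower().endswith((".py", ".pyw"))]

def assess(event):
    """Return the reasons a process-creation event matches the pattern ([] = no match)."""
    image = PureWindowsPath(event["image"])
    if image.name.lower() not in INTERPRETERS:
        return []
    reasons = []
    if USER_DROP_DIRS.match(str(image)) and not TRUSTED_INSTALL_DIRS.match(str(image)):
        reasons.append("interpreter runs from a download/temp location, not an install dir")
    for script in script_args(event["cmdline"]):
        if USER_DROP_DIRS.match(script):
            reasons.append(f"unsigned script loaded from a download location: {script}")
    if reasons and event.get("parent", "").lower().endswith("explorer.exe"):
        reasons.append("started from Explorer, i.e. a double-click rather than a dev shell")
    return reasons

def flag_events(events):
    """Keep only the events that produced at least one reason."""
    return [(e["image"], assess(e)) for e in events if assess(e)]

SAMPLE_EVENTS = [  # constructed sample process-creation events
    {"image": r"C:\Users\alice\Downloads\python-portable\pythonw.exe",
     "cmdline": r'"C:\Users\alice\Downloads\python-portable\pythonw.exe" '
                r'"C:\Users\alice\Downloads\python-portable\Lib\idlelib\idle.pyw"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Program Files\Python38\python.exe",
     "cmdline": r'"C:\Program Files\Python38\python.exe" C:\Users\alice\projects\build.py',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for image, reasons in flag_events(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The second heuristic (script path alone) will also fire for a legitimately installed Python running a downloaded script, so treat that reason as lower confidence than the interpreter-location one.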