Researchers use PyInstaller to create stealth malware
Academic researchers say the application builder could be used to create undetectable attack bundles that bypass many widely used antimalware programs.
A popular Python developer tool could also become a potent malware accessory, according to new research.
A group of researchers from the University of Piraeus in Greece said that PyInstaller, a tool intended to convert Python code into standalone applications, is capable of creating malware payloads that are able to slip past many of the most widely used antivirus programs and get their malicious code up and running before being flagged and terminated.
This means that, rather than spend the extensive time and money required to obfuscate code and create an untraceable malware packer from scratch, cybercriminals would be able to take advantage of the most popular Python application builder to create packers that are not caught in scans.
"Interestingly, our approach to generating the malicious executables is not based on introducing a new packer but on the augmentation of the capabilities of an existing and widely used tool for packaging Python, PyInstaller but can be used for all similar packaging tools," wrote Vasilios Koutsokostas and Constantinos Patsakis in the research paper, which was published this week. "As we prove, the problem is deeper and inherent in almost all antivirus engines and not PyInstaller specific."
Patsakis told SearchSecurity that the team went into the research knowing that antivirus engines already have a problem properly handling Python applications. In many cases, apps based on Python produce false positives. The extent of the issue, however, was never really understood.
"From the very beginning we knew that something quite wrong was happening as all applications were flagged as malicious," Patsakis explained. "This kind of bias implies that AVs were not scanning the packages that PyInstaller produces properly, but due to the wide use of Python, we did not expect the reason being the Python bytecode."
The issue lies in how PyInstaller turns Python code into executables. Because Python is a scripting language, PyInstaller does not compile the code to native machine code in the traditional sense. Rather, it compiles the scripts to Python bytecode (.pyc files) and bundles them, together with the libraries and other components the code requires, into compressed archives. When the bundled application is launched, a bootloader is spun up, those dependencies are unpacked into a temporary folder, and the bytecode is loaded and executed as needed.
Those .pyc files, as it turns out, are extremely difficult for most modern antimalware tools to scan effectively. The University of Piraeus duo found that when an individual .pyc file was submitted to the VirusTotal scanning suite, it was in many cases not properly analyzed, and code that would normally be flagged as malicious was instead passed through.
In one example, the pair placed reverse shell code into a .pyc file through PyInstaller and inserted the same code into a JavaScript file and an uncompressed Python script. The JavaScript file was detected four times more often than the Python script. More importantly, the reverse shell code in the .pyc file went completely undetected by the full suite of AV engines on VirusTotal. All of this was done out in the open, with no code obfuscation.
"There are many ways to bypass static analysis, so in this sense finding a new AV bypass was not surprising," Patsakis explained.
"The surprising part was that we did not have to actually hide the payload, which for a scripting language like Python was rather unexpected."
What is more concerning, the researchers said, is that this problem is not simply a quirk of PyInstaller but reflective of a larger issue among security tools. It seems that there is a blind spot in many commercial antimalware tools when it comes to the way Python bytecode is handled and scanned.
Fortunately, a fix for the problem is not particularly difficult. The researchers believe that most commercial AV vendors are well-equipped to add support for Python bytecode into their scanning and antimalware detection tools. Once those features are added, consistently stopping Python-based malware would be feasible.
"The fix for AVs is not something difficult to apply, as .pyc are not hard to process and new rules can be added to their arsenal," Patsakis said. "Therefore, we expect fixes to be soon applied from all AVs."
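To illustrate both how little stands between a scanner and the bundled bytecode described above and why the researchers consider the fix straightforward, here is an added example (not code from the paper or from PyInstaller) showing how a .pyc module can be parsed and turned into detection indicators. It builds a .pyc in memory from a constructed, benign sample module, validates the CPython 3.7+ header (magic number, flags, timestamp, source size), unmarshals the code object, walks every nested code object, and collects the referenced names and string constants so that a hypothetical rule can match on them. The sample source, the `RULE_NAMES` set and all function names are assumptions made for this example; the rule only flags a module that references all of the watched names together and performs no network activity.

```python
"""Extract indicators from a CPython .pyc module the way an AV rule engine might."""
import importlib.util
import marshal
import struct
import types

# Constructed sample module for this example. It only references names that a
# rule might watch for; nothing here is executed, it is compiled and scanned.
SAMPLE_SOURCE = '''
import socket, subprocess

def run(host, port):
    s = socket.socket()
    s.connect((host, port))
    out = subprocess.check_output(["echo", "hello"])
    s.sendall(out)
'''

# Hypothetical rule: fire only when all of these names appear in one module.
RULE_NAMES = {"socket", "connect", "subprocess", "check_output"}


def build_pyc(source: str, filename: str = "sample.py") -> bytes:
    """Produce bytes in the timestamp-based .pyc layout used by CPython 3.7+:
    4-byte magic, 4-byte flags (0 = timestamp-based), 4-byte mtime,
    4-byte source size, then the marshalled top-level code object."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, len(source))
    return header + marshal.dumps(code)


def parse_pyc(data: bytes) -> types.CodeType:
    """Validate the 16-byte header and unmarshal the top-level code object."""
    if len(data) < 16:
        raise ValueError("truncated .pyc header")
    magic = data[:4]
    if magic != importlib.util.MAGIC_NUMBER:
        # Bytecode from another CPython release can only be unmarshalled
        # reliably by that release; a real scanner would dispatch on the magic
        # to a matching decoder instead of refusing the file.
        raise ValueError(f"magic {magic!r} does not match this interpreter")
    (flags,) = struct.unpack("<I", data[4:8])
    hash_based = bool(flags & 1)  # bit 0 set: bytes 8..16 hold a source hash
    if not hash_based:
        _mtime, _size = struct.unpack("<II", data[8:16])
    return marshal.loads(data[16:])


def walk_code(code: types.CodeType):
    """Yield every code object, including nested functions and classes."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def extract_indicators(data: bytes) -> dict:
    """Collect global/attribute names and string constants used anywhere in the module."""
    names, strings = set(), set()
    for code in walk_code(parse_pyc(data)):
        names.update(code.co_names)
        strings.update(c for c in code.co_consts if isinstance(c, str))
    return {"names": names, "strings": strings}


def match_rule(indicators: dict, required: set = RULE_NAMES) -> bool:
    """The rule fires only if every required name is referenced."""
    return required <= indicators["names"]


if __name__ == "__main__":
    pyc = build_pyc(SAMPLE_SOURCE)
    ind = extract_indicators(pyc)
    print(sorted(ind["names"]))
    print("rule hit:", match_rule(ind))
```

The point the example makes is the one in the quote above: the header is a fixed 16 bytes, the body is a standard marshal stream, and `co_names` plus `co_consts` already expose the imports, attribute accesses and string literals that signature and heuristic rules key on. A scanner that extracts the PyInstaller archive and applies the same walk to each embedded .pyc sees the unobfuscated payload directly. The one operational caveat is the magic number: each CPython release uses its own marshal format, so a production engine needs a decoder per supported bytecode version rather than the single-interpreter check used here.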