Show HN: Pytroj - Infect .pyc files - jgeralnik
https://github.com/jgeralnik/Pytroj

======
jgeralnik
This project was built during Defcon Israel's recent 24 hour hackathon. Any
feedback would be appreciated.

~~~
wyuenho
I have a question. Can you do this with Java/C#/Ruby/Javascript etc? What
makes this so special?

~~~
pyre
It makes installing random things from PyPi more of an issue of trust (though
it has always been this way, even if people didn't realize it).

~~~
jgeralnik
Exactly. When you install my package, I can infect other packages and have
them execute arbitrary code without you realizing it. This is by no means
unique to python, and in fact can happen whenever you run any program. It just
shows the dangers of running things you don't really trust. Doing this in
python is, however, slightly harder to detect, as you are changing the pyc
file and not the py file itself. Someone who looks at the source will notice
nothing amiss, and in fact if they update the source the pyc will be rebuilt
cleanly (until it gets reinfected). Javascript and ruby are not generally
byte-compiled and so you would have to change the source to infect them. Other
languages that compile either to bytecode or executables can just as easily
be infected.

~~~
mitchty
For ruby you could likely do something similar using rubinius which can
precompile .rb files to .rbc files prior to execution.

Though they discourage the use of the .rbc files directly so not sure this is
much to worry about as they change the bytecode format often enough.

------
fuzzyman
This Trojan requires the ability to execute arbitrary code and write to files
- so it's not in itself any kind of exploit. It's just malicious Python code.

------
nirai
why not infect .py files directly?

~~~
wladimir
Because in general you're more likely to check and/or update the .py files
than .pyc files, I'd say.

Btw, a nice (GUI) tool for examining/disassembling pyc files is:
<http://code.google.com/p/pychrysanthemum/> (it supports all the different
python and bytecode versions without having to mess around with opcodes.py
files...)

~~~
nirai
More likely, as 10^-20 is more likely than 10^-30?

When was the last time you read the python files of installed 3rd-party
software to find viruses and trojans?

And even if you bothered, with simple obfuscation you would need to be an expert
to identify a trojan in a python file.

In addition, a simple way to find or clean up such a virus would be to compile
.pyc files from their sources during a virus scan.

In short, that can't be the reason.
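The check nirai describes (recompile each .py and see whether the cached bytecode still agrees with it) in working form, as an added example that is not part of the Pytroj project or of anyone's comment in this thread. The sample module, the file names and the "tampered" cache entry are all constructed inside the script for the demo; it assumes CPython 3.7 or later so that the .pyc header is 16 bytes.

```python
"""Detect .pyc files whose bytecode no longer matches their .py source.

Added example, not part of the Pytroj project or the HN thread. It does what
the thread proposes as a cleanup step: recompile each source file and compare
the result with the cached bytecode. All paths and sample modules below are
constructed for the demo.
"""
import importlib.util
import marshal
import py_compile
import sys
import tempfile
import types
from pathlib import Path

# CPython 3.7+ pyc header: 4-byte magic, 4-byte flags, 8 bytes of mtime+size (or source hash)
PYC_HEADER_SIZE = 16 if sys.version_info >= (3, 7) else 12


def load_pyc_code(pyc_path):
    """Return the code object stored in a .pyc, refusing files from another interpreter."""
    data = Path(pyc_path).read_bytes()
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("magic number mismatch: built by a different Python version")
    return marshal.loads(data[PYC_HEADER_SIZE:])


def code_fingerprint(code):
    """Reduce a code object (recursively through nested functions and classes) to the
    parts that determine what it does. co_filename and line tables are left out, so a
    relocated but untouched module still matches its cache."""
    consts = tuple(
        code_fingerprint(c) if isinstance(c, types.CodeType) else c
        for c in code.co_consts
    )
    return (code.co_name, code.co_code, code.co_names, code.co_varnames, consts)


def pyc_matches_source(py_path, pyc_path):
    """True when compiling py_path afresh yields the same bytecode as pyc_path holds."""
    fresh = compile(Path(py_path).read_bytes(), str(py_path), "exec", dont_inherit=True)
    return code_fingerprint(fresh) == code_fingerprint(load_pyc_code(pyc_path))


def scan_tree(root):
    """Walk root and report every __pycache__ entry that cannot be tied to a matching source."""
    findings = []
    for pyc in sorted(Path(root).rglob("*.pyc")):
        if pyc.parent.name != "__pycache__":
            continue
        try:
            source = Path(importlib.util.source_from_cache(str(pyc)))
        except ValueError:
            findings.append((str(pyc), "unrecognised cache file name"))
            continue
        if not source.exists():
            findings.append((str(pyc), "orphan: no source to compare against"))
            continue
        try:
            if not pyc_matches_source(source, pyc):
                findings.append((str(pyc), "bytecode does not match source"))
        except ValueError as exc:
            findings.append((str(pyc), f"unreadable: {exc}"))
    return findings


def demo():
    """Build a clean module and a tampered one in a temp dir; return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        module_src = "def greet(name):\n    return 'hello ' + name\n"
        (root / "clean.py").write_text(module_src)
        (root / "target.py").write_text(module_src)
        py_compile.compile(str(root / "clean.py"), doraise=True)
        py_compile.compile(str(root / "target.py"), doraise=True)

        # Constructed tampering: compile a variant carrying one extra, harmless statement
        # and drop it into target.py's cache slot, which is how an edited-on-disk .pyc looks.
        variant = root / "variant.py"
        variant.write_text(module_src + "EXTRA = 'added by the demo'\n")
        cache = importlib.util.cache_from_source(str(root / "target.py"))
        py_compile.compile(str(variant), cfile=cache, dfile=str(root / "target.py"), doraise=True)

        # Strip the temp path so the result is stable across runs.
        return [(Path(p).name.split(".")[0], why) for p, why in scan_tree(root)]


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```

The comparison deliberately ignores the .pyc header. Python's own staleness check only compares the source mtime and size (or, for hash-based pycs, the recorded source hash) stored in that header against the .py file, and a cache file edited in place keeps those fields, so the import system loads it without complaint. Comparing the bytecode itself is what catches the case the thread is about; regenerating the cache (for example with `python -m compileall`) is the cleanup, and it is only meaningful if the .py sources are themselves trusted.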