PyRoMine - Cryptocurrency mining malware also disables security services

Discussion in 'malware problems & news' started by hawki, Apr 24, 2018.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "This cryptocurrency mining malware also disables your security services

    A new form of cryptocurrency mining malware uses a leaked NSA-exploit to spread itself to vulnerable Windows machines, while also disabling security software and leaving the infected computer open to future attacks.

    ...PyRoMine. ... first appeared this month and spreads using EternalRomance, a leaked NSA-exploit which takes advantage of what until a year ago had been an undisclosed SMB vulnerability to self-propagate through networks...

    Researchers discovered the malware was downloadable from a particular web address as a zip file, bundled with Pyinstaller, a program which packages programs written in Python into stand alone executables, meaning there's no need for Python to be installed on the compromised machine..."

    https://www.zdnet.com/article/this-...ables-your-security-services/#ftag=RSSbaffb68
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Aren't security suites supposed to protect themselves from being disabled? The same goes for Windows services; security tools must monitor them.
     
  3. guest

    guest Guest

    New 'PyRoMineIoT' Malware Spreads via NSA-Linked Exploit
    June 12, 2018
    https://www.securityweek.com/new-pyromineiot-malware-spreads-nsa-linked-exploit
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    "PyRoMineIoT cryptojacker uses NSA exploit to spread

    The latest malware threat based on the EternalRomance NSA exploit is PyRoMineIoT, a cryptojacker infecting IoT devices...

    A new malware variant reads like the greatest hits of cyberthreats: a cryptojacker using an NSA exploit to scan for IoT devices with hardcoded passwords to spread and distribute the miner..."

    https://searchsecurity.techtarget.c...neIoT-cryptojacker-uses-NSA-exploit-to-spread
     
  5. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    What really should have been concentrated on is that the malware is Python (scriptor) based. Instead, much too much credit is given to the Exploit (carrier).

    Understand that an exploit is a single entity, and once discovered can be detected and stopped no matter what malware it carries. However, Scriptor-based malware (for which far too many Security products are oblivious) can be Morphed quite easily into the thousands and can be carried by numerous things.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Let's take a look at this:
    Also for reference:
    https://www.quora.com/Can-I-run-a-Python-script-in-Windows-without-Python-installed

    I believe in this latest IoT variant, the Python executable was executed via a .vbs script. On Win 10, this would allow for inspection of the script code by any AV vendor that uses AMSI.

    The question to be resolved is if AV vendors:

    1. Have behavior signatures to detect the Python code within the dropped Win .exe. I believe they do.

    2. Whether they would block on that factor alone is debatable, but it should be enough to at least trigger a cloud scan of the process.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Let's analyze PyInstaller since it appears to be a favorite among malware developers. You will see why at the end of this posting.

    PyInstaller offers two methods for delivering Python Win executables; folder or file:
    https://pythonhosted.org/PyInstaller/operating-mode.html

    It is somewhat obvious that if "Hiding the Source Code" is employed in a PyInstaller created download, conventional AV signature analysis is going to be a problem.

    -EDIT- Did a quick lookup on major AV vendors' detection of Python-based executables and it appears most do detect them. There was a 2015 posting in the Avast forum where someone was complaining that his program was being blocked although his script wasn't doing anything malicious. Appears the AVs are triggering on the loading of the Python bootloader components:

    ./PyInstaller/bootloader/YOUR_OS/run,
    ./PyInstaller/bootloader/YOUR_OS/run_d
    ./PyInstaller/bootloader/YOUR_OS/runw and
    ./PyInstaller/bootloader/YOUR_OS/runw_d
     
    Last edited: Jun 19, 2018
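    Since the posts above turn on whether a Python program packaged with PyInstaller can be recognised at all, here is an added triage helper (not code from the thread, from PyInstaller or from any AV vendor). It relies on one documented fact: the PyInstaller bootloader appends a CArchive "cookie" to the executable whose first eight bytes are the magic `MEI\014\013\012\013\016`. The field names, the Python-version heuristic, the `archive_start` computation and the sample bytes are assumptions made for this illustration; a real sample would be read with `scan_file()`.

```python
"""Triage helper for PyInstaller-packed executables (added example, not from
the thread or from PyInstaller). Documented fact used: the bootloader embeds a
CArchive cookie starting with the magic MEI\\014\\013\\012\\013\\016. Field
names, the version heuristic and the sample bytes are assumptions."""
import struct
from typing import Optional

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Big-endian cookie layouts: 2.0 used 24 bytes (magic, archive length, TOC
# offset, TOC length, Python version); 2.1+ appended a 64-byte Python DLL name.
COOKIE_V20 = struct.Struct("!8sIIii")
COOKIE_V21 = struct.Struct("!8sIIii64s")


def _decode_pyvers(pyvers: int) -> str:
    # Assumption: old bootloaders store major*10+minor (36), newer ones
    # major*100+minor (310) so that Python 3.10 and later fit the field.
    if pyvers >= 100:
        return f"{pyvers // 100}.{pyvers % 100}"
    return f"{pyvers // 10}.{pyvers % 10}"


def _result(layout, cookie_end, pkg_len, toc_off, toc_len, pyvers, pylib) -> dict:
    return {
        "layout": layout,
        "python_version": _decode_pyvers(pyvers),
        "pylib": pylib,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        # Assumption: pkg_len counts the archive from its first byte through the cookie.
        "archive_start": cookie_end - pkg_len,
    }


def find_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Parse the cookie if `data` carries a PyInstaller archive, else return None.

    The cookie sits at the tail of the archive, so the search runs from the end;
    this tolerates bytes appended after it (a code-signing blob, for example)."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0:
        return None
    if pos + COOKIE_V20.size > len(data):
        return {"layout": "magic only (cookie truncated)"}
    if pos + COOKIE_V21.size <= len(data):
        _, pkg_len, toc_off, toc_len, pyvers, pylib = COOKIE_V21.unpack_from(data, pos)
        name = pylib.split(b"\0", 1)[0]
        # A 2.1+ cookie names the Python DLL, e.g. b"python36.dll".
        if b"python" in name.lower():
            return _result("2.1+", pos + COOKIE_V21.size, pkg_len, toc_off,
                           toc_len, pyvers, name.decode("ascii", "replace"))
    _, pkg_len, toc_off, toc_len, pyvers = COOKIE_V20.unpack_from(data, pos)
    return _result("2.0", pos + COOKIE_V20.size, pkg_len, toc_off, toc_len, pyvers, None)


def scan_file(path: str) -> Optional[dict]:
    """Wrapper for a file on disk (not exercised by the constructed sample)."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


def build_sample() -> bytes:
    """Constructed stand-in for a packed binary: fake PE prefix, fake archive
    body, then a 2.1-style cookie claiming Python 3.6. No real malware involved."""
    prefix = b"MZ" + b"\x90" * 256
    toc = b"fake-toc"
    archive = b"\x00" * 128 + toc
    cookie = COOKIE_V21.pack(PYINSTALLER_MAGIC, len(archive) + COOKIE_V21.size,
                             128, len(toc), 36, b"python36.dll".ljust(64, b"\0"))
    return prefix + archive + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample()))
```

    Note that this only tells you a file was built with PyInstaller, which plenty of legitimate software is; the point for a defender is that the packaging is cheap to identify even when the embedded script is not, so a hit is a reason to look closer, not a verdict.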
  8. yeyo

    yeyo Registered Member

    Joined:
    May 25, 2018
    Posts:
    8
    Location:
    Greenwich Meridian
    The only thing that strikes me is this:
    It's pretty weird, given that modern security software uses kernel mode drivers and the only way to disable them is loading a kernel mode driver or exploiting a vulnerability that allows executing code in the Windows kernel.
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    ITMan- One would think that a vbs script vector would trigger alerts on Win10 no matter what it subsequently did. Sadly, this is not the case, as can be seen by the proliferation of the VB-coded H-worm. Also, one can make self-contained Python malware (normally a keylogger or other info stealer) quite simply that will cut through Security Solutions like a knife through soft butter.

    So the ineffectiveness of typical security to stop this malware should come as no surprise (there is a reason why Conficker, originally detected in 2008, is still a Clear and Present danger). This is what I have been screaming about for years, and sadly Vendors (and Pro AV Testing sites) prefer to ignore this protection lack.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Win 10 AMSI in-memory sandboxing only allows the AV vendors to inspect the script code after decryption and obfuscation prior to execution. If the script contained a Python based .exe and itself was heavily obfuscated as my prior posting shows is possible, it is doubtful the .exe would be stopped unless a positive sig. existed for it.

    Now let's talk about where the attacker was able to dump a copy of Python on the target device. Really not that hard to do since it just requires folder/directory creation and none of the contained binaries would be flagged as malicious. Now we are able to run Python scripts on the target device. Now for some "stealthy" malware deployment methods.

    Here's a good one - running a macro outside of a MS Office app: https://wellsr.com/vba/2015/excel/run-macro-without-opening-excel-using-vbscript/ . Next we can deploy our nasty Python script code from the macro: http://imagej.1557.x6.nabble.com/calling-python-script-from-macro-td5014952.html .

    Isn't Windows a wonderful platform for malware developers …………………..
     
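    The chain described in the post above (a VBScript host driving an Office macro that in turn launches a dropped Python interpreter) is exactly the kind of thing process-creation telemetry can catch even when no signature exists for the script. As an added example (not code from the thread, and not any vendor's rule), the following flags a Python interpreter that either runs from outside the usual install folders or sits beneath a Windows script host or Office application in the process tree. The record fields, the folder allow-list and the sample events are constructed assumptions shaped loosely after Sysmon process-creation data; tune the lists to your own estate.

```python
"""Added example (not from the thread): flag Python interpreters launched via
script-host/Office chains or from non-standard folders, over constructed
process-creation records. Field names and sample events are assumptions."""
import fnmatch
import ntpath
from typing import Dict, Iterable, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Where a sanctioned Python install normally lives (assumption; adjust per estate).
EXPECTED_PYTHON_DIRS = (
    r"c:\program files\python*\*",
    r"c:\program files (x86)\python*\*",
    r"c:\users\*\appdata\local\programs\python\*",
    r"c:\python*\*",
)
MAX_ANCESTORS = 4  # how far up the tree to look for a suspicious parent


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def _in_expected_dir(image: str) -> bool:
    path = image.lower()
    return any(fnmatch.fnmatchcase(path, pat) for pat in EXPECTED_PYTHON_DIRS)


def _ancestors(pid: int, by_pid: Dict[int, dict]) -> List[dict]:
    """Walk parent links (nearest first) for up to MAX_ANCESTORS hops."""
    chain: List[dict] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < MAX_ANCESTORS:
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def analyze(records: Iterable[dict]) -> List[dict]:
    """Return one finding per Python process that trips at least one rule."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for rec in by_pid.values():
        if _base(rec["image"]) not in PYTHON_IMAGES:
            continue
        reasons = []
        if not _in_expected_dir(rec["image"]):
            reasons.append("python interpreter outside expected install folders")
        names = [_base(a["image"]) for a in _ancestors(rec["pid"], by_pid)]
        if any(n in SCRIPT_HOSTS for n in names):
            reasons.append("launched beneath a Windows script host (wscript/cscript/mshta)")
        if any(n in OFFICE_APPS for n in names):
            reasons.append("launched beneath an Office application (macro-style chain)")
        if reasons:
            findings.append({"pid": rec["pid"], "image": rec["image"],
                             "chain": names, "reasons": reasons})
    return findings


# Constructed sample: one benign interpreter (pid 500) and one launched through
# wscript.exe -> EXCEL.EXE from a Temp folder (pid 430). Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 120, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 412, "ppid": 400, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 430, "ppid": 412, "image": r"C:\Users\alice\AppData\Local\Temp\py\python.exe"},
    {"pid": 500, "ppid": 120, "image": r"C:\Users\bob\AppData\Local\Programs\Python\Python36\python.exe"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["pid"], f["image"], "->", "; ".join(f["reasons"]))
```

    The folder rule on its own is noisy on developer machines, which is why the parent-chain rules are kept separate; a finding that trips both is the one worth an analyst's time.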
  11. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Well-Put my friend, Well-Put...
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Can you explain to me why AVs would not be able to block this? What's so special about this Python malware?

    I suspect Windows was created for this, in order to create a billion dollar IT security industry. It's ridiculous how many ways malware can attack a system.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Actually, it's a multi-billion dollar industry.

    And, you must have been reading my mind with your comment. Not only would virtually all the third-party AV vendors be out of business if Windows became "bullet proof", but Microsoft would get "dinged" profit-wise. It's rather obvious their corporate future revenue plans are relying heavily on their security offerings. Hum ….. that virtually guarantees Windows will never be patched/redeveloped into a secure version.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Don't get me wrong, M$ has done a lot to make Win 8 and 10 safer, but the underlying architecture is way too attractive for malware. Certain malware techniques should have never been possible.
     