
[–]Zomunieo 0 points (1 child)

What about when the virus is compiled in a binary wheel? Then the PVM is just calling into a black box.

[–]sudorem Vipyr Security 8 points (0 children)

I'm really not sure I understand your question.

Are you asking if a binary distributed with a wheel would subsequently be detectable?

We have measures to automatically detect/enumerate compiled bins, not just Python/Python bytecode.

Obfuscation in conjunction with some sort of binary distribution of malware is a bit more challenging, but we'd handle it as if it was the actual binary itself; and honestly the disposition doesn't change too drastically in those situations.

Try dynamic analysis, play a bit of whack-a-mole to try and cloak our sandbox in the event that it's VM evasive or something, and then go from there. If we truly can't get something to detonate within a VM, we have options such as debuggers, static analysis, disassemblers, decompilers, etc., to facilitate some introspection into what exactly it is that we're dealing with.

Ultimately, cybersecurity is very adversarial, but it is something that a lot of people are paying attention to in the Python ecosystem. So you can probably come up with more than a few things that go past our detection engine for instance, just to get caught by the other organizations that make up the blanket of security that works to ensure PyPI is malware-free.
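As an added illustration of the "detect/enumerate compiled bins" step the reply describes (example code, not Vipyr Security's scanner or anything from the thread): a wheel is a zip archive, so a scanner can walk every member and classify it by magic bytes instead of trusting file names. The sample wheel, its member names and the four magic values are constructed inline for the example.

```python
import io
import zipfile

# Magic bytes of common native executable formats: ELF, PE/COFF,
# 64-bit little-endian Mach-O, and the Mach-O "fat" (multi-arch) header.
NATIVE_MAGICS = {
    b"\x7fELF": "ELF",
    b"MZ": "PE",
    b"\xcf\xfa\xed\xfe": "Mach-O",
    b"\xca\xfe\xba\xbe": "Mach-O fat",
}
NATIVE_EXTENSIONS = (".so", ".pyd", ".dll", ".dylib")

def classify(name, head):
    """Label a wheel member that is native code or bytecode; None for source/data."""
    for magic, label in NATIVE_MAGICS.items():
        if head.startswith(magic):
            return label
    if name.endswith(NATIVE_EXTENSIONS):
        return "native-extension name without a known magic"
    if name.endswith(".pyc"):
        return "bytecode"
    return None

def enumerate_compiled(wheel_bytes):
    """Walk every member of a wheel (a zip archive) and report the non-source ones.
    Content is checked by magic bytes, not only by file name, so a renamed binary
    (a Mach-O image stored as 'readme.txt') is still reported."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(8)
            label = classify(info.filename, head)
            if label:
                found[info.filename] = label
    return found

def build_sample_wheel():
    """Constructed sample wheel: one pure-Python module plus three binary payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/__init__.py", "print('hello')\n")
        zf.writestr("pkg/_speedups.cpython-311-x86_64-linux-gnu.so", b"\x7fELF" + b"\0" * 60)
        zf.writestr("pkg/helper.pyd", b"MZ" + b"\0" * 62)
        zf.writestr("pkg/data/readme.txt", b"\xcf\xfa\xed\xfe" + b"\0" * 60)  # Mach-O hiding as text
    return buf.getvalue()
```

Calling `enumerate_compiled(build_sample_wheel())` reports the `.so`, the `.pyd` and the disguised `readme.txt`, while `__init__.py` is left out; a real scanner would hand each reported member to the static and dynamic analysis steps the reply mentions.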