[python-uk] Reviewing third-party packages

S Walker walker_s at hotmail.co.uk
Thu Jul 27 10:25:07 EDT 2017


Exactly my point, yes- especially if one were to make a framework designed to easily analyse such things (when it becomes much easier for the malware because it for instance could just check whether the framework is in the current env (as a super-trivial example- but any framework that is easy to run is likely to be easy to adapt to for this sort of code)).

It'd certainly be feasible to check for outgoing calls though, at least for relatively simple cases (on-import, when calling with particular args), but I think the licensing, etc. issues are probably easier to solve-ish and maintain, so probably a better starting point. This is just a gut feeling though- I've done this stuff manually in the past when I've needed to.

Thanks,
S

On 27/07/17 14:41, Mike Eriksson wrote:


On Thu, Jul 27, 2017 at 2:39 PM Andy Robinson <andy at reportlab.com> wrote:
On 27 July 2017 at 15:33, S Walker <walker_s at hotmail.co.uk> wrote:
> I suspect malicious phone-home (and other deliberately malicious security)
> stuff would be very difficult to automatically test for

Presumably you want to spy on outbound network activity from your test
machine, rather than analysing code?


That is if they haven't written their code so it is aware of the characteristics of 'malware analytics environments'. Basically it's dormant if it thinks it is being observed. Something which is very common these days. At least at the cutting edge of such things.

Cheers, Mike



_______________________________________________
python-uk mailing list
python-uk at python.org
https://mail.python.org/mailman/listinfo/python-uk
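A crude version of the on-import check the thread talks about, added here as an example (not code from the list or from any project): it intercepts socket connect calls while a module's top-level code runs, logs and refuses each attempt, then restores the originals. The module name `suspicious_pkg` and its source are constructed for the demo, and, as Mike's point implies, code that looks for this hook before phoning home will simply stay dormant.

```python
import importlib
import os
import socket
import sys
import tempfile
import textwrap

class OutboundBlocked(Exception):
    """Raised inside the watched code so that no packet actually leaves."""

def run_under_network_watch(action):
    """Run action() with socket connects intercepted; return the (host, port)s it tried."""
    attempts = []
    originals = (socket.socket.connect, socket.socket.connect_ex, socket.create_connection)

    def refuse(address):
        host, port = (address[0], address[1]) if isinstance(address, tuple) else (str(address), None)
        attempts.append((host, port))
        raise OutboundBlocked(f"blocked outbound connection to {host}:{port}")

    # socket.socket is a Python class, so its methods can be replaced for every instance
    socket.socket.connect = lambda self, address: refuse(address)
    socket.socket.connect_ex = lambda self, address: refuse(address)
    socket.create_connection = lambda address, *a, **kw: refuse(address)
    try:
        action()
    except OutboundBlocked:
        pass  # the code died at its first phone-home; the attempt is already logged
    finally:
        socket.socket.connect, socket.socket.connect_ex, socket.create_connection = originals
    return attempts

def import_under_watch(module_name):
    """On-import check: connection attempts made while module_name's top-level code runs."""
    sys.modules.pop(module_name, None)  # make sure the top-level code really executes
    return run_under_network_watch(lambda: importlib.import_module(module_name))

# Constructed sample (hypothetical package, not on PyPI): phones home at import time
# and swallows the error so the import still appears to succeed.
SAMPLE_SOURCE = textwrap.dedent("""
    import socket
    try:
        socket.socket().connect(("phone-home.invalid", 443))
    except Exception:
        pass
    VERSION = "1.0"
""")

def demo():
    """Write the sample module to a temp dir, import it under watch, return the attempts."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "suspicious_pkg.py"), "w") as f:
        f.write(SAMPLE_SOURCE)
    sys.path.insert(0, tmp)
    try:
        return import_under_watch("suspicious_pkg")  # -> [("phone-home.invalid", 443)]
    finally:
        sys.path.remove(tmp)
```

Code that calls `_socket.socket` directly or uses a non-Python networking library bypasses this hook, which is why watching the test machine's actual outbound traffic, as Andy suggests, catches more.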

