Zachary Ware added the comment:

> But in that case, why hook into exec? The malware author can execute
> arbitrary Python so doesn't *need* exec.
As I understand it, the malware is distributed in encrypted form (probably encrypted differently each time it propagates) so as to be given a green light by anti-malware software, then decrypted and run via exec so that the bad code is never actually on disk, and thus never scanned. Yes, the attacker can run arbitrary Python code, but if he just distributed the code in plain text, it could be detected and blocked. The unpacking code is simple and generic enough that it can't be blocked.

As far as actually enabling AMSI, I'm +0. I don't understand it well enough to be +1, and I share Paul's concerns about startup overhead. I'm also unsure that AMSI actually affords any protection: what's to stop the attacker from distributing their own interpreter that just doesn't use AMSI?

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26137>
_______________________________________
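As an added illustration of the "hook into exec" mechanism the comment discusses (code written for this page, not taken from the tracker issue, from CPython, or from any AMSI integration): a CPython 3.8+ audit hook (PEP 578, `sys.addaudithook`) records every code object the interpreter hands to exec(), beside a constructed loader that keeps only an encoded blob on disk and decodes it in memory. The XOR step, the keys and the payload string are constructed stand-ins for the per-copy encryption the comment describes, not anything the thread itself contains.

```python
import base64
import sys

# Every code object the interpreter hands to exec()/eval(), as seen by a PEP 578
# audit hook (CPython 3.8+). Hooks cannot be removed once installed, so the log
# lives at module level for the life of the process.
EXEC_LOG = []


def _audit_hook(event, args):
    # The "exec" event carries the code object about to run. Code compiled from
    # an in-memory string (the decrypt-then-exec loader pattern) has
    # co_filename "<string>"; code imported from a file carries its real path.
    if event == "exec":
        code = args[0]
        EXEC_LOG.append({
            "filename": code.co_filename,
            "names": sorted(code.co_names),
        })


sys.addaudithook(_audit_hook)

# Constructed, benign stand-in for the payload; real malware would carry
# arbitrary code here.
PAYLOAD = "RESULT = 6 * 7\n"


def _xor(data: bytes, key: bytes) -> bytes:
    # XOR with a repeating key: a deliberately trivial stand-in for the
    # per-copy encryption the post describes, not a real cipher.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: str, key: bytes) -> bytes:
    # Producer side: the bytes that land on disk. Different key, different bytes,
    # so a signature written against one blob never matches the next copy.
    return base64.b64encode(_xor(payload.encode(), key))


def unpack_and_run(blob: bytes, key: bytes) -> dict:
    # Consumer side: the generic loader. Plaintext exists only in memory, and the
    # exec() call is the one point where the interpreter itself must see it.
    src = _xor(base64.b64decode(blob), key).decode()
    namespace = {}
    exec(src, namespace)  # the audit hook fires here with the compiled code object
    return namespace


def string_exec_events() -> list:
    # What a defender-side hook can act on: exec of code that never had a file.
    return [e for e in EXEC_LOG if e["filename"] == "<string>"]


def run_demo() -> dict:
    key_a, key_b = b"\x13\x37\x42", b"\xde\xad\xbe\xef"  # constructed per-copy keys
    blob_a, blob_b = pack(PAYLOAD, key_a), pack(PAYLOAD, key_b)
    already_seen = len(string_exec_events())
    namespace = unpack_and_run(blob_a, key_a)
    new_events = string_exec_events()[already_seen:]
    return {
        # same payload, different on-disk bytes
        "blobs_differ": blob_a != blob_b,
        # the payload really ran
        "result": namespace["RESULT"],
        # the hook saw the decoded code (its global names) despite the encoding on disk
        "hook_saw_payload": len(new_events) == 1 and "RESULT" in new_events[0]["names"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The hook sees the code object regardless of how the bytes were encoded on disk, which is why an exec-time hook is a different proposition from scanning files. It also does nothing at all if the payload runs under an interpreter that never installs it, which is the same limitation the comment raises for AMSI. Note that PEP 578 hooks cannot be removed once added, so install them once, early, and keep the hook body cheap.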