Packages downloaded thousands of times targeted people working on sensitive projects:
Highly invasive malware targeting software developers is once again circulating in Trojanized code libraries, with the latest ones downloaded thousands of times in the last eight months, researchers said Wednesday.
Since January, eight separate developer tools have contained hidden payloads with various nefarious capabilities, security firm Checkmarx reported. The most recent one was released last month under the name "pyobfgood." Like the seven packages that preceded it, pyobfgood posed as a legitimate obfuscation tool that developers could use to deter reverse engineering and tampering with their code. Once executed, it installed a payload, giving the attacker almost complete control of the developer's machine. [...]
All eight tools used the string "pyobf" as the first five characters in an attempt to mimic genuine obfuscator tools such as pyobf2 and pyobfuscator. The other seven packages were:
- Pyobftoexe
- Pyobfusfile
- Pyobfexecute
- Pyobfpremium
- Pyobflight
- Pyobfadvance
- Pyobfuse
While Checkmarx focused primarily on pyobfgood, the company provided a release timeline for all eight of them.
Pyobfgood installed bot functionality that worked with a Discord server identified with the string:
MTE2NTc2MDM5MjY5NDM1NDA2MA.GRSNK7.OHxJIpJoZxopWpFS3zy5v2g7k2vyiufQ183Lo
There was no indication of anything amiss on the infected computer. Behind the scenes, however, the malicious payload was not only intruding into some of the developer's most private moments, but silently mocking the developer in source code comments at the same time. Checkmarx explained:
The Discord bot includes a specific command to control the computer's camera. It achieves this by discreetly downloading a zip file from a remote server, extracting its contents, and running an application called WebCamImageSave.exe. This allows the bot to secretly capture a photo using the webcam. The resulting image is then sent back to the Discord channel, without leaving any evidence of its presence after deleting the downloaded files.
Among these malicious functions, the bot's malicious humor emerges through messages that ridicule the imminent destruction of the compromised machine. "Your computer is going to start burning, good luck. :)" and "Your computer is going to die now, good luck getting it back :)"
But hey, at least there is a smiley at the end of these messages.
These messages not only highlight the malicious intent but also the audacity of the attackers.
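The naming trick described above (an obfuscator-sounding name that starts with "pyobf") is simple to check for from the defending side. The following is an added example, not code from the article, from Checkmarx, or from any of the packages named: it reads a pip requirements file, flags the eight package names listed above as known-bad, and flags other names that either share the "pyobf" prefix or sit within two edits of the genuine pyobf2 / pyobfuscator. The sample requirements text is constructed for the demonstration.

```python
"""Scan a pip requirements file for the Trojanized "pyobf*" packages the
article lists and for other look-alikes of genuine obfuscator tools.

Added example: not from the article or Checkmarx. The malicious names are
the eight from the article; the legitimate names are the two it mentions.
"""
import re

# The eight Trojanized packages named in the article (lowercased).
KNOWN_MALICIOUS = {
    "pyobfgood", "pyobftoexe", "pyobfusfile", "pyobfexecute",
    "pyobfpremium", "pyobflight", "pyobfadvance", "pyobfuse",
}

# Genuine obfuscators the article says the malicious packages imitated.
LEGITIMATE = {"pyobf2", "pyobfuscator"}

# Prefix the article says all eight packages shared.
SUSPICIOUS_PREFIX = "pyobf"

_SEPARATORS = re.compile(r"[-_.]+")
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """Normalize a distribution name the way pip/PyPI do (PEP 503)."""
    return _SEPARATORS.sub("-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def requirement_names(text: str) -> list[str]:
    """Extract the bare, normalized package name from each requirement line.

    Blank lines, comments and option lines (e.g. "-r other.txt") are skipped.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_NAME.match(line)
        if match:
            names.append(normalize(match.group(1)))
    return names


def classify(name: str) -> str:
    """Return 'malicious', 'suspicious' or 'ok' for one package name."""
    n = normalize(name)
    if n in KNOWN_MALICIOUS:
        return "malicious"
    if n in LEGITIMATE:
        return "ok"
    if n.startswith(SUSPICIOUS_PREFIX):
        return "suspicious"  # same prefix trick as the eight, but not a known tool
    if any(edit_distance(n, legit) <= 2 for legit in LEGITIMATE):
        return "suspicious"  # a close misspelling of a genuine tool
    return "ok"


def scan(text: str) -> dict[str, str]:
    """Map every requirement name in the file text to its verdict."""
    return {name: classify(name) for name in requirement_names(text)}


# Constructed sample input: one genuine tool, one of the eight, two look-alikes.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
pyobfuscator            # genuine tool named in the article
PyObfGood>=1.0          # one of the eight Trojanized packages
pyobf-premium           # shares the "pyobf" prefix
py0bfuscator            # one edit away from pyobfuscator
"""

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_REQUIREMENTS).items():
        print(f"{verdict:10} {name}")
```

Running the file prints one verdict per line; in a CI job the same `scan()` result can be turned into a failing build whenever any name is not "ok". The exact-match list catches only what is already known, which is why the prefix and edit-distance checks are there: they are what would have flagged the next "pyobf" lookalike before it had a name on anyone's list.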
(Score: 3, Insightful) by looorg on Wednesday November 15, @02:51PM (1 child)
Must be some kind of development irony, installs tool for obfuscation and gets malware. Didn't they read the source code or was it so obfuscated they couldn't read it? Of course they didn't read it. Let's not be silly here. Trust is everything ...
So what was it using the webcam photo for? The Lolz?
(Score: 3, Interesting) by VanessaE on Wednesday November 15, @03:15PM
Yeah as far as I'm concerned, any developer who uses such tools deserves to have their asses handed to them, as do the people who make those tools. If you're so desperate to hide your source code, then Python is not for you. Pick a regular compiled language, only distribute the binaries, and use a license that's fit for the purpose.
(Score: 2) by ikanreed on Wednesday November 15, @03:14PM
A fairly benign hot take, but code obfuscation is both security-through-obscurity and directly hostile to the ideals of open source. I'm not surprised the people using it have lax security standards to target.