Pytroj

Pytroj is a proof of concept attack against .pyc files. It searches for other .pyc files and injects itself into them. The injected code can be any python code (in this case it prints "You have been exploited").

This proof of concept only searches for .pyc files in its own directory. To use it:

 python -c 'import exploit, b, c'
 python exploit.pyc

The files b.pyc and c.pyc will now be infected. If you create another .pyc file (for example, python -c 'import byteplay') and run either b.pyc or c.pyc, the new file will also get infected.

Another way to run an infected file is to import it once the .pyc file exists:

 python -c 'import b'

The infected files print out a list of files that they have newly infected, followed by the phrase "You have been exploited"

After that, infected programs will continue to execute as normal.

Slides are here

On the web

• [Symantec - python has venom.] (http://www.symantec.com/connect/blogs/python-has-venom)
• [Hackernews] (http://news.ycombinator.com/item?id=3039439)
• [Jacob's Tips for Virus Removal] (http://jacoblol75.blog.com/2011/10/09/simple-ways-to-get-rid-of-python-pytroj/)
• [Packet strom] (http://packetstormsecurity.org/files/105385/Pytroj-Tool-Python-Injector.html)

For help, questions, or comments, feel free to contact us:

Joey Geralnik, Leon Fedotov, Itzik Kotler