Analysis by Poul Jenson and Masaki Suenega

Spotted by Karthik Selvaraj

Here at Symantec Security Response we have discovered Python.Pytroj, a proof-of-concept virus that infects .pyc files with arbitrary code.

In case you are unfamiliar with Python here is a brief description. Python is a programming language which can run on most major operating systems. Python scripts have the extension .py and, once executed, create .pyc files—Python compiled files.

So a quick test to see how it works!

We can see in the screenshot below that we have three files:

exploit.py b.py c.py

When we import the files via the “python –c” command the files are interpreted, run, and the .pyc files are generated.

These .pyc files are what Python.Pytroj targets during infection.

In the next stage we run exploit.pyc, the infection stage.

This modifies the .pyc files and outputs “You have been exploited”.

If we examine the before and after files for b.pyc we can see clearly the file has been infected.

Before:



We can see the “Original” string which the file will print to the screen.

After:



We can still see the “Original” string just before the marker in the red box.

Now for the techie part. The .pyc files are deserialized using the marshal module of Python, disassembled, and then the viral source code is inserted into the dissassembled source. It is then reassembled and serialized using the marshal module once again. The malicious code in the binary is not simply added or inserted, but interleaved into the existing binary.

This proof-of-concept isn’t considered a serious risk; however, it is a novel method of infection and something we’ll need to pay close attention to, should it be used with a more dangerous payload!

For now, this is the first we’ve seen of such threats, and our antivirus products detect this as Python.Pytroj.