Affected platforms: Python (all versions on any OS incl. Windows, Linux, Mac OS)
Severity: Medium (fake software packages, code execution of benign malware)
http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/
"Copies of several well known Python packages were published under slightly
modified names in the official Python package repository PyPI (prominent
examples include urllib vs. urrlib3, bzip vs. bzip2, etc.). These packages
contain the exact same code as their upstream package, thus their functionality
is the same, but the installation script, setup.py, is modified to include
malicious (but relatively benign) code.
List of fake package names:
– acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
– apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
– bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
– crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
– django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
– pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
– setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
– telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
– urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
– urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)
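A small audit script for a requirements list, added here as an example (it is not code from the advisory or from this thread): it flags names that exactly match the fake packages listed above, and names that are not on an allow-list but sit one edit away from an allow-listed name. KNOWN_FAKES is taken from the advisory; LEGIT is a constructed, illustrative allow-list that a real audit would replace with its own vetted dependency inventory.

```python
"""Flag PyPI requirement names that look like typosquats (added example)."""
import re

# Fake package names from the SK-CSIRT advisory above, PEP 503 normalised.
KNOWN_FAKES = {
    "acqusition", "apidev-coop", "bzip", "crypt", "django-server",
    "pwd", "setup-tools", "telnet", "urlib3", "urllib",
}
# Constructed allow-list for this demo only (not a complete or real inventory).
LEGIT = {"urllib3", "setuptools", "requests", "acquisition", "bz2file", "crypto"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute) by the usual DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def audit(requirements, max_distance: int = 1) -> dict:
    """Return {requested_name: reason} for every name worth a second look.

    A name is flagged when it is a known fake, or when it is absent from the
    allow-list yet within max_distance edits of an allow-listed name.
    """
    findings = {}
    for raw in requirements:
        name = normalize(raw)
        if name in KNOWN_FAKES:
            findings[raw] = "known fake package from the SK-CSIRT advisory"
        elif name not in LEGIT:
            near = sorted(l for l in LEGIT if edit_distance(name, l) <= max_distance)
            if near:
                findings[raw] = f"looks like a typo of {near[0]}"
    return findings


if __name__ == "__main__":
    # Constructed sample requirements file contents.
    for pkg, why in audit(["requests", "urrlib3", "Setup_Tools", "crypt"]).items():
        print(f"{pkg}: {why}")
```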
fake python libs in PyPi, maybe others
Re: fake python libs in PyPi, maybe others
Devs unknowingly use “malicious” modules snuck into official Python repository
https://arstechnica.com/information-tec ... epository/
"The incidents closely resemble an attack carried out last year in a research experiment by a college student in Germany. As part of his bachelor thesis, University of Hamburg student Nikolai Philipp Tschacher uploaded packages to PyPI and two other repositories. The packages used names that were similar to widely used packages already submitted by other users. They also contained code that tracked the developers. Over a span of several months, his imposter code was executed more than 45,000 times on more than 17,000 separate domains, and more than half the time his code was given all-powerful administrative rights. Two of the affected domains ended in .mil, an indication that people inside the US military had run his script."
Re: fake python libs in PyPi, maybe others
Sounds similar to, Backdoors on webshells.