PT PyAnalysis

Product
Developers: Positive Technologies
Date of the premiere of the system: 2022/12/23
Technology: TMS - Test Management System, IS - Antiviruses

PT PyAnalysis is a service for detecting suspicious and malicious Python packages in development pipelines.

2022: Collection of requests for early access to the service

Positive Technologies created the PT PyAnalysis tool to identify suspicious and malicious Python packages and opened applications for early access to the service. Since most developers use Python packages, they need to study their external dependencies carefully and embed a mechanism for analysing them into the development process. In an eight-month study of the PyPI repository, the company's experts found 175 malicious packages, some of which had been there since 2018. Positive Technologies announced this on December 23, 2022.


Positive Technologies experts found the following types of malware, or traces of it, in the discovered packages:

  • stealers - malware that steals user passwords (63%);
  • backdoors - software that lets attackers covertly control the victim's device remotely (20%);
  • loaders - used to download further malware onto the victim's computer (6%);
  • activity unwanted by the user, for example annoying notifications or deleting a Telegram account (8%);
  • proof-of-concept malware with no malicious activity, destructive actions or theft (2%);
  • ransomware (1%).

Developers pull packages into their software, which gives an attacker a way to reach the users of that software. The study found that a malicious package stays in the repository for 13 days on average before it is removed, which is enough time to infect a user's computer. Most often the packages are disguised as legitimate ones and used to steal data.

Anyone can register a package under an unused name on pypi.org. The administrators have Malware Checks, but its detection rules are part of the project's open source code, and they are easy to bypass. The system itself does not block anything: alerts are e-mailed to the administrators, who then review the package code and decide whether to block it.

Attackers use various techniques involving the compromise of developers, imitation of legitimate packages and obfuscation. Over time, their actions become more effective and harder to notice. Building a full-fledged system of protection against such threats requires experts in malicious code analysis.

The distinguishing feature of Positive Technologies' PT PyAnalysis system is automation: through its API, users send the name of a Python package for verification and receive an assessment of its danger (clean, suspicious or malicious). No expertise in malicious code analysis is required. The system not only gives a clear verdict but also explains why a given package is malicious.
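As an added illustration of embedding such a verdict check into a development pipeline (example code written for this page, not Positive Technologies' code), the script below parses a requirements file, asks a verdict service for each package name and fails the build on a "malicious" verdict. The page does not document the PT PyAnalysis API, so the endpoint, request body and JSON response shape in `query_verdict` are assumptions; the `lookup` parameter lets the gate run offline against a stub.

```python
"""Gate a requirements.txt on per-package verdicts (clean / suspicious / malicious).
Assumed, not from the page: the URL, the {"package": name} request body and the
{"verdict": ..., "reason": ...} response used by query_verdict."""
import json
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

VERDICT_URL = "https://example.invalid/pyanalysis/check"  # placeholder endpoint

# Project name at the start of a requirements line (PEP 508 style).
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_requirements(text: str) -> List[str]:
    """Return PEP 503-normalised package names from requirements.txt content."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and pip options (-r, -e, ...)
            continue
        m = _NAME_RE.match(line)
        if m:
            # lower-case and collapse runs of '-', '_' and '.' into a single dash
            names.append(re.sub(r"[-_.]+", "-", m.group(1)).lower())
    return names


def query_verdict(name: str) -> Dict[str, str]:
    """Hypothetical client: POST the package name, expect a JSON verdict object."""
    req = urllib.request.Request(
        VERDICT_URL, data=json.dumps({"package": name}).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def gate(text: str, lookup: Callable[[str], Dict[str, str]] = query_verdict) -> Tuple[bool, List[str]]:
    """Return (ok, findings): 'malicious' fails the build, 'suspicious' is only reported."""
    ok, findings = True, []
    for name in parse_requirements(text):
        result = lookup(name)
        verdict = result.get("verdict", "unknown")
        if verdict == "malicious":
            ok = False
        if verdict != "clean":
            findings.append(f"{name}: {verdict} ({result.get('reason', 'no reason given')})")
    return ok, findings


if __name__ == "__main__":
    # Constructed sample input and a stub verdict source, so this runs offline.
    sample = "requests==2.31.0\nReQuests_Helper  # constructed name\n-r other.txt\n"
    stub = lambda n: {"requests-helper": {"verdict": "suspicious", "reason": "constructed"}}.get(n, {"verdict": "clean"})
    print(gate(sample, stub))
```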

"When a developer downloads a package into his software, he does not suspect that it is infected and the attacker gets the opportunity to attack users of this software. That is why our system for checking Python packages from the PyPI repository works according to the as-a-service model: everyone can test it in their secure development process. During the testing phase, use of this system will be free. We expect Python developers and secure development specialists to evaluate PT PyAnalysis and share their comments with us so that we can improve this service and make it convenient for everyone," said Maxim Dolginin, Head of Cyber Threat Data Development, Positive Technologies.

You can leave a request for access to the service on the PT PyAnalysis page.