ISC StormCast for Friday, October 16th 2020
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 16 October 2020
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello, welcome to the Friday, October 16th, 2020 edition of the SANS Internet Storm Center's Stormcast. |
| 0:08.0 | My name is Johannes Ullrich, and I'm recording from Jacksonville, Florida. |
| 0:13.0 | Xavier today is talking about an interesting obfuscation technique that he has spotted in a sample of a Python remote access tool that he found on VirusTotal. |
| 0:26.5 | It looks like this tool is, well, yet again, another sort of a red team exercise that he probably sort of came across here. |
| 0:34.1 | The tool itself loads actually, or contains as part of the code, bytecode that is then decompressed and fed to the marshal module. |
| 0:45.3 | That's a module that will actually then allow you to execute that bytecode. |
| 0:50.3 | Now the tricky part here is of course from a reverse analysis point of view, how do you |
| 0:56.0 | actually then decompile this bytecode? |
| 1:00.0 | Python is not, well, strictly speaking, compiled, but bytecode is sort of a somewhat compiled |
| 1:08.0 | representation of Python code. |
| 1:14.8 | Luckily, well, like there's the marshal module to actually read bytecode, we have the uncompyle module to actually do the opposite and |
| 1:20.8 | decompile the bytecode. |
| 1:24.0 | And with that, we get our Python code back, which was readable enough here in this case |
| 1:29.2 | for Xavier to do additional analysis on this particular malicious Python code tool. |
| 1:38.6 | Then of course we are still keeping an eye on the Bad Neighbor vulnerability, as it's often called now. That's CVE-2020-16898, |
| 1:46.5 | the Windows ICMPv6 router advertisement vulnerability. A couple more small details here. |
| 1:55.8 | No real sort of working exploit yet. And there's some reasons why it may be difficult to come by. |
| 2:02.6 | So first of all, again, this vulnerability has to be exploited on the local network, also to actually do remote code execution. |
| 2:09.6 | But according to a Rapid7 blog, it turns out you need also, and that's very typical because of various anti-exploit techniques that you find in |
| 2:20.4 | modern versions of Windows, you also need information leakage vulnerability to bypass some of |
| 2:27.7 | these techniques. While information leakage vulnerabilities are somewhat common in Windows, |
| 2:33.7 | nobody has sort of come forward yet that they actually got remote code execution, but there are a number of people that have stated they got the blue screen of death. |
... |

