Hello and welcome to the Wednesday, November 20th, 24 edition of the Santernet Storm Center's

Stormcast. My name is Johannes Orich and I'm recording from Singapore. In diaries today, we have

Xavier looking at, well, some recent Python mal malware that he found.

This particular Python malware is unique in a couple of ways.

First of all, it runs in Windows and Linux, and then it attempts to detect whether or not it's

running in a debugger in both operating systems.

In Windows, there are a couple standard ways of doing that.

The particular malware here is using the Microsoft API call is debugger present, which is made

available in Python via the respective C-types WinDL-DL, Colonel 32 Library.

In Linux, well, there is no rules of quick standard way like this, but of course you can

still detect whether or not you are running inside a debugger.

The particular methodology that's being used by this script is to check the Proxelph status file. It does include a line with a tracer PID. This is not zero

if the program is running inside S-Trades, which of course is a common tool used in order to reverse

software like this. Beyond that, it's not clear what this particular malware is doing.

Xavier is still analyzing it.

The particular bytecode that is being used here doesn't quite appear to work.

Could still be some malware under development.

The virus total score is pretty low with 2 out of 64.

Last week, Palo Alto did publish this advisory that I've mentioned before that hinted that there is exploit going around for at that point unknown vulnerability.

And Palo Alto did recommend isolating the admin interface.

Well, we now have more details from Palo Alto and also patches.

There are two distinct vulnerabilities, the one is an authentication bypass vulnerability in PanOS that does allow unauthenticated attackers to gain administrator

...