Hello and welcome to the Wednesday, October 19th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

So we here today looked at a technique used to obfuscate malicious Python scripts, and well, that particular

obfuscator is actually available as a web page. You just copy, paste your Python code and

get the obfuscated script back. The technique overall is pretty simple and straightforward,

and I've seen actually very similar stuff also in

JavaScript. The obfuscated Python script uses a number of eval statements that then

decode a hex-encoded version of the script, and then base 64 decoded.

Xavier tested a couple of malicious scripts to see how the simple and obfuscated version scored in virus total.

As expected, virus total detection rates dropped quite a bit for the obfuscated version.

So with a little effort, a simple copy paste to a web page, an attacker is able to bypass a good number of anti-maliver tools.

Personally, I think there's actually sort of an opportunity here for a somewhat more holistic signature,

given that the obfuscated scripts consist mostly of eval statements.

Eval statements, they happen, but they shouldn't really dominate your script like that.

And Oracle, as expected, dropped its quarterly critical patch update today, and as also expected, there are too many products and vulnerabilities covered to really

discuss them here at any lengths.

370 vulnerabilities are addressed and looks like something like 110 or 120

different product families.

So per product, it's actually not that bad.

It's about three vulnerabilities product.

I looked at sort of what the highest TWSS scores,

where they were a good number of vulnerabilities with a score of 9.8.

...