@glyph a programming language where you couldn't write viruses doesn't sound likely to be useful for much of anything else
@glyph "To evade detection, we observed the use of legitimate services such as Telegram for command-and-control communications, obfuscated Python scripts, malicious DLLs being sideloaded, Python interpreter masquerading as a system process (i.e., svchost.exe), and the use of signed and living off the land binaries."
ah yes, python offers such boons to malware writers as dynamic linking DLLs
@glyph also what the hell is "living off the land binaries" did chat gpt write this drivel
EDIT: the term has been explained and no further commentary is necessary
@glyph I think it's more likely this is just a smear piece from microsoft to spread fud about a language more popular than C#, than some crime that python bears responsibility for
@aeva it’s a slightly odd use of the phrase, but “living off the land” is a term of art in infosec referring to reducing malware payload footprint and detectability, so an LOTL binary is just a preinstalled (usually scriptable in some way) thing that is already legitimately present in the target environment. not defending the overall quality of the writing but that part was legible to me :)
@aeva I do not think that python is responsible for a crime, but python’s use in malware is pretty common and has definitely been increasing in prevalence, this article was just a recent and high-profile example. like I said above, maybe nothing can really be done about this, but it is worth considering
@glyph this vague uncritical something must be done sentiment makes me nervous. python deployment doesn't need to be any harder than it already is 😭
@wuest @aeva okay let me be clearer here: I don't mean we need to make Python not turing-complete so it can't be weaponized, but it might be nice if the *community* developed a slightly more hostile attitude towards this usage. it's not like there aren't things that have *already* been done. PyPI scans for and rejects malicious packages so malware has a harder time using it as a distribution or C&C channel
@wuest @aeva to gesture at something further that maybe could happen which would move in this direction, drawing from my fantasy python feature league, would be to develop packaging tools which made legit Python binaries be sandboxed by default. right now because of its malware usage many AV scanners will falsely flag legit Python. but if legit Python could be privilege-limited by default, maybe those scanners could find signatures that wouldn't hit so many legit things
@wuest @aeva also like maybe we could just make python packaging really *good* so that python apps look more like regular binaries and thus malware would have less of a "oh it's Python" signature (hence false AV flags) and more of its own distinctive signature because every app would be more tool-legible. I definitely do not want to make deployment _harder_ somehow
@glyph @wuest I just assume windows defender is just the libel generator at this point. I remember someone reaching out to me because it flagged one of my itch demos (totally custom rendering experiment written in C# + an experimental build of SDL3 + plutosvg) as some random virus. Despite confidently falsely claiming that I had tried to dupe someone into downloading a virus, the person nevertheless remained calm, correctly assumed it was a false positive, notified me, and moved on.
@xgranade @glyph @wuest @aeva yea when you ask the question, "why does windows defender still exist in the face of demonstrably doing none of the things it is notionally intended to do?", that doesn't end up pointing at the windows defender development team, it ends up pointing at whoever in microsoft is responsible for its continued existence, and oh look there is no publicly available information about who that is or why they are doing anything. 1/2
@aeva @wuest not saying anyone does, the attitude towards this stuff *is* already pretty hostile. yet, the usage increases. so perhaps not hostile enough.
all I was trying to do here was to highlight this and say it's a thing more Python developers might want to be aware of and considering ways to discourage, not that Something Must Be Done Immediately. good work has already been done and continues to be done, but by a pretty tiny sliver of the community working in relative obscurity
@wuest @glyph something I remember from my brief stint writing Fintech Ruby for a fintech startup was that most malware these days is an organized crime thing. which kinda makes sense because old school computer viruses that were written by nerds had a kind of playful malice and not so much the "hold hospitals hostage and scam grandpa" stuff. the people doing it are most likely not in our orbit, and they're either doing it under duress or with a complete lack of scruples