Python Obfuscation and Evasion Techniques

Presented at Kernelcon 2019, April 5, 2019, 3:20 p.m. (20 minutes)

Python was designed for rapid development and ease of use, which allows complex tasks to be completed much faster than in its counterparts. However, by the nature of the language, it can be reverse engineered much faster than a compiled language. This limits the language's potential to be used for developing malware and other nefarious tools. We have surveyed current obfuscation and anti-reversing techniques available to harden Python code. We propose that implementing the most advanced and effective obfuscation techniques requires too much effort for adversaries at this time, but that situation may rapidly change as frameworks and tools evolve. Our presentation will discuss obfuscation techniques currently seen in the wild and available to adversaries, as well as more advanced techniques that malware analysts should be prepared for in the future.


Presenters:

  • Nick Beede - MITRE
    Nick is a security professional based in the Washington, DC area. He spends most of his time reverse engineering malware and developing new ways to improve digital forensics. Nick graduated from the University of Nebraska at Omaha in 2013, and when he's not staring at assembly, you can find him climbing up or snowboarding down any mountain he can find.
