Python malware is on the rise, with many low-level criminals switching to it for its ease of use, low barrier to entry, and the many libraries available to choose from. However, the most widely used tools for turning Python scripts into PE files also leave behind common signatures that tell us the file we've downloaded was once a Python script, which makes detecting potential malware much easier.
YARA is a great tool for writing detection rules, and it lets us detect Python-built executables with a high level of accuracy. Take the rule below: it trips on the metadata left behind by Py2EXE, which stores the script in a PE resource whose type name is "PYTHONSCRIPT". The pe module exposes that name as type_string in its UTF-16LE form, which is why the rule compares against the interleaved "\x00" bytes.
import "pe"

rule py2exe
{
    condition:
        for any i in (0 .. pe.number_of_resources - 1):
            (pe.resources[i].type_string == "P\x00Y\x00T\x00H\x00O\x00N\x00S\x00C\x00R\x00I\x00P\x00T\x00")
}
Similarly, we can detect the metadata left behind by PyInstaller, whose bootloader carries the option name "pyi-windows-manifest-filename" as a plain ASCII string.
import "pe"

rule pyinstaller
{
    strings:
        $a = "pyi-windows-manifest-filename"

    condition:
        pe.number_of_resources > 0 and $a
}
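To show what the two rules above are actually matching on, here is an added Python triage script (not from the original post) that applies the same indicators by plain byte scanning. It builds the py2exe pattern by UTF-16LE-encoding "PYTHONSCRIPT", so you can see how the "P\x00Y\x00..." form arises, and it looks for the PyInstaller bootloader string from the second rule. It goes slightly beyond the page by also checking for the magic bytes of PyInstaller's embedded archive, which is an assumption drawn from the PyInstaller bootloader format rather than from the post. It stands in for YARA's pe module with a minimal MZ/PE header check and does not walk the resource directory, so a hit is a triage lead to confirm with the real rules; the sample inputs are constructed stubs, not real binaries.

```python
"""Triage check for PE files that were built from Python scripts.

Added example, not from the original post. Mirrors the two YARA rules
with plain byte scanning instead of the pe module's resource walk.
"""
import struct

# Indicators taken from the two rules above.
PY2EXE_RESOURCE_TYPE = "PYTHONSCRIPT".encode("utf-16-le")   # == b"P\x00Y\x00T\x00..."
PYINSTALLER_BOOTLOADER_STRING = b"pyi-windows-manifest-filename"
# Assumption beyond the page: magic of the CArchive that PyInstaller appends
# to its bootloader. Treat as an extra, weaker hint.
PYINSTALLER_ARCHIVE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def is_pe(data: bytes) -> bool:
    """Cheap stand-in for the `pe` module guard: MZ header plus PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> list:
    """Return the names of the matching indicators, in the order of the rules."""
    if not is_pe(data):
        return []
    hits = []
    if PY2EXE_RESOURCE_TYPE in data:
        hits.append("py2exe")
    if PYINSTALLER_BOOTLOADER_STRING in data or PYINSTALLER_ARCHIVE_MAGIC in data:
        hits.append("pyinstaller")
    return hits


def fake_pe(payload: bytes) -> bytes:
    """Constructed, non-executable stub with a valid MZ/PE layout for the demo."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    return bytes(header) + b"PE\x00\x00" + payload


if __name__ == "__main__":
    # Constructed samples, not real malware.
    samples = {
        "py2exe-like": fake_pe(b"\x00" * 16 + PY2EXE_RESOURCE_TYPE + b"\x00" * 16),
        "pyinstaller-like": fake_pe(b"..." + PYINSTALLER_BOOTLOADER_STRING + b"..."),
        "plain-pe": fake_pe(b"nothing to see here"),
        "not-a-pe": b"#!/usr/bin/env python3\nprint('hi')\n",
    }
    for name, blob in samples.items():
        print(f"{name:18s} -> {classify(blob) or ['no match']}")
```

Run it on a real file with `classify(open(path, "rb").read())`; because it scans the whole file rather than the resource tree, a match tells you to run the YARA rules, not that the verdict is final.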