Dionysis asked me whether I could help him with a simple Python script he was working on. He claimed he was trying to recover the plaintext from a ciphertext, but he was getting a weird runtime error message.
He gave me a gist with the script and wanted to know if I could see something he was missing. He suggested I run the script and see the message myself.
I told him that I would test it the next day, since it was a bit late at night at the time. I was already suspicious, so I wanted to create a Docker container to test it in first.
The next day, I looked at the script, but I couldn't find anything malicious, so I decided to run it.
At first, I got the following error because a module was missing:
Traceback (most recent call last):
File "get-ciphertext.py", line 1, in <module>
from monkeypatcher import patch
ImportError: No module named monkeypatcher
The module's name (monkeypatcher) was bugging me, so I googled it. The search led me to the page for monkeypatch rather than monkeypatcher. But I thought it was probably just some developer giving inconsistent names, and decided to install the module!
Running the script failed, of course (thankfully), since I was inside a Docker container:
Traceback (most recent call last):
File "get-ciphertext.py", line 10, in <module>
interceptor, recv_original = patch.intercept((socket, 'recv'))
File "/usr/local/lib/python2.7/dist-packages/monkeypatcher/patch.py", line 6, in intercept
with open(os.path.expanduser('~/.bounty')) as fileinput:
IOError: [Errno 2] No such file or directory: '/root/.bounty'
Although I was suspicious from the start, and although I saw an inconsistency in the names, I went ahead and installed the malicious module. What saved me was that I was running inside an isolated container.
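The name mismatch above is the kind of thing worth catching before anything gets installed. The script below is an added example, not part of the original post or of any project it mentions: it statically lists the top-level imports of an untrusted script (without executing it) and flags names that are neither standard-library modules nor on a reviewer's allowlist, calling out near-misses of allowlisted names. The allowlist and the sample script are constructed for illustration.

```python
import ast
import sys

# Constructed allowlist a reviewer might maintain; "monkeypatch" is the
# real name that "monkeypatcher" resembled in the post.
KNOWN_PACKAGES = {"requests", "cryptography", "monkeypatch"}

# Python 3.10+ ships the stdlib module list; the small fallback set keeps the
# example runnable on older interpreters (assumption, not a complete list).
STDLIB = frozenset(getattr(sys, "stdlib_module_names", ())) | {"os", "socket", "sys"}


def top_level_imports(source):
    """Return top-level module names imported by `source`, via the AST only."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquat-style near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_imports(source, known=KNOWN_PACKAGES, max_distance=2):
    """Classify each import as stdlib, known, a near-miss of a known name, or unknown."""
    report = {}
    for name in sorted(top_level_imports(source)):
        if name in STDLIB:
            report[name] = "stdlib"
        elif name in known:
            report[name] = "known"
        else:
            close = sorted(k for k in known if edit_distance(name, k) <= max_distance)
            report[name] = "near-miss of %s" % close[0] if close else "unknown"
    return report


# Constructed sample mirroring the script from the post (first line and the
# socket import it needed); nothing here is executed, only parsed.
SAMPLE_SCRIPT = "from monkeypatcher import patch\nimport socket\nimport os\n"

if __name__ == "__main__":
    for module, verdict in review_imports(SAMPLE_SCRIPT).items():
        print("%-15s %s" % (module, verdict))
```

A "near-miss" or "unknown" verdict is the cue to look the package up and read its source before running pip install, rather than assuming an inconsistent name.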