Why would it occur to someone to write malware in Python? We will do this to learn the general principles of malware engineering, while at the same time you will practice using this language and be able to apply the knowledge gained in other purposes. In addition, malware in Python still comes across in the wild, and not all antiviruses pay attention to it.
Most often, Python is used to create backdoors in software in order to download and execute any code on an infected machine. So, in 2017, Dr.Web employees discovered Python.BackDoor.33, and on May 8, 2019, Mac.BackDoor.Siggen.20 was noticed. Another trojan, RAT Python, stole user data from infected devices and used Telegram as a data transfer channel.
We will create three demo programs: a locker that will block access to the computer until the user enters the correct password, an encryptor that will bypass directories and encrypt all files in them, and a virus that will spread its code, infecting other programs in python.
How to write a locker, ransomware, and virus in Python
Despite the fact that our creations do not pretend to be of any high technical level, they can be dangerous under certain conditions. Therefore, I warn you that for the violation of the operation of other people's computers and the destruction of information, severe punishment may follow. Let's agree right away: you will only run everything that we describe here on your own machine, and even then carefully so as not to accidentally encrypt the entire disk for yourself.
Setting up the environment
So, first of all, of course, we need Python itself, and the third version. I will not describe in detail how to install it, and I will immediately send you to download the free book "Python Bite" ( PDF ). In it you will find the answer to this and many other questions related to Python.
Additionally, we will install several modules that we will use:
At this preparatory stage is over, you can start writing code.
Creating a locker
The idea is to create a full-screen window and prevent the user from closing it.
Import libraries:
Now let's get to the main part of the program.
Here
— the protection that is activated when the cursor moves to the upper left corner of the screen. When it is triggered, the program closes. We don't need it, so we disable this function.
In order for our locker to work on any monitor with any resolution, we read the width and height of the screen and use a simple formula to calculate where the cursor will go, click, and so on. In our case, the cursor enters the center of the screen, that is, we divide the width and height by two. A pause (sleep) will be added so that the user can enter a code to cancel.
Now we have not blocked text input, but we can do this, and then the user will not get rid of us. Let's write some more code for this. I don't recommend doing it right away. First, let's set up the program so that it turns off when you enter your password. But the code to block the keyboard and mouse looks like this:
Let's create a function to enter the key:
Everything is simple here. If the key is not the one we set, the program continues to work. If the passwords match, we slow down.
The last function that is needed for the pest window to work:
On this, our impromptu locker is ready.
Creating
a ransomware We will write this virus using only one third-party library - pyAesCrypt. The idea is to encrypt all files in the specified directory and all directories below. This is an important limitation that allows you not to break the operating system. For work, we will create two files - an encoder and a decoder. After work, executable files will be self-deleted.
First, we ask for the path to the attacked directory and the password for encryption and decryption:
Next, we will generate scripts for encryption and decryption. It looks something like this:
Let's move on to the files that we will use as templates. Let's start with the encoder. We need two standard libraries:
We write the encryption function (everything according to the pyAesCrypt manual):
Instead str(password), the script generator will insert a password.
Important nuances. We will encrypt and decrypt using a buffer, so we will get rid of the file size limit (at least significantly reduce this limit). The os.remove(file) call is needed to remove the original file, since we are copying the file and encrypting the copy. You can choose to copy the file instead of deleting it.
Now a function that bypasses folders. There is nothing complicated here either.
At the end, add two more lines. One to start the bypass, the second to self-destruct the program.
Here again, the desired path will be substituted.
Here is the entire source.
Now the "mirror" file. If we wrote encrypt in the encryptor, then we write decrypt in the decryptor. It makes no sense to repeat the analysis of the same lines, so the final version is immediately.
A total of 29 lines, of which three were deciphered. In case one of the files suddenly turns out to be damaged and an error occurs, we use catching exceptions (try ... except). That is, if we fail to decrypt the file, we simply skip it.
Creating a Virus
The idea here is to create a program that will infect other programs with a specified extension. Unlike real viruses, which infect any executable file, ours will only infect other Python programs.
This time we don't need any third-party libraries, only the sys and os modules are needed. We connect them.
Let's create three functions: message, parser, infection.
Function that reports an attack:
Let's call it right away to understand that the program has worked:
Bypassing directories is similar to what we did in the ransomware.
In theory, we could poison sources in other languages in the same way by adding code in these languages to files with the appropriate extensions. And in Unix-like systems, scripts in Bash, Ruby, Perl, and the like can simply be replaced with Python scripts by correcting the path to the interpreter in the first line.
The virus will infect files "down" from the directory where it is located (we get the path by calling os.getcwd()).
At the beginning and at the end of the file we write the following comments:
I'll explain why a little later.
Next is the function that is responsible for self-replication.
Now, I think, it has become clearer why the “start” and “stop” labels are needed. They mark the beginning and end of the virus code. First, we read the file and look at it line by line. When we stumbled upon the starting mark, we raise the flag. We add an empty line so that the virus in the source code starts on a new line. We read the file a second time and write the source code line by line. The last step is to write the virus, two indents and the original code. You can mock and write it somehow in a special way - for example, modify all output lines.
Creating an executable
How to launch a virus written in a scripting language on the victim's machine? There are two ways: either to somehow make sure that the interpreter is installed there, or to pack the cryptor we created along with everything necessary into a single executable file. The PyInstaller utility serves this purpose. Here's how to use it.
install
And enter the command
We wait a bit, and a bunch of files appear in the folder with the program. You can safely get rid of everything except executables, they will be in the dist folder.
It is said that since Python malware began to appear, antiviruses have become extremely nervous about PyInstaller, even if it is attached to a completely safe program.
I decided to check what VirusTotal had to say about my creations.
Virus.exe showed the worst result - either some antiviruses paid attention to self-replication, or they simply didn’t like the file name. But as you can see, not all antiviruses have alerted the contents of any of these files. So, we have written three malicious programs: a locker, ransomware, and a virus using a scripting language and packaged them using PyInstaller
. Of course, our virus is not the worst in the world, and the locker and encryptor still need to somehow be delivered to the victim’s machine. At the same time, none of our programs communicates with the C&C server, and I did not obfuscate the code at all.
Nevertheless, the level of detection by antiviruses was surprisingly low. It turns out that even the simplest ransomware virus can become a threat. So antiviruses are antiviruses, but downloading random programs from the Internet and running them without thinking will always be unsafe.
Most often, Python is used to create backdoors in software in order to download and execute any code on an infected machine. So, in 2017, Dr.Web employees discovered Python.BackDoor.33, and on May 8, 2019, Mac.BackDoor.Siggen.20 was noticed. Another trojan, RAT Python, stole user data from infected devices and used Telegram as a data transfer channel.
We will create three demo programs: a locker that will block access to the computer until the user enters the correct password, an encryptor that will bypass directories and encrypt all files in them, and a virus that will spread its code, infecting other programs in python.
How to write a locker, ransomware, and virus in Python
Despite the fact that our creations do not pretend to be of any high technical level, they can be dangerous under certain conditions. Therefore, I warn you that for the violation of the operation of other people's computers and the destruction of information, severe punishment may follow. Let's agree right away: you will only run everything that we describe here on your own machine, and even then carefully so as not to accidentally encrypt the entire disk for yourself.
Setting up the environment
So, first of all, of course, we need Python itself, and the third version. I will not describe in detail how to install it, and I will immediately send you to download the free book "Python Bite" ( PDF ). In it you will find the answer to this and many other questions related to Python.
Additionally, we will install several modules that we will use:
At this preparatory stage is over, you can start writing code.
Creating a locker
The idea is to create a full-screen window and prevent the user from closing it.
Import libraries:
Now let's get to the main part of the program.
Here
— the protection that is activated when the cursor moves to the upper left corner of the screen. When it is triggered, the program closes. We don't need it, so we disable this function.
In order for our locker to work on any monitor with any resolution, we read the width and height of the screen and use a simple formula to calculate where the cursor will go, click, and so on. In our case, the cursor enters the center of the screen, that is, we divide the width and height by two. A pause (sleep) will be added so that the user can enter a code to cancel.
Now we have not blocked text input, but we can do this, and then the user will not get rid of us. Let's write some more code for this. I don't recommend doing it right away. First, let's set up the program so that it turns off when you enter your password. But the code to block the keyboard and mouse looks like this:
Let's create a function to enter the key:
Everything is simple here. If the key is not the one we set, the program continues to work. If the passwords match, we slow down.
The last function that is needed for the pest window to work:
On this, our impromptu locker is ready.
Creating
a ransomware We will write this virus using only one third-party library - pyAesCrypt. The idea is to encrypt all files in the specified directory and all directories below. This is an important limitation that allows you not to break the operating system. For work, we will create two files - an encoder and a decoder. After work, executable files will be self-deleted.
First, we ask for the path to the attacked directory and the password for encryption and decryption:
Next, we will generate scripts for encryption and decryption. It looks something like this:
Let's move on to the files that we will use as templates. Let's start with the encoder. We need two standard libraries:
We write the encryption function (everything according to the pyAesCrypt manual):
Instead str(password), the script generator will insert a password.
Important nuances. We will encrypt and decrypt using a buffer, so we will get rid of the file size limit (at least significantly reduce this limit). The os.remove(file) call is needed to remove the original file, since we are copying the file and encrypting the copy. You can choose to copy the file instead of deleting it.
Now a function that bypasses folders. There is nothing complicated here either.
At the end, add two more lines. One to start the bypass, the second to self-destruct the program.
Here again, the desired path will be substituted.
Here is the entire source.
Now the "mirror" file. If we wrote encrypt in the encryptor, then we write decrypt in the decryptor. It makes no sense to repeat the analysis of the same lines, so the final version is immediately.
A total of 29 lines, of which three were deciphered. In case one of the files suddenly turns out to be damaged and an error occurs, we use catching exceptions (try ... except). That is, if we fail to decrypt the file, we simply skip it.
Creating a Virus
The idea here is to create a program that will infect other programs with a specified extension. Unlike real viruses, which infect any executable file, ours will only infect other Python programs.
This time we don't need any third-party libraries, only the sys and os modules are needed. We connect them.
Let's create three functions: message, parser, infection.
Function that reports an attack:
Let's call it right away to understand that the program has worked:
Bypassing directories is similar to what we did in the ransomware.
In theory, we could poison sources in other languages in the same way by adding code in these languages to files with the appropriate extensions. And in Unix-like systems, scripts in Bash, Ruby, Perl, and the like can simply be replaced with Python scripts by correcting the path to the interpreter in the first line.
The virus will infect files "down" from the directory where it is located (we get the path by calling os.getcwd()).
At the beginning and at the end of the file we write the following comments:
I'll explain why a little later.
Next is the function that is responsible for self-replication.
Now, I think, it has become clearer why the “start” and “stop” labels are needed. They mark the beginning and end of the virus code. First, we read the file and look at it line by line. When we stumbled upon the starting mark, we raise the flag. We add an empty line so that the virus in the source code starts on a new line. We read the file a second time and write the source code line by line. The last step is to write the virus, two indents and the original code. You can mock and write it somehow in a special way - for example, modify all output lines.
Creating an executable
How to launch a virus written in a scripting language on the victim's machine? There are two ways: either to somehow make sure that the interpreter is installed there, or to pack the cryptor we created along with everything necessary into a single executable file. The PyInstaller utility serves this purpose. Here's how to use it.
install
And enter the command
We wait a bit, and a bunch of files appear in the folder with the program. You can safely get rid of everything except executables, they will be in the dist folder.
It is said that since Python malware began to appear, antiviruses have become extremely nervous about PyInstaller, even if it is attached to a completely safe program.
I decided to check what VirusTotal had to say about my creations.
Virus.exe showed the worst result - either some antiviruses paid attention to self-replication, or they simply didn’t like the file name. But as you can see, not all antiviruses have alerted the contents of any of these files. So, we have written three malicious programs: a locker, ransomware, and a virus using a scripting language and packaged them using PyInstaller
. Of course, our virus is not the worst in the world, and the locker and encryptor still need to somehow be delivered to the victim’s machine. At the same time, none of our programs communicates with the C&C server, and I did not obfuscate the code at all.
Nevertheless, the level of detection by antiviruses was surprisingly low. It turns out that even the simplest ransomware virus can become a threat. So antiviruses are antiviruses, but downloading random programs from the Internet and running them without thinking will always be unsafe.
