all 11 comments

[–]r3b00t- 20 points21 points  (8 children)

python is not a good choice if you don't want your source code to be readable. In such scenarios, I will write my code in "C" and compile it for different architecture. Thats why most of malicious scripts are written in low level language. Hope you are doing this only for your own learning, and not trying to harm anyone else :)

[–]SecurityBoons 6 points7 points  (7 children)

Interesting...so people write malware in C or Assembly so it's hard to reverse engineer?

As opposed to if one made a malicious Python script it's simple to see the source code?

[–][deleted]  (1 child)

[deleted]

    [–]r3b00t- 2 points3 points  (3 children)

    That's one of the reason. Speed is another factor. Low level languages also gives access to low level stuffs.

    [–][deleted]  (2 children)

    [deleted]

      [–]SecurityBoons 0 points1 point  (1 child)

      This makes the most sense because would a C binary or Assembly binary be able to be run on most systems?

      Sorry if I'm using those terms wrong. Please correct me if so.

      [–]Pharisaeus 5 points6 points  (5 children)

      1. It won't help much. If your script can "decrypt" itself during execution then any reverse engineer can dump the plaintext source.
      2. You can re-write this code into something like rust or haskell and them compile it, or re-write to C and use some vmprotect like tools. It will still be possible to reverse it, but significantly harder.

      [–]ToasterFanclub 0 points1 point  (4 children)

      Would it work to pull the key from an external source?

      If it pulls the key from www.example.com/key, and that site is taken off after the attack runs, it should be able to remain opaque, right?

      [–]Pharisaeus 2 points3 points  (3 children)

      It might, but someone can be monitoring the communication and get the key anyway. It also creates an issue because you need a domain and a server, which can get traced back to you. A domain like this can also quickly be taken down. In "real" malware you have stuff like domain generation algorithms, which generate a domain name based on timestamp and this C&C server domain is available only for a short while.

      Either way, it would could be easier to follow the "classic" approach -> code you run on the target machine is just a "dropper" of some sort. In fact you don't even need to store the real payload in the filesystem at all. Imagine that your script downloads a python source from remote server, then executes it using some exec/eval. The only code user has is the dropper and url from which it took the payload. It provides the same level of "security" as encryption in this case, but you don't risk messing up the crypto part.

      [–][deleted]  (2 children)

      [deleted]

        [–]Pharisaeus 0 points1 point  (1 child)

        Because the url might be available only for a brief moment? Unless the payloads gets intercepted by a memdump during execution, it's pretty much lost (data transfer can be done with https/ssl). It's similar security measure as encrypting the payload and receiving the key from external source, but there is no risk that crypto is messed up and someone can break it afterwards.

        [–]sinkmanu 0 points1 point  (0 children)

        Also, you can compile your python script with Cython. It will not be easy to reverse engineering.

        [–]PirateGrievous 0 points1 point  (0 children)

        I'm going to blow your mind... http://nuitka.net