Malware Coding Series: Finishing our botnet

Previous Parts:

1. Intro

2. Building Botnet

Hi Readers,
Today I will show you how to make your Python malware more persistent by adding a new Anti-TaskManager script that closes Task Manager every time a user tries to check the running processes.

You can find this script here: github

This script can be included in our previous mlgbot project, or compiled separately and executed via the INSTALL function; either way it makes the bot more persistent.
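From the defender's side, the behaviour described above (a process that keeps terminating Task Manager) is noisy and easy to spot in process-access telemetry. The following is an added detection example, not code from this post or from the mlgbot project. The event lines are constructed for the example; their field names mirror what Sysmon Event ID 10 (ProcessAccess) records (SourceImage, TargetImage, GrantedAccess), but every path, timestamp and value is invented, and the allowlist and thresholds are assumptions to be tuned per environment.

```python
"""Detection example: flag a process that repeatedly obtains PROCESS_TERMINATE
rights on Task Manager or similar process viewers within a short window.

Added example, not the post's or the mlgbot project's code. The sample event
lines are constructed; the field names follow Sysmon Event ID 10 (ProcessAccess),
but all paths, times and values are invented.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # Windows access-right bit needed for TerminateProcess
WATCHED_TARGETS = {"taskmgr.exe", "procexp.exe", "procexp64.exe"}
# System components that legitimately open every process (assumed; tune per estate).
ALLOWLISTED_SOURCES = {r"c:\windows\system32\csrss.exe"}

SAMPLE_EVENTS = [  # constructed sample data: "<iso-time> source=... target=... access=<hex>"
    r"2016-05-01T10:00:00 source=C:\Users\bob\AppData\Roaming\svc.exe target=C:\Windows\System32\taskmgr.exe access=0x1001",
    r"2016-05-01T10:00:02 source=C:\Windows\System32\csrss.exe target=C:\Windows\System32\taskmgr.exe access=0x1fffff",
    r"2016-05-01T10:00:30 source=C:\Users\bob\AppData\Roaming\svc.exe target=C:\Windows\System32\taskmgr.exe access=0x1001",
    r"2016-05-01T10:00:45 source=C:\Tools\chrome.exe target=C:\Windows\System32\taskmgr.exe access=0x1000",
    r"2016-05-01T10:01:00 source=C:\Users\bob\AppData\Roaming\svc.exe target=C:\Windows\System32\taskmgr.exe access=0x1001",
    r"2016-05-01T10:01:10 source=C:\Users\bob\AppData\Roaming\svc.exe target=C:\Windows\System32\notepad.exe access=0x1",
    r"2016-05-01T10:03:00 source=C:\Users\bob\AppData\Roaming\svc.exe target=C:\Tools\procexp64.exe access=0x1001",
    r"2016-05-01T10:04:00 source=C:\Users\bob\AppData\Local\Updater\updater.exe target=C:\Windows\System32\taskmgr.exe access=0x1001",
    r"2016-05-01T10:20:00 source=C:\Users\bob\AppData\Local\Updater\updater.exe target=C:\Windows\System32\taskmgr.exe access=0x1001",
]


def parse_event(line):
    """Parse one constructed event line into a dict with a datetime and an int access mask."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "source": fields["source"],
        "target": fields["target"],
        "access": int(fields["access"], 16),
    }


def detect_taskmgr_killers(lines, window=timedelta(minutes=5), threshold=3):
    """Return {source_image: peak_count} for every source that obtained
    PROCESS_TERMINATE on a watched process viewer at least `threshold` times
    inside any interval of length `window`."""
    hits = defaultdict(list)
    for event in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        if event["source"].lower() in ALLOWLISTED_SOURCES:
            continue
        if not (event["access"] & PROCESS_TERMINATE):
            continue  # handle without terminate rights is not interesting here
        if ntpath.basename(event["target"]).lower() not in WATCHED_TARGETS:
            continue
        hits[event["source"]].append(event["ts"])

    alerts = {}
    for source, times in hits.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[source] = max(alerts.get(source, 0), count)
    return alerts


def run_sample():
    """Run the detector over the constructed events."""
    return detect_taskmgr_killers(SAMPLE_EVENTS)


if __name__ == "__main__":
    for source, count in run_sample().items():
        print(f"ALERT: {source} took terminate rights on a process viewer {count}x in 5 min")
```

In the sample, only svc.exe trips the rule (four terminate-capable handles to taskmgr.exe and procexp64.exe within five minutes); csrss.exe is allowlisted, chrome.exe never requests the terminate bit, and updater.exe's two accesses are 16 minutes apart. In a real deployment the source paths, allowlist and threshold come from your own telemetry and baseline, and a matching response is to pivot on the alerting image's creation and persistence artefacts rather than just the handle events.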

To finish our botnet we need to add another script: the keylogger. As in our previous code (here), I added a SENDLOGS command that sends a file called data.txt in which all keystrokes are recorded by an external keylogger (also written in Python). Python keyloggers are very easy to write; this is the one I found most efficient: (here)
As always, you compile the scripts with PyInstaller so they run on any Windows machine, and then you can try them in virtual machines.
After you have compiled the keylogger you need to use the INSTALL function again to install it, or you can add a few lines of code to download the keylogger when the bot starts up.

I have made a video to show a PoC and how I used my botnet with a PHP control panel that interacts with an SQL database to store user logs, bots online and other info.

https://github.com/Samickz/s4mick/blob/master/mlgBot/mlgbot_v1.1.py

Here you can find the updated code with the new features added with Python ctypes:
LOCKSCREEN: ctypes.windll.user32.LockWorkStation()
MSGBOX: ctypes.windll.user32.MessageBoxA(None, msgtext, "Error", 0x10)
SETCURSOR: ctypes.windll.user32.SetCursorPos(x, y)

ctypes lets you call functions exported by system DLLs such as user32 directly from Python, which opens up a lot of fun stuff.
