Building a Simple Trojan with Python: A Step-by-Step Guide

The scripts mentioned in the article are certainly not suitable for use in real-world scenarios: they lack obfuscation, their operation principles are rudimentary, and they have no malicious functions at all. However, with a bit of ingenuity, they could be used for simple pranks—like shutting down someone’s computer in a classroom (or an office, if you haven’t had your fill of pranks in the classroom).

Theory

So, what exactly is a trojan? A virus is a program primarily designed for self-replication. A worm actively spreads across networks (typical examples include “Petya” and WannaCry), while a trojan is a hidden malicious program that disguises itself as legitimate software.

The idea behind this type of infection is that the user voluntarily downloads malware onto their computer, often disguised as a cracked program. The user may disable security mechanisms, believing the program to be legitimate, and might want to keep it for a long time. Hackers are always on the lookout for such opportunities, so news reports frequently mention new victims of pirated software and ransomware affecting those who seek free software. We know, however, that there’s no such thing as a free lunch, and today we’ll learn how easy it is to pack that “free lunch” with something unexpected.

Identifying the IP Address

Firstly, we (meaning our trojan) need to determine its current location. A crucial piece of information is the IP address, which will allow future connections to the infected machine.

Let’s start coding. First, we’ll import the libraries:

Both libraries are not included with Python, so if you don’t have them, they need to be installed using the pip command.

The code for obtaining external and internal addresses will be as follows. Note that if the target has multiple network interfaces (such as both Wi-Fi and Ethernet), this code may not function correctly.

Finding a device’s local IP address is relatively straightforward: we identify the device name on the network and check the IP associated with it. However, determining a public IP address is a bit more complicated.

I chose the website api.ipify.org because it provides a simple output: just one line showing our external IP. By combining a public IP with a local IP, we can determine the approximate location of a device.

Present the information even more simply:

Have you ever encountered a construction like print(f'{}')? The letter f stands for formatted string literals. In simple terms, it’s like embedding expressions directly within a string.

Final code:

By running this script, we can determine the IP address of our (or someone else’s) computer.

Email-based Backconnect

Now let’s write a script that will send us an email.

Import the new libraries (both need to be installed beforehand using pip install):

Let’s write some basic information about ourselves:

Let’s proceed with drafting the email:

The final step is to set up the connection to the email service. I use Yandex.Mail, so I configured the settings accordingly.

In the line server.ehlo(email), we use the EHLO command. Most SMTP servers support ESMTP and EHLO. If the server you’re trying to connect to doesn’t support EHLO, you can use HELO.

Here is the complete code for this part of the trojan:

Running this script results in receiving an email.

I tested this script on VirusTotal. You can see the result in the screenshot.

Trojan

The concept involves a Trojan acting as a client-server application, with the client installed on the targeted machine and the server running on the attacker’s machine. It is designed to enable maximum remote access to the system.

As usual, let’s start with the libraries:

Let’s start by creating a “Guess the Number” game. It’s quite straightforward, so I won’t spend too much time on it.

Here is the code for our trojan. We’ll delve into how it works below, so we won’t repeat the basics.

First, let’s understand what a socket is and how it works. A socket, in simple terms, is like a plug or outlet for programs. There are client and server sockets: the server socket listens on a specific port (outlet), while the client socket connects to the server (plug). Once the connection is established, data exchange begins.

The line client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) creates an echo server (send a request — receive a response). AF_INET indicates the use of IPv4 addressing, and SOCK_STREAM specifies that we are using a TCP connection instead of UDP, where the packet is sent into the network and not further tracked.

The line client.connect((HOST, PORT)) specifies the IP address of the host and the port for the connection and immediately establishes the connection.

The client.recv(1024) function receives data from a socket and is known as a blocking call. This means that the call will continue to execute until the command is either transferred or rejected by the other side. The number 1024 refers to the number of bytes allocated for the receive buffer. You can’t receive more than 1024 bytes (1 KB) at a time, but that’s generally not an issue—how often do you manually enter more than 1000 characters into the console? It’s not worth trying to significantly increase the buffer size—it’s costly and unnecessary, as a larger buffer is rarely needed.

The decode('cp866') command decodes the received byte buffer into a text string using the specified encoding (in this case, 866). But why use cp866 specifically? Let’s open the command prompt and enter the command chcp.

The default encoding for Russian-speaking devices is 866, where Cyrillic is added to Latin characters. In English versions of systems, regular Unicode is used, specifically utf-8 in Python. Since we speak Russian, it’s crucial for us to support it.

When a command is received, you need to determine whether it is a system command. If it is, perform specific actions; otherwise, if the terminal is active, redirect the command there. The downside is that the execution result remains unprocessed, and ideally, it should be sent back to us. This is your homework: implementing this function should take no more than fifteen minutes, even if you have to look up each step online.

The results of checking the client on VirusTotal were encouraging.

The basic Trojan is up and running, allowing us to do quite a lot on the target machine since we have command line access. But why not expand its functionality? Let’s also steal the Wi-Fi passwords!

Wi-Fi Stealer

The task is to create a script that retrieves all the passwords of accessible Wi-Fi networks from the command line.

Let’s get started with importing the libraries:

The subprocess module is used to create new processes, connect to their standard input and output streams, and retrieve their return codes.

Here is a script for extracting Wi-Fi passwords:

By entering the command netsh wlan show profiles in the command prompt, we will receive the following information.

By parsing the output above and substituting the network name into the command netsh wlan show profile [network name] key=clear, you’ll get a result like the one shown in the image. From there, you can analyze and extract the network’s password.

There is one remaining issue: our original plan was to retrieve the passwords for ourselves rather than displaying them to the user. Let’s fix that.

Let’s add another variation of the command to the script where we handle our network commands.

All the commands of this script have already been discussed in detail, so I won’t repeat myself. Instead, I’ll just show a screenshot from my email.

Improvements

Certainly, there is room for improvement in nearly every aspect—from securing the transmission channel to protecting the malware’s own code. Attackers typically use different methods for communicating with command and control servers, and the malware’s operation is not dependent on the operating system’s language.

And of course, it’s highly recommended to package the virus using PyInstaller so you don’t have to drag Python and all its dependencies onto the victim’s machine. A game that requires installing a module for email functionality—what could be more convincing, right?

Conclusion

Today’s trojan is so simple that it can hardly be considered operational. However, it is useful for learning the basics of the Python language and understanding the algorithms of more complex malware. We hope you respect the law, and that the knowledge you gain about trojans will never be required in practice.

As a homework assignment, I recommend trying to implement a bidirectional terminal and data encryption, even if it’s just using XOR. This will make your trojan much more interesting. However, we absolutely do not encourage using it in the wild. Be careful!