This project demonstrates a polymorphic malware script written in Python. It shows how malware can use polymorphism to evade detection by traditional static antivirus software.
The malware searches for Python files (.py) within a specified directory, checks for a signature to avoid reinfection and injects an encrypted copy into the target files. Each infection generates a unique encryption key, making each infected file different from others. The primary aim is to demonstrate how polymorphic malware can avoid detection by traditional static analysis techniques.
- Signature-Based Prevention: The script uses a specific signature to prevent reinfection of already infected files.
- File Infection: Infects
.pyfiles by inserting an encrypted payload. - Polymorphism: Generates a unique encryption key for each infected file, ensuring that each instance is unique.
- Payload Execution: Decrypts and executes the payload in the target files.
-
Search for Target Files:
- The script recursively searches through directories to find Python files that do not contain the infection signature.
-
Infect Files:
- For each target file, the script:
- Reads the malware code into a string.
- Generates a unique encryption key using the
Fernetmodule from thecryptographypackage. - Encrypts the malware code and writes it to the target file with decryption logic.
- For each target file, the script:
-
Execute Payload:
- The infected file, when executed, decrypts the embedded malware code and runs it, continuing the infection cycle.
- Clone the repository:
git clone https://github.com/Piyush-Bhor/polymorphic-malware.git
cd polymorphic-malware
- Install Dependencies:
Make sure you have Python installed along with the cryptography library:
pip install cryptography
- Run the Malware:
Note: Run this script with Python 2, not Python 3.
Execute the script on a specific directory:
python2 polymorphic_malware.py
Here’s a screenshot showing how two separate infected files look:
I uploaded the script on VirusTotal, and none of the 66 security vendors detected it.
This project is intended for educational and research purposes only. Running or distributing malware is illegal and unethical. Please don't be stupid.
This project is licensed under the MIT License. You can read it here .