Confused about malware development

Hi folks

I have been confused lately about malware development. I am familiar with Python and use it for web development; however, I know that it's not the right language for malware development.
The reason that I picked Python in the first place was because I was told "It's a general purpose programming language & you can do anything with it".
The moment I became an intermediate programmer, I found out that Python is not general purpose: even if I create malware and compile it to an executable,
I still can't run it everywhere, since every Python executable is created for your local system specs.

Now I have too many questions, but since some of ya just like to push noobs and tell them to "Google it", I will first list all the resources I have read that didn't help:

So now to the questions:
1: Isn't there any other protocol for building a Windows/Linux reverse shell backdoor? I mean, I want to build malware for Windows, Linux & OSX, but I am unsure if this is the only way;
most of the tutorials I have read point to using TCP. I know what TCP/UDP is, but I am just asking: are these the only way?
2: Why do people suggest C and Assembly for Malware writing?
I mean, you need to actually compile C code to an executable, and that executable doesn’t work everywhere:

So how does "C" become the #1 language for malware development?
3: Let’s forget about C and Assembly for a moment; C# or C++? Which one should I go for serious malware development?


4 Likes

When programming in C you have more control over memory, as well as the luxury of doing some low-level tricks that can't easily be done with Python, or aren't possible at all. Pretty much the rule is: the lower the language, the more control you have, and the more control you have, the easier it is for the malware to bypass AV.
As for the second question, that's not really within the reach of my knowledge, so I'll let the others answer.

2 Likes

C/C++ are both fine.
Statically linked executables run on all systems.
Or don't use the CRT at all.

I would start by getting familiar with basic C(++) programming and the Windows API.

1: Sure, TCP and UDP are transport protocols and have some useful features, but if you feel frisky you can always try an ICMP shell if you wish. Just know that TCP is recommended because it is a very reliable protocol; ICMP shells are used to bypass stricter firewall rules, but don't expect the performance of the typical reverse shell.

2: Those Python-related articles do not talk about writing malware, but reverse shells, which is what you would use on a system on which you have already achieved code execution of some kind, to obtain a proper interactive shell. For this task Python is just fine because it comes shipped with most *nix OSes out there.

I imagine the kind of malware you are interested in needs a way of remaining on a system for as long as possible, going undetected, perhaps collecting data. Sure, Python has so many libraries that this can be done quite easily, but you have to remember Python is an interpreted language, ergo its scripts can be read by anyone; it is much slower than a native executable, and when turned into one with programs such as py2exe it creates massive binaries that an AV can pick up blindfolded. That's not what you want for stealthy malware.

Plus, malware often does its magic using low-level system calls and operating system APIs, which are both accessible natively through C, because still to this day C is what most of the code of Windows and *nix is written in, so writing C code gives you access to a whole world of functions that are far more powerful than what Python provides.

Take for example the LogonUserExExW Windows API function and the jail FreeBSD system call, or any other function you find in the man pages or Microsoft's documentation: the code examples are in C, the function prototypes are in C, and the code of the functions themselves is also written in C. Here is the jail syscall's code.

Having this much power allows you to fine-tune each operation of your program, and considering that an AV cannot flag an action as malicious without already knowing what is malicious and what isn't, you can bypass these checks by finding a new way of doing what you wanted without alerting anyone. Python and other higher-level languages offer very little freedom in comparison.

I haven't heard of a major malware completely written in Assembly in a long time, frankly. ASM produces code that is even faster than C because it is essentially just a human-readable representation of the opcodes the CPU sees and takes commands from, so coding in ASM equals talking directly to the CPU… or at least that's what it is supposed to mean, but now we have so many macro instructions that even when writing Assembly you often don't know exactly what is going on under the hood.

But the bottom line is, ASM produces very efficient, fast, slim code, and it works directly with the operating system's syscalls via interrupts. The only problem is that Assembly has a very steep learning curve and is unsuited for large programs, especially for one as complex as a modern malware, hence why you typically find simpler, smaller malware written in ASM, not APT-level spyware. Regardless, if you want to learn how your computer truly works, learning it is a must.

If you want to run your program on a computer that doesn’t necessitate a ton of dependencies do not write it using Visual Studio.

3: I’m not a C++ programmer and I only know a little bit of C#, I wouldn’t recommend it for malware development. Stay native.

3 Likes

Suppose I have compiled a C program and it's not even a .exe yet; how am I going to use it as malware for attacking a Windows machine?

Thanks for giving time and answering.

About the second answer, if I am not mistaken, you said that 'after I gain a shell into a system, then I can use a malware written in C to perform actions, remain undetected and surface around the system'. Now that's great, but how am I going to get access to a system in the first place?

Besides that, even if I can write malware in C, there are very few chances for me to run it on my target machine, because I need to compile it all the time, and setting up a compiler even after gaining a shell on the victim's machine is a hard task, mostly detectable by a human rather than AV.

Can you clarify a bit more on which language can get my foot in the door?

You can maybe make the malware check if there are new updates for the malware every couple of minutes and, if so, download a prebuilt executable from somewhere?

You compile the malware on your own machine.
The generated executable should run on any machine,
just like any program you download does.
There's no need to compile your program on the target machine.

Here's a beginner tutorial on C programming.
Try it and have fun,
and soon you will figure out how it all works.
https://www.tutorialspoint.com/cprogramming/index.htm

2 Likes

How to gain access to your target is completely up to you. Are you targeting a web server? Look for vulnerabilities. Are you targeting an individual? Resort to social engineering. Are you targeting an organization? Step up your OSINT game and lay down a plan of attack. Most malware is spread using social engineering techniques.

As @evil_inside said, you do not need to recompile your program to run it anywhere; I think you may be confused about the concept of compiled languages. When compiling a program you just have to make it compatible with the right architecture (x86, x64, ARM, MIPS, …) and the right operating system. Once you have your binary you can run it on the operating system of your choice on your selected architecture, as long as dependencies are also present, of course.

For that C is excellent, because you can do everything you want using native operating system libraries, so no extra dependencies required.

1 Like
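What "compiled for the right architecture and operating system" means at the byte level, as an added example that is not from this thread: a small triage script (the `describe` function and the `make_*` sample builders are my own names) that reads the ELF or PE header of an image and reports its format, target OS, CPU architecture and whether it depends on the system's dynamic loader (an ELF `PT_INTERP` program header), which is exactly the dependency question raised above. The sample images are constructed inline: valid headers with no code, so the script runs offline.

```python
import struct

# Machine codes from the ELF and PE specifications (the subset this thread mentions).
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
ELF_OSABI = {0: "System V / generic", 3: "Linux", 9: "FreeBSD"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0xAA64: "AArch64"}
PT_DYNAMIC, PT_INTERP = 2, 3

def describe(blob: bytes) -> dict:
    """Classify an executable image: format, target OS, architecture and linking."""
    if blob[:4] == b"\x7fELF":
        return _describe_elf(blob)
    if blob[:2] == b"MZ":
        pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
        if blob[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("MZ stub without a PE signature")
        machine = struct.unpack_from("<H", blob, pe_off + 4)[0]   # COFF header Machine field
        return {"format": "PE", "os": "Windows", "arch": PE_MACHINES.get(machine, hex(machine))}
    raise ValueError("neither ELF nor PE")

def _describe_elf(blob: bytes) -> dict:
    is64 = blob[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if blob[5] == 1 else ">"    # EI_DATA: 1 = little-endian, 2 = big-endian
    fmt = endian + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    fields = struct.unpack_from(fmt, blob, 16)
    machine, phoff, phentsize, phnum = fields[1], fields[4], fields[8], fields[9]
    # p_type is the first u32 of every program header in both ELF32 and ELF64.
    ptypes = {struct.unpack_from(endian + "I", blob, phoff + i * phentsize)[0] for i in range(phnum)}
    return {
        "format": "ELF64" if is64 else "ELF32",
        "os": ELF_OSABI.get(blob[7], f"OSABI {blob[7]}"),
        "arch": ELF_MACHINES.get(machine, str(machine)),
        "needs_loader": PT_INTERP in ptypes,   # PT_INTERP names ld.so: dynamically linked
        "has_dynamic": PT_DYNAMIC in ptypes,
    }

def make_elf64(machine: int, dynamic: bool) -> bytes:
    """Constructed sample: a valid ELF64 header plus program headers, no code at all."""
    ptypes = [1, PT_INTERP, PT_DYNAMIC] if dynamic else [1]     # PT_LOAD first
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)        # ELF64, LE, version 1, SysV ABI
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0x401000, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0) for t in ptypes)

def make_pe(machine: int) -> bytes:
    """Constructed sample: MZ stub with e_lfanew = 0x40, then the PE signature and Machine."""
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<H", machine)
```

Running `describe(open(path, "rb").read())` on a real file from disk gives the same report; a statically linked ELF shows `needs_loader: False`, which is what the "no CRT, no dependencies" advice above produces.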

Nice idea, I have similar ideas but actually implementing them is tough.

Thanks a lot 🙂

Baud mostly said everything but I’d like to add my 50 cents.

How about you simply look up open source malware or leaked malware source code (it is usually hosted on GitHub)? I saw you linked my tutorial on writing DOS-like viruses for modern Windows, but I don't think that's what you need.

First I suggest you become familiar with Assembly and C, because the resulting compiled files can run natively on any platform. Next you should choose a target operating system and learn its internals - that is the REAL challenge, as malicious software manipulates operating system internals. That is also the reason you should go for C and ASM: it is because you can interact with the OS without a lot of limitations at those levels.

Top Windows and Linux malware is written in C or C++. The server which does the C&C handling can be written in the language of your choice, as all it has to do is parse and pass commands.

https://github.com/touyachrist/evo-zeus - Zeus Malware written in C
https://github.com/t3rabyt3/Gozi - Gozi written in C
https://github.com/nyx0/Carberp - Carberp bootkit written in C and Assembly
https://github.com/quasar/Quasar - Quasar Open source RAT written in C# (I’ve reversed this malware and created an emulator for it, you can find my research paper on the forum)

7 Likes

Pssh, Python is not used for malware, yeah right. I think that more of the reason why you see .NET, macros, and PE files out in the wild is simply the large target on M$ users. Though I think for concentrated malware development of bigger projects with smaller binaries I'd go C. Though I do love pyc's.

Check out Slingshot C2, @Danus’s Malware Lake, Awesome Malware Analysis, and reading about Triton

Good day

2 Likes

I get what you want to do. You want a language which can make an undetectable exe with a low file size? Python is just simple and easy shit. You can't make stable software nor malware with it. You have 2 options if you want malware coding for Windows:

1. Learn C/C++ and develop malware with Visual Studio.
2. Learn C# or Visual Basic with Visual Studio:
   github.com/mrfr05t/Mr.Peter
   github.com/DarkSecDevelopers/GrayKeylogger
   github.com/NYAN-x-CAT/Lime-RAT

Favorite: njRAT
github.com/AliBawazeEer/RAT-NjRat-0.7d-modded-source-code

1 Like

Thanks so much for your reply.
Is this your research:

?

Actually I wanted a language that works anywhere; I can worry about obfuscation later. I got really good suggestions from the folks above, so I will go on with C for now.
I wonder why people don't talk about JavaScript malware when all you have to do is ship it with some website?

Guys, why are malware authors so concerned about size?

I've looked into some commercial malware and most of them weigh at least 200 KB.

What are they trying to achieve by having such a small size?

1 Like

The small size of a large program indicates that it is working quickly. I want to add that it is not written in high-level languages, because they have dependencies. For example, Python will not run without an interpreter, and if you compile it, you will get a weight of more than 3000 KB, while the same C++ program will weigh 300 KB, and it will not need any interpreter.

You can test this by writing a simple program that does the same job in ASM and in a high-level language. Look at the disassembled version of the program, and you will understand what I mean. You will see a huge cloud of garbage commands, or unoptimized slow code, while ASM will have fast, optimized and simple code.

1 Like

If you mean C with classes, then it could weigh 300 KB. But modern C++ weighs at least around 1-2 MB.

I get it. Nobody has a straight answer!!

No. C++ can't weigh 1-2 MB. It's not possible. With CRT, a simple hello world weighs around 200-300 KB…

You can test it