Malware Simulation with Python in Controlled Environment

📋 Project Description

This project aims to perform tests in a controlled environment with malware simulations: two simplified implementations - a ransomware that encrypts files and a keylogger that remotely sends keystrokes typed by the victim.

⚠️ Legal Disclaimer

ATTENTION: This project was developed exclusively for educational purposes in a controlled environment.

• All tests were conducted on isolated virtual machines
• Never use these techniques on systems without explicit authorization
• Misuse of these techniques is illegal and may result in criminal consequences
• This material should not be used for malicious activities

🛠️ Technologies Used

• Language: Python 3.x
• Libraries:
  • cryptography (Ransomware)
  • pynput (Keylogger)
  • smtplib (Email)

---

🔒 Scenario 1: Simulated Ransomware

Description

Ransomware is a type of malware that encrypts the victim's files and demands payment for the release of the decryption key. This attack can cause severe damage, resulting in data loss and financial harm.

How It Works

The ransomware encrypts files in the ransomware/test_files directory. Before encryption, files are readable (passwords, messages). After running the encryption script, files become completely unreadable.

Implementation

Step 1: Environment Setup

Install required library:

pip install cryptography

---

Step 2: Encryption Script (encrypt.py)

How it works:

• Generates encryption key: Creates a unique cryptographic key using the Fernet algorithm and saves it to secret.key
• Encrypts files: Reads each file in the target directory, encrypts its content, and overwrites the original with encrypted data
• Creates ransom note: Generates README_FOR_DECRYPT.txt informing the victim about the encryption (in real attacks, this contains payment demands, cryptocurrency wallet addresses, and deadlines)

Execute:

python encrypt.py

Result: All files become unreadable, and a ransom note appears.

---

Step 3: Decryption Script (decrypt.py)

How it works:

• Loads decryption key: Retrieves the encryption key from secret.key (in real attacks, victims don't have access to this)
• Decrypts files: Reads encrypted files, applies decryption using the key, and restores original content
• Error handling: Handles files that cannot be decrypted

Execute:

python decrypt.py

Result: Files are restored to their original readable state.

---

Step 4: Ransom Note

The README_FOR_DECRYPT.txt file is created during encryption:

YOUR FILES HAVE BEEN ENCRYPTED!

All your files are now inaccessible.
This is a controlled testing environment.
In real attacks, payment instructions would appear here.

How attackers use ransom notes:

• Placed in multiple folders to ensure the victim sees it
• Contains payment instructions (usually cryptocurrency)
• Includes deadlines and threats (increase ransom, delete files)
• Provides "customer support" contact information
• Often changes desktop wallpaper to display demands

---

⌨️ Scenario 2: Simulated Keylogger

Description

A keylogger is a type of surveillance malware that records every keystroke typed by the user. It captures sensitive information such as passwords, credit card numbers, personal messages, and confidential data. Keyloggers operate silently in the background, sending captured data to attackers without the victim's knowledge.

How It Works

The keylogger monitors keyboard input in real-time, stores the captured keystrokes, and periodically sends the logged data via email to the attacker. This allows cybercriminals to steal credentials, monitor user activity, and gain unauthorized access to accounts and systems.

---

Implementation

Step 1: Basic Capture Script (keylogger.pyw)

How it works:

• Monitors keyboard: Uses the pynput library to listen for every key press event
• Captures keystrokes: Records regular characters, special keys (Space, Enter, Backspace), and handles exceptions
• Saves to file: Writes captured data to keylog.txt for later retrieval
• Runs continuously: Operates in the background until stopped manually (ESC key)

Install dependencies:

pip install pynput

Execute:

python keylogger.pyw

Result: All typed keys are saved to keylog.txt

---

Step 2: File Saving Implementation

The basic keylogger saves captured data locally:

Features implemented:

• Real-time logging: Appends each keystroke immediately to prevent data loss
• Special key handling: Captures and labels special keys like Enter, Space, Backspace
• Persistent storage: Maintains log file even if program crashes
• Exit mechanism: ESC key to stop recording

Output example in keylog.txt:

username: admin
password: MySecurePass123
[ENTER]
email@example.com
[SPACE]
sensitive information here
[<] (backspace)

---

Step 3: Automatic Email Sending (keylogger_email.py)

How it works:

• Scheduled sending: Uses Timer to automatically send captured data every 60 seconds
• Email configuration: Connects to Gmail SMTP server with app-specific password
• Data exfiltration: Sends keylog content via email to attacker's address
• Clears log: Resets the log variable after successful transmission to avoid duplicates
• Stealth operation: Continues capturing while sending happens in background

Configuration required:

• Source email: Attacker's email account (sending)
• Destination email: Where stolen data is received
• App password: Gmail app-specific password (not regular password)

How attackers use email exfiltration:

• Bypasses local detection by removing evidence
• Provides remote access to stolen data
• Works even if victim's computer is turned off later
• Can use compromised email accounts to avoid detection

Execute:

python keylogger_email.py

Result: Keystrokes are captured and automatically emailed every 60 seconds.

Warning: Real keyloggers use sophisticated techniques including rootkit integration, memory injection, and anti-analysis methods to evade security software.

---

🛡️ Defense and Prevention Measures

How to Protect Against Ransomware

1. Regular Backups

   • Maintain offline backups of critical data (external drives, cloud storage)
   • Follow 3-2-1 rule: 3 copies, 2 different media, 1 offsite
   • Test backup restoration regularly

2. Updated Antivirus

   • Keep antivirus software up-to-date with latest definitions
   • Enable real-time protection and scheduled scans
   • Use reputable security solutions (Windows Defender, Bitdefender, Kaspersky)

3. System Updates

   • Install OS security patches immediately
   • Enable automatic updates for critical software
   • Update applications and firmware regularly

4. User Education

   • Don't open suspicious email attachments
   • Verify sender before clicking links
   • Avoid downloading from untrusted sources
   • Be cautious with USB drives from unknown sources

---

How to Protect Against Keyloggers

1. Antimalware Software

   • Use anti-keylogger tools (Malwarebytes, SpyHunter)
   • Perform regular full system scans
   • Monitor for suspicious processes and network activity

2. Firewall Configuration

   • Enable and properly configure firewall
   • Block unauthorized outbound connections
   • Monitor unusual network traffic patterns

3. Multi-Factor Authentication (MFA)

   • Enable 2FA on all critical accounts
   • Use authenticator apps (Google Authenticator, Authy)
   • Even if password is stolen, account remains protected

---

🔗 Resources and References

Documentation

• Python Cryptography
• Pynput Documentation

Additional Materials

• OWASP - Malware Analysis
• NIST Cybersecurity Framework
• SANS Institute - Security Resources

---

👤 Author

Phablo Loureiro Alves

• LinkedIn: https://www.linkedin.com/in/phablo-loureiro-alves/