A forum for reverse engineering, OS internals and malware analysis 

 #29240  by Tula33923
 Mon Sep 19, 2016 2:25 am
Most malware usually locks files (ransomware) or tends to spy on or steal a user's browser info/passwords (like RATs). However, most of the big ones are usually written in C++. I know C++ is popular, but it's really hard to master and write code in, while something like Python is much simpler, easier, and more portable without changing the code much.

So how come malware is mostly written in C++ instead of something like Python? (I've heard Python is slower since it includes all the libraries and such, but is the speed really that big of a difference?)
 #29242  by EP_X0FF
 Mon Sep 19, 2016 5:35 am
Java malware already exists, as does a huge number of C# MSIL malware, Visual Basic malware, and cross-platform malware written in Rust.

Python is not a mainstream language and not widely known. There is no ready-to-use code for malicious purposes compared to the gigabytes of ready-to-copy-paste solutions available for C/C++/Assembler, and malware does not need to be cross-platform compatible. It doesn't even need to be fully working lol. Quality of code also doesn't matter. Python gives ZERO opportunity to malware authors and only problems - new obfuscators, delivery infrastructure changes etc. For what reason should they use it? TL;DR: because Python is outside of the Windows (and thus malware) ecosystem, which is dominated by C/C++/Assembler. Nobody is writing malware in Pascal dialects (except a few ransomwares), while cross-platform compilers and IDEs exist. However, Python can still be used, but it will be a truly exotic appearance like this https://www.bluecoat.com/security-blog/ ... ed-attacks
 #29244  by Tula33923
 Mon Sep 19, 2016 5:59 pm
EP_X0FF wrote:Python is not a mainstream language and not widely known.
Really? I feel like most guides or projects I see in /r/netsec are written in Python, and the big companies (e.g. Google) also seem to use it a lot.
EP_X0FF wrote:There is no ready-to-use code for malicious purposes compared to the gigabytes of ready-to-copy-paste solutions available for C/C++/Assembler, and malware does not need to be cross-platform compatible.
So the only reason why there's no Python malware is because there's no already-made malware that people can just copy and paste?
EP_X0FF wrote:Python gives ZERO opportunity to malware authors and only problems - new obfuscators, delivery infrastructure changes etc.
Hmm, this I don't understand. If you can make malware in Python (it doesn't have to be a RAT, let's say ransomware), how is there zero opportunity?

EDIT: I ask why malware is not written in Python because there's very little Python malware to analyze, and trying to analyze malware in another language is a little harder.
 #29245  by Vrtule
 Mon Sep 19, 2016 7:36 pm
If we presume that most of the malware targets Windows platforms, another problem arises: most of the (home) users do not have Python installed, so the malware also has to install the interpreter first.
 #29247  by Tula33923
 Mon Sep 19, 2016 11:51 pm
Vrtule wrote:If we presume that most of the malware targets Windows platforms, another problem arises: most of the (home) users do not have Python installed, so the malware also has to install the interpreter first.
I'm assuming most malware uses something like PyInstaller, where everything is built in and they don't need the entire Python package. If not, why do malware writers need to install the entire Python package and not just use something like PyInstaller, which already determines which libraries are needed?
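Since the thread brings up PyInstaller bundling, here is an added example (not code from the thread or from PyInstaller itself) showing what an analyst actually sees in such a binary: PyInstaller appends a "CArchive" to its native bootloader, terminated by a cookie that begins with the magic bytes `MEI\x0c\x0b\x0a\x0b\x0e` and records the archive length, the table-of-contents position, and the Python version. The script below builds a constructed stand-in for a one-file build (the fake bootloader, entry names and payloads are all made up for the demonstration), locates the cookie, walks the TOC, and pulls out the bundled entry script, which is the usual first step before decompiling the .pyc.

```python
import struct
import zlib

# The archive PyInstaller appends to its bootloader ends with a cookie that
# starts with this 8-byte magic value (the "MEI" cookie).
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT_21 = "!8sIIii64s"  # PyInstaller 2.1+: magic, pkg len, toc off, toc len, pyvers, python lib name (88 bytes)
COOKIE_FMT_20 = "!8sIIii"     # PyInstaller 2.0: same without the lib name (24 bytes)
TOC_ENTRY_HDR = "!iIIIBc"     # entry len, data offset, compressed size, uncompressed size, compress flag, type
TOC_ENTRY_HDR_LEN = struct.calcsize(TOC_ENTRY_HDR)  # 18 bytes, followed by the NUL-padded name

# Subset of TOC type codes an analyst cares about most
TOC_TYPES = {"s": "python script (entry point)", "z": "PYZ archive", "b": "binary", "x": "data", "o": "runtime option"}


def build_sample_binary(pyvers=308, pylib=b"python38.dll"):
    """Constructed stand-in for a PyInstaller one-file build (sample data, not a real program)."""
    script = b"import os\nprint('hello from a bundled script')\n"
    entries = [("entry_script", script, True, b"s"), ("readme.txt", b"some bundled data", False, b"x")]
    body, toc = b"", b""
    for name, payload, compress, typ in entries:
        blob = zlib.compress(payload) if compress else payload
        name_b = name.encode() + b"\x00"
        name_b += b"\x00" * (-(TOC_ENTRY_HDR_LEN + len(name_b)) % 16)  # entries are padded to 16 bytes
        entry_len = TOC_ENTRY_HDR_LEN + len(name_b)
        toc += struct.pack(TOC_ENTRY_HDR, entry_len, len(body), len(blob), len(payload), int(compress), typ) + name_b
        body += blob
    pkg_len = len(body) + len(toc) + struct.calcsize(COOKIE_FMT_21)
    cookie = struct.pack(COOKIE_FMT_21, MAGIC, pkg_len, len(body), len(toc), pyvers, pylib.ljust(64, b"\x00"))
    # Fake bootloader. The real bootloader also contains MAGIC in its own code,
    # which is why the parser searches backwards from the end of the file.
    bootloader = b"MZ" + b"\x90" * 64 + MAGIC + b"\x00" * 64
    return bootloader + body + toc + cookie


def parse_toc(data, toc_pos, toc_len):
    """Walk the table of contents and return one dict per bundled entry."""
    entries, pos, end = [], toc_pos, toc_pos + toc_len
    while pos + TOC_ENTRY_HDR_LEN <= end:
        entry_len, off, csize, usize, cflag, typ = struct.unpack(TOC_ENTRY_HDR, data[pos:pos + TOC_ENTRY_HDR_LEN])
        if entry_len < TOC_ENTRY_HDR_LEN:
            break  # corrupt or truncated entry; stop instead of looping forever
        name = data[pos + TOC_ENTRY_HDR_LEN:pos + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        code = typ.decode("ascii", "replace")
        entries.append({"name": name, "offset": off, "compressed_size": csize, "size": usize,
                        "compressed": bool(cflag), "type": code, "type_desc": TOC_TYPES.get(code, "unknown")})
        pos += entry_len
    return entries


def parse_pyinstaller_archive(data):
    """Return archive metadata and TOC if `data` carries a PyInstaller CArchive, else None."""
    pos = data.rfind(MAGIC)  # last occurrence: the cookie sits at the end of the archive
    if pos == -1:
        return None
    tail = data[pos:]
    if len(tail) >= 88 and b"python" in tail[24:88].lower():  # 2.1+ cookie carries the lib name
        _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(COOKIE_FMT_21, tail[:88])
        cookie_len, pylib = 88, pylib.rstrip(b"\x00").decode("ascii", "replace")
    elif len(tail) >= 24:
        _, pkg_len, toc_off, toc_len, pyvers = struct.unpack(COOKIE_FMT_20, tail[:24])
        cookie_len, pylib = 24, ""
    else:
        return None
    archive_start = pos + cookie_len - pkg_len
    if archive_start < 0 or archive_start + toc_off + toc_len > len(data):
        return None  # cookie found but the offsets do not fit the file: treat as not an archive
    # pyvers is encoded as e.g. 36 in old builds and 308 (= 3.8) in newer ones
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {"archive_start": archive_start, "archive_len": pkg_len, "python_version": (major, minor),
            "python_lib": pylib, "toc": parse_toc(data, archive_start + toc_off, toc_len)}


def extract_entry(data, info, entry):
    """Return the raw bytes of one TOC entry, inflating it if it was stored compressed."""
    start = info["archive_start"] + entry["offset"]
    blob = data[start:start + entry["compressed_size"]]
    return zlib.decompress(blob) if entry["compressed"] else blob


if __name__ == "__main__":
    sample = build_sample_binary()
    info = parse_pyinstaller_archive(sample)
    print("python %d.%d, lib %s, archive at offset %d" % (*info["python_version"], info["python_lib"], info["archive_start"]))
    for e in info["toc"]:
        print("  %-14s %-28s %6d bytes%s" % (e["name"], e["type_desc"], e["size"], " (zlib)" if e["compressed"] else ""))
    print(extract_entry(sample, info, info["toc"][0]).decode())
```

On a real sample the same functions are run over the bytes of the suspect executable; the `s` entries are the author's own scripts and the `z` entry is the PYZ archive of compiled modules, so listing the TOC immediately tells you whether the binary is a bundled Python program and where to look next.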
 #29249  by EP_X0FF
 Tue Sep 20, 2016 6:25 am

Tula33923 wrote:Really? I feel like most guides or projects I see in /r/netsec are written in Python, and the big companies (e.g. Google) also seem to use it a lot.
The problem with all these internet security experts and communities - they live in their own out-of-reality world, playing with toys.
Tula33923 wrote:So the only reason why there's no Python malware is because there's no already-made malware that people can just copy and paste?
It is one of the reasons. Why should I use Python/Brainfuck if I have huge codebase/docs/examples for C#?
Tula33923 wrote:Hmm, this I don't understand. If you can make malware in Python (it doesn't have to be a RAT, let's say ransomware), how is there zero opportunity?
What kind of opportunity is this language giving? Languages like C#/VB are very popular in the script-kiddie area (hackforums and clones) just because they are really simple for beginners. A beginner here is a typical kid 13-18 years old, stupid/smart enough to write "ransomware". With these languages you don't need to think - everything is done for you by the language/components/classes; you only need to put -> or . and select what you want. A few years ago one of the C# opportunities was also the total AV inability to parse MSIL binaries. That's why C# was used in various obfuscators. AutoIt is simple too - it is used by malware, again stupid ransomware, and as an obfuscator. What can Python give there? Py2Exe as an obfuscator again.
Tula33923 wrote:I ask why malware is not written in Python because there's very little Python malware to analyze, and trying to analyze malware in another language is a little harder.
I don't know what is so hard in this. About a year ago a bunch of Cisco "virus analysts" spent a few months reversing the Borland Delphi Visual Component Library thinking they were reversing the obfuscation of a super-puper APT (yeah, just a Delphi form with randomly placed VCL controls). So in 2016 learning basic knowledge about file formats/C/C++ is an incredibly hard task. I'm not even highlighting x86 assembler here, since most of the "virus analysts" don't know it. Probably this is the reason why every malware (which is used in a targeted attack) is now called APT.

For mass-production malware, loader file size is vital: the user is stuck at the exploit page while the payload is downloading to the machine, so there can't be megabytes of dead code. The initial malware dropper must be small enough. Not 3-5-7 megabytes. And again, why should Python be used and not, for example, a JavaScript loader, which works on Windows by design?
 #29251  by TETYYSs
 Tue Sep 20, 2016 1:13 pm
EP_X0FF wrote:About a year ago a bunch of Cisco "virus analysts" spent a few months reversing the Borland Delphi Visual Component Library thinking they were reversing the obfuscation of a super-puper APT
oh my god is this true?
 #29252  by EP_X0FF
 Tue Sep 20, 2016 2:48 pm
TETYYSs wrote:
EP_X0FF wrote:About a year ago a bunch of Cisco "virus analysts" spent a few months reversing the Borland Delphi Visual Component Library thinking they were reversing the obfuscation of a super-puper APT
oh my god is this true?
http://www.kernelmode.info/forum/viewto ... =16&t=3838
 #29253  by Tula33923
 Tue Sep 20, 2016 6:11 pm
So what I am understanding is that the reason why there is not much Python malware is because people have not made any, which means no one has code to just copy and paste? Is most of this malware (even the darker, hidden ones found on Russian forums, not like HF) the same case? I can understand why HF malware may all look the same, since many people have already copied and pasted each other.
EP_X0FF wrote:And again, why should Python be used and not, for example, a JavaScript loader, which works on Windows by design?
JavaScript loaders only download the malware via whatever exploit, but JavaScript is not the main malware programming language.
 #29254  by Brock
 Wed Sep 21, 2016 4:08 am
Malware is much more "deployable" without additional run-time requirements, VMMs, interpreters etc. Native code compilation is most desirable, and it's why C/C++ and asm are most common, at least on a Windows platform, especially since code is copy-and-go online. Delphi/Pascal as well, since it compiles to native code and can support both x86 and x64 Windows OS, with support for inline asm built in.