What is a Botnet (Seriously ??) ?

Simply put , botnet is a network of computers , usually malware affected and remotely controlled by a C2C a.k.a Command and Control server. Whoever controls the server can do whatever with the bots they control.

Just to give an insight of the commands¹ , bots like Zeus can execute on the victim are :

1. Reboot – Reboot the computer
2. Kos – Delete system files, killing the computer
3. Shutdown – Shutdown the computer
4. Block_url – Disable access to a particular URL
5. Unblock_url – Restore access to a particular URL
6. Block_fake – Do not inject rogue HTML into pages matching a defined URL  
7. Unlock_url – Re-enable injection of rogue HTML to pages matching defined URL
8. Rexec – Download and execute a file
9. Lexec – Execute a local file
10. Lexeci – Execute a local file using the interactive user
11. Addsf – Adds a file mask for local search
12. Delsf – Removes file mask for local search
13. Getfile – Upload a file or folder
14. Getcerts – Steal digital certificates
15. Resetgrab – Steal information from the PSTORE (protected storage) and cookies
16. Upcfg – Update configuration file
17. Rename_bot – Rename bot executable
18. **Bc_del ** – Delete a back door connection
19. Bc_add – Initiate back door by back-connecting to a server and allow     arbitrary command execution via the command shell

P.S. : Source code of Zeus has been leaked and available to download and modify.

Mechanism

The botnet works in quite a simple fashion. You download a software (malicious) from some 3rd party website , assuming it to be a cracked version of the paid game or software , you are dying to use. As soon you click the executable the malware starts its work and connects back to it’s C2C server and registers you as the new bot with a unique id.

After the server uniquely identifies the bot , the bot starts a stream of data , so as to say . And all your data ( such as banking details or photos on local hard drive or blueprints of a project , anything and everything), credentials belong to the bot owner.

The bot may also spread like , the one in image 'SPYEYE', used one of the publicly available exploits , Microsoft RDP exploit . However there can be many other mechanisms like cracked softwares/games , torrents, Hacking software etc.

Persistence : What is a bot if it isn’t persistent over multiple restarts.The following list of registry keys are accessed during system start in order of their use by the different windows components:²

1)  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
2)  HKLM\System\CurrentControlSet\Services  (start value of 0 indicates kernel drivers, which load before kernel initiation)
3)  HKLM\System\CurrentControlSet\Services (start value of 2, auto-start and 3, manual start via SCM)
4)  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
5)  HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
6)  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
7)  HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
8)  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
9)  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
10) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
11) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
12) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
13) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
14) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
15) HKLM\Software\Microsoft\Windows\CurrentVersion\Run
16) HKCU\Software\Microsoft\Windows\CurrentVersion\Run
17) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
18) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
19) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
20) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
21) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
22) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (XP, NT, W2k only)
23) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

The software path mentioned in these keys are run during startup.So there is ample space for the malware to slip into one of these and remain persistent. You can check out the currently configured autorun softwares using 'Autoruns' a windows sysinternals tool.

What next : The bot owner owns your virtual life as long as the PC in context is used.

They can use your PC for malicious activities , such as DDoS and thus implicating you. Also your PC can be used for hosting content which even you won’t be aware of. It can also be used as a proxy server.

What it takes ...

Actually dedication , if not money ( Yes you can buy your own botnet ).

The going rate as mentioned here is :

Tech stack of a botnet

• BulletProof Server, a really secure server. Most certainly purchased through Bitcoins.
• If you can code then your own, malware, like mine else there are many malware samples available to download and create a botnet.

But wait weren’t we talking of making our own botnet…

So what if I don’t have bitcoins and so no bulletproof hosting, am I doomed ?

Actually this is the category in which most of us belong and since you are reading this with the sole intention of creating the next greatest botnet (or even if you aren’t ) I won’t disappoint you.

The malware I wrote will come to your rescue . Even though it is naive  but it was written with the sole purpose of experimenting with the idea of free web hosting servers to be used as C2C server.

How to setup the python malware :

The Github Link .

Features :

• 2 Way interaction without public IP ( without public IP ) : Upto some extent using the rtc.php file as mediator ( ToDo : Implement database for commands specific to a particular bot )
• Can work on any free webhosting service provider, (check the list )**
• PHP script can automatically create folders based on the unique botId created and sent by the bot
• Persistent ( otherwise what use it is as bot )

• Send identification details such as :

  • MAC address
  • Locale ( such as en-IN or en-US )
  • Public IP
  • Platform (x86 or x86_64)
  • Architecture
  • Node Name in the network

• Multi threaded Implementation for :

  • Sending the loot
  • Keylogger ( so that we don't miss that important key )
  • Receiving Command
• Sends MD5 hash of the file , before uploading the original file so as to check for any bad upload
• Retries until the file is uploaded ( which is checked using the checksum sent earlier )
• Screenshots : Takes screenshots based on the URL of the webpage ( this needs to be polished )
• Search command on the Bot side to search for the files
• CMD commands can be executed by the bot

The main file is the Client.py, which needs to be compiled and run on the victim machine, it has been tested on my PC and works out to be fine.

Disclaimer

Any actions and or activities related to the material contained within this website is solely your responsibility.The misuse of the information in this website can result in criminal charges brought against the persons in question. The author will not be held responsible in the event any criminal charges be brought against any individuals misusing the information on this website to break the law.

This site may contain links to materials that can be potentially damaging or dangerous.