How to build your own botnet in less than 15 minutes
Step 1: Find a builder kit (3 minutes)
Using a combination of search terms, you can usually find a link to a version of a popular builder kit in 3 minutes or less. Our chosen kit was originally an underground – yet commercial – product based on the ZeuS code, and originally cost $600 for a hardcoded command-and-control (CnC) server and $1,800 for an unlimited builder license. But considering that you're building a botnet to steal massive amounts of sensitive data, we'll assume that you have no qualms about using a pirated copy.
Our bot has the following core components:
- A settings.txt file for configuring the CnC callback channel
- The Full_builder.exe file for compiling the bot payload
- CnC host files. This is a PHP-based website used for reporting and CnC functions
- bot-bc.exe. This process allows your malware to back-connect through the Socket Secure (SOCKS) protocol for remotely controlling compromised machines
Figure 1: The builder kit’s settings.txt file
Figure 1 shows the settings.txt file, highlighting a number of options. The "URL Masks" section lets you specify certain actions if the user of the compromised machine visits a website whose URL matches a given text string. These URLs can be anything you want. In Figure 1, the URL masks include ebay.com and OWA (Outlook Web Access, for gaining control of the target's corporate email account).
The "URL Masks" options enable any of the following when the user visits any of the sites defined in the URL Masks section:
- N: do not write data in reports
- S: take a screenshot of the page area on mouse clicks
- C: preserve all cookies associated with that site and block access to it
- B: block access to the site
The injects.txt file highlighted in Figure 1 is arguably the killer feature of the Zeus family of bots. Essentially, the "injects" capability lets you interact with any site that the compromised machine accesses. Because it works on the infected user's machine directly, the feature renders meaningless the security features of those sites, such as two-factor authentication and SSL/TLS encryption. Forget man-in-the-middle attacks: this is a "man-at-the-keyboard" attack!
Figure 2: Example use-cases of the “Injects” functionality
In Example 1, the contents of the account overview section are uploaded to the CnC server whenever the compromised host goes to a URL containing "https://www.payment-site.com/*/webscr?cmd=_login-done*". With this handy report of users' account balances, you can focus on targeting those with the most money in their accounts.
In Example 2, a "Big Bank Corp" site viewed by a compromised system would show an additional field on the password page asking for the user's "ATM PIN". Because your grafted-in field is designed in the same style as the standard page, it looks like it belongs there. Sensing nothing amiss, many computer users would not hesitate to enter this information, which is immediately sent to you, the attacker.
Those are only two examples. As a botnet owner, you could create all sorts of targeted injects files to steal new and useful information. If that's too much work, you can download ready-to-use injects definitions that serve as recipe books of sorts for specific attacks. Need to target end-users in France? Simply download the French Banks injects pack containing recipes for the purely illustrative and imaginary "La Banque Centrale" or "Crédit Français", among others.
Step 2: Build your payload (5 minutes)
Once your injects file is ready, open the easy-to-use GUI to build the executable malware file (see Figure 3).
You'll need two pieces of information to build the malware:
- The URL of your settings.txt file (you'll store the file on your CnC server so you can change it at will)
- A symmetric encryption key to embed in the payload, so that it can communicate securely with your CnC server. This key can be any string of characters
Figure 3: The builder GUI for compiling the malware payload
After you have compiled the malware, you'll run your executable through a file compressor or obfuscator, also known as a packer or a crypter. Originally designed to reduce the file size of an executable, these packers have the added benefit of disguising files when they are scanned by anti-virus software. For this example, I used three popular compressors, which I'll call packers "A" to "C".
To see whether the compressed files are sufficiently camouflaged, you'll submit them to VirusTotal, a free site that scans uploaded files with a number of anti-virus engines. (Note: if you were a real cybercriminal, you'd probably choose a different virus-scanning site such as Scan4You, Chk4Me, or ElementScanner. VirusTotal shares its scanning results with anyone, including IT security companies, which could.
That's all on how to build your own botnet in less than 15 minutes.