A Botnet Master's To-Do List

Directory climbing it all of its simplicity, and OSINT quality, just like it’s happened before.

The process of developing malware bots that would either succeed based on the diversification of the spreading and infection vectors used, or end up as a backdoor-ed commodity for experienced botnet masters to sent to novice ones, is entirely up to the coder, or perhaps module copy and paster. Some are going as far as implementing quality assurance approaches to ensure their malware has the lowest possible detection rate, before spreading it, on the anti malware and firewall level, while others are benchmarking and setting strategic objectives to achieve before starting the process itself.

However, there are also wannabe botnet masters whose lack of understanding of the different between project management and “to-do list organization”, and of course, setting their directory permissions right, leads us to a a first-hand malware bot’s to-do list courtesy of the coder itself. Here’s the to-do list itself, with all the static and variable features :

Spreading the malware
– NetAPI spreading
– VNC spreading
– MSN spreading
– ICQ spreading
– Email spreading
– Seeding via torrent (warez)
– Downloading (ftp & http)

DDoS features
– general ddos attacks (udp&tcp)
– tsunami ddos (push +ack flood)

Scanning features
– latest vulnerabilities scan
– exploits scann for homepages (php/perl/cgi scripts (not a priority)

Sniffers and interceptors
– bank sniffer & readers
– paypal
– boa
– egold
– nationwide
– usw.
– game reader
– steam

Misc features
– encrypted config
– better clonning function (with timer based join (no massjoin)) + fixed channel messages
– noise at network sniffer (e.g.: honeypot (tool either shutdown and/or blocked))
– invisible to task manager
– more configuration settings
– melt exe on startup (true/false)
– startup (error) message editable (e.g.: (you need windows vista to run this programm) or (successfully installed))
– undetected source code

And while this wannabe botnet master is trying to achieve self-sufficiency, thereby slowing down the development process, others are not so close minded and are actively building communities around their malware botnets by releasing the source code for free, enjoying the innovation added by third party coders wanting to contribute to the community, where the bottom line is the inevitable localization of the bot to other languages once enough features have been developed to distinguish it among the rest of the commodity malware bots.

From a wannabe botnet master’s perspective, the more propagation vectors added, the higher the probability for infection, however, the probability for infection is also proportional with the probability for detection on behalf of researcher’s and vendors honeyfarms. And therefore, would less noise would mean slow infection rate, but higher lifecycle due to the less noise generated? The Stormy Wormy people for instance entirely relied on perhaps the most noise generation method – email distribution with malware hosted on IPs, however, their persistence and strategy to put more efforts into ensuring that no matter samples get obtained in the first couple of minutes a campaign is launched, the botnet itself should be harder to shut down.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *