Month: September 2012

Impressive Botnet Offering On Deep Web?

UPDATE 2012-09-05: R.V. sent me a link to this Pastebin (mirror) dated August 15th 2011 that basically states that the botnet is expected to be completed in 3.5 months (December 2011) and would be sold to 12 buyers worldwide. If sold at $8000 each, that would sum to $96000. Of course, this Pastebin could have been copied by a scammer who then put it on the deep web, (ab)using the leverage of some internet trail that makes the scam more credible. I’d love to receive more information about this. You can contact me via e-mail: koot at uva dot nl, and via Twitter: @mrkoot.

UPDATE 2012-09-03: this post caught more attention than I bargained for. Let me emphasize that the offer is IMHO probably a scam/hoax. There are a lot of vaguely used buzzwords and some claims are simply very unlikely to be true. For example, the claim that the bot is coded in assembly and has `no dependencies’ is AFAIK practically irreconcilable with the rich feature set that is claimed and that, as I interpreted it, includes some form of interoperability w/Tor and I2P. Then again, I am confident that magician-grade engineers exist that are able to create something that more or less approximates this offer. But even if the offer is a scam/hoax, it has its merits: it inspires the reader to think about behavior/features that might be observed in future malware. Which of these features are technically feasible? Which practical uses could they have? The buzzwords “GPS” and “VoIP” caught my attention. What are today’s possibilities and uses for creating malware that spreads to mobile devices and (only) runs when the device is at a certain location or, for that matter, is triggered by certain NFC/RFID communication with, say, passport/eID/driverslicense chips? Also, while I have no idea what the author meant with `VoIP logic bomb’, it *is* known that VoIP may be used as covert channel — see e.g. Covert Channels in SIP for VoIP signalling (.pdf) — and could as such be used to deliver payloads to a bot. 


====== START OF ORIGINAL BLOGPOST OF 2012-09-02 ======

The botnet offering cited below from the deep web describes many interesting technical characteristics. You need $8000 and three IP addresses you are able to use as C&C, and get a personalized copy of the bot that has a hardcoded/obfuscated max of 10k zombies. The offer has been around since July 22nd 2012, possibly earlier. If the offer is real, it sure is a feature-rich piece of crimeware. I stripped the contact name, Bitcoin # and e-mail address (I’m sure you’ll be able to find it elsewhere).

[REDACTED] botnet for sale

Run on windows clients – I need 3 C&C server IP addresses to hardcode and obfuscate 

bot coded in assembly no dependencies
Each build has maximum of 10k bots to ovoid widespread av detection.
Basic bot uses socks5.
built in ssh client
(fast-flux)
Bot is built with 30k pre generated 256 bit AES keys.
1 256 bit AES key for logs
1 256 bit AES key ssh
1 256 bit AES key socks 5
hwid it selects a pre-generated key 256 bit AES key.
Bot writes encrypted data into common file using stenography process injection
Download/Upload Socks5
Bot sends data to a collector bot via socks5 through ipv6 which makes NAT traversal a trivial matter.
Using ipv6 in ipv4 tunnel.


Collector bot assembly /tor and i2p Plug-ins C++ /Assuming 10k bots
Bots will be assigned into small groups of 25. And are assigned 400 collectors bots which is evenly 200 tor and 200 i2p.
Collector packages the encrypted logs and imports them into a .zip or rar archive and uses sftp to upload through tor to a bullet proof server Note the Ukraine is best know.

(Domain-flux .onion panel can be easily moved)
Using a Ubuntu Server on bullet proof server.  / Using tor and Privoxy. Panel can be routed through multiple cracked computers using proxychains and ssh.  / Server uses a simple .onion panel with php5 and apache2 and mysql. You might ask what happens if bullet proof server is down. The collector bots can be loaded with 5 .onion panels. If panel fails for 24 hours its removed from all Collectors and bot will go to the next one and so forth. A python Daemon runs and unzip the data and Imports it into a mysql database were it remains encrypted.

The bot master uses my Dark Umbrella.net panel to connect to the remote Bullet Proof server through a vpn and then through tor using ssh to run remote commands on server and sftp to upload and download. Running tor through a log less vpn through with a trusted exit node on the tor network. .net panel connects to mysql database database is decrypted on .NET panel (Note must real Bullet Proof hosting is not trust worthy this solves that issue) and imported into a local .mdb database. Then later the bot Master should encrypt database folder on true crypt. Commands are sent to bots individually rather then corporately like most bot nets. This allows for greater anonymity It will be possible to send commands corporately but strongly discouraged. Collector bots download and upload large files through i2p.

1.Connects remotely to rpc daemon through backconect and simplifying metasploit (Working)
2.Social network cracker. (Beta)
3.Statics. (Working)
4.Anonymity status. (Working)
5.Decrypt-er. Decryption codes in highly obfuscated.net limiting each build to 10k bots. (Working)
6.Daemon status (Working)
7.logs (Working)
8.Metasploit connects via rpc. (working)
9. GPS tracked Assets by Google maps and using net-book with a high powered external usb wifi attenas.
Starts an automatic attack if wep if wpa2 grabes handshake. If open starts basic arp spoofing attack. Common browser exploits. (alpha)
10.Teensy spread. (in development)
11.vnc back connect. (working)
12. Advanced Persistent threat. Fake Firefox, Fake Internet Explorer, Fake Chrome. Fake Windows Security Essentials. (in development allows for excellent custom Bot-master defined keyloging)
13. Dark search bot index file is downloaded allowing easy searching of hard drives. (Working)
14. voip logic bomb. bot computer is sent via a voip call file once played through voip the microphone hears mp3 file and the dormant payload is activated in bot that is the logic bomb. (Extra- Alpha)
Each Panel is hwid
1 unique build per Copy embedded into panel.

Everything is provided in English only manuals for setup: you need 3 servers for C&C and // one- BULLET proof server collector for -/ everything is working and can be setup within hours: Only serious players –  for sale $8000 -bitcoin – [REDACTED]

[REDACTED]

EOF