Friday, August 28, 2009

Development of Open Source crimeware to control and manage botnets

The development of web applications for controlling and managing botnets over the HTTP protocol has reached an advanced level in the underground community of Eastern Europe, particularly Russia, where cyber criminals constantly flood the clandestine market with crimeware packages such as Eleonore, ZeuS, ElFiesta, Adrenaline and many others.

However, this already-established business model is expanding into other territories, where the ambition of cyber-crooks is mirrored in a trend that is hard to stop but follows a different philosophy: open source crimeware. That is, the development of open source software designed to be used for criminal purposes via the Internet.

In this case, it is a family of crimeware designed for the control and administration of zombie networks.

This is a series of projects that seek, as the author (nickname "cross") makes clear, to show that developing botnets in Perl is possible. Under the slogan "x1Machine Remote Administration System", two projects aimed at botnet manipulation, called Hybrid and TRiAD, are made available to organized cyber crime.

Hybrid Project
"Hybrid" is the most ambitious of the two. It is written in Perl, runs only on GNU/Linux platforms and, as is common in most current crimeware, manages botnets over HTTP. While the author states that it was not designed for malicious purposes, the legend on the version 1 interface (image shown below) reads "Botnet Control System", which is contradictory.

Configuration is done through a small panel accessed via the file HyGen.pl.

Version 2 (screenshot) keeps the same features as its predecessor. For the moment it is in a "Proof of Concept" (PoC) state. However, any cyber-crook could modify it to make it fully functional and add more components for abusing the zombies.

An interesting detail is that its interface is based on BlackEnergy, one of the first HTTP-based botnet administration kits designed to perform DDoS (Distributed Denial of Service) attacks.

TRiAD Project
This crimeware has already been discussed. It is a side project whose first version (screenshot) is designed, like the Hybrid project, to operate in a GNU/Linux environment.

The first version appeared in early 2009, and there are now three versions, each incorporating some more features. It is written in C and can carry out three harmful activities: Distributed Denial of Service (DDoS) attacks, Bindshell (running a shell and opening ports) and ReverseShell (the zombie connects back to announce itself).

TRiAD HTTP Control System v2 is the second version of the project, which evolved into multiplatform crimeware that can be deployed on Windows and GNU/Linux.

In addition to the features present in version 1, this version adds new ones: removal of the bot, and remote shutdown and restart of the computer. The following screenshot shows the download page.

Like the second version, TRiAD HTTP Control System v3 is written in C, compiled with GCC and runs under Windows and GNU/Linux. Its features are:

In GNU/Linux:
  • Syn Flood with source IP spoofing: [SynStorm]-[Host]-[Port]-[Nr of Packets]-[Delay]
  • Small HTTP Server: [HTTP Server]-[Port]-[Time(minutes)]
  • Bind Shell: [Bind Shell]-[Port]-[Allowed IP Address]

While the version for the Windows platform offers:
  • UDP Flood: [UdpStorm]-[Target IP]-[Target Port]-[Nr of Packets]-[Delay]
  • Small Proxy Server: [Proxy Server]-[Port]-[Time(minutes)]
  • Reverse Shell: [Reverse Shell]-[Host]-[Port]

Regardless of the platform, both have in common the ability to:
  • Sleep
  • Reboot remote machine
  • Shutdown remote machine
  • Delete bot from remote machine

Clearly, several aspects aggravate this situation and make this type of "initiative" an ideal source both for script kiddies aspiring to become cyber-criminals, because the code is free, and for professional developers, who can tailor the code to add functionality adapted to the needs of each buyer (usually botmasters) depending on the platform they want to exploit.

Related information
TRiAD Botnet III. Remote administration of multi... zombies
TRiAD Botnet II. Remote administration of multi... zombies
TRiAD Botnet. Remote administration of zombies on Linux

# Jorge Mieres
