Bot Masters have a lot to fear now a days: 'The Feds', White/Grey Hats, Anti Virus Firms, and other Bot Masters, so adding protection to a Bot is now common place.
Here is a list of common security measures in use:
Sandbox Detection:
Anti: Sandboxie, Norman, Anubis, ThreatExpert, VMWare, Virtual PC.
Debugger detection: Ollydbg, SoftICE, Process Explorer, RegMon, FileMon.
Encryption:
SSL Encrypted connection to the C&C, BlowFish encrypted input/output of commands, BlowFish/XOR encrypted settings within the file.
Custom Crypters/Packers:
Scan/Runtime 'FUD', RC4/AES/Blowfish encrypted executable & settings, RunPE Injection, Process Injection to bypass Firewalls/HIPs, SDT Restore, API Un/Hooking.
Custom C&Cs:
IRC: There are a few custom IRCd's released, most of which have limited commands so only the Bot Master can communicate to the Zombies.
HTTP: Easy to setup, admin PHP interface, harder to detect due to blending into normal network traffic.
P2P: Hard to take down, no 'complete' public code available, can use existing P2P networks to there advantage eg Gnutella.
Some C&Cs have built in defense mechanisms such as auto banning and DDoS when they detect intruders.
Anti Malware:
Some Bots will seek out and destroy other Malware which have infected a Victim PC. Some Bots also hijack other Malware infections by what is called 'WormRide'. Basilically what WormRide does is hijack the transfer of Malware from a Zombie to a Victim and send itself inplace.
Anti Anti-Virus/Protection:
Disabling of AV products, unhooking of protected APIs, blocking updates by modifying the 'Host' file and also blocking/poisoning DNS, disabling Vistas UAC, disabling Windows Updates, modifying IE security levels, modifying local group policy, adjusting user/application rights.
Most of the above is publically available to Malware authors and its often just a case of 'copying and pasting' into a piece of Malware.
Wednesday, 3 September 2008
Friday, 11 July 2008
Important Dates in Bot History:
GT Bot - 199x - Author: Lance? - Note: The first mIRC based Bot?
GT Bot Sev2- 199x - Author: Lance? - Note: The first mass spreading bot via NetBios Passwords.
TKBot - 199x - Author: Thr34t-Krew - Note: IIS4 Unicode spreading Bot.
Kaiten - 2001? - Author: Contem - Note: The first *nix Bot?
SDBot - 2002 - Author: [sd] - Note: The 'mother' of all IRC Bots, and the base for most today.
D3ADLiN3.8k.com - 14/05/2003 - Author: Me! - Note: Date my first Bot website started! Oldest Bot related website on the Web which is still up and running!
SDBot with Syn Flood - 200x - Author: [sd] & Tesla - Note: First public Bot with SYN flood.
SpyBot - 200x - Author: Mike - Note: First public advanced mod of SDBot.
rBot - 200x- Author: Nils - Note: First public NTPass C++ Bot based on SDBot.
MSBlaster - 200x Author: ? - Note: Not strictly a Bot but it changed the Internet for ever.
rxBot - 200x - Author: Nils/RacerX - Note: More advanced version of rBot, first in the series of RAT type bots.
AgoBot - 200x - Author: Ago - Note:
PhatBot - 200x - Author: Ago/Phatty - Note:
WonkBot - 200x - Author: Ago/Phatty/Wonk Note:
Storm Worm - 2008? - Author: ? - Note:
Hydra - 2008 - Author: Ahmed Ramzy? - Note: Infects DLink Routers; First Bot to infect physical devices.
Conficker - 2009 - Author: ? - Note: Biggest recorded BotNet, estimated 8.9 million (ref).
I'll update this as I get more info.
GT Bot Sev2- 199x - Author: Lance? - Note: The first mass spreading bot via NetBios Passwords.
TKBot - 199x - Author: Thr34t-Krew - Note: IIS4 Unicode spreading Bot.
Kaiten - 2001? - Author: Contem - Note: The first *nix Bot?
SDBot - 2002 - Author: [sd] - Note: The 'mother' of all IRC Bots, and the base for most today.
D3ADLiN3.8k.com - 14/05/2003 - Author: Me! - Note: Date my first Bot website started! Oldest Bot related website on the Web which is still up and running!
SDBot with Syn Flood - 200x - Author: [sd] & Tesla - Note: First public Bot with SYN flood.
SpyBot - 200x - Author: Mike - Note: First public advanced mod of SDBot.
rBot - 200x- Author: Nils - Note: First public NTPass C++ Bot based on SDBot.
MSBlaster - 200x Author: ? - Note: Not strictly a Bot but it changed the Internet for ever.
rxBot - 200x - Author: Nils/RacerX - Note: More advanced version of rBot, first in the series of RAT type bots.
AgoBot - 200x - Author: Ago - Note:
PhatBot - 200x - Author: Ago/Phatty - Note:
WonkBot - 200x - Author: Ago/Phatty/Wonk Note:
Storm Worm - 2008? - Author: ? - Note:
Hydra - 2008 - Author: Ahmed Ramzy? - Note: Infects DLink Routers; First Bot to infect physical devices.
Conficker - 2009 - Author: ? - Note: Biggest recorded BotNet, estimated 8.9 million (ref).
I'll update this as I get more info.
D3ADLiN3
So who am I? Well im D3ADLiN3, im in my twenties and from the UK.
I started hacking when I was about 10 I guess, playing with RATs such as NetBus, Sub7, and Bo2K. I think my first experience with bots was mIRC based Bots.
People ask me "Do you still use/have bots?"
My Answer: No. Ive got to much to loose now, its not worth the risk.
The 'Bot Scene' has changed a lot since I first started. When I started it was all fun, knocking each other offline, flooding Dalnet with clones and having a laugh, now its all about fraud, phishing, and blackmail. sKids now'a days...
I started hacking when I was about 10 I guess, playing with RATs such as NetBus, Sub7, and Bo2K. I think my first experience with bots was mIRC based Bots.
People ask me "Do you still use/have bots?"
My Answer: No. Ive got to much to loose now, its not worth the risk.
The 'Bot Scene' has changed a lot since I first started. When I started it was all fun, knocking each other offline, flooding Dalnet with clones and having a laugh, now its all about fraud, phishing, and blackmail. sKids now'a days...
Subscribe to:
Posts (Atom)
