Title: New botnet
By: a guest on Aug 15th 2011
Source: http://pastebin.com/6KfKMj2T (retrieved 2012-09-05)
--- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---- 8< ---

Working on a similar project.

Dark Umbrella: fast-flux/domain-flux hybrid approach (in development, about 3-5 months left).

Bot coded in assembly, no dependencies. Each build has a maximum of 10k bots to avoid widespread AV detection. Basic bot uses SOCKS5. Built-in SSH client (fast-flux).

Bot is built with 30k pre-generated 256-bit AES keys:
1 256-bit AES key for logs
1 256-bit AES key for SSH
1 256-bit AES key for SOCKS5
By HWID it selects a pre-generated 256-bit AES key.

Bot writes encrypted data into a common file using steganography. Process injection. Download/upload. SOCKS5.

Bot sends data to a collector bot via SOCKS5 through IPv6, which makes NAT traversal a trivial matter, using an IPv6-in-IPv4 tunnel.

Collector bot: assembly, Tor and I2P. Plug-ins: C++.

Assuming 10k bots, bots will be assigned into small groups of 25 and are assigned 400 collector bots, which is evenly 200 Tor and 200 I2P. The collector packages the encrypted logs, imports them into a .zip or .rar archive and uses SFTP to upload through Tor to a bulletproof server. Note: Ukraine is best known; Russia is no good. (Domain-flux: the .onion panel can be easily moved.)

Using an Ubuntu server on the bulletproof server, using Tor and Privoxy. The panel can be routed through multiple cracked computers using proxychains and SSH. The server uses a simple .onion panel with PHP5, Apache2 and MySQL.

You might ask what happens if the bulletproof server is down. The collector bots can be loaded with 5 .onion panels. If a panel fails for 24 hours it is removed from all collectors and the bot will go to the next one, and so forth. A Python daemon runs, unzips the data and imports it into a MySQL database, where it remains encrypted.

The bot master uses my Dark Umbrella .NET panel to connect to the remote bulletproof server through a VPN and then through Tor, using SSH to run remote commands on the server and SFTP to upload and download. Running Tor through a logless VPN with a trusted exit node on the Tor network. The .NET panel connects to the MySQL database; the database is decrypted on the .NET panel (note: most real bulletproof hosting is not trustworthy; this solves that issue) and imported into a local .mdb database. Then later the bot master should encrypt the database folder with TrueCrypt.

Commands are sent to bots individually rather than corporately like most botnets. This allows for greater anonymity. It will be possible to send commands corporately, but it is strongly discouraged. Collector bots download and upload large files through I2P.

1. Connects remotely to the RPC daemon through backconnect, simplifying Metasploit. (Working)
2. Social network cracker. (In development)
3. Statistics. (Working)
4. Anonymity status. (Working)
5. Decrypter. Decryption codes in highly obfuscated .NET, limiting each build to 10k bots. (Working)
6. Daemon status. (Working)
7. Logs. (Working)
8. Metasploit connects via RPC. (Working)
9. GPS-tracked assets on Google Maps, using a netbook with high-powered external USB wifi antennas. Starts an automatic attack if WEP; if WPA2, grabs the handshake. If open, starts a basic ARP spoofing attack. Common browser exploits. (In development)
10. Teensy spread. (In development)
11. VNC back connect. (Working)
12. Advanced persistent threat. Fake Firefox, fake Internet Explorer, fake Chrome, fake Windows Security Essentials. (In development; allows for excellent custom bot-master-defined keylogging)
13. Dark search: the bot index file is downloaded, allowing easy searching of hard drives. (Working)
14. VoIP logic bomb. The bot computer is sent a file via a VoIP call; once played through VoIP, the microphone hears the mp3 file and the dormant payload in the bot is activated; that is the logic bomb. (In development)

Bot plug-ins developed later. Each panel is HWID; 1 unique build per copy, embedded into the panel. Estimated cost 10k per copy; my goal is to sell 12 copies worldwide.