IMPRESSIVE Botnet Guide


Botnet

A botnet is a network of computing devices infected with malware. The term is a
blend of the English words "robot" and "network".

In this context, a bot is a device (computer, smartphone) controlled by a hidden
program that receives commands from its operator over the Internet. Botnets are
used for DDoS attacks, brute-force password guessing, mining bitcoin or other
cryptocurrencies, and spreading spam. IoT devices can also be bots: the well-known
Mirai botnet, for example, is made up of them.

Because an infected device executes any instruction the attacker sends, it is often
called a zombie machine, and a botnet, accordingly, a zombie network. Malware can
get in when the user is not vigilant: cybercriminals disguise it as useful
software. A bot agent can also install itself by exploiting a vulnerability in some
piece of software, or by brute-forcing the passwords of shared network resources.
In rare cases it is installed by someone who has been left with open access to the
computer.

Bot malware runs independently on the device and protects itself from removal. The
protection relies on unconventional startup methods, replacement of system files,
and rebooting the machine when its autostart registry keys are accessed. Agents
mimic system processes and may use two processes that restart each other.

A botnet commands huge computing resources and brings tangible profit to
cybercriminals. An attacker can anonymously control infected devices from anywhere
in the world.

Botnet classification

Botnets are classified by architecture and network protocol.

From an architectural point of view, one can distinguish botnets with a control
center from decentralized ones. In the first case, all the computers are grouped
around a single control center (Command & Control, C&C). This is the most common
variety. The center waits for responses from the bots, records them, and
distributes the instructions specified by the owner. Sometimes an attacker creates
several centers in case some are disabled or blocked. Zombie networks of this type
are easy to create and manage and react more quickly to commands, but they are also
somewhat easier to fight than other kinds of botnet: it is enough to take down the
command center and the network collapses. However, the task can become more
complicated when the centers migrate or the traffic is encrypted.

Decentralized malicious networks are also called P2P botnets, from "peer-to-peer",
meaning a direct connection between nodes. In such systems, bot agents do not
connect to a control center but to a certain number of other infected computers.
Having received a command, the malware passes it on to the next machine, and in
this way instructions propagate throughout the zombie network. Thus a cybercriminal
can control all infected computers through any node of the botnet. A network of
this type is less convenient to operate, but because it has no center it is also
harder to take down.

The classification of zombie networks by protocol is based on how the machine
issuing commands interacts with the victims' computers. This interaction is built
on network protocols that determine the order of communication between nodes. On
this basis, botnets are divided into four groups.

The first group consists of IRC-oriented zombie networks: each infected device
connects to an IRC server, joins a specified channel and waits for the owner's
command. The second group is made up of networks that use IM channels; the need to
create a separate account for each node limits the popularity of such botnets. The
third group is web-oriented botnets, in which computers are controlled through the
World Wide Web. They are easy to develop, there are many web servers on the
Internet, and they are very easy to manage; for these reasons such malicious
networks are in demand. The fourth group comprises other systems with their own
non-standard protocols.

Object of influence

The targets of botnets are government agencies, commercial companies and ordinary
Internet users. Cybercriminals use bots to achieve goals of varying nature and
scale. For example, the simplest, most popular and most profitable use of botnets
is spamming. The owner of a zombie network does not always do this himself: often
spammers rent a botnet.

Botnets are also used to carry out DDoS attacks. The attacked server cannot cope
with the flood of requests from infected computers and stops; users can no longer
access it. To restore the operation of the web resource, the attackers demand a
ransom. Cyber blackmail of this kind is very common, since today all companies
actively use the Internet to conduct business, and some organizations work only
through the World Wide Web. Owners or tenants of botnets can also use DDoS attacks
for political actions or provocations. Government, state, military and other
organizations become targets of bot attacks.

Botnets are used to mine bitcoin. Having penetrated the user's computer, the bot
agent uses the machine's resources for its own purposes. The more infected devices,
the more currency the attacker "mints". GPU power can be used while the computer is
idle, so the malicious activity is not noticed immediately.

Botnets are also used for anonymous Internet access in order to hack websites and
transfer money, and they are actively used to steal confidential information. The
advantage of a zombie network over other malicious agents is its ability to collect
information from a huge number of computers at the same time. This information is
often sold or used to expand the botnet.

Source of threat

Bot agents are created by cybercriminals, for example, in order to steal. Typically,
hackers steal access credentials for a particular system in order to obtain
monetary gain or some other personal benefit. Zombie networks are also used by
representatives of illegal businesses to promote their goods and services.

The most dangerous group of developers of such programs is organized
cybercriminals, who use infected networks for attacks, stealing data and money,
sending advertisements, blackmail, provocations and so on. In addition, they build
botnets for sale and rent.

Risk analysis

Statistics show that a huge number of computing devices of all kinds are part of
botnets. The consequences of infecting a computer with a bot agent vary depending
on the botnet's owner and the goals he pursues. The most visible activity of a
zombie network is DDoS attacks. The danger of infected networks keeps growing
because creating them becomes easier every year and new ways of introducing
malicious programs are found, which means that new botnets appear and existing ones
expand.

In early March 2017, researchers discovered a vulnerability in the security system
of DVRs and surveillance cameras made by the Chinese company Dahua, which meant the
devices could easily end up executing attackers' commands. Read more about this in
the article "Chinese cameras and DVRs can become part of botnets."

Despite the scary statistics, you can protect your computer. This requires you to:
use effective anti-virus protection;
update the operating system and all applications promptly;
use encryption when transferring personal data;
observe general reasonable precautions when using the Internet.

It is also helpful to monitor device activity. If the device is working hard while
idle or is transferring too much data, there may be a malicious agent on it.

CHAPTER 2

The most dangerous botnets

A botnet won't surprise anyone today: they appear all the time, and the underlying
infection is easily cleaned out by antivirus software, thanks to the clumsiness of
authors who slap their malware together from whatever is at hand. But sometimes
pros take up virus writing, and then the damage becomes colossal, and the war
against the malware becomes protracted and interesting. In this article, I will
analyze such stories, and some of them are not over yet.

It is impossible to cover even the most interesting epidemics in one article, so I
selected only eight of the most significant cases. Even these cannot be described
in full detail, so I warn you right away that some details may be omitted,
intentionally or not. Keep in mind that the situation around active Trojans may
well change after the article is published.

ZeuS
Brief description: banking Trojan
Years of life: 2007-present
Number of infections: more than 13 million
Distribution method: exploit pack
Distribution: 196 countries
Damage: more than $120 million
Our hit parade opens with Zeus, but not the one who sits on Olympus among the gods.
This banking Trojan is so widespread that it took first place in the list of
America's most wanted botnets. According to armchair analysts, it was used in 90%
of all bank fraud cases in the world.

At first, several hundred separate botnets were created on the basis of ZeuS,
controlled by different gangs of cybercriminals. The author (or authors) of the bot
simply sold the builder to anyone and everyone, and the buyers made their own
botnets out of it.

Everyone distributed the bot as best they could: for example, in 2009 one of the
groups carried out a large-scale mailing of Zeus through the Pushdo spam botnet.
Damballa estimated that about 3.6 million PCs were infected in the United States
alone. In total, more than 13 million computers have been infected since Zeus first
appeared.

The Zeus developer was originally known under the nicknames Slavik and Monstr, and
it was he who sold and supported the bot on his own in 2007-2010. This continued
until version 2.0, when in October 2010 Slavik handed the source code of version
2.0 to the developer of the SpyEye Trojan and, according to legend, stopped
development. But according to RSA, the original author did not go anywhere, and
the code transfer was a red herring.

In August 2010, that is, two months before the official announcement that work on
Zeus had ended, experts discovered a botnet built on Zeus version 2.1, which was
not on sale on any underground forum at the time. From this we can conclude that
the author simply changed his business model and decided to run his own botnet
instead of selling the builder to everyone.

One of the main features of Zeus 2.1 was a changed scheme for communicating with
the control servers: server addresses were now generated with a DGA (domain
generation algorithm). To protect against interception, the signature of the file
downloaded during an update was checked (an RSA-1024 signature was used).
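The DGA scheme mentioned above leaves a footprint on the defender's side: a bot trying its generated candidates produces many lookups of random-looking names, most of which fail with NXDOMAIN. The following is an added detection example, not code from this guide; it assumes a constructed, simplified resolver log format (`<timestamp> <client_ip> <qname> <rcode>`) and the scoring thresholds are assumptions.

```python
"""Heuristic detector for DGA-style C&C lookups in DNS resolver logs.

Added example, not code from the guide. The log format is a constructed,
simplified one: "<timestamp> <client_ip> <qname> <rcode>", one query per line.
"""
import math
import re
from collections import defaultdict

# Constructed sample log. 10.0.0.5 resolves ordinary names; 10.0.0.9 walks
# through random-looking names that mostly do not exist (NXDOMAIN), the
# typical footprint of a bot trying its DGA candidates until it finds the
# one the operator actually registered.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 www.example.com NOERROR
2024-01-10T09:00:02 10.0.0.5 mail.example.com NOERROR
2024-01-10T09:00:03 10.0.0.5 cdn.example.net NOERROR
2024-01-10T09:00:04 10.0.0.9 qzjxwvkpbtrmnlgh.com NXDOMAIN
2024-01-10T09:00:05 10.0.0.9 xk7d2mq9pz4rtw.net NXDOMAIN
2024-01-10T09:00:06 10.0.0.9 vbngthrkqzpwlmxd.org NXDOMAIN
2024-01-10T09:00:07 10.0.0.9 pqrstvwxzbcdfghj.info NXDOMAIN
2024-01-10T09:00:08 10.0.0.9 hjklmnpqrstvwxyz.biz NOERROR
2024-01-10T09:00:09 10.0.0.9 www.example.com NOERROR
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")
VOWELS = set("aeiou")
MAX_ENTROPY = math.log2(36)  # alphabet [a-z0-9]; used to normalise to 0..1


def shannon_entropy(text):
    """Bits per character of the label; random strings score near the maximum."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Second-level label of the query name. Simplification (assumption): no
    public-suffix list, so 'foo.co.uk' yields 'co'; fine for the sample."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label):
    """Heuristic 0..1 score; each feature is typical of generated names and
    rare in names chosen by humans. Thresholds are assumptions."""
    n = len(label)
    if n < 6:
        return 0.0
    score = 0.0
    if shannon_entropy(label) / MAX_ENTROPY >= 0.7:   # many distinct characters
        score += 0.35
    if sum(ch in VOWELS for ch in label) / n < 0.2:    # unpronounceable
        score += 0.3
    runs = re.findall(r"[^aeiou0-9]+", label)
    if max((len(r) for r in runs), default=0) >= 5:    # long consonant runs
        score += 0.2
    if sum(ch.isdigit() for ch in label) / n > 0.2:    # digits sprinkled in
        score += 0.15
    return round(score, 2)


def analyze(log_text, label_threshold=0.5, min_suspicious=3):
    """Return {client_ip: finding} for clients that queried at least
    `min_suspicious` distinct DGA-like names. The NXDOMAIN ratio is reported
    because a bot probing candidate domains produces mostly failures."""
    per_client = defaultdict(lambda: {"queries": 0, "nx": 0, "suspicious": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the detector
        _ts, client, qname, rcode = m.groups()
        st = per_client[client]
        st["queries"] += 1
        if rcode == "NXDOMAIN":
            st["nx"] += 1
        if dga_score(registered_label(qname)) >= label_threshold:
            st["suspicious"].add(qname.lower())
    findings = {}
    for client, st in per_client.items():
        if len(st["suspicious"]) >= min_suspicious:
            findings[client] = {
                "suspicious_domains": sorted(st["suspicious"]),
                "nxdomain_ratio": round(st["nx"] / st["queries"], 2),
            }
    return findings


if __name__ == "__main__":
    for client, finding in analyze(SAMPLE_LOG).items():
        print(client, finding)
```

The per-client aggregation matters more than any single label score: one odd-looking name is noise, a burst of them from one host with a high failure ratio is the signal.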

Some researchers also count among the innovations of this version the appearance
in September of the ZeuS-in-the-Mobile (ZitMo) build for Android, Windows Mobile,
BlackBerry and even Symbian. The newly minted Trojan worked in conjunction with the
"regular" desktop version of Zeus and made it possible to bypass two-factor
authentication in online banking. According to Check Point Software and Versafe, by
the end of 2012 the ZitMo build called Eurograbber had brought its owners about 36
million euros (about $47 million at the time).

Someone either got greedy or leaked the source code of Zeus 2.0.8.9 on the side,
but the fact remains that the source code of the almost-current version of Zeus
went on sale on the darknet in February 2011. Then, either there were no buyers or
the seller was hacked: in May, the source code became public. This event was, I
think, the most significant of 2011 for the hacker world.

We should also mention the HVNC module (the H stands for Hidden). It is an
implementation of a VNC server, but one that works with a virtual desktop the user
cannot see. Later, based on the leaked sources, the HVNC module was turned into a
separate project.

After the leak, "craftsmen" immediately appeared who began churning out Trojans
from the Zeus source code; sometimes these were little more than outright clones of
Zeus, admin panel included. But there were also more worthwhile efforts, for
example the Citadel project. Its main feature was an online platform similar to
today's GitHub, where customers could request new features, report bugs and add
their own modules. In short, development became interactive and brought its admins
a lot of money. Customers were even given technical support, which included, for
example, keeping Citadel constantly up to date so as to bypass the latest antivirus
protection.

In the fall of 2011, a researcher named Roman Hüssy, who was studying Zeus,
noticed strange UDP traffic while examining one of the Zeus variants. Further
analysis showed that the new version of Zeus had several IP addresses in its
configuration block and that the computers at these addresses responded to the
infected system. Over the course of a day, roughly 100 thousand unique IP addresses
contacted by the new modification were identified, most of them located in India,
Italy and the United States.

It turned out that Zeus had acquired peer-to-peer functions, intended for updating
and based on the Kademlia protocol. Because it used a script called gameover.php,
this version was given the name GameOver.

In early 2012, another version of Zeus GameOver was discovered: it contained a
built-in nginx server for communicating with other bots over HTTP. From this point
on, each bot could act as a proxy for communication with the original C&C, and the
same file signature protected against the distribution of "updates" by specialists
on the other side of the barricades. The GameOver version proved very tenacious and
is still active.

More than 74,000 hacked FTP servers, spam, fake technical support scams, exploits
and even social engineering on social networks were used to spread the bot. In
short, the full gentleman's set.

Later it was reported that the FBI, together with experts from about a dozen
countries, had identified the group behind Zeus. All its members were put on the
wanted list, including the alleged organizer, a certain Evgeny Bogachev. According
to the FBI, Bogachev lives in Anapa and owns a yacht. A record reward of 3 million
green American rubles (dollars, that is) is offered for his head! Since then little
has been heard about Zeus updates: the author has apparently laid low, and there is
no progress at all in the search. We will wait for news.

When I say "little has been heard about updates", I mean that the original Zeus was
indeed no longer supported, but in 2015 a new and interesting modification of it
appeared, called Sphinx. Its panel is not particularly different, but inside is a
new Trojan, thoroughly reworked by unknown authors. Now, in connection with the
coronavirus, it is especially active and is spread through social engineering. A
fake Kaspersky Lab signature and a self-made certificate are used as cover.

Disinfecting Zeus is very difficult: it successfully bypasses antivirus programs
using polymorphic encryption, infects many files and is constantly updated. The
best remedy is to reinstall the infected system, but if you really want to, you can
try to find and clean the infected files, without any guarantee of success, of
course.

Storm
Brief description: email worm for spam and DDoS
Years of life: 2007–2008
Number of infections: about 2 million
Distribution method: spam
Storm (aka Zhelatin) was first spotted in early 2007, sent out under the guise of
footage of the destruction caused by severe storms in Europe. From the very
beginning the bot relied on social engineering in its emails, and even "news" such
as the resurrection of Saddam Hussein was used as bait in the subject line. But if
social engineering were the only feature of the Storm botnet, it would not have
made it into our selection. For its time, Storm was probably the most
technologically advanced malware: it implemented a decentralized P2P management
system based on the Overnet protocol (from the eDonkey network) and server-side
polymorphism.

Server-side polymorphism had previously been used only in the Stration botnet,
which first appeared in 2006. There followed a short and not particularly
interesting war between this botnet and Storm for users' computers. At one point,
however, Storm accounted for up to 8% of all malware on Windows computers.

In July 2007, at the peak of its growth, the botnet generated about 20% of all spam
on the Internet, sending it from 1.4 million computers. It was engaged in promoting
medicines: both relatively legal ones, like Viagra, and prohibited ones.

Around the same time, attempts were made to split the botnet into several separate
subnets. Perhaps the authors wanted to sell access to the infected machines to
interested parties in parts. Either way, it did not work out.

The botnet was quite brutal in protecting its resources from overly curious
researchers. When frequent requests to download bot updates were detected from the
same address (which is exactly what antivirus companies like to do), the bots
launched a DDoS attack against that address. In addition, the websites of companies
that got in the way of the botnet owners' dirty work were attacked, with varying
success. Thus, as a result of DDoS attacks, the Spamhaus, SURBL (Spam URI Realtime
Blocklists) and URIBL (Realtime URI Blacklist) services were disrupted for a short
time. This was needed to prevent anti-spam solutions from updating their databases
and blocking the mailings.

At some point, the total computing performance of PCs infected with Storm surpassed
that of the supercomputers of the day. Imagine the power the owners of Storm held
in their hands! If only they had decided to do parallel computing instead of
sending spam... But let's not dwell on sad things. The cryptocurrencies you were
thinking of mining had, of course, not yet been born from Satoshi Nakamoto's ideas,
so there was nothing to mine. A pity: in the role of a malicious miner, the botnet
would have looked far more interesting in our selection.

And so it would have continued, but at the end of 2008 the botnet disappeared as if
by magic. Kaspersky Lab believes this happened because of the closure of the
Russian Business Network, a criminal bulletproof hosting service from Russia.
According to another version, which seems more plausible to me, Storm was destroyed
by security researchers. At the Chaos Communication Congress (December 2008), a
group of hackers showed a tool called Stormfucker which, using a bug in Storm,
spread on its own through the Overnet network and disinfected infected computers.
And Microsoft, as usual, interprets events in its own way: they believe that a
Windows update helped get rid of the botnet. The experts could not agree on this
one point.

Of course, a place in the sun rarely stays empty, and with the demise of Storm a
new botnet based on the Waledac Trojan appeared. Although the code was completely
different from its predecessor's, Waledac suspiciously resembled Storm in several
features: the use of fast-flux C&C hosting, server-side polymorphism, spam
distribution functions and a P2P update mechanism. Even the spam email templates
were almost identical to Storm's. Waledac advertised the same products from the
same sellers as Storm. A clear demonstration of how one botnet is shut down and
immediately replaced by a new one.

Storm seemed like a ghost until 2010, when members of the Honeynet Project
discovered a new version of it. About two-thirds of the code came from the first
version: 236 of the worm's 310 functions remained unchanged. The part responsible
for peering went in the trash (apparently thanks to Stormfucker), and the C&C
communication protocol was changed to HTTP (previously it used plain TCP sockets).
Fortunately, Storm 2.0 did not spread as widely as its older brother, which may
have been because the source code of the first version was handed to another
development team.

Symptoms of infection were relatively easy to notice if you monitored process start
attempts. Malicious processes were usually named gameX.exe, where X is a number.
The following variants were possible:

game0.exe - backdoor and downloader in one package; this process started the rest;
game1.exe - SMTP server for sending spam;
game2.exe - email address stealer;
game3.exe - spam distribution module;
game4.exe - DDoS utility;
game5.exe - bot update process.
The code was run by a rootkit from %windir%\system32\wincom32.sys, which made it
possible to bypass some security mechanisms. Rootkit code in the kernel, for that
matter, does not care about any protection, because getting something out of the
kernel, even knowing its internal structure, is not as trivial as it seems.
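A detection pass over the process names and driver path listed above, as an added example that is not part of the article. It assumes a constructed, simplified event format (one event per line, key=value fields) exported from outside the host, since the rootkit itself hid these artefacts locally; it is not any real Sysmon or EDR schema.

```python
"""Flag the Storm process family (gameX.exe) and its wincom32.sys rootkit
driver in process-creation and driver-load events.

Added example, not from the article. Event format is a constructed
simplification, one event per line:
  ProcessCreate pid=<n> ppid=<n> image=<path>
  DriverLoad image=<path>
"""
import re

STORM_PROCESS_RE = re.compile(r"^game\d+\.exe$", re.IGNORECASE)
STORM_DRIVER = "wincom32.sys"  # loaded from %windir%\system32 per the article

# Constructed sample events. The game0.exe -> game1/game4 chain mirrors the
# article's description of game0.exe as the loader that starts the rest;
# game.exe (no digit) is a benign look-alike that must not be flagged.
SAMPLE_EVENTS = """\
ProcessCreate pid=400 ppid=1 image=C:\\Windows\\explorer.exe
ProcessCreate pid=812 ppid=400 image=C:\\Users\\bob\\AppData\\Local\\Temp\\game0.exe
ProcessCreate pid=820 ppid=812 image=C:\\Users\\bob\\AppData\\Local\\Temp\\game1.exe
ProcessCreate pid=824 ppid=812 image=C:\\Users\\bob\\AppData\\Local\\Temp\\game4.exe
ProcessCreate pid=830 ppid=400 image=C:\\Program Files\\Games\\game.exe
DriverLoad image=C:\\Windows\\system32\\drivers\\tcpip.sys
DriverLoad image=C:\\Windows\\system32\\wincom32.sys
"""

EVENT_RE = re.compile(r"^(ProcessCreate|DriverLoad)\s+(.*)$")
# key=value pairs; a value runs until the next " key=" so paths may contain spaces
KV_RE = re.compile(r"(\w+)=(\S.*?)(?=\s+\w+=|$)")


def parse_kv(fields):
    return {m.group(1): m.group(2) for m in KV_RE.finditer(fields)}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_events(text):
    """Return Storm-family processes (with their parent, so the loader chain
    is visible) and any load of the Storm rootkit driver."""
    procs = {}    # pid -> (ppid, image)
    drivers = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # unknown event type or blank line
        kind, kv = m.group(1), parse_kv(m.group(2))
        if kind == "ProcessCreate":
            procs[int(kv["pid"])] = (int(kv["ppid"]), kv["image"])
        else:
            drivers.append(kv["image"])
    findings = {"storm_processes": [], "storm_driver": []}
    for pid, (ppid, image) in sorted(procs.items()):
        if not STORM_PROCESS_RE.match(basename(image)):
            continue
        parent = basename(procs.get(ppid, (None, "<unknown>"))[1])
        findings["storm_processes"].append({
            "pid": pid,
            "image": image,
            "parent": parent,
            # True when spawned by another gameX.exe, i.e. game0.exe acting as loader
            "parent_is_storm": bool(STORM_PROCESS_RE.match(parent)),
        })
    findings["storm_driver"] = [d for d in drivers if basename(d) == STORM_DRIVER]
    return findings


if __name__ == "__main__":
    for key, items in analyze_events(SAMPLE_EVENTS).items():
        print(key)
        for item in items:
            print("  ", item)
```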

The rootkit also did not hesitate to spoof antivirus programs so that the user
would think protection was working normally, even though it was not working at all.

Thus Storm became one of the first commercial ready-to-use spam tools. It may not
have lasted long, but it showed the way to other attackers, who began to act in a
similar way.

Mariposa
Brief description: Trojan worm
Years of life: 2009–2011
Number of infections: 12 + 11 million (two waves)
Distribution methods: pirated software, self-distribution via flash drives, peer-
to-peer networks, and MSN messenger
Distribution: 190 countries

The Mariposa botnet ("butterfly" in Spanish) appeared in 2009 and was based on the
code of the Palevo Trojan, also known as Rimecud. Panda Labs estimated the size of
this giant butterfly at 12 million computers.

In the code the bot was called somewhat more simply, Butterfly Bot, but nobody
forbids anyone from naming things as they please, so the antivirus companies came
up with their own name and issued it as the official one. The author had to accept
it.

The bot could work as a loader for other malware of all stripes, could extract
passwords from Firefox and IE out of the box, and raised HTTP and SOCKS proxies to
cover the attacker's tracks. And of course DDoS, with two modules at once: TCP SYN
flood and UDP flood.

One of the distribution methods was USB flash drives and autorun.inf, which still
worked at the time. The bot went to great lengths here (it is not for nothing that
it is based on Palevo): Mariposa created a heavily obfuscated autorun file in which
the instructions were mixed with a large number of characters from different
encodings, so the file looked different every time.

Mariposa's main activity was scams and the now traditional DDoS. This included
stealing accounts from victims' computers and reselling them. Bank accounts were
then used to pay for services, and social network accounts for all kinds of scams.
Spoiler alert: the purpose of stolen data today is exactly the same.

As far as protection from analysis goes, the bot's authors did their best: they
enabled a lot of security features which, however, still did not prevent the
botnet from being shut down. The security mechanisms included frequent updates and
modifications of the binary code that allowed it to bypass signature analysis,
countermeasures against running in virtual machines and sandboxes, and a new secure
UDP-based protocol for communicating with the command center.

Unfortunately for the botnet's authors (the DDP Team group from Spain openly stated
its involvement), Mariposa's career ended in December 2009. Researchers and the
police managed to identify, seize and disable the C&C servers, in Spain itself.
Three months later (in February), Spanish law enforcement arrested three members of
the DDP Team. An interesting detail: none of those arrested knew how to program.

According to the Spanish police, the bot herders behaved completely childishly:
they connected to the C&C as admins from their home IP addresses instead of using a
VPN or proxy. However, it proved impossible to hold the perpetrators to account,
largely because running a botnet was not considered a crime in Spain at the time at
all, and for a criminal case the police would have had to prove that they stole
information and then used it for profit. According to official information, the
private data of more than 800 thousand people in 190 countries was stolen with the
help of Mariposa; however, this could not be used in the investigation for lack of
solid evidence.

As a result, the investigation reached a dead end, and Mariposa's administrators,
released a couple of months later, visited the office of Panda Security, which had
played a significant part in their capture, and began asking to be hired: by their
own account, they were completely out of money after the Mariposa infrastructure
was destroyed. They left, of course, with nothing.

Despite the destruction of the Mariposa C&C, from the end of 2010 the number of its
detections began to grow again, and six months later another botnet based on the
same Palevo, numbering about 11 million machines, was found. It was called Metulji
("butterfly" in Slovenian).

Just a month and a half to two months after the botnet was discovered, its
operators, residents of the Serbian part of Bosnia, were identified. These guys did
not bother to hide either and spent money left and right. They were arrested
jointly by the Slovenian police, the FBI and Interpol. Since then, Palevo and its
derivatives have disappeared from the list of top threats.

As you can see, even wannabe hackers with minimal knowledge can build botnets of
considerable size, even without spam and exploit packs. Twelve million out of the
blue is a serious result.

ZeroAccess
Brief description: Trojan Downloader, spammer, and miner
Years of life: 2009–2013
Number of infections: 9 million
Distribution method: exploit pack
The history of ZeroAccess in the rootkit chronicles began in June 2009. At that
time an interesting sample appeared with the string F:\VC5\release\ZeroAccess.pdb
in the rootkit driver, so the name ZeroAccess is the author's own. There were
others, of course: ZeroAccess is also known as Smiscer and Sirefef.

An interesting feature of ZeroAccess was its "live bait" for knocking out antivirus
programs. In addition to its main driver, the rootkit, the bot had an additional
kernel driver that created a decoy: an object that antivirus programs and other
supposedly protective mechanisms would peck at. This driver created the device
\Device\svchost.exe and stored a dummy binary at the path
\Device\svchost.exe\svchost.exe. Access to this pseudo-file was monitored by the
rootkit. If something took the bait, ZeroAccess killed the process by injecting
code into it that called ExitProcess(). And to prevent subsequent launches of the
program that got caught, ZeroAccess reset the ACL on its executable file to deny
reading and execution. Thus, once caught, the antivirus could no longer start.

In January 2010, the creators of ZeroAccess rolled out an update that enriched it
with new features. For this purpose (surprise!) the resources of the Russian
Business Network were used. In this version, obvious borrowing of ideas from the
older TDL-3 rootkit became more noticeable: launch was now performed through driver
infection, and hidden storage in a separate hard disk partition was used for the
rootkit's components.

Until April 2011, 64-bit versions of Windows were relatively safe and did not get
infected with ZeroAccess. In May, however, the next update corrected this annoying
omission, though not in a very technological way. The fact is that in the 32-bit
version the rootkit worked at the kernel level, while in the 64-bit environment
everything worked in user space. Apparently the authors decided not to bother
bypassing driver signature verification and made do with this crutch.

To increase survivability, the authors added TCP-based P2P for distributing their
modules, along with a list of initial peers containing 256 supernode IP addresses.
Antivirus analysts note that this version began to load two types of payload: click
fraud and mining.

Time went on. More and more people switched to 64-bit operating systems, which make
it difficult to develop a kernel rootkit. In May 2012 the kernel driver was
dropped, and all work now took place in user mode. The peer-to-peer network
algorithm also changed slightly, and the RSA key length was doubled, from 512 to
1024 bits. Previously, peer-to-peer connections went only over TCP, but now the
list of IP addresses was requested over UDP and the list of modules over TCP. As
before, there was still a division by payload type: a click-fraud or a mining
module, to choose from.

The ZeroAccess example illustrates the principle of Occam's razor: do not multiply
entities unnecessarily, or, put simply, do not overcomplicate. ZeroAccess started
out as a technological development, then the rootkit fell away in the course of
evolution, but the botnet lived on and even acquired such a fashionable feature as
P2P.

Sophos estimates that the number of computers infected by the bot at the end of
summer 2012 was more than 9 million, with active infections around a million.
According to experts, the ZeroAccess botnet was the most active of 2012.

Antivirus companies, of course, did not ignore the botnet's existence and actively
looked for ways to intrude via the ZeroAccess peer-to-peer protocol in order to
disable it. In March 2013, Symantec engineers took up the task and found a
vulnerability in the botnet's protocol that made it possible, although with great
difficulty, to disrupt its operation.

At the same time, monitoring of the botnet's activity continued, and on June 29
Symantec specialists noticed that a new version of ZeroAccess was being distributed
through the peer-to-peer network. The updated version contained changes that closed
the vulnerability found earlier. This, it seems, prompted the operation to take
over the botnet, which began on July 16. The researchers tried to gain control
before the update reached all the nodes. As a result, more than half a million bots
left the botnet.

But even greater success was achieved by the white hats at Microsoft: in December
2013, together with law enforcement agencies from different countries, they
disrupted ZeroAccess by taking control of its C&C. Law enforcement obtained search
and seizure orders for the servers behind the 18 IP addresses from which the botnet
was managed. After this operation, the bots received a final update from the
authors containing the message WHITE FLAG. In short, the botnet gave up.

Technically the botnet is still alive, but it will never receive updates again,
since the command servers have sunk into oblivion. The bot is no longer updated,
its detection rate keeps growing, and more and more antivirus programs neutralize
it. But we cannot rule out that the developers are currently working on a new
version of ZeroAccess.

Dridex
Brief description: banking Trojan
Years of life: 2011-present
Number of infections: unknown
Distribution methods: spam, social engineering, free software
The Dridex banking Trojan has been one of the major financial cyberthreats since
Zeus left the stage. In 2015, its damage was estimated at more than $40 million.

Dridex (then Cridex) first appeared around September 2011. Even then the bot could
use web injections to steal money online, and it could also infect USB drives, so
it was initially classified not as a Trojan but as a worm. Its web injections were
suspiciously similar in style to those of Zeus, which may have been helped by the
leak of the Zeus source code in 2011. Later, in 2012, the attackers abandoned USB
infection.

The similarity between the Zeus and Dridex web injections is not the only thing
that unites them. Specifically, with the Gameover Zeus version, the mechanisms for
working with regular expressions, the distribution method (email spam), some
aspects of the installer (the main body of the virus and the loader), as well as
the set of available components on the infected system were common. Their list
includes a SOCKS proxy and a hidden VNC, obviously borrowed from Zeus.

By the beginning of 2015, Dridex even had some semblance of a peer-to-peer network,
which again resembles Gameover Zeus. This cannot be called true P2P, because not
all network nodes were equal. Instead, there were supernodes whose addresses were
specified in the Trojan's configuration file, in the XML section <nodes>.
Encryption of the communication protocol with the command center also appeared.

The network grew rapidly and the criminals seemed elusive, but on August 28, 2015,
one of the Dridex administrators was found and arrested. Some of the bots (they
were divided into subnets) disappeared from the network, but after a short time
they not only returned, but also brought new ones. It seems that other admins took
control of the arrested colleague's subnets and continued working without him.

After the arrest, security measures were immediately tightened: IP-based filtering
by geographical location was introduced. If the country was not included in the
list, the bot received an error message. This, of course, did not prevent the
Trojan from being studied. A couple of months later, the network owners rolled out
an update to the Trojan loader, in which the XML config was replaced with a binary
one. In fact, this solution was already used in early versions of the then Cridex,
so this move was intended to confuse researchers rather than make the Trojan more
convenient.

Another interesting version was found in early 2017. In terms of its capabilities,
it was similar to the third one, but the analysis of new samples is now greatly
complicated by the fact that the loader works for a maximum of a couple of days.
Again, the solution is not new: it was about the same with the Lurk Trojan, only
the loader worked there for only a few hours. When the loader's lifetime ends, the
encryption keys are changed and the old samples become useless. All legacy
instances receive a 404 error from the server.

Encryption remains the same as in its ancestor: RC4, with a static key in the
Trojan's body. Encryption was needed to protect against detection in traffic, not
to block research, since RC4 is a symmetric algorithm that can be easily broken by
brute force, but traffic analysis systems are powerless in front of such a
pseudo-random data stream.
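An added analyst-side example (not code from the original guide) of the point above: with the static key recovered from a sample, RC4-protected C2 traffic decrypts trivially, while its byte entropy looks like random noise to traffic inspection. The key, the config fragment and the `<nodes>`-style plaintext are constructed here, not taken from any real sample.

```python
"""RC4 decryption of a constructed C2 message with a static key, plus
byte-entropy measurement. Everything below is constructed for illustration;
no real Dridex key or traffic is used."""
import math
from collections import Counter


def rc4_keystream(key: bytes):
    """Yield the RC4 keystream for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for uniformly random bytes."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Placeholder key: in real analysis this comes out of the unpacked sample.
STATIC_KEY = b"example-static-key"
# Constructed plaintext shaped like the supernode list the text mentions.
SAMPLE_PLAINTEXT = b"<nodes><node>192.0.2.10:443</node></nodes>"


def decrypt_c2(ciphertext: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Recover the C2 payload once the static key is known."""
    return rc4(key, ciphertext)


def looks_like_xml_config(blob: bytes) -> bool:
    """Cheap sanity check that a decryption attempt produced the XML config."""
    return blob.lstrip().startswith(b"<") and b"</nodes>" in blob


if __name__ == "__main__":
    ct = rc4(STATIC_KEY, SAMPLE_PLAINTEXT)
    print("ciphertext:", ct.hex())
    print("entropy plaintext=%.2f ciphertext=%.2f"
          % (shannon_entropy(SAMPLE_PLAINTEXT), shannon_entropy(ct)))
    print("decrypted:", decrypt_c2(ct))
```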

Most of the victims are located in Europe. Most of the infections were recorded in
the UK, followed by Germany and France. Dridex does not infect Russian computers:
command servers do not respond to requests from Russian IP addresses.

Over the years of Dridex's existence, whitehats and law enforcement agencies from
different countries have repeatedly tried, unsuccessfully, to stop the botnet's
activity. In 2009, the US Department of Justice filed charges against two Russians
who, according to them, are behind the development of the Dridex malware, among
other things.

The indictment says that 32-year-old Maxim Yakubets and 38-year-old Igor Turashev
were the developers of the famous banking Trojan Dridex and Yakubets was the leader
of the group. In addition, Yakubets is also accused of developing and distributing
Zeus.

But so far, Dridex is only adding more and more User Account Control (UAC) bypass
techniques that help it stay afloat and continue to infect Windows machines. The
damage is difficult to put a figure on, but even by the most sparing estimates it
is measured in hundreds of millions of dollars.

Emotet
Brief description: banker, loader
Years of life: 2014-present
Number of infections: unknown
Distribution methods: spam, social engineering
Emotet is another high-tech banking Trojan. The first versions stole the banking
data of only a few banks, but the botnet was quickly improved and is now among the
top 3 most active and dangerous, although it first appeared relatively recently,
in 2014.

Infection actively occurs through spam: emails contain a malicious attachment with
a macro. The macro is not just executed, but it uses social engineering methods to
force the victim to launch itself, which leads to infection.

At the turn of 2016 and 2017, the creators repurposed the botnet, and now it mainly
acts as a loader for other malware of all stripes. However, it is also not worth
deleting it from the list of bankers yet.

The botnet is sold under the IaaS or MaaS (malware as a service) model to other
cybercrime groups. In particular, Emotet often works in tandem with Ryuk.

In the second half of 2019, the number of Emotet infections increased dramatically.
The loader suddenly registered a burst of activity. In September, after a short
four-month pause, Emotet again began to operate with increasing strength. A total
of 27,150 Emotet instances were detected in the second half of 2019 (an increase of
913% compared to the previous year). During this attack, more than 1000 unique IP
addresses were recorded which hosted Emotet C&C servers. The graph below shows the
number of Emotet samples found for the second half of 2018 and 2019. There is a
huge difference.

In 2020, a new feature was discovered: Emotet behaves like a worm, breaking into
poorly secured Wi-Fi networks and spreading there. Another demonstration of how
attackers invent new techniques in the name of more effective infection.

As for the geographical distribution, Germany, the United States, India and Russia
were the most affected. The top affected countries also include China, Italy and
Poland. Emotet is still active, so the infection pattern is constantly changing and
may even change by the time this article is published.

To date, nothing is known about the creators of Emotet, so there will be no
fascinating story of the idiocy of developers and the resourcefulness of law
enforcement officers. It's a pity.

3ve
Brief description: clickfraud botnet
Years of life: 2013–2018
Number of infections: ~1.7 million
Distribution methods: spam, SI
Damage: about $30 million
I think you've had enough of the banking Trojans in this collection. However, this
bot belongs to a different family: click-fraud botnets. 3ve ("Eve") does not steal
banking data when it infects a machine, but clicks tons of ads on fake sites. Of
course, the user does not notice anything, since everything happens secretly. The
bot contained many detection-bypass mechanisms to bring maximum profit to its
creators. 3ve is considered the most advanced click-fraud botnet.

3ve was distributed through the Methbot and Kovter botnets and had several schemes
of operation.

One of the schemes was identified as 3ve.1, but it was first discovered by
WhiteOps specialists and named MethBot. This campaign was also monitored by experts
from Symantec and ESET, under the names Miuref and Boaxxe, respectively. Naturally,
no one knew then that this operation was just a small piece of a larger advertising
scam.

Another scheme used primarily servers in data centers rather than computers of
ordinary users; the bots imitated the behavior of live users of mobile and desktop
devices. According to the FBI, 3ve operators used about 1,900 servers in commercial
data centers, and they had about 5,000 advertising sites at their disposal.
The 3ve operators went further: they began to spoof BGP and use blocks of IP
addresses belonging to real customers to mask the fraudulent activity. When ad
networks started blocking addresses associated with the 3ve.1 scheme, the
operators simply rented infected machines in the Kovter botnet. The new bots
opened hidden browser windows and continued using the old scheme.

In the third scheme, everything remained the same, but instead of a huge number of
low-power bots, the campaign involved several powerful servers and a lot of rented
proxies to hide servers.

At its peak, the 3ve botnet generated about 3 billion fraudulent requests every
day, used about 10,000 fake sites to display ads, had more than a thousand bot
servers in data centers, and controlled over a million IP addresses needed to hide
bots.

The botnet was closed by a joint effort of Google, the FBI, Adobe, Amazon, ESET,
Malwarebytes and other companies. There were eight authors, and thirteen criminal
cases were opened against them. Six authors are Russians, and two more are Kazakhs.
Sometimes legends about Russian hackers do not lie!

According to Google, after the 3ve infrastructure was blacklisted and sinkholing
was used against it, there was a real lull in advertising fraud. Although the men
in uniform don't give the exact income of the group, experts estimate 3ve's
earnings to be at least $30 million.

Mirai
Brief description: DDoS botnet
Years of life: 2016-present
Number of infections: more than 560 thousand
Distribution methods: brute force
It would be strange if we didn't remember such a famous bot. It is the king of
botnets that attack IoT devices, and although it has long since died out itself,
its numerous descendants still haunt security professionals. First discovered in
2016, it quickly and efficiently hijacked smart home devices (and sometimes not
only them) with weak Telnet passwords.

This botnet was developed by students who for some reason got angry at their own
university and wanted to organize DDoS attacks on it. But they missed something,
and now this is the largest IoT botnet, if you take into account all its clones.

The botnet grew slowly at first, but after several attacks it was noticed and the
hunt for its creators began. They didn't come up with anything smarter than simply
publishing the source code. The idea: we don't have to be the authors; it could
have been anyone, the source code is open. This trick did not help them, and the
authors were found. Unfortunately, it was already too late: other groups had
received a powerful and dangerous tool for free. The number of botnets based on
Mirai (and sometimes complete clones of it) has exceeded one hundred and continues
to grow.

In September 2016, after Brian Krebs published an article about DDoS botnet
vendors, Krebs himself became the victim of an unusually strong DDoS attack, which
peaked at 665 GB/s. This attack in general became one of the most powerful among
the known ones. The hosting provider would not tolerate this any longer, and the
site was temporarily down until a new host was found.

A month later, a powerful attack was launched against DynDNS. It came in two waves
of about an hour and a half each. Despite the rapid response and the measures
taken to repel the attack, it still affected users. The consequences were visible
until the evening of the same day. It is noteworthy that not one server was
attacked, but many around the world. The engineers clearly did not expect such an
onslaught and could not react normally. As a result, at least Twitter, GitHub,
SoundCloud, Spotify and Heroku were affected.

Ironically, DNS queries were used to attack the DNS provider. Traffic exceeded
normal by almost two orders of magnitude, and this is not counting the fact that
system administrators urgently introduced filtering. At that time, DNS
amplification was already described, but it was not taken seriously. The attack on
Dyn corrected the situation, so there are not so many servers vulnerable to this
technique anymore.

According to the investigation, only about 100 thousand excessively "smart" devices
participated in the attack. Nevertheless, the attack was impressive in its scale.

Inside, Mirai is small and clean code, which, however, was not very technologically
advanced. Only 31 login and password pairs were used for distribution, but even
this was enough to capture more than half a million devices.
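The Mirai infection path described above (repeated Telnet login attempts with a short list of default credentials, then a successful login) leaves a recognisable trace in device logs. The following is an added defender-side example, not code from the original guide: a small detector that flags a source address once its failed Telnet logins reach a threshold within a time window, and separately flags a login that succeeds right after such a burst. The log line format, hostnames and addresses are constructed for the example.

```python
"""Detect Mirai-style Telnet credential brute force in device auth logs.
Added defender-side example; the log format and the sample lines are
constructed, and the addresses are documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed syslog-like format: "<ts> <host> telnetd[<pid>]: login <result>
# for user '<user>' from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: login (?P<result>failed|succeeded) "
    r"for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def parse_line(line: str):
    """Return a dict for a recognised line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, window_seconds=60, threshold=5):
    """One 'bruteforce' alert per source whose failures reach `threshold`
    inside any `window_seconds` span, plus a 'login_after_bruteforce' alert
    for each later successful login from an already-flagged source."""
    failures = defaultdict(deque)   # src -> timestamps of failures in window
    users_tried = defaultdict(set)  # src -> usernames seen in failed attempts
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "failed":
            q = failures[src]
            q.append(ev["ts"])
            users_tried[src].add(ev["user"])
            # drop failures that fell out of the sliding window
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"src": src, "kind": "bruteforce",
                               "failures": len(q),
                               "users": sorted(users_tried[src])})
        elif src in flagged:
            alerts.append({"src": src, "kind": "login_after_bruteforce",
                           "user": ev["user"]})
    return alerts


# Constructed sample: one noisy source cycling default accounts, one quiet one.
SAMPLE_LOG = """\
2016-10-21T13:00:01Z cam01 telnetd[512]: login failed for user 'root' from 203.0.113.5
2016-10-21T13:00:03Z cam01 telnetd[512]: login failed for user 'admin' from 203.0.113.5
2016-10-21T13:00:05Z cam01 telnetd[512]: login failed for user 'root' from 203.0.113.5
2016-10-21T13:00:06Z cam01 telnetd[512]: login failed for user 'support' from 198.51.100.7
2016-10-21T13:00:07Z cam01 telnetd[512]: login failed for user 'root' from 203.0.113.5
2016-10-21T13:00:09Z cam01 telnetd[512]: login failed for user 'admin' from 203.0.113.5
2016-10-21T13:00:11Z cam01 telnetd[512]: login failed for user 'root' from 203.0.113.5
2016-10-21T13:00:12Z cam01 telnetd[512]: login succeeded for user 'root' from 203.0.113.5
2016-10-21T13:05:00Z cam01 telnetd[512]: login succeeded for user 'support' from 198.51.100.7
""".splitlines()


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```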

Conclusion
Powerful botnets come and go: as soon as cybersecurity researchers and law
enforcement agencies close one network (and sometimes its owners), the next one
appears on the horizon, often even more threatening. For ordinary mortals, the
moral here is very simple: put strong passwords on all your devices and update the
firmware, and then your computer, router and too smart refrigerator will not start
working for a criminal gang.

CHAPTER 3
Terms & Slang

AV - antivirus.

Botnet - This is a network of bots. Bots are computers infected by us, whose owners
are usually unaware of the infection of their computer. A network is built from
these bots, which is controlled by one user, that is, by us. Management takes place
through the backdoor admin panel, which can be located either on hosting or on
our computer.
Backdoor - This is our main tool with which we will control other people's
computers. The literal translation, "back door", says a lot. First of all, it is a
virus whose purpose is to be secretly installed on the victim's computer in order
to control that computer.

Cryptography - In our case, this is the encryption of the backdoor code that makes
our virus invisible to security programs such as AV, firewalls, etc.
Cryptography can be performed using a special program (cryptor), or manually.

Joiner - This is a program with which we glue our backdoor to any other file. For
example, if we have glued our backdoor to an image, then when such a file is
launched, the image will open and at the same time the backdoor will secretly start.

Stub is an important part of the cryptor code. During encryption, according to a
certain algorithm, the encrypted file is written into the stub's resources and
saved.

It turns out that the finished encrypted file is the same stub that, during
startup, searches its resources for the data that we have encrypted, decrypts and
executes it. Simply put, the stub acts as a shell to protect against AV.

A signature is a set of bytes by which AV determines whether a file is infected or
not. It is the change in signatures that makes the virus invisible to AV.

Backdoor creation
Well, now let's get down to creating our backdoor. For this we need Spy-net 2.7
RAT. Spy-net is a client-server program for hidden remote administration. The
backdoor will consist of 2 parts - a client and a server. The server will be
located on the computers of the victims, and with the help of our client we will
manage the machine of our victim. Open Spy-net. Before us is the client part. Let's
create a server with which we will manage the computers of the victims. We press
START. If the menu is not in English, then we do this:

To create a server, select "File" -> "Create server" A window appeared where we
will create our profile. Each profile can have its own settings. We delete all
unnecessary profiles. Click on the "New" button and a window for entering a profile
appears. You can name your profile whatever you like, it doesn't matter.

We delete all records in the table. We press the "Add" button and a window appears
where we must enter the IP and port.

Let's consider this moment in more detail.

IP

Where to get the IP address.


You can purchase a Dedicated Server and use its IP;
If you have a static IP you can use your IP;
If you have a dynamic IP, you can use the No-ip.com service.

No-ip service

(If you decide to use a Dedicated IP or your own, you can skip this item.) Why do
we need the No-ip service? This service is used to convert a dynamic IP to a
static one using the service's special software. The software synchronizes our IP
with a special domain that we came up with when registering in the service. This
domain refers to our IP, and when our IP changes, the software synchronizes the new
IP with the server. As a result, whenever our IP changes, we will always be
available at one domain. The first thing we need to do is register. Go to the
site - noip.com

Click on "Sign up now".

We get to the registration page and fill in the fields as usual: login, password,
e-mail (better use foreign services - Gmail, Yahoo, etc.). Next, enter the name of
our domain; the service has free domains only in the noip.biz zone.

We chose a name for the domain, now click under the column "Free DNS" -> "Sign UP".

We receive a confirmation letter in our e-mail. To activate, follow the link in the
letter. That's it, our account is now activated.
Click on the "Download" tab.
Next, "Download Now" Downloaded, run the installer.
We launch the software. We enter our Email and password that we specified during
registration.
The software is authorized. Now click on the "Edit Hosts" button.

Select our domain and save by clicking on the "Save" button. If everything is done
correctly, it should look like this:

If yours is different, then you need to try to choose another network card. To do
this, click "File" -> "Preferences" Under the line "network adapter" select another
network card. If, however, there is a red cross on one of the items, then in the
same settings under the "IP Detections Method" line, check the "use alternative IP
detection method" item.

Ports

After entering the IP, we need to enter the port. Several is better. You can use
the standard ports. But for many users, popular ports may be blocked by the ISP.
There are several methods to find out which ports we have open.

1. Download and run the DoScan program, it is attached to the course. We need the
Express Scan tab, it opens immediately at startup. In the "IP address" field, enter
our IP.

Next, in the "Start port" and "End port" fields, specify the port search range.
Let's indicate from 1 to 50,000. I think we don't need any more.

Backdoor encryption
We have a backdoor, but this is not enough. So far there is no use for it, because
not a single antivirus program or firewall will let it through. It is not worth
hoping that the victim has all protection completely disabled. What do we do?
In order for our backdoor to be invisible to security programs, we need to hide
it from them, that is, encrypt it.

How it's done?

There are 2 ways:

Manual;
Programmatic.
We will not plunge into the jungle of manual cryptography, because at first we do
not really need it and it will take a lot of time, and as you know, time is money.
We will consider the programmatic method of encryption.

Cryptors

There are public and private cryptors. We will look at public cryptors.
A cryptor is a program that automatically encrypts the file we have selected.
Perhaps the most important part of each cryptor is the stub (you can read what a
stub is on the first page).

The beauty of public cryptors is that they are free.

But the fact is that the stub consists of signatures, and it is by the signatures
that the AV determines that the file is infected.

The more time the cryptor is in the public domain, the more people will use its
stub and thus the signatures will get into the databases faster. Simply put,
viruses encrypted with a public cryptor do not live very long, but they will do
well for a few days.

But you can still extend the life of public cryptors, or rather their stubs, by
cleaning signatures. True, here we need the skills of manual cryptography. If
someone wants to learn, you can search for information on the Internet, since
there are plenty of manuals and video lessons. If we started to touch upon the
methods of manual encryption and study them, then many beginners would simply have
their brains overloaded with information: this is pure programming, and further
reading of the course would become difficult, given how much information lies
ahead.

Plus, manual encryption is a very lengthy process, because signatures are
calculated by the brute-force method, and each of your selections must be checked
for detection.

If you use a cryptor and most AVs detect your backdoor, then instead of manual
encryption you can use the method of combining stubs. That is, we encrypt the
file and then encrypt it again with another cryptor or stub. You can combine as
much as you want; the main thing is to check for detections every time and look
at the changes. If no changes are observed, then crypt in the reverse order or use
other cryptors.

How do we test our encrypted backdoor for detection?

One AV will not be enough, because that is not an indicator. "Every man to his
taste..." Well, you get the idea, and that's why everyone uses different AVs. Do not
install all AVs in turn and check! There are special services for this:
virusscan.jotti.org (22 AV, free)
chk4me.com (25 AV, free)
file2scan.net (35 AV, $10 per month)
elementscanner.com (35 AV, shareware)
fullscanner.net (35 AV, $9)
P.S.: NEVER use VirusTotal (www.virustotal.com) for checks, even if this is not
the final version of the virus or you will not use it: the signatures will get into
the AV databases and any file encrypted with that cryptor will be detected the
next day.

Naked backdoor, no crypt.

Glued and encrypted backdoor using combined public cryptors.

Where can we get public cryptors?

One of the best options, in my opinion, is the Spanish forum -
indetectables.net/viewforum.php?f=7

In the section - "Nuevos Troyanos y Herramientas" fresh cryptors are posted every
day.

But the only disadvantage for newbies will be the "anti-noob" system. (It is also
a plus, because although the cryptors are public, not everyone will be able to use
them.)
Some passwords to the archives are encrypted, and this site will help to decrypt
them - crypo.in.ua/tools/. There are also special programs.

Hints are attached to such encrypted passwords - abbreviations of cryptographic
algorithms and languages, or software with which the password is decrypted.
Also, most likely not all public cryptors will start for you, because some of them
are written using libraries that not every user has. This will be indicated by an
error message of the form "COMCTL32.OCX library not found". But this is not a
problem, because you just need to download the file of the required library and
register it via cmd. You can read how to do this in more detail on the Internet,
because the settings for different Windows versions and bitnesses are different.
You can find out which library you need from the error message.

In the future, I advise you to purchase a private cryptor, because it saves our
time, nerves and money very well. Of course, you can also master manual
encryption, which will be much cheaper than purchasing a cryptor, but one manual
encryption can take you more than an hour. What could you manage to do during this
time? I think a lot of things, but the cryptor will do it in 1 second and with a
clean result.

Their cost varies from $15 to infinity. Decent cryptors cost from $150. A big
plus of such cryptors is that they are updated almost every day.

Crypt services

If you are too lazy to mess with cryptors and you have a small budget, then the
easiest option for you is to use a crypt service. Usually, all crypt services crypt
to 0, that is, so that no AV detects the threat. There are many such services, but
not all of them provide high-quality services (and some do not provide them at
all, but simply disappear with your money).

Algorithm of actions
1. Create our backdoor and glue it with the file under which we will distribute,
preferably with an .exe file.
2. We crypt the resulting glued backdoor.
3. Checking the backdoor on AV databases
4. Distributing
5. Profit
6. Do not forget to update the backdoor at least once a week.

As a result, we get an .exe file that is not fired by most AVs and launches our
backdoor in stealth mode.

Important Tips

1. The backdoor already glued to the executable file (software / game) should be
encrypted.
If you do the opposite, then there is a possibility that the backdoor will be
detected due to the gluing.

2. After gluing and encrypting, check the launch of the file on yourself. It
happens that gluing or encrypting can damage the file, and it will stop running.
In such cases, it should be re-crypted or glued with another joiner.

3. The backdoor should be updated at least once a week, ideally once a day (if you
want good results, update every 1-2 days)! An update is a re-encrypted backdoor.
After a while, the backdoor starts to be detected by AV, and to prevent this, our
bots need to update the backdoor every time.

It is very easy to update. We create a new server (backdoor) with the same
parameters that we distributed, or we take a bare server file (without gluing) that
we have already distributed and re-crypt it.

Next, select all bots in the spy-net client, select the item - "Send file and ---
Runhidden"

OPSEC LEGAL INFO FOR YOUR PROTECTION
Good info for high value targets & companies

Legalization
Perhaps this concept is incompatible with a botnet, but I will try to convince you.
The point is to force the user to voluntarily install our backdoor, and this is
done using an agreement with which he agrees.

Running a little ahead, I will say that one of the distribution methods will be
through installation files. Almost every installer has a license agreement.
It is these license agreements that we will need to edit.
The change will concern notifying the user that third-party software will be
installed on his computer, the installation of which he must consent to. Who reads
our license agreements? That's right, no one and naturally he will give his
consent.

Now everything is in order.

We have an installation file with which we will glue our backdoor. Before gluing
it to the backdoor, we need to edit the license agreement. This can be done
manually, and if we distribute the file through the owner of the installation file,
then it is better to ask him directly.

What exactly to edit and where depends on the clauses of the license agreement.
It is advisable to implement our addition somewhere in the middle of the agreement,
so that it would not be very conspicuous. The text must be designed in an official
business style, must comply with the clause in the agreement and notify the user
that he agrees to install our backdoor.

Examples:

The user is hereby notified and agrees that when using the "program", if necessary,
a third party will administer the user's PC remotely to perform the necessary
tasks.
By using the "program" you agree that additional software will be installed on your
computer , which will allow a third party to remotely administer your computer.
This text is usually used under the clauses "General provisions" or "Terms of use".
The text is given as an example, composing your own is not difficult.

The main thing is to indicate that the user agrees / is notified / is informed that
any actions may be performed with his computer using third-party software by a
third party, although you can probably indicate the "copyright holder", because no
one will then figure out who is the copyright holder and who is the third party.

It all depends on what product you need to edit the agreement and what functions
you will use.
You can write more vaguely, but I do not advise.
Now let's see how we can create our own installation file with a license agreement.
For this we need a well-known compiler - Smart Install Maker. Let's say we need to
create our own installation file for some software.

We open our compiler. The first thing we see in the "Information" menu is where we
fill in the fields according to the software itself and choose the path to save the
installation file itself. Next, we need the "Files" menu, find a shortcut with the
name "Add files from folder" in the lower right menu, find the folder with our
software and select it. All files from the folder will be automatically transferred
to the compiler.

Next, go to the "Dialogues" menu. In the general tab, in principle, you can leave
everything as it is. We are interested in the "License / Information" tab. We put a
tick in the box "Show the license agreement" and select the path to the file with
the agreement (if you do not have a license agreement yet, you can download it or
copy it into a text file and edit it).

In the "Interface" menu, select and customize the design for our installer.
The rest of the menus are not necessary for us to create a regular installation
file.
In the top menu we find a shortcut with the name "Compile", click and our installer
is ready.
The program is very clear and easy to use, with the help of it you can make your
own repacks (RePack - pirates) for games and installation files for various
programs
(I advise you to study in more detail this compiler for creating repacks).

SPREADING YOUR CREATION
Spread - How you distribute your backdoor will determine how efficiently your
botnet grows.

There are a lot of backdoor distribution options, we will consider several of them.

1. Distribution through game launchers.

Of course, we can glue our backdoor with the game and scatter it across forums and
other platforms, but believe me, this will not bring the expected result, and at
the same time you will waste a lot of time.

Why do we need to distribute downloads, impose them on users when the user himself
finds our file and downloads it.

I'm talking about distributing pirated game servers or programs through websites.
At the moment, there are a large number of multiplayer games on the network, and
there are even more pirate servers for these games. And most of the administrators
of such servers are schoolchildren, which should play into our hands.

I recommend that you start your search with games like - Minecraft, CS, Lineage 2,
WoW, Aion. Almost every pirate server of these games has its own launcher, there
are a lot of servers for these games and they are growing every day.

Where to begin?

The first thing we need to do is select the game servers with which we will glue
our backdoor. It is advisable to approach the choice with some criteria: the server
has its own launcher; good server popularity; a young administrator.
The bottom line will be to agree with the server admin about gluing our backdoor
with the launcher of their game.
Take the game Minecraft, for example. We find the site of a server for this game
and write to the administrator that we have a business proposal for him. It's
better not to write what we need right away; let him answer first. If he doesn't
answer, then he is not interested in money)

As a result, we have to offer the admin a reward (usually $10-20) to allow us to
glue our backdoor with the launcher. Naturally, it is better to say that this is,
for example, a script for cheating something; in any case he will not see or
recognize what we are gluing the launcher with. If there is a license agreement in
the launcher, then ask him to edit it so that everything is consistent among the
players, you and the admin. We give him our text with the edits to the agreement;
as a rule, editing it will not be difficult for him.

Telegram - https://t.me/CashOutGangMarket - https://t.me/CashOutGang1337 -


https://sellix.io/CashOutGang1337

Admins come in all sorts: some will refuse, some will ask for more money, some
will think for a long time, but if the administrator is a student and it comes to
money, then they usually agree and are not even interested in what your "script"
actually is.
You can agree on payment in a month; there have been such cases. In any case, in a
month you will already have assembled a good network that will cover the monthly
payments with which your network keeps growing.
Personally, I had very good results from Minecraft servers. There were from 10 to
200 downloads from one server per day. And there were several such servers.
Another important point is that our backdoor must be clean for all popular
antivirus programs such as Kaspersky, NOD, Avast, Dr.Web, Norton, McAfee, Panda,
AVG, Avira, Emsisoft, etc. Ideally, it should be 100% clean, because a few
complaints from users that there is a virus can alert the admin and other players,
and we do not need that kind of exposure.
It is also necessary to re-encrypt our backdoor once a week and glue it to the
launcher again, otherwise the backdoor will soon start to be flagged by security
programs. Discuss this point with the administrator.

Spreading the backdoor through games is effective and cost-effective because
gamers' computers are powerful enough, which matters, for example, in a direction
such as bitcoin mining.

2. Distribution through game bot programs

As well as pirate servers, there are a lot of different bots for these games.
Why bots? It's simple: here our prey will be the accounts from the official game
servers, which we will talk about a little later. For those unfamiliar with
multiplayer games, a bot is a program that performs some action in the game in
automatic mode, that is, without the participation of the player. For example,
collecting valuable things, leveling a character, trading at an auction, etc.
Simply put, bots are used to automatically earn game currency, and as you know,
this currency has value only on official servers. That is why most players use
bots on official servers.

I recommend using bots for games like WoW, Aion, Lineage 2, Guild Wars 2, Diablo
III.

We will look for the creators of these bots or resource administrators who
distribute public / hacked versions of these bots.
Finding these resources is not difficult; you just need to type, for example,
"WoW bot" into a search engine.
The communication scheme is the same as in the first option.
Contact is mainly made with resource administrators who distribute these bots for
free, because the income from their resources is small, and here at least there is
some kind of reward. A bot developer, by contrast, earns from his sales, so they
are often not interested in such offers, but still I managed to negotiate with some
of them.
One of the advantages of this distribution option is that when downloading and
using bots, many people disable all security programs, because almost all of them
treat bots as malware. But this does not mean that we do not need to encrypt our
backdoor!

3. Distribution via torrent trackers

Yes, surely many of you know about this method or have thought of it yourself.
But it will not be superfluous to mention this method.
The backdoor will again be distributed through games.
The first thing we need to do is to monitor the game market and identify the next
game releases.
Take the famous GTA V.
There are 2 options for development:

1. We create our own repack, glue it with a backdoor and put it on torrents on
release day. To do this, we need to have a key and a game license, that is,
pre-order it. We will not waste time telling you how to make your own repack; for
this you can use Smart Install Maker, besides, the Internet is full of guides and
video tutorials.


2. Download a ready-made repack and distribute it with our backdoor on trackers.
Of course it's easier: you don't need to buy the game, you don't need to waste time
creating a repack. But you will waste time downloading the repack, which plays a
big role during the release. It happens that the distribution hangs for a couple of
hours, and then it is removed at the request of the copyright holders, but not from
all trackers. Here it's a matter of luck. It is also important to update our
distribution once a week, that is, to glue the repack with the newly encrypted
backdoor. Otherwise, after 1-2 weeks, our repack with the backdoor will start to be
flagged by security programs, users will start yelling in chats and your
distribution will be shut down.

4. Distribution through profiles

The method is as old as my great-grandmother.

I want to warn you right away that by this method we will receive low-quality bots,
but they will do quite well for building up.
The bottom line is to attract lustful users (and there are many of them) to our
profile pages and get them to download the file with our backdoor.
We go to Facebook or any other social network.
We register girls' profiles. We post seductive photos, possibly in underwear, but
without nudity. We make a more or less realistic profile; no need to post photos of
top models, famous personalities or porn actresses.
We start promoting the pages. We send photos of the girls from our profiles to
popular dating groups, and write under the photos something like "get to know a
boy", "boys, add me", etc. That is, we need to interest the men so that they go to
our page. You can send messages using special programs.
Next, we need to get them to download our backdoor file.
We will distribute it under the guise of an archive with erotic photographs of the
girl from our profile. The archive can be filled with random erotic photos, but
that will be suspicious, so we put a password on the archive and give everyone the
wrong password. You can also use erotic photos of the girl from our profile, but
it is very difficult to find ordinary photos of a pretty girl and then her erotic
photos as well. But it is possible, and this can help us -
pornolab.net/forum/viewforum.php?f=1728

In general, we create an archive with a photo and glue it to our backdoor.

Further, under the photos in the profile, we place a link to our archive, or in
the status we write something like "New pictures from my erotic photoset in my
links" and place our link to the archive in the "links" section.
Let's pay attention to the link. If you upload our archive to any known file
hosting service, then VK (Vkontakte) itself will block all such links. Therefore,
it is advisable to do a clean redirect.

For this we go to nic.reg3.ru (or to any other site selling domains).

We register and buy the cheapest domain zone. After that, our domain appears in our
list. Click on it and we go to the domain management menu. We find the line
"setting the zone and redirection"; under it we see a small menu, where we select
the item "Redirect to the site" and enter the link to which we will redirect from
this domain, for example zalil.ru/123456

As a result, we get an inconspicuous link that redirects the user to the file
hosting service to download our archive.
For example, in the links we have "myphotosession.rf"; clicking on it, the user
goes to the file sharing site "zalil.ru" where he can download our archive.
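The redirect trick above works because the moderation filter only sees the "clean" domain, not the file host behind it. A link expander that follows redirects hop by hop, and stops without downloading once a hop lands on a watchlisted file host, is the usual countermeasure. The following is an added example for that check; it is not code from the guide. It assumes a constructed watchlist (zalil.ru is the host the guide names, filehost.example is a placeholder) and stands up a local HTTP server that bounces visitors twice, standing in for a cheap redirect domain:

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Hosts a moderation team treats as file hosting. Constructed for this example:
# zalil.ru is the host named in the guide, the other entry is a placeholder.
FILE_HOST_WATCHLIST = {"zalil.ru", "filehost.example"}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def expand_redirect_chain(url, watchlist, max_hops=5, timeout=3):
    """Follow HTTP redirects one hop at a time, never fetching the final file.

    Returns (chain, verdict): chain is every URL seen, starting with the posted
    one; verdict is "file_host" (a hop lands on a watchlisted host, which is not
    contacted), "final" (a non-redirect answer), "too_many" or "error".
    """
    chain = [url]
    if urlsplit(url).hostname in watchlist:
        return chain, "file_host"
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        try:
            conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
            conn.request("HEAD", path)          # HEAD: headers only, no body
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
            conn.close()
        except OSError:
            return chain, "error"
        if status not in REDIRECT_CODES or not location:
            return chain, "final"
        nxt = urljoin(chain[-1], location)      # Location may be relative
        chain.append(nxt)
        if urlsplit(nxt).hostname in watchlist:
            return chain, "file_host"
    return chain, "too_many"


class _BounceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a cheap 'clean' domain that only forwards visitors."""

    def do_HEAD(self):
        if self.path == "/":
            self.send_response(302)
            self.send_header("Location", "/hop2")        # relative redirect
        elif self.path == "/hop2":
            self.send_response(302)
            # the guide's example target; the resolver never contacts it
            self.send_header("Location", "http://zalil.ru/123456")
        else:
            self.send_response(200)
        self.end_headers()

    def log_message(self, *args):      # keep the example quiet
        pass


def demo():
    """Run the resolver against a local bounce server; returns (chain, verdict)."""
    server = HTTPServer(("127.0.0.1", 0), _BounceHandler)   # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        start = "http://127.0.0.1:%d/" % server.server_address[1]
        return expand_redirect_chain(start, FILE_HOST_WATCHLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    chain, verdict = demo()
    print(" -> ".join(chain), "|", verdict)
```

The resolver uses HEAD requests and a hop limit so that a moderation bot neither downloads the archive nor loops forever on a redirect cycle; the verdict, not the first hostname, is what the filter should act on.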

Monetization

Now we have a versatile and very effective tool for making money online. Consider
some types of botnet monetization.

Sale of game currency and accounts

Many game accounts on official servers are of some value, namely:
The character itself. The value depends on the level of the character;
Game currency.

Sale of game currency.

The method is quite routine and not very stable, but I started with it. With 10-20
downloads per day of my backdoor, I received from 1k rubles to 10k rubles per day.
It depends more on how lucky you are with your accounts.

Probably one of the most important points is to determine the game in which we will
specialize. Of course, you can avoid focusing on one game and take everything that
falls into our "pocket", but this is very inconvenient, believe me!
To simplify the search for the accounts we need and expand the circle of our
"clients", we choose the distribution method through bots. Naturally, we will use a
bot for the game we chose.

Using this method, we will sell in-game currency.

To begin with, I recommend monitoring the market and seeing which game's currency
is the most expensive. The currency of games such as Rift and Guild Wars 2 trades
at a fairly high rate, but personally, I recommend working on WoW all the same,
because the population of this game is very large, and, accordingly, so is the
demand for currency.
The bottom line will be to go to the victim's account and redirect the game funds
either to your account, or to the account of the service to which we are selling
currency.

Consider both options:

1. We sell currency to large currency-selling services; they constantly need
suppliers. First of all, we need to monitor these services again and see who buys
the currency at a higher price than others. Prices will be lower than what they
sell at and differ among services by a few rubles, maybe even kopecks; in the case
of large transactions, even a couple of kopecks will bring a significant increase.

2. Sell the currency directly to the buyer. Instead of selling currency to huckster
services at 2 or even 3 times cheaper, you can sell it immediately to players. This
method requires more time, but we will earn at least 2 times more.

To do this, it is desirable for us to have several characters on each of the
servers of this game. These characters will serve as a piggy bank for our currency.
Or, you can simply record the victim's account, the amount of money on the account
and the server, and thus transfer money to the player immediately from the victim's
account, but the disadvantage here is that when the victim is playing, we will not
be able to log in, and therefore we will not be able to transfer the game currency
at any time.
The transfer of this currency within the game also plays a big role.
Some of the most common methods are through the auction, a guild, or trade.

Here are some examples:

Auction. We go to the account of our victim and look at the amount of money on the
account, and remember it. Next, we go to our piggy bank character, go to the
auction and list some trinket at a price equal to the amount on our victim's
account. Done, it's posted. Again we go to the account of our victim, go to the
auction and buy the thing that was listed by the piggy bank character. Now all the
money has flowed to our character.

Guild. We go to the victim's account and leave the guild, if of course he is a
member of one. Next, from our piggy bank character, we create a guild and invite
the victim's character there. Again we go to the victim's account, join the guild
and replenish its account with all the victim's funds.

The most important! So that the victim does not suspect too much, remember where
the character stood when entering the game and when exiting, try to return him to
the same place. The advantages of this method are that the victim does not
understand where his money went and blames it on a game bug, which minimizes the
risk of suspicion of “malware”. In the end, this is a game and the loss of game
money is much less upsetting than the loss of a game account ;)
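Both laundering routes above leave the same footprint in a game's own event stream: a login from an address the account has never used, followed within minutes by the wallet leaving through an auction overpay or a deposit into a freshly joined guild. The following is an added example of the anomaly rule a game's fraud team would run over such events; it is not code from the guide. The event records, reference prices, known-IP history and thresholds are all constructed for the example:

```python
# Constructed game-economy event stream (not from the guide). ts is seconds,
# amounts are game gold. dwarf42 and elf07 are drained in the two ways the guide
# describes; orc11 is an ordinary player making an ordinary guild deposit.
EVENTS = [
    {"ts": 100, "acct": "dwarf42", "type": "login", "ip": "203.0.113.7"},
    {"ts": 160, "acct": "dwarf42", "type": "auction_buy", "item": "iron_ore", "price": 12, "wallet_before": 5000},
    {"ts": 200, "acct": "dwarf42", "type": "logout"},
    {"ts": 300, "acct": "orc11", "type": "login", "ip": "192.0.2.44"},
    {"ts": 320, "acct": "orc11", "type": "guild_deposit", "amount": 500, "wallet_before": 600},
    {"ts": 340, "acct": "orc11", "type": "logout"},
    {"ts": 900, "acct": "dwarf42", "type": "login", "ip": "198.51.100.9"},
    {"ts": 930, "acct": "dwarf42", "type": "auction_buy", "item": "iron_ore", "price": 4990, "wallet_before": 5000},
    {"ts": 950, "acct": "dwarf42", "type": "logout"},
    {"ts": 1000, "acct": "elf07", "type": "login", "ip": "198.51.100.9"},
    {"ts": 1010, "acct": "elf07", "type": "guild_leave"},
    {"ts": 1040, "acct": "elf07", "type": "guild_join", "guild": "NewGuild"},
    {"ts": 1050, "acct": "elf07", "type": "guild_deposit", "amount": 2100, "wallet_before": 2150},
    {"ts": 1060, "acct": "elf07", "type": "logout"},
]

# Typical auction price per item (constructed; a real system uses a rolling median).
REFERENCE_PRICES = {"iron_ore": 10}

# IPs each account used before this window (constructed history).
KNOWN_IPS = {"dwarf42": {"203.0.113.7"}, "orc11": {"192.0.2.44"}, "elf07": {"192.0.2.80"}}

OVERPAY_FACTOR = 10        # price above 10x the reference counts as an overpay
DRAIN_FRACTION = 0.9       # moving >= 90% of the wallet in one step counts as a drain
JOIN_DEPOSIT_WINDOW = 600  # seconds between joining a guild and emptying the wallet into it


def find_drains(events, ref_prices, known_ips):
    """Return (acct, ts, reason) for wallet drains matching the two laundering patterns."""
    known = {a: set(ips) for a, ips in known_ips.items()}
    new_ip_session = {}   # acct -> True while logged in from a never-seen IP
    joined_at = {}        # acct -> ts of a guild_join in the current session
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        acct, kind = e["acct"], e["type"]
        if kind == "login":
            seen = known.setdefault(acct, set())
            new_ip_session[acct] = e["ip"] not in seen
            seen.add(e["ip"])
            joined_at.pop(acct, None)
        elif kind == "logout":
            new_ip_session.pop(acct, None)
            joined_at.pop(acct, None)
        elif kind == "auction_buy":
            # unknown items default to their own price, so they never count as overpay
            overpay = e["price"] > OVERPAY_FACTOR * ref_prices.get(e["item"], e["price"])
            drain = e["price"] >= DRAIN_FRACTION * e["wallet_before"]
            if overpay and drain and new_ip_session.get(acct):
                alerts.append((acct, e["ts"], "auction overpay drains wallet from new IP"))
        elif kind == "guild_join":
            joined_at[acct] = e["ts"]
        elif kind == "guild_deposit":
            drain = e["amount"] >= DRAIN_FRACTION * e["wallet_before"]
            recent = acct in joined_at and e["ts"] - joined_at[acct] <= JOIN_DEPOSIT_WINDOW
            if drain and recent and new_ip_session.get(acct):
                alerts.append((acct, e["ts"], "wallet emptied into a just-joined guild from new IP"))
    return alerts


if __name__ == "__main__":
    for acct, ts, reason in find_drains(EVENTS, REFERENCE_PRICES, KNOWN_IPS):
        print(acct, ts, reason)
```

Two of the three accounts trip the rule, and both did so from the same previously unseen address, which is the kind of pivot (one operator, many victim accounts) a fraud analyst would follow up on next; the ordinary deposit by orc11 does not fire because neither the new-IP nor the recent-join condition holds.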
Stealing game accounts.

This method is a little easier to implement and does not take a lot of time.
To begin with, we also need to choose a game on which we will work.
I recommend choosing the most famous and most populous games such as WoW, Aion,
Lineage 2, WoT.

You already know how to distribute the backdoor. Next, we begin to collect the
fruits.
Install the game client and view the accounts of our victims. It is advisable to
install the client on a dedicated server or virtual machine using a proxy or VPN.

We are interested in accounts whose levels have reached more than half of the
maximum level (for example, the maximum level is 80, which means we select accounts
whose levels are more than 40). The higher the level, the more expensive the
account.

It is desirable to sell at a lower price, because it is important for us to sell as
quickly as possible.

For sales, you can use special intermediary services, but they have a number of
disadvantages; for example, some ask you to confirm passport data. Confirming fake
data is not a problem, but it is an extra hassle.


But there are also services that post your ads without any checks.
You can also sell in the most usual way, spreading an advertisement for the sale of
a character on social networks, on game forums, message boards, in any case, the
buyer will find you, it's a matter of time. The more ads, the faster you can sell.

There are several pitfalls here:

1. Before selling an account, you need to change the password of the victim's
account and of the mailbox and set it aside for a week. If during this period the
victim has not restored access, then most likely he cannot do so, or he simply does
not care about the account. We can sell such accounts with minimal risk that the
victim will regain access.

(If you do not have a drop of conscience, then some might think of selling right
away, changing the password just before selling, but in this way there is a chance
that the victim will restore access and thus our client who paid money for the
account will lose it. I strongly advise against doing this!)

2. After changing the password, the victim may suspect that something is wrong and
start scanning his computer for our "malware". In most cases their attempts will be
in vain, but you never know how deep they will dig, and there is a chance that the
victim will decide to reinstall Windows, which is guaranteed to destroy our
backdoor on his PC.

3. Checks from the buyer's side. The checks are different and more sophisticated
each time. They check the last IP visits, ask to send photos of passports with
registration and with your handwritten receipt. Of course, most of them are easily
dealt with, but such buyers are usually very petty. Personally, I didn't even spend
time on such.

Sale of logs and accounts

This is perhaps the most common type of botnet activity.

For those who don’t know, the log is a text file containing detailed information
about every action of our victim. Simply put, all the information that our
keylogger or stealer collects.

Logs can be sold as they are, that is, in the form in which they come to you on the
ftp-server, or you can make a selection in the logs. Each method pays off well, but
each has its own pros and cons.

Sale of pure logs.

The bottom line is to sell the logs that come to us on FTP. You can't think of
anything easier; the only thing required of us is to select the required size of
the log file before selling. The price depends on the size of the log file and the
quality of the logs. The quality depends on what the logs were taken with. Logs
taken by a keylogger are much cheaper than logs taken by a stealer or grabber.

The keylogger collects all the information (necessary and unnecessary): where he
went, what he wrote, i.e. a lot of garbage and unnecessary information. The buyer
is mainly interested only in accounts and billing information.

A stealer or grabber collects and steals from browsers only the passwords and
logins for various resources. This option is convenient for us and for our
customers; there is no need to dig through the logs to select accounts.

Now let's talk about the price.


The main criteria affecting the price of logs:

1. What the logs were taken with. As already mentioned above, logs from a keylogger
are of lower quality, therefore they are cheaper than logs taken by a stealer or
grabber.

2. Country of the logs. Or rather, the number of countries from which the logs were
taken. For example, if the logs contain only information from users of one country
(for example, Russia), then such logs are more expensive. If the logs contain
information about users from different countries, then such logs are called Mix
and, accordingly, are cheaper.

3. Whether the logs have been checked. Logs that were not used are more expensive
than logs that have been dug through with all the cream skimmed off. Although that
is more a matter of your conscience.

The average price for 1 MB of logs from a keylogger is $0.1-0.15.

The average price for 100 KB of logs from a stealer or grabber is $2-5.

Selling individual accounts.

If you do not feel sorry for your time, then you can dig through the logs and dig
up a lot of interesting things. Believe me, your time will pay off.

As in the first option, logs can be sold, but with a selection (it costs even more),
that is, the buyer needs the accounts of a certain site. It is better to search for
them in your database using a special checker. But in this case, your base becomes
used and picked over.
But instead of waiting for a client who asks for a selection, you can check your
base for accounts of the most common resources and post an advertisement for the
sale of accounts of certain sites. Because some single accounts cost more than your
entire base.


The most valuable accounts are for resources such as mail services, social
networks, Internet auctions, e-wallets, game servers, site and server admin
panels, various forums (mostly closed forums or forums about earning, where
reputation and registration date are valued).

Most bought accounts:

Google.com (mail, social network, channel);
Webmoney.ru (Mini);
Vk.com;
Facebook.com;
Odnoklassniki.ru;
Instagram.com;
Twitter.com;
Ebay.com;
Site administrator accounts also sell well, as do accounts on closed carding,
hacker and spam forums. On such sites, the registration date and reputation are
very valuable, and some of them simply cannot be accessed. But people from such
forums know what they are doing, and accounts for these systems come across very
rarely.
Shopping / selling sites such as Shoppy, Sellix, Atshop, Sellify, Rockter;
Carding autoshops such as Unicc, Yale, Genesis and more.

IMPORTANT POINT:
Before selling accounts, review them manually, sometimes you come across very
valuable accounts, especially on social networks. For example,
accounts of administrators of large groups or accounts with a large number of
friends and subscriptions. I think very few people will be able to use such
accounts to their advantage ;)

Bitcoin mining

Many of you have a good idea of what bitcoins are and how to get them. But since
the course is focused on beginners, and they are probably present, it will not be
superfluous to mention what it is.

Bitcoin is a digital currency (cryptocurrency). Bitcoins are mined using a client
program that, at the expense of computer resources, computes block header hashes,
for which bitcoins are awarded. For the generation of one block, 25 coins are
given. Bitcoin extraction itself is called "mining", which translates as extraction
or digging.

Bitcoin mining compares well with a miner's trade. Miners (i.e. we) are the
diggers, and bitcoins are the ore (let's say gold). It is difficult for one person
to mine ore, so miners unite in groups (pools) where all mining is distributed
equally among the workers. And the deeper we dig the mine, the more difficult it is
to extract ore, plus every day we have more competitors who also came to extract
the same ore, which by the way is not endless.

But you and I are not some miners who work day and night to get the coveted penny
for our work. For our purpose, we will recruit several hundred, and maybe thousands,
of slaves who will do our "dirty work" absolutely free! First of all, we need to
decide on the client with which we will mine through our bots. There are plenty of
such programs, but in my opinion it is preferable to use Phoenix 2.0.0.
This program is attached to the course, and you can download it here -
bitcointalk.org/index.php?topic=75786
Once downloaded, run phoenix.exe and the file phoenix.cfg appears. This is the
configuration file for our miner. We open it.
We need to enter the mining parameters in it. They should look like this:

[general]
autodetect = +cl -cpu
backend = http://user@host:port
backups = http://user@host:port
logfile = log
[cl:0:0]
autoconfigure = true
aggression = 5


The line "autodetect" indicates what we will mine with.
You can mine in 2 ways: using the CPU (processor) and GPU (video card). As a rule,
video cards have better performance, so we specify the "cl" parameter, which
denotes the video card.
The lines "backend" and "backups" indicate the addresses of the pool, the main
(backend) and backup (backups). We need to replace the values http://user@host:port
with your address in the pool.

Everything under the line [cl:0:0] refers to the graphics parameters that set the
load on the video card / processor. The "aggression" line sets the speed at which
our video card or processor will mine. The higher the speed, the higher the load. I
do not recommend setting the "aggression" parameter above 5, otherwise our victims
will realize that something is wrong with their computers due to the heavy and
frequent load on their video cards. We have figured out the settings. Next, we need
to select the pool through which we will mine.

In short, a pool is a server where many users unite who simultaneously generate a
block, after which the reward is distributed equally among all participants in the
process.

I personally recommend the 50btc.com pool for many reasons. I think almost everyone
who mines or tried to mine in Russia uses it.

Other popular pools:

mining.bitcoin.cz
deepbit.net
bitminter.com
btcguild.com
btcmine.com

We register in it and get the address that we enter into the file phoenix.cfg in
the lines "backend" and "backups". Here's an example of how it should look:
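From the defender's side, the setup described in this section (a Phoenix-style config on disk, a worker that keeps the GPU moderately busy for hours, and an outbound connection to a pool) is exactly what endpoint telemetry can be checked for. The following is an added example, not code from the guide or from the Phoenix project, showing both checks: a tolerant INI parser that scores a config file for miner indicators, and a scan over process records for sustained GPU use by unexpected processes or connections to known pools. The pool watchlist is built from the hostnames this section lists; the sample config, process snapshot and GPU allowlist are constructed:

```python
from urllib.parse import urlsplit

# Pool hostnames this section names, reused as a detection watchlist. In a real
# deployment this comes from maintained threat intelligence, not a hard-coded set.
POOL_WATCHLIST = {"50btc.com", "mining.bitcoin.cz", "deepbit.net",
                  "bitminter.com", "btcguild.com", "btcmine.com"}

# Keys that together are characteristic of a Phoenix-style miner config.
MINER_CFG_KEYS = {"autodetect", "backend", "backups", "aggression"}

# Processes expected to load the GPU for long stretches (constructed allowlist).
GPU_ALLOWLIST = {"minecraft.exe", "wow.exe"}


def parse_cfg(text):
    """Parse INI-style text into {section: {key: value}}; tolerant of sloppy spacing."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].replace(" ", "")   # "[cl: 0: 0]" -> "cl:0:0"
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def cfg_indicators(text, watchlist=POOL_WATCHLIST):
    """Reasons a config file looks like a pool-mining config (empty list = none found)."""
    cfg = parse_cfg(text)
    reasons = []
    all_keys = {k for sec in cfg.values() for k in sec}
    if len(all_keys & MINER_CFG_KEYS) >= 3:
        reasons.append("miner-style keys: " + ", ".join(sorted(all_keys & MINER_CFG_KEYS)))
    general = cfg.get("general", {})
    for key in ("backend", "backups"):
        host = urlsplit(general.get(key, "")).hostname   # None when key is absent
        if host in watchlist:
            reasons.append("%s points at known pool %s" % (key, host))
    for name, sec in cfg.items():
        if name.startswith("cl:") and "aggression" in sec:
            reasons.append("GPU section [%s] with aggression=%s" % (name, sec["aggression"]))
    return reasons


def process_indicators(procs, watchlist=POOL_WATCHLIST, allow=GPU_ALLOWLIST,
                       min_util=40, min_minutes=60):
    """Flag processes that keep the GPU busy for a long time or talk to a known pool.

    A miner tuned to stay unnoticed (the guide's "aggression" of 5) produces a
    moderate load sustained for hours, so the rule keys on duration, not on a spike.
    """
    findings = []
    for p in procs:
        hits = []
        if p.get("remote_host") in watchlist:
            hits.append("connects to pool %s" % p["remote_host"])
        if (p["gpu_util"] >= min_util and p["minutes"] >= min_minutes
                and p["name"] not in allow):
            hits.append("GPU at %d%% for %d min" % (p["gpu_util"], p["minutes"]))
        if hits:
            findings.append((p["name"], hits))
    return findings


# Constructed samples: a config in the layout shown above with made-up pool
# credentials, and a process snapshot as an endpoint agent might report it.
SAMPLE_CFG = """[general]
autodetect = +cl -cpu
backend = http://worker1:pw@50btc.com:8332
backups = http://worker1:pw@deepbit.net:8332
logfile = log
[cl:0:0]
autoconfigure = true
aggression = 5
"""
SAMPLE_PROCS = [
    {"name": "minecraft.exe", "gpu_util": 75, "minutes": 90, "remote_host": "mc.example"},
    {"name": "svchost32.exe", "gpu_util": 55, "minutes": 420, "remote_host": "50btc.com"},
    {"name": "chrome.exe", "gpu_util": 10, "minutes": 300, "remote_host": "example.org"},
]

if __name__ == "__main__":
    print(cfg_indicators(SAMPLE_CFG))
    print(process_indicators(SAMPLE_PROCS))
```

The config check is the cheap one and catches files that look like the block above wherever they sit on disk; the process check is the one that still works after the binary has been re-encrypted, since weekly re-packing changes the file hash but not the hours of GPU time or the pool the worker reports to.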
