First tutorial! Hope you enjoy! Let me know that you used it by liking this!
Step 1: Find a builder kit (3 minutes)
Using a combination of search terms, you can usually find a link to a version of a popular builder kit in 3 minutes or less. Our chosen kit was originally an underground - yet commercial - product based on the ZeuS code, and originally cost $600 for a hardcoded command-and-control (CnC) server and $1,800 for an unlimited builder license. But considering that you’re building a botnet to steal massive amounts of sensitive data, we’ll assume that you have no qualms about using a pirated copy.
Our bot has the following core components:
- A settings.txt file for configuring the CnC callback channel
- The Full_builder.exe file for compiling the bot payload
- CnC host files. This is a PHP-based website used for reporting and CnC functions
- bot-bc.exe. This process allows your malware to back-connect through the Socket Secure (SOCKS) protocol for remotely controlling compromised machines
Figure 1: The builder kit's settings.txt file
Figure 1 shows the settings.txt file, highlighting a number of options. The “URL Masks” section lets you specify certain actions if the user of the compromised machine visits a website whose URL matches a given text string. These URLs can be anything you want. In Figure 1, the URL masks include ebay.com and owa (Outlook Web Access, for gaining control of the target’s corporate email account).
The “URL Masks” options enable any of the following when the user visits any of the sites defined in the URL Masks section:
- N — do not write data in reports
- S — make a screenshot of the page area on mouse clicks
- C — preserve all cookies associated with that site and block access to it
- B — block access to the site
Figure 2: Example use-cases of the "Injects" functionality
In Example 1, the contents of the accountOverview section are uploaded to the CnC server whenever the compromised host goes to a URL containing “https://www.payment-site.com/*/webscr?cmd=_login-done*”. With this handy report of users’ account balances, you can focus on targeting those with the most money in their accounts.
In Example 2, a "Big Bank Corp" site viewed by a compromised system would show an additional field on the password page asking for the user’s “ATM PIN”. Because your grafted-in field is designed in the same style as the standard page, it looks like it belongs there. Sensing nothing amiss, many computer users would not hesitate to enter this information — which is immediately sent to you, the attacker.
Those are only two examples. As a botnet owner, you could create all sorts of targeted injects files to steal new and useful information. If that’s too much work, you can download ready-to-use injects definitions that serve as recipe books of sorts for specific attacks. Need to target end-users in France? Simply download the French Banks injects pack containing recipes for the purely illustrative and imaginary “La Banque Centrale” or “Crédit Français”, among others.
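From the defending bank's side, the grafted-in “ATM PIN” field in Example 2 is detectable because the server knows exactly which inputs it sent and the browser can report which inputs were actually rendered. The following is an added example, not code from the original post or from the kit; the field names, the sensitive-keyword list and the sample data are constructed assumptions for illustration.

```javascript
// Added example (not part of the original post): a page-side form integrity check
// a bank could ship with its login page to notice an injected extra field such as
// the "ATM PIN" input described above. Field names and keyword hints are assumptions.

// Hints for data a legitimate password page would not normally ask for.
const SENSITIVE_HINTS = ["pin", "atm", "ssn", "cvv", "card"];

// In a browser, gather the names of every input actually rendered in the DOM.
// (Under Node there is no DOM, so the demonstration below passes a constructed list.)
function collectRenderedFields(doc) {
  return Array.from(doc.querySelectorAll("input, select, textarea"))
    .map((el) => (el.name || el.id || "").toLowerCase())
    .filter((name) => name.length > 0);
}

// Compare the fields the server sent with the fields the browser rendered.
function checkFormIntegrity(expectedFields, renderedFields) {
  const expected = new Set(expectedFields.map((f) => f.toLowerCase()));
  const rendered = renderedFields.map((f) => f.toLowerCase());
  const unexpected = rendered.filter((f) => !expected.has(f));
  const missing = [...expected].filter((f) => !rendered.includes(f));
  // Unexpected fields that look like they harvest an additional secret.
  const sensitive = unexpected.filter((f) => SENSITIVE_HINTS.some((h) => f.includes(h)));
  return {
    tampered: unexpected.length > 0 || missing.length > 0,
    unexpected,
    missing,
    sensitive,
  };
}

// Constructed sample: the server sent a two-field login form ...
const EXPECTED_LOGIN_FIELDS = ["username", "password"];
// ... but the compromised browser rendered a third, injected field.
const RENDERED_FIELDS_SAMPLE = ["username", "password", "atm_pin"];

const report = checkFormIntegrity(EXPECTED_LOGIN_FIELDS, RENDERED_FIELDS_SAMPLE);
console.log(JSON.stringify(report));
// → {"tampered":true,"unexpected":["atm_pin"],"missing":[],"sensitive":["atm_pin"]}
```

Because the malware runs inside the same browser, it can also tamper with this script, so the result is a signal to feed into server-side fraud scoring rather than a guarantee.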
Step 2: Build your payload (5 minutes)
Once your injects file is ready, open the easy-to-use GUI interface to build the executable malware file (see Figure 3).
You’ll need two pieces of information to build the malware:
- The URL to your settings.txt file (you’ll store the file on your CnC server so you can change it at will)
- A symmetric-key encryption key to embed in the payload, so that it can communicate securely with your CnC server. This key can be any string of characters
Figure 3: The builder GUI for compiling the malware payload
After you have compiled the malware, you’ll run your executable through a file compressor or obfuscator, also known as a packer or a crypter. Originally designed to reduce the size of an executable file, these packers have the added benefit of disguising files when they are scanned by anti-virus software. For this example, I used three popular compressors, which I will call packers "A" to "C".
To see whether the compressed files are sufficiently camouflaged, you’ll submit your files to VirusTotal, a free site that scans uploaded files using a number of anti-virus engines. (Note: if you were a real cybercriminal, you’d probably choose a different virus-scanning site such as Scan4You, Chk4Me, or ElementScanner. VirusTotal shares its scanning results with anyone — including IT security companies — which could