Monday, July 13, 2009

Quick update: Botnet lab test

It took quite some time to get this src up and kickin', and finally this seems to be working just fine, if not great. I had been planning to take up the botnet session, on which I posted earlier here: Botnet: The Silent Threat I and Botnet: The Silent Threat II. As most of us are already aware of the theory, it made little sense to me to just go ahead with plain words and pics.

So I started setting up a test lab. And little did I know this was going to be interesting; I spent several nights up, surrounded by dozens of bot sources. I checked out every source one by one. Public sources are usually broken, with modules missing, and need to be checked carefully. Well, most of the src compile smoothly, but either they didn't connect back to the ircd, or they started behaving in undefined ways and, in some cases, reached out to their respective mother ship.

As of now, I've been able to fix the rx src; the ago src runs fine but is backdoored. Some variants of rx, ago, phat etc. and other private src absurdly start a port scan of the ircd!!

I know rx is quite old, but I believe it is good enough for the lab test and video tutorial (rx variants are still out even today).

Anyways, this is what I have been able to test on rx 7.6 src:

1. DDoS - icmpflood, synflood, tcpflood, udpflood etc.
2. Spreader - dcom135 hitting a windows 2k box
3. Misc functions - Keylogging, screen/webcam capture, remote shell etc.

I am using unrealircd for the irc server, wireshark/tcpview on the hosts for watching connections as they open, and the xchat client for the attacker. I am hoping to add some new exploits to the rx src if I can get some time this week.
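The connection-watching side of the lab (the "did the bot connect back to the ircd?" check done above with wireshark/tcpview) is the part a defender reuses. The following script is an added example and not code from the post or from any of the bot sources it mentions: it scans reassembled client-to-server TCP payloads, of the kind you read out of Wireshark's "Follow TCP Stream", for an IRC registration handshake (NICK/USER/JOIN/PASS) regardless of destination port, and then groups the clients per (server, channel) so that a channel many lab hosts join at once stands out as a C2 candidate. The IP addresses, nicks, channel name and payloads in SAMPLE_STREAMS are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of reassembled client->server TCP payloads, i.e. what
# Wireshark's "Follow TCP Stream" shows for the client side on a lab host.
# Each record: (client_ip, server_ip, server_port, payload_bytes)
SAMPLE_STREAMS = [
    ("10.0.0.11", "10.0.0.5", 6667, b"NICK [x]-a1b2\r\nUSER a1b2 0 0 :a1b2\r\nJOIN #lab :pw\r\n"),
    ("10.0.0.12", "10.0.0.5", 6667, b"NICK [x]-c3d4\r\nUSER c3d4 0 0 :c3d4\r\nJOIN #lab :pw\r\n"),
    # Same handshake, but the ircd listens on a non-IRC port: a port-only filter misses this.
    ("10.0.0.13", "10.0.0.5", 8080, b"NICK [x]-e5f6\r\nUSER e5f6 0 0 :e5f6\r\nJOIN #lab :pw\r\n"),
    # Ordinary HTTP traffic, must not be flagged.
    ("10.0.0.20", "10.0.0.7", 80,   b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    # A human IRC user who registers but joins no channel.
    ("10.0.0.21", "10.0.0.5", 6667, b"NICK operator\r\nUSER op 0 0 :op\r\n"),
]

# Ports conventionally used by IRC servers (assumption: adjust to the lab's ircd config).
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}

# IRC registration/channel commands at the start of a line (RFC 1459 syntax).
IRC_HANDSHAKE = re.compile(rb"^(NICK|USER|JOIN|PASS)\b", re.M)
NICK_LINE = re.compile(rb"^NICK\s+(\S+)", re.M)
JOIN_LINE = re.compile(rb"^JOIN\s+(\S+)", re.M)


def find_irc_clients(streams):
    """Return one finding per stream whose client payload contains an IRC handshake.

    Detection is content-based, so an ircd on a non-standard port is still caught;
    the port is only used to mark the finding as suspicious.
    """
    findings = []
    for client, server, port, payload in streams:
        cmds = {m.group(1).decode() for m in IRC_HANDSHAKE.finditer(payload)}
        if not cmds:
            continue
        nick = NICK_LINE.search(payload)
        chan = JOIN_LINE.search(payload)
        findings.append({
            "client": client,
            "server": server,
            "port": port,
            "commands": sorted(cmds),
            "nick": nick.group(1).decode() if nick else None,
            "channel": chan.group(1).decode() if chan else None,
            "nonstandard_port": port not in IRC_PORTS,
        })
    return findings


def summarize_by_channel(findings, min_clients=2):
    """Group clients per (server, channel); a channel joined by many hosts is a C2 candidate.

    Clients that register but join nothing are ignored here, which keeps a lone
    human IRC user out of the summary.
    """
    groups = defaultdict(set)
    for f in findings:
        if f["channel"]:
            groups[(f["server"], f["channel"])].add(f["client"])
    return {key: sorted(clients) for key, clients in groups.items() if len(clients) >= min_clients}


if __name__ == "__main__":
    hits = find_irc_clients(SAMPLE_STREAMS)
    for h in hits:
        flag = " (non-standard port)" if h["nonstandard_port"] else ""
        print(f"{h['client']} -> {h['server']}:{h['port']} nick={h['nick']} chan={h['channel']}{flag}")
    for (server, chan), clients in summarize_by_channel(hits).items():
        print(f"C2 candidate: {server} {chan} joined by {len(clients)} hosts: {', '.join(clients)}")
```

On the constructed sample this flags the three bot-like hosts (including the one talking to port 8080) and reports #lab on 10.0.0.5 as the channel they all joined, while the HTTP stream and the lone operator produce no channel-level alert. In a real lab the records would come from a pcap exported per stream; the matching logic stays the same.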

There are a few other src here which I will focus on now that rx is up. These src have aim/msn and several other spreader functions besides common windows sploits. Hope to get these up before the weekend.

Ok, I guess I'll take a break for a few hours now. The morning sun is about to rise and shine.

Best Regards.


The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.