SD Bot Tutorial by: Achillean
Procurement:
The sdbot can be spread like any Trojan; however, some methods are easier and more effective than others. I prefer to scan entire ISP netblocks using the DSNX bot (another type of Trojan bot) with the portscan plugin added for known Trojan ports. Once the DSNX has reported back a list to me, I usually run that list through superscan for Windows to grab the banners and save some time weeding out useless hosts. Once I know which are indeed viable hosts, I will then connect with the Trojan’s client and upload and execute my bot. After I've done this, I will remove the original Trojan to preclude anyone else from getting into the host and getting your bot. It is also worthwhile to rename the exe to something vulgar and place it into peer2peer file sharing folders on infected hosts. If you happen to get packeted by an sdbot botnet, then you can sometimes steal those bots. First, you take a list of the IPs that packeted you and run them through superscan looking for Trojan ports. When you find one, connect and look for the bot. You can usually run a netstat and find where the bot is connecting to, and that will tell you the server the bots reside on. The bot itself will usually be in the system or system32 folder, depending on the version of Windows. You should be able to look at the processes running and find which one is the bot. Once you have the bot, you can then use something like win32dsm to decompile it and look at the strings. If you get some kind of weird output, look at the size of the file; the bot should be about 15kb if it's been packed. Try using UPX to unpack it and then decompile again. If you cannot get the server/channel/pass from the decompiled bot, then you can infect yourself with the bot and use a sniffer to see where it connects to. Then you can spy on the channel and wait until someone logs in; this will give you the password. Now simply update the bots and they belong to you.
Protection:
Now that I've told you how to steal someone else’s sdbots, you'll need to know how to protect your own botnet. First of all, it's wise to voice a few of the bots and +m the channel. While the bots will accept commands in private messages, at least someone can't come into your channel and update them all at once. You can also specify how many simultaneous logins to allow in the source code. Only allowing one person to be logged in to the bots at once can be very helpful in keeping people from updating or removing the bots. Always +s the channel your bots stay in. You can also specify what version the bots will reply when they are CTCP versioned. Make the version reply something so that if you have any questions whether a host is a spy or a bot, you can simply version it and see.