>>1
obvious disclaimer: don't use this information for anything malicious and don't put your malware on computers you don't own. VMs are a good tool for this kind of malware lab: just give them all IPs in range and make one of them a C&C server and have fun. FBI plz don't arrest me
I used to have a small botnet (around 200 devices) many years ago, when SlowLoris was the main tool for DDoSing things. as you aren't interested in getting people to install it, I'll skip that part (unless anyone's interested) and get to the design.
at heart, a botnet is a bunch of slave nodes which receive commands from a server, so start with making that. polling a server is generally better than listening for connections because of firewalls. then, try to figure out the way to avoid hardcoding the server's address - the most common way of doing that is by making a domain-generation algorithm (DGA). the idea of a DGA is simple - it generates deterministic domain names based on current time. you then register those (or just edit /etc/hosts when making an academic/research pseudo-botnet) and point them towards your server. you should make a DGA as confusing as possible to make the job harder for reversers, but at first a simple state machine would be enough so that people won't see your domains when running strings on your executable.
I was thinking of ditching DGAs altogether and making some sort of peer2peer botnet with a public key instead of a C&C server, which would accept commands from anyone who signed them with a matching priv-key and send them to known peers, but I couldn't figure out a way of doing that without listening on a port and therefore getting firewalled. if you're smarter than me maybe you'll work on this idea.
the other issue with stealth is hiding executables from antivirus software. avoiding file/section signatures is trivial so I won't talk much about that - what you really need to worry about are heuristics. the oldschool way of dealing with them is as follows:
1. obfuscate, compress and encrypt the machine code of malicious parts of your program
2. put that as an array of bytes
3. write simple assembly to reverse the process and mark the section as executable
4. ???
5. PROFIT!
this is so oldschool that antivirus became good at detecting it so don't rely on it too much. a better way is to create multi-stage programs: a downloader which downloads and installs the client, the client that polls the server, and payloads which do what the server wants. the payloads are usually encrypted/obfuscated but they're rarely machine code because decrypting machine code is seen as suspicious. instead, they're usually one of the scripting languages recognized by default by the target system. as the target system is usually windows, they'll be batch, jscript and powershell. bonus points for fileless execution of payloads - but even better if you design a truly devious malware which doesn't even have executing payloads as an overt functionality. think of an intentionally vulnerable, easy to exploit client that is being hacked by its own server.
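The defender's view of the DGA described above, as an added example that is not the poster's code: a small Python script that scores DNS query logs for machine-generated registrable labels (high entropy, few vowels, long) and flags clients with bursts of NXDOMAIN answers for such names, since a time-seeded DGA produces many names that were never registered. The log line format, thresholds and sample lines are constructed assumptions, not taken from any real capture.

```python
import math
import re
from collections import Counter

# Constructed sample DNS resolver log (assumed format, not a real capture).
SAMPLE_DNS_LOG = """\
2024-01-01T00:00:01Z client=10.0.0.5 query=www.example.com type=A rcode=NOERROR
2024-01-01T00:00:02Z client=10.0.0.5 query=mail.example.com type=A rcode=NOERROR
2024-01-01T00:00:03Z client=10.0.0.9 query=xk3q9vbz7tl2p.com type=A rcode=NXDOMAIN
2024-01-01T00:00:04Z client=10.0.0.9 query=q8wz2nx7kcv4j.net type=A rcode=NXDOMAIN
2024-01-01T00:00:05Z client=10.0.0.9 query=zp4tv8mxq2bnl.org type=A rcode=NXDOMAIN
2024-01-01T00:00:06Z client=10.0.0.9 query=update.example.com type=A rcode=NOERROR
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+) type=\S+ rcode=(?P<rcode>\S+)")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(fqdn: str) -> str:
    """Naive second-level label (no public-suffix list; an assumption)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(label: str) -> float:
    """0..3: one point each for high entropy, low vowel ratio, long label."""
    if not label:
        return 0.0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    score = 0.0
    score += 1 if shannon_entropy(label) > 3.0 else 0
    score += 1 if vowel_ratio < 0.25 else 0
    score += 1 if len(label) >= 12 else 0
    return score

def analyze_dns_log(log_text: str, min_score: float = 2.0, nx_burst: int = 3):
    """Return (suspicious queries, clients with >= nx_burst NXDOMAINs on them)."""
    flagged, nx_by_client = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if dga_score(registrable_label(m["query"])) >= min_score:
            flagged.append(m["query"])
            if m["rcode"] == "NXDOMAIN":
                nx_by_client[m["client"]] += 1
    noisy = sorted(c for c, n in nx_by_client.items() if n >= nx_burst)
    return flagged, noisy

if __name__ == "__main__":
    print(analyze_dns_log(SAMPLE_DNS_LOG))
```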