
Botnet for academic purposes

Name: Anonymous 2018-05-27 16:01

I want to make a botnet, maybe with virtual machines or something. I've heard that some botnets are IRC-based. Any ideas about where to start for making a botnet? I am less concerned with the getting-people-to-install-shit angle, and more interested in the concepts of stealth, steganography, command & control, and distributed systems stuff.

Name: Anonymous 2018-05-28 17:05

How would malware detect that a researcher is analyzing or reverse-engineering it?

How should malware respond to anti-malware software? Should it be "shy" and uninstall itself if certain tools or antivirus programs are installed, or do you prefer to be more ballsy and go for persistence rather than stealth? Should your malware attempt to uninstall or disable antivirus software, or would that raise suspicion?

Would it be better to develop malware for macOS and/or Linux considering that Windows users are more likely to run antivirus software (since macOS and Linux people sometimes think malware is a Windows-only problem)?

What about domain sinkholing? Or what if someone reverse-engineers the DGA in your malware? How else can you authenticate C2 commands (with more than just the domain it's coming from)?

How often should a bot try to connect to the C2 server?

How often should DGA domains be rotated? Maybe a new domain for every week or something? Minimum registration is like a year, and that can be, what, 10bux for a .com domain?

Would networks that monitor DNS traffic (such as a business rather than a home) be able to see the lookups for the DGAs and flag it as suspect or something? Can DNSCrypt or whatever be helpful to make it stealthier? Or maybe some alternative DNS server?

Would Tor or tor2web be helpful at all in a botnet?

Should you create some sort of killswitch or dead man's key in case of law enforcement?

How can you incorporate polymorphism into your malware project so that the checksums, filenames, directories, etc. are different from computer to computer so that it's not trivially easy to label certain files as malicious?

Are portable executable packer things important? Which ones should you use? I have only heard of UPX, but I don't know if that's good enough for most use-cases. Should you check if things get detected using VirusTotal, or is that a bad idea?

If I code botnet-related software in my host OS and test it out in a VM, will my anti-malware software detect and/or remove it?

Firewalls usually accept outgoing requests, but not inbound ones. So the bot client has to establish a connection with the C2 server(s), not the other way around. Is that right?

For a domain-generating algorithm, how would you go about registering the domain names? Bitcoin, or what? Stolen credit cards?

Should you even bother with mobile malware? Maybe have a "free APK" site for Android (since a lot of Android users have shitty devices that don't get Google Play but they still want apps)? How do you get computer users to install your malware? Email attachments with Word macros? Social engineering? Torrent trackers and trojanized "cracked" versions of free games? YouTube tutorials with links to Mega or something in the description? Not that I'd actually do anything like that, since this will all just be local on my own computer. But it's good to know what other people do. Are 0-days and remotely exploitable things (like remote code execution) rare? I'd imagine that exploit-based virus propagation is less common than in the past, and instead you rely on social media and link shorteners or watering hole attacks and things like that.

What do people even do with botnets once they're established? Aside from DDoSing, do people still do email spam, like for fake viagra or something? Do you use it to make your own version of Tor (for bouncing traffic between relays)? Do you use it for ransomware, or cryptocurrency mining, or what?

I am focusing on how you build a botnet, but let's say you have established a botnet with a lot of bots and you're not worried about law enforcement. Then what? After you've made it, what do you even do with it?

As I said, I am just interested in malware research from a purely academic standpoint. I think it'd be cool to become a malware analyst one day. But that involves knowing how malware works.

You don't learn about how malware works by following shitty tutorials that tell you how to only install Kali in a VM or use Dark Comet RAT or Sundown EK or Citadel or something. That's cargo cult malware. There are tutorials (and groups of people) that only focus on learning how to install things other people made. But you learn much more by actually doing things yourself (though it's good to know what design considerations other projects have). I know there are pitfalls with things like DIY cryptography, so you should see what other people are doing. But it's good to think about how to do it on your own, even if, in some ways, it's like needlessly reinventing the wheel. The point is that it's a learning experience, not necessarily a real-world thing.
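The question above about whether a network that logs DNS traffic could flag DGA lookups is the detection side of the same problem, and it is the side a malware analyst actually ends up working on. Below is an added example (not posted in this thread) of the kind of heuristic a monitoring team runs over resolver logs: per client, it combines the share of lookups that came back NXDOMAIN (a DGA bot misses on every generated name until it hits the one the operator registered) with the number of distinct high-entropy registered labels the client asked for. The log format, every sample line, and the thresholds are constructed for this example, not taken from any real tool or traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line (not real traffic):
# "<epoch> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1527436800 10.0.0.5 www.example.com. NOERROR
1527436801 10.0.0.5 cdn.example.net. NOERROR
1527436802 10.0.0.5 mail.example.org. NOERROR
1527436803 10.0.0.5 example.com. NOERROR
1527436805 10.0.0.7 stackoverflow.com. NOERROR
1527436806 10.0.0.7 stackoverlfow.com. NXDOMAIN
1527436810 10.0.0.9 xk2q9v7zt1pc.com. NXDOMAIN
1527436811 10.0.0.9 q8n3wz0ykp5d.net. NXDOMAIN
1527436812 10.0.0.9 t6r1bmv4jxq0.com. NXDOMAIN
1527436813 10.0.0.9 zp4hk9w2n7vy.org. NXDOMAIN
1527436814 10.0.0.9 m1x7c5qd8fbw.com. NOERROR
1527436815 10.0.0.9 www.example.com. NOERROR
"""


def shannon_entropy(label):
    """Bits of Shannon entropy over the characters of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Second-level label of a query name ("www.example.com." -> "example").
    Simplification (assumption): a one-label public suffix. A real tool
    consults the Public Suffix List so that "bbc.co.uk" yields "bbc"."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    if len(labels) < 2:
        return labels[0] if labels else ""
    return labels[-2]


def parse_log(text):
    """Return (client, qname, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        records.append((client, qname, rcode.upper()))
    return records


def score_clients(records, entropy_threshold=3.0,
                  nx_ratio_threshold=0.5, min_random_domains=3):
    """Per-client metrics. A client is flagged only when BOTH signals agree:
    most of its lookups fail AND it asked for several distinct high-entropy
    registered labels. Either signal alone misfires: one typo gives a
    high NXDOMAIN ratio, and a long real word like "stackoverflow" scores
    above 3 bits of entropy on its own. Thresholds are illustrative."""
    per_client = defaultdict(lambda: {"total": 0, "nxdomain": 0, "labels": set()})
    for client, qname, rcode in records:
        m = per_client[client]
        m["total"] += 1
        if rcode == "NXDOMAIN":
            m["nxdomain"] += 1
        m["labels"].add(registered_label(qname))

    report = {}
    for client, m in per_client.items():
        random_like = [l for l in m["labels"]
                       if shannon_entropy(l) >= entropy_threshold]
        nx_ratio = m["nxdomain"] / m["total"]
        report[client] = {
            "total": m["total"],
            "nxdomain_ratio": nx_ratio,
            "distinct_domains": len(m["labels"]),
            "high_entropy_domains": len(random_like),
            "suspicious": (nx_ratio >= nx_ratio_threshold
                           and len(random_like) >= min_random_domains),
        }
    return report


def suspicious_clients(log_text):
    """Sorted list of client IPs the heuristic flags."""
    report = score_clients(parse_log(log_text))
    return sorted(c for c, m in report.items() if m["suspicious"])


if __name__ == "__main__":
    for client, metrics in sorted(score_clients(parse_log(SAMPLE_LOG)).items()):
        print(client, metrics)
```

On the sample, only 10.0.0.9 is flagged; 10.0.0.7 has a 50% NXDOMAIN rate from a single typo and two high-entropy labels, which is exactly the case the combined rule is there to tolerate. Two caveats worth keeping in mind: a DGA built from a wordlist instead of random characters sidesteps the entropy signal, so the NXDOMAIN burst and the count of never-seen-before domains carry most of the weight in practice; and encrypted transports such as DNSCrypt or DNS over HTTPS only move the visibility point to whoever runs the resolver, so an organization that forces clients through its own resolver still gets these logs, while a client that talks to an outside encrypted resolver leaves only the resolver connection itself for the network to see.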
