{"id":2662,"date":"2015-10-30T03:15:32","date_gmt":"2015-10-30T03:15:32","guid":{"rendered":"http:\/\/www.pir8geek.com\/?p=2662"},"modified":"2015-10-30T03:15:32","modified_gmt":"2015-10-30T03:15:32","slug":"zib-trojan-the-open-tor-botnet","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=2662","title":{"rendered":"ZIB-Trojan &#8211; The Open Tor Botnet"},"content":{"rendered":"<div><b>General information and instructions.<\/b><\/div>\n<div><\/div>\n<div><strong>The Open Tor Botnet<\/strong> requires the installation and configuration of bitcoind, however I neglect to detail this here out of a lack of time.<\/div>\n<div>The bot is built as a Python 2.7 PyInstaller executable. Its antivirus evasion rests on two things: the PyInstaller bootloader is shared with many legitimate programs, so the packer itself carries no signature, and the embedded script is encrypted with an AES key and initialization vector generated fresh for every build, so the script bytes look random and differ from one binary to the next. Note that the key and IV have to ship inside the binary so the bot can decrypt its own script at runtime; the randomization defeats static signature matching on the packed file, not analysis of an unpacked sample.<\/div>\n<div><\/div>\n<div><strong>ZIB.py is the main project file.<\/strong><\/div>\n<div>intel.py is the chat bot for handling automatic transactions and client authentication.<\/div>\n<div>compileZIB.py is used by intel.py, and is started in the background using chp.exe.<\/div>\n<div>ZIB_imports.txt contains all the Python module imports that ZIB uses. They&#8217;re appended to the script during compilation.<\/div>\n<div>btcpurchases.txt includes all the Bitcoin payments that are pending. Pending transactions older than 24 hours are deleted.<\/div>\n<div>channels.txt includes all completed BTC payments.<\/div>\n<div>Point your webserver to C:\\Python27\\dist\\ for hosting the bot executables.<\/div>\n<div>chp.exe is required in the local dir.<\/div>\n<div>For the IRC server, run bircd, set up an oper with the username Zlo and password RUSSIA!@#$RUSSIA!@#$RUSSIA!@#$RUSSIA!@#$. 
Set the maximum users per IP to 0, because Tor users all connect from 127.0.0.1 and look the same to the IRCd. Keep all scripts in C:\\Python27\\Scripts.<\/div>\n<div>Put nircmd in the local directory; it is used to edit file dates (timestamps) on the generated binaries.<\/div>\n<div><\/div>\n<div><b>Features<\/b><\/div>\n<ul>\n<li>ZIB is an IRC-based, Bitcoin-funded bot network that runs under Tor for anonymity.<\/li>\n<li>ZIB is coded totally from scratch.<\/li>\n<li>ZIB uses the Department of Defense standard for encryption of Top Secret files (AES-256) as one of its methods of generating fully undetectable binaries every time!<\/li>\n<li>ZIB creates a new binary for every client with varying file sizes, creation dates, and rot13-&gt;zlib-&gt;base64-&gt;AES-256(random key+IV) encrypted strings.<\/li>\n<li>ZIB is fully undetectable (FUD) to Anti-Virus.<\/li>\n<li>ZIB has an automated system for handling payments, providing bot-net binaries, and creating bot-net IRC channels.<\/li>\n<li>All bot networks on a ZIB network require a password to join.<\/li>\n<li>ZIB uses passworded user-based authentication, handled through our Zlo intelligence bot, so you don&#8217;t have to worry about channel password, main password, or bot compromise. Normal users can&#8217;t create their own channels. All IRC functionalities are handled by the Zlo IRC intelligence bot. You can do authenticated, single-bot commands through Zlo, or set up a user session on your bots, which is slightly less secure.<\/li>\n<li>Paid users get unlimited bot space per channel.<\/li>\n<li>Our bot has been tested on and is fully compatible with Windows Server 2008 R2 32-bit, Windows XP SP1 &amp; SP3 32-bit, Windows 7, and Windows 8 64-bit.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<div><\/div>\n<div><b>Features<\/b><\/div>\n<ul>\n<li>Multi-threaded HTTP\/s (layer7 [Methods: TorsHammer, PostIt, Hulk, ApacheKiller, Slowloris, GoldenEye]), TCP\/SSL, and fine-tuned UDP flooding. Ability to flood hidden services, or attack via the clearnet. 
66 randomized DDoS user-agents and referers. All methods send randomized data, bypass firewalls, filtering, and caching. ZIB also comes with FTP flood, and TeamSpeak flood.<\/li>\n<li>Undetectable ad-fraud smart viewer that&#8217;s fully compatible with Firefox, Tor Browser Bundle, Portable Firefox, Internet Explorer, Google Chrome, Opera, Yandex, Torch, FlashPeak SlimBrowser, Epic Privacy Browser, Baidu, Maxthon, Comodo IceDragon, and QupZilla.<\/li>\n<li>Download &amp; Execute w\/ optional SHA256 verification.<\/li>\n<li>Update w\/ optional SHA256 verification.<\/li>\n<li>Chrome password recovery.<\/li>\n<li>Each bot can act as a shell booter and utilize external PHP shells for attacks.<\/li>\n<li>Replace Bitcoin addresses in the clipboard with yours.<\/li>\n<li>FileZilla password recovery.<\/li>\n<li>Fully routed through Tor.<\/li>\n<li>File, registry, startup folder, and main\/daemon\/tor process persistence.<\/li>\n<li>Installation and use are completely hidden from the infected user.<\/li>\n<li>0\/60 Fully undetectable to Antivirus.<\/li>\n<li>File download\/upload.<\/li>\n<li>Process status, creator, and killer.<\/li>\n<li>Undetectable, instant obfuscation when generating new binaries.<\/li>\n<li>Self spreading.<\/li>\n<li>All bot files are SHA256 hash verified. Broken\/corrupted files get replaced.<\/li>\n<li>Bypasses AntiVirus Deep-Scan.<\/li>\n<li>Install location varies depending on whether the bot has administrative access.<\/li>\n<li>IRC nickname format: Country[version]windows version|CPU bits|User Privileges|CPU cores|random characters. Ex: US[v2]XP|x32|A|4c|F4L0s4kpN5. 
64-bit detection may be having issues (shows up as 32-bit).<\/li>\n<li>Disables various Windows functions WITHOUT giving the user warnings!<\/li>\n<li>Disables Microsoft Windows error reporting, sending additional data, and error logging &#8211; System-wide as administrator, and on a per-user basis.<\/li>\n<li>Disables User Account Control (UAC) &#8211; System-wide as administrator, and on a per-user basis.<\/li>\n<li>Disables Windows Volume Shadow Copy Backup Service (vss) &#8211; System-wide as administrator.<\/li>\n<li>Disables System Restore Service (srservice) &#8211; System-wide as administrator.<\/li>\n<li>Disables System Restore &#8211; System-wide as administrator.<\/li>\n<li>Melts on execution. The original file gets deleted. Should delete the file out of the temporary folder, if used with a binder.<\/li>\n<li>Multi-threaded mass SSH scanner that saves found servers to the bot&#8217;s HDD, base64-encoded, without duplicates or honeypots. Four integrated password lists of increasing difficulty [A,B,C,D], or brute force with min\/max characters (supports numbers, upper\/lowercase letters, symbols). Cracked routers are used for UDP\/TCP\/HTTP\/ICMP flooding. UDP flood requires having the routers download a Python script, and the majority of routers won&#8217;t have Python. Has the ability to be used to take down DDoS-protected servers from scanning with just one bot. The Open Tor Botnet optionally will scan under Tor, multiple ports at once, IP ranges [A\/B\/C] or randomized IPs, optionally block government IPs, and blocks reserved IPv4 addresses aside from the user&#8217;s LAN. BotKiller with file scanning [kills .exe, .bat, .scr, .pif, .dll, .lnk, .com] in AppData, Startup, etc., and has been successful against NanoCore, Andromeda, AGhost Silent Miner, Plasma HTTP\/IRC\/RAT, and almost every HackForums bot. The botkiller utilizes process scanning with file deletion, and registry scanning.<\/li>\n<li>Mutex. 
No duplicate IRC connections.<\/li>\n<li>Amazing error handling, install rate, detection ratio, and persistence.<\/li>\n<li>No .NET Framework or separate Python installation is required on the target; the PyInstaller build bundles the interpreter with the bot.<\/li>\n<li>Installs to the startup folder &amp; AppData with a registry RUN key.<\/li>\n<li>Kills all popular anti-virus and prevents A\/V installation. Will disable antivirus products that protect themselves with rootkit-style drivers by deleting important A\/V DLLs.<\/li>\n<li>BotKiller, scanner, and A\/V killer are optional. You could easily run the Open Tor botnet as a back-up for your bots, or install other software on them as back-up. The network control system is highly scalable. Dual-process and dual-file persistence. Files and processes are re-created nearly instantly after being removed.<\/li>\n<li>Recovers FileZilla logins, which is great for getting SSH and FTP logins.<\/li>\n<li>Automatically removes some ad-ware.<\/li>\n<li>Contains an Omegle spreader which spreads either a link through social engineering tactics, or a Skype account, with every line of text being completely unique in order to avoid detection. Always waits for the Omegle stranger to type a message before responding with a reply. Shows stranger typing, and writes messages human-like. Multi-threaded.<\/li>\n<li>Deletes the Zone.Identifier alternate data stream (the mark-of-the-web) on all bot files, Tor, downloaded &amp; executed files, and update files. This means that you don&#8217;t get the &#8220;Would you like to run this program?&#8221; dialog, and it runs completely hidden.<\/li>\n<li>Detects all Windows operating systems from Windows 95, ME, to 8. Will show Windows 10 as just Windows, or W8. 
Text-To-Speech with speaker detection.<\/li>\n<li>Duplicate nick-name handling, and ping-out handling.<\/li>\n<li>Tor is downloaded directly from the Tor Project &#8211; It only needs to be downloaded once, but still has persistence.<\/li>\n<li>Grabs the bot IP address on startup, has the ability to disable\/enable bot command response, view status of ssh scanner\/omegle spreading\/ddos\/botkiller and start\/stop them.<\/li>\n<li>Functionality to kill the bot instance, uninstall ZIB, grab full OS info, check if a host on a certain port is online\/offline using TCP connect and a full HTTP request whilst checking the reply for server status related information.<\/li>\n<li>Check if a process is running, how many are running, and list directories. Use \\ instead of C:\\, e.g. !dir \\, as some people run their main operating system on non-standard drive letters, especially on servers.<\/li>\n<li>Upload specific files of your choosing that exist on a bot&#8217;s computer to your FTP server. Files that can be uploaded could include BTC wallets.<\/li>\n<li>Read files in plain-text off zombie computers. View the number of scanned SSH servers. Kill processes. The bot will tell you about missing command parameters, if a certain parameter contains the wrong data-type, etc. Errors from executing a command are output to the IRC channel without flooding the chat.<\/li>\n<li>Commands are run multi-threaded and concurrently. This means your bots won&#8217;t freeze up each time you run a command.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<div style=\"text-align: center;\"><b><a href=\"https:\/\/github.com\/whitepacket\/ZIB-Trojan\" target=\"_blank\" rel=\"noopener noreferrer\">Download Zib-Trojan<\/a><\/b><\/div>\n","protected":false},"excerpt":{"rendered":"<p>General information and instructions. The Open Tor Botnet requires the installation and configuration of bitcoind, however I neglect to detail this here out of a lack of time. 
This bot-net is fully undetectable and bypasses all antivirus through running on top of Python27&#8217;s pyinstaller, which is used for many non-Trojan computer programs. The only hypothetical<\/p>\n","protected":false},"author":1,"featured_media":2663,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[570,554,587,491],"tags":[],"class_list":["post-2662","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-botnet","category-malware","category-shell","category-stress-testing"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2662"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/2662\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2662"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2662"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
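A defender-side parser for the IRC nickname format listed under Features (Country[version]windows version|CPU bits|User Privileges|CPU cores|random characters, e.g. US[v2]XP|x32|A|4c|F4L0s4kpN5), added here as an example for triaging IRC server logs; it is not code from the ZIB-Trojan project or from the original post. It assumes the IRC JOIN line shape shown in the comments and runs over a constructed sample log; the OS tokens other than XP, the channel names and the privilege letter U are assumed values, since the page documents only the one example nickname.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Nickname layout stated on the page:
#   Country[version]windows version|CPU bits|User Privileges|CPU cores|random characters
#   e.g. US[v2]XP|x32|A|4c|F4L0s4kpN5
# Only the separators and the "x32"/"x64" and "<n>c" shapes from that example are
# assumed; the OS token alphabet beyond "XP" and the meaning of the privilege
# letter are not documented, so both are kept as raw strings.
ZIB_NICK_RE = re.compile(
    r"^(?P<country>[A-Z]{2})"
    r"\[(?P<version>v\d+)\]"
    r"(?P<os>[^|\[\]]+)"
    r"\|(?P<bits>x(?:32|64))"
    r"\|(?P<priv>[A-Z])"
    r"\|(?P<cores>\d+)c"
    r"\|(?P<rand>[A-Za-z0-9]+)$"
)

# Minimal IRC JOIN line shape: ":nick!user@host JOIN #chan" or "... JOIN :#chan".
IRC_JOIN_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) JOIN :?(?P<chan>\S+)$"
)

# Constructed sample log (not captured traffic). Hosts are 127.0.0.1 because, as the
# page notes, bots arriving over Tor all look like loopback connections to the IRCd.
# The "W7"/"W8" OS tokens, the "U" privilege letter and the channel names are assumed.
SAMPLE_LOG = [
    ":US[v2]XP|x32|A|4c|F4L0s4kpN5!zib@127.0.0.1 JOIN #zib-1",
    ":DE[v2]W7|x64|U|8c|Qz9pLm2xVb!zib@127.0.0.1 JOIN :#zib-1",
    ":alice!alice@example.net JOIN #general",
    ":BR[v2]W8|x32|A|2c|hT3kLp0Wq1!zib@127.0.0.1 PRIVMSG #zib-1 :hi",
    ":Zlo!zlo@127.0.0.1 JOIN #zib-1",
]


@dataclass(frozen=True)
class ZibNick:
    country: str
    version: str
    os: str
    bits: int
    privilege: str
    cores: int
    random_tag: str


def parse_zib_nick(nick: str) -> Optional[ZibNick]:
    """Decode a nick into its fields if it follows the ZIB layout, else return None."""
    m = ZIB_NICK_RE.match(nick)
    if m is None:
        return None
    return ZibNick(
        country=m["country"],
        version=m["version"],
        os=m["os"],
        bits=int(m["bits"][1:]),
        privilege=m["priv"],
        cores=int(m["cores"]),
        random_tag=m["rand"],
    )


def triage_joins(lines: List[str]) -> List[Tuple[str, str, ZibNick]]:
    """Return (channel, host, fields) for every JOIN whose nick decodes as a ZIB bot."""
    hits: List[Tuple[str, str, ZibNick]] = []
    for line in lines:
        m = IRC_JOIN_RE.match(line.rstrip("\r\n"))
        if m is None:
            continue  # not a JOIN, or not in the expected shape
        bot = parse_zib_nick(m["nick"])
        if bot is not None:
            hits.append((m["chan"], m["host"], bot))
    return hits


def summarize(hits: List[Tuple[str, str, ZibNick]]) -> Dict[str, Counter]:
    """Tally bots per channel, OS token, bitness and privilege letter."""
    return {
        "channel": Counter(chan for chan, _, _ in hits),
        "os": Counter(bot.os for _, _, bot in hits),
        "bits": Counter(bot.bits for _, _, bot in hits),
        "privilege": Counter(bot.privilege for _, _, bot in hits),
    }


if __name__ == "__main__":
    found = triage_joins(SAMPLE_LOG)
    for chan, host, bot in found:
        print(f"{chan} {host} {bot}")
    print(summarize(found))
```

Two caveats from the page itself apply when reading the output: 64-bit detection may report x32, so the bitness tally is not a reliable inventory, and every Tor-connected bot shows the same 127.0.0.1 host, so the trailing random characters are the only per-bot distinguisher in the nick; the same random tag reappearing under two different country or OS fields is worth a second look.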