Sunday, August 29, 2010

Build your own botnet with open source software

Traditionally, botnets have wreaked more havoc than good. By effectively controlling millions of unsuspecting users' PCs, modern botnets have demonstrated the ability to manage a global infrastructure on an unimaginable scale. By applying the same techniques and approaches used in botnets within your own computing environment, you'll be capable of handling any demands placed on you or your infrastructure.

This how-to article will take a closer look at using common open source components to create your very own botnet for the purposes of securing, protecting, load testing and managing your global internet infrastructure.

Introduction to Botnets

Good vs. Evil

As with any internet technology, it can be used for good or for evil. The purpose of this article is to examine some of the positive uses of botnet technology in business applications.

Darknet vs. Botnet

A darknet is a private virtual network where users connect only to people they trust.

Botnet is a term for a collection of software robots, or bots, which run autonomously and automatically on groups of computers that are controlled remotely.

Business Usages

Moore's Law describes an important trend: the number of transistors that can be inexpensively placed on an integrated circuit is increasing exponentially, doubling approximately every two years. Almost every measure of the capabilities of digital electronic devices is linked to Moore's Law: processing speed, memory capacity, etc. All of these are improving at (roughly) exponential rates as well.

As businesses become more and more compute-centric, the need for additional sources of compute capacity has become a critical competitive aspect in many IT-focused businesses.

By applying some of the key approaches found in today's modern botnet armies, companies can build more powerful, self-healing and adaptive computing environments. Some of these applications include (but are not limited to) the following:

Cloud Computing

Cloud computing is a new (circa late 2007) label for the subset of grid computing that includes utility computing and other approaches to the use of shared computing resources. Cloud computing is an alternative to having local servers or personal devices handle users' applications.

Grid Computing / Computational

The creation of a "virtual supercomputer" by using spare computing resources within an organization.

Application / Website Scaling

Application load balancing is a technique to spread work between two or more computers, network links, CPUs, hard drives, or other resources, in order to get optimal resource utilization, throughput, or response time.

Load Testing

Load testing is the process of creating demand on a system or device and measuring its response.

Fault Tolerance

Fault tolerance or graceful degradation is the property that enables a system to continue operating properly in the event of the failure of (or one or more faults within) some of its components.

Feel free to add your own use case.

How To Build a Botnet

Difficulty Level (Medium to Hard)

Tricky, but not impossible. If you're a decent computer geek you'll have no trouble.

What You'll Need
  • Access to several computers or an on-demand compute utility such as Amazon EC2
  • High Speed Internet access
  • Experience configuring Linux or Windows Networking
  • Experience with server Virtualization

1. Allocate Computers / Servers

At the heart of any botnet are the physical machines that execute the various processes. RAM, storage and system/network I/O will be your main limitations. A cluster of Mac Minis will work just fine, although a cluster of Intel quad-core servers will perform significantly better.

You also have the option to use pay-per-use compute utilities such as Amazon EC2, or even a VPS or dedicated web hosting environment. For the purposes of this how-to we will assume you have local hardware at your disposal; we're using several Mac Minis with 2GB of RAM and 2GHz dual-core processors.

2. Choose Operating Environment (Server Virtualization)

When looking at your various options it is good to stick with the operating system you're most familiar with. Our preference is Linux, but Windows, OS X or BSD could also work just fine.

Just Enough Operating System (JEOS)

When managing large numbers of slave machines, the OS size will become an important aspect to keep in mind. Operating systems with graphical desktops tend to be a lot larger, so for that reason we recommend the use of small virtual machines, also known as Just Enough Operating System (JEOS). A popular option is the JEOS system provided by Ubuntu.

Server Virtualization

There are a number of different approaches that can be taken when deploying a botnet. The most typical is malware that sits on a user's desktop PC and is propagated via email or other subversive means.

Our preferred method involves the use of server virtualization. Server virtualization allows many operating systems to run in parallel on a single computer or server.

What is Virtualization?

Wikipedia defines virtualization as "a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, or end users interact with those resources. This includes making a single physical resource (such as a server, an operating system, an application, or storage device) appear to function as multiple logical resources; or it can include making multiple physical resources (such as storage devices or servers) appear as a single logical resource."

So why do you need virtualization? Basically, virtualization provides a more portable and easily adapted infrastructure, capable of instantly changing to meet the demands placed on it.

Blue Pill Server Virtualization

According to Joanna Rutkowska, the author of the original Blue Pill, by using hardware-accelerated virtualization to enable a virtual machine to run in parallel to the host operating system, malicious code could effectively trap a running instance of the operating system in an undetectable virtual machine, and would then act as a hypervisor with complete control of the host computer. Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system would be "100% undetectable".

Since our botnet is meant for more positive purposes, we recommend a more adaptive approach using server virtualization.

Enomalism Elastic Computing Platform

In our example we're using an open source virtualization management platform called the Enomalism Elastic Computing Platform, which is geared to the easy management of several types of virtual environments including Xen, KVM, OpenVZ, and VMware. Enomalism makes the setup of a distributed, multi-server and geographically dispersed virtualized environment significantly easier through an easy-to-use web-based dashboard. Enomalism isn't limited to one data center and can be set up to run across the globe.

3. Configure Networking

When configuring your botnet, one of the most important aspects will be the networking, and dealing with securing remote and possibly untrusted network environments.

The best and easiest way to deal with secure networking within a globally diverse computing environment is to use a Virtual Private Network (VPN). We recommend using OpenVPN, a free and open source VPN program for creating point-to-point encrypted tunnels between host computers.

OpenVPN Technical Overview

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username/password. It is available on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, and Windows 2000/XP.

4. Configure Command & Control

A fundamental aspect of setting up a botnet is the "master" (Command & Control, C&C) and the zombie machine (slave). The slave is where the work gets done. In the early days, botnet C&C was typically deployed via IRC; lately, though, most IRC networks are taking measures to block access to botnets, so controllers must now find their own servers, such as exploited PCs.

eXtensible Messaging and Presence Protocol

There has also been a shift in C&C from IRC-based communications to the eXtensible Messaging and Presence Protocol (XMPP), which requires no open ports, is encrypted and is extremely difficult to distinguish from regular IM traffic. XMPP also works behind firewalls by using HTTP or HTTPS binding.

The decentralized architecture of the XMPP network is similar to email: anyone can run their own XMPP server and there is no central master server. 99% of the botnet can go offline without actually bringing down the overall botnet.

If configured correctly, it is almost impossible to take an XMPP-based Command & Control system down. SO BE CAREFUL!
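As an added example (not code from the original post, nor from Enomalism or any XMPP library), here is how a worker node could validate orders arriving over the XMPP management channel described in steps 3 and 4: the sender's bare JID is checked against an allowlist, the body carries an HMAC-SHA256 signature under a key shared with the controller so the relaying XMPP server cannot forge orders, nonces block replays, and only a fixed set of commands is accepted. The JIDs, the shared key, the command names and the signing scheme are this example's own assumptions; a real worker would receive the stanza from an XMPP client library rather than building it locally.

```python
"""Worker-side validation of command stanzas on an XMPP management channel."""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

NS = "{jabber:client}"
SHARED_KEY = b"constructed-demo-key-rotate-me"   # constructed sample key
CONTROLLER_JIDS = {"master@example.org"}        # constructed allowlist of bare JIDs
ALLOWED_COMMANDS = {"start-vm", "stop-vm", "report-load"}


def sign(command, nonce, key=SHARED_KEY):
    """HMAC over nonce and command: the XMPP server relays stanzas but cannot forge them."""
    return hmac.new(key, f"{nonce}|{command}".encode(), hashlib.sha256).hexdigest()


def make_stanza(sender, recipient, command, nonce, key=SHARED_KEY):
    """Controller side: build a signed <message> stanza (constructed sample, not sent)."""
    body = json.dumps({"cmd": command, "nonce": nonce, "mac": sign(command, nonce, key)})
    return (f'<message xmlns="jabber:client" from="{sender}" to="{recipient}" type="chat">'
            f'<body>{body}</body></message>')


class Worker:
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen_nonces = set()   # replay protection for this process lifetime

    def handle(self, stanza):
        """Return ('ok', command) for a valid order, else ('rejected', reason)."""
        msg = ET.fromstring(stanza)
        bare_jid = msg.get("from", "").split("/", 1)[0]   # drop the resource part
        if bare_jid not in CONTROLLER_JIDS:
            return "rejected", "unknown sender"
        body = msg.find(NS + "body")
        if body is None or not body.text:
            return "rejected", "empty body"
        try:
            order = json.loads(body.text)
            command, nonce, mac = order["cmd"], order["nonce"], order["mac"]
            if not all(isinstance(v, str) for v in (command, nonce, mac)):
                raise TypeError("fields must be strings")
        except (ValueError, KeyError, TypeError):
            return "rejected", "malformed body"
        if not hmac.compare_digest(mac, sign(command, nonce, self.key)):
            return "rejected", "bad signature"
        if nonce in self.seen_nonces:
            return "rejected", "replayed nonce"
        if command not in ALLOWED_COMMANDS:
            return "rejected", "command not permitted"
        self.seen_nonces.add(nonce)
        return "ok", command
```

The checks are ordered so that the cheapest rejection (unknown sender) happens before any MAC computation, and a nonce is only recorded once the order has passed every other check.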

5. Define User Access

6. Applications & Monitoring

7. Auto Discovery


  1. love your blog!!

  2. I like your stuff. Check mine out sometime.

  3. fawlaaaaaaaaaaaah!!:D

  4. Gotta read this again. Lots of info, and maybe over my head!

  5. hi bro, nice post today..
    i'll sure keep coming to check the news
    so bring that shit up!
    also, i might post about that thing i told you tomorrow
    be sure to check it out
    take care :)