The Open Tor Botnet (ZIB); Python-based forever-FUD IRC Trojan

insecuritea/ZIB-Trojan

The Open Tor Botnet (ZIB) Official Release

General information and instructions.

The Open Tor Botnet requires the installation and configuration of bitcoind; however, that setup is not documented here for lack of time.
This bot-net is fully undetectable and bypasses all antivirus because it runs on top of Python 2.7's PyInstaller, which is used for many non-Trojan computer programs. The only hypothetical possibility of detection comes from the script; however, the script contains randomized-looking data produced with a randomized AES key and initialization vector, so this is a non-issue.
ZIB.py is the main project file.
intel.py is the chat bot for handling automatic transactions and client authentication.
compileZIB.py is used by intel.py and is started in the background using chp.exe.
ZIB_imports.txt contains all the Python module imports that ZIB uses. They are appended to the script during compilation.
btcpurchases.txt holds all pending Bitcoin payments. Pending transactions older than 24 hours are deleted.
channels.txt holds all completed BTC payments.
Point your web server at C:\Python27\dist\ to host the bot executables.
chp.exe is required in the local directory.
For the IRC server, run bircd and set up an oper with the username Zlo and password RUSSIA!@#$RUSSIA!@#$RUSSIA!@#$RUSSIA!@#$. Set the max users per IP to 0, because Tor users all connect from 127.0.0.1 and look the same to the IRCd. Keep all scripts in C:\Python27\Scripts.
Put nircmd in the local directory; it is used for editing file dates.

Credits/Attribution

WhitePacket

Legal

The Open Tor Botnet is for legal, research purposes only.
Please don't use this for malicious purposes. This was released out of good will for the benefit of others.

Features

ZIB is an IRC-based, Bitcoin-funded bot network that runs under Tor for anonymity.
ZIB is coded totally from scratch.
ZIB uses the Department of Defense standard for encryption of Top Secret files as one of the methods for generating fully undetectable binaries every time!
ZIB creates a new binary for every client with varying file sizes, creation dates, and rot13->zlib->base64->AES-256(random key+IV) encrypted strings.
ZIB is fully undetectable (FUD) to Anti-Virus.
ZIB has an automated system for handling payments, providing bot-net binaries, and creating bot-net IRC channels.
All bot networks on a ZIB network require a password to join.
ZIB uses passworded user-based authentication, handled through our Zlo intelligence bot, so you don't have to worry about channel password, main password, or bot compromise. Normal users can't create their own channels. All IRC functionalities are handled by the Zlo IRC intelligence bot. You can do authenticated, single bot commands through Zlo, or set up a user session on your bots, which is slightly less secure.
Paid users get unlimited bot space per channel.
Our bot has been tested on and is fully compatible with Windows Server 2008 R2 32-bit, Windows XP SP1 & SP3 32-bit, Windows 7, and Windows 8 64-bit.

Features

Multi-threaded HTTP/s (layer7 [Methods: TorsHammer, PostIt, Hulk, ApacheKiller, Slowloris, GoldenEye]), TCP/SSL, and fine-tuned UDP flooding. Ability to flood hidden services, or attack via the clearnet. 66 randomized DDoS user-agents and referers. All methods send randomized data, bypass firewalls, filtering, and caching. ZIB also comes with FTP flood, and TeamSpeak flood.
Undetectable ad-fraud smart viewer that's fully compatible with Firefox, Tor Browser Bundle, Portable Firefox, Internet Explorer, Google Chrome, Opera, Yandex, Torch, FlashPeak SlimBrowser, Epic Privacy Browser, Baidu, Maxthon, Comodo IceDragon, and QupZilla.
Download & Execute w/ optional SHA256 verification.
Update w/ optional SHA256 verification.
Chrome password recovery.
Each bot can act as a shell booter and utilize external php shells for attacks.
Replace Bitcoin addresses in clipboard with yours.
FileZilla password recovery.
Fully routed through Tor.
File, registry, startup folder, and main/daemon/tor process persistence.
Installation and use is completely hidden from bots.
0/60 Fully undetectable to Antivirus.
File download/upload.
Process status, creator, and killer.
Undetectable, instant obfuscation when generating new binaries.
Self spreading.
All bot files are SHA256 hash verified. Broken/corrupted files get replaced.
Bypasses AntiVirus Deep-Scan.
Bot location varies, depending on administrative access.
IRC nickname format: Country[version]Windows version|CPU bits|User privileges|CPU cores|random characters. Example: US[v2]XP|x32|A|4c|F4L0s4kpN5. 64-bit detection may have issues (64-bit hosts show up as 32-bit).
Disables various windows functions WITHOUT giving the user warnings!
Disables Microsoft Windows error reporting, sending additional data, and error logging - System-wide as administrator, and on a per-user basis.
Disables User Access Control (UAC) - System-wide as administrator, and on a per-user basis.
Disables Windows Volume Shadow Copy Backup Service (vss) - System-wide as administrator.
Disables System Restore Service (srservice) - System-Wide as administrator.
Disables System Restore - System-Wide as administrator.
Melts on execution: the original file gets deleted. When used with a binder, it should also delete the file from the temporary folder.
Multi-threaded mass SSH scanner that saves found servers on the bot's HDD, base64-encoded, without duplicates or honeypots. Four integrated password lists of increasing difficulty [A, B, C, D], or brute force with min/max characters (supports numbers, upper/lowercase letters, and symbols). Cracked routers are used for UDP/TCP/HTTP/ICMP flooding. The UDP flood requires the routers to download a Python script, and the majority of routers won't have Python. Can be used to take down DDoS-protected servers from scanning with just one bot. The Open Tor Botnet can optionally scan under Tor, scan multiple ports at once, scan IP ranges [A/B/C] or randomized IPs, optionally block government IPs, and block reserved IPv4 addresses aside from the user's LAN. BotKiller with file scanning [kills .exe, .bat, .scr, .pif, .dll, .lnk, .com] in AppData, Startup, etc.; it has been successful against NanoCore, Andromeda, AGhost Silent Miner, Plasma HTTP/IRC/RAT, and almost every HackForums bot. The botkiller uses process scanning with file deletion, and registry scanning.
Mutex. No duplicate IRC connections.
Amazing error handling, install rate, detection ratio, and persistence.
Completely native malware. No .NET framework, or Python installation required!
Installs to the startup folder & AppData with a registry RUN key.
Kills all popular anti-virus products and prevents A/V installation. Disables anti-virus products that have rootkits by deleting important A/V DLLs.
BotKiller, scanner, and A/V killer are optional. You could easily run the Open Tor Botnet as a back-up for your bots, or install other software on them as a back-up. The network control system is highly scalable. Dual-process and dual-file persistence: files and processes are re-created nearly instantly after being removed.
Recovers FileZilla logins, which is useful for obtaining SSH and FTP logins.
Automatically removes some ad-ware.
Contains an Omegle spreader which spreads either a link through social engineering tactics, or a Skype account with every line of text being completely unique in order to avoid detection. Always waits for the Omegle stranger to type a message before responding with a reply. Shows stranger typing, and writes messages human-like. Multi-threaded.
Deletes zone identifier on all bot files, Tor, download & executed files, and update files. This means that you don't get the "Would you like to run this program?" dialog, and it runs completely hidden.
Detects all Windows operating systems from Windows 95 and ME up to 8. Windows 10 shows as just Windows, or as W8. Text-to-speech with speaker detection.
Duplicate nick-name handling, and ping-out handling.
Tor is downloaded directly from the Tor Project - It only needs to be downloaded once, but still has persistence.
Grabs the bot's IP address on startup; can disable/enable bot command responses, view the status of the SSH scanner, Omegle spreading, DDoS, and botkiller, and start/stop them.
Functionality to kill the bot instance, uninstall ZIB, grab full OS info, and check whether a host on a given port is online/offline using a TCP connect and a full HTTP request while checking the reply for server-status information.
Check whether a process is running and how many instances are running, and list directories. Use \ instead of C:\ (e.g. !dir \), as some people run their main operating system on non-standard drive letters, especially on servers.
Upload specific files of your choosing that exist on a bot's computer to your FTP server. Files that can be uploaded could include BTC wallets.
Read files in plain text off zombie computers. View the number of scanned SSH servers. Kill processes. The bot will tell you about missing command parameters, whether a parameter contains the wrong data type, etc. Errors from executing a command are output to the IRC channel without flooding the chat.
Commands are run multi-threaded and concurrently, so your bots won't freeze up each time you run a command.
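The nickname layout documented in the Features list above (Country[version]Windows version|CPU bits|User privileges|CPU cores|random characters, e.g. US[v2]XP|x32|A|4c|F4L0s4kpN5) is a fixed, parseable pattern, which makes it a usable detection signature on an IRC server or in captured IRC traffic. The following is an added example of such a detector; it is not code from the ZIB project. The field widths and character classes in the regex, the IRC log lines, and the function names are my own assumptions and constructions, since the README only shows a single sample nick.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Nick layout quoted from the README:
#   Country[version]Windows version|CPU bits|User privileges|CPU cores|random characters
# README example: US[v2]XP|x32|A|4c|F4L0s4kpN5
# Field widths below are assumptions: the README shows only one sample.
ZIB_NICK_RE = re.compile(
    r"^(?P<country>[A-Z]{2})"          # two-letter country code
    r"\[(?P<version>v\d+)\]"           # bot version in square brackets
    r"(?P<os>[A-Za-z0-9.]+)"           # e.g. XP, W7, W8, Windows
    r"\|(?P<bits>x(?:32|64))"          # CPU bits
    r"\|(?P<priv>[A-Za-z])"            # privilege flag (sample shows 'A')
    r"\|(?P<cores>\d+)c"               # core count with trailing 'c'
    r"\|(?P<rand>[A-Za-z0-9]{6,16})$"  # random tail; sample is 10 chars
)

# A nick appears either in a NICK command (optionally server-prefixed) or in
# the ":nick!user@host" prefix of any message the server relays.
IRC_NICK_CMD_RE = re.compile(r"^(?::\S+\s+)?NICK\s+:?(?P<nick>\S+)")
IRC_PREFIX_RE = re.compile(r"^:(?P<nick>[^!\s]+)!")


@dataclass
class ZibNick:
    country: str
    version: str
    os_name: str
    bits: str
    priv: str
    cores: int
    rand: str


def parse_zib_nick(nick: str) -> Optional[ZibNick]:
    """Return the decoded fields if `nick` matches the ZIB layout, else None."""
    m = ZIB_NICK_RE.match(nick)
    if m is None:
        return None
    return ZibNick(
        country=m.group("country"),
        version=m.group("version"),
        os_name=m.group("os"),
        bits=m.group("bits"),
        priv=m.group("priv"),
        cores=int(m.group("cores")),
        rand=m.group("rand"),
    )


def nick_from_irc_line(line: str) -> Optional[str]:
    """Extract the nick an IRC line is about, or None if the line carries none."""
    for rx in (IRC_NICK_CMD_RE, IRC_PREFIX_RE):
        m = rx.match(line)
        if m:
            return m.group("nick")
    return None


def scan_irc_lines(lines: Iterable[str]) -> List[Tuple[int, ZibNick]]:
    """Return (line number, decoded nick) for every line whose nick fits the ZIB layout."""
    hits: List[Tuple[int, ZibNick]] = []
    for lineno, line in enumerate(lines, start=1):
        nick = nick_from_irc_line(line.rstrip("\r\n"))
        if nick is None:
            continue
        parsed = parse_zib_nick(nick)
        if parsed is not None:
            hits.append((lineno, parsed))
    return hits


# Constructed sample traffic (not real captures): two ZIB-style nicks, two
# ordinary users, and one malformed nick with a missing field.
SAMPLE_IRC_LOG = [
    "NICK US[v2]XP|x32|A|4c|F4L0s4kpN5",
    ":DE[v2]W7|x64|A|8c|Qz9vK2mXp1!zib@127.0.0.1 JOIN #zombies",
    "NICK alice",
    ":bob!bob@example.org PRIVMSG #chan :hello",
    "NICK US[v2]XP|x32|A|4c",
]

if __name__ == "__main__":
    for lineno, z in scan_irc_lines(SAMPLE_IRC_LOG):
        print(f"line {lineno}: ZIB-style nick from {z.country}, "
              f"{z.os_name} {z.bits}, {z.cores} cores, priv={z.priv}")
```

Because the README notes that all Tor-routed clients reach the IRCd from 127.0.0.1, the nick pattern is a more useful pivot than the source address; on a real server the same regex can be applied to the IRCd's connection log or to the output of a WHO query.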
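The Features list above says the bot disables UAC, Windows Error Reporting (including additional data and logging), the Volume Shadow Copy service, the System Restore service and System Restore itself. Each of those is a registry state that a defender can audit. The following added example (not ZIB project code) parses the text produced by `reg export` and flags the values that match those settings. The registry paths and value names are standard Windows locations supplied from my own knowledge, not taken from the README, and the export text is a constructed sample.

```python
import re
from typing import Dict, List, Tuple

# (registry key, value name) -> (value that indicates the protection is off, description)
# These are standard Windows locations (my knowledge, not from the README).
INDICATORS: Dict[Tuple[str, str], Tuple[int, str]] = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"):
        (0, "UAC disabled (EnableLUA=0)"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting", "Disabled"):
        (1, "Windows Error Reporting disabled system-wide"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting", "DontSendAdditionalData"):
        (1, "WER additional data reporting disabled system-wide"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting", "LoggingDisabled"):
        (1, "WER event logging disabled system-wide"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting", "Disabled"):
        (1, "Windows Error Reporting disabled for the current user"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting", "DontSendAdditionalData"):
        (1, "WER additional data reporting disabled for the current user"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR"):
        (1, "System Restore disabled by policy"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS", "Start"):
        (4, "Volume Shadow Copy service set to Disabled (Start=4)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice", "Start"):
        (4, "System Restore service set to Disabled (Start=4)"),
}

Finding = Tuple[str, str, int, str]  # (key, value name, observed value, description)

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_LINE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{1,8})\s*$')


def parse_reg_export(text: str) -> Dict[Tuple[str, str], int]:
    """Map (key, value name), both lower-cased, to the integer value of every DWORD in a .reg export."""
    values: Dict[Tuple[str, str], int] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = DWORD_LINE.match(line)
        if m and current_key is not None:
            values[(current_key, m.group("name").lower())] = int(m.group("hex"), 16)
    return values


def audit_reg_export(text: str) -> List[Finding]:
    """Return every indicator whose observed DWORD equals the 'protection off' value."""
    values = parse_reg_export(text)
    findings: List[Finding] = []
    for (key, name), (bad_value, description) in INDICATORS.items():
        observed = values.get((key.lower(), name.lower()))
        if observed == bad_value:
            findings.append((key, name, observed, description))
    return findings


# Constructed sample export (not from a real host): UAC off, WER off, VSS
# disabled, System Restore policy present but not disabling anything.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting]
"Disabled"=dword:00000001
"DontSendAdditionalData"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS]
"Start"=dword:00000004
"Type"=dword:00000010

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, observed, description in audit_reg_export(SAMPLE_REG_EXPORT):
        print(f"{description}: {key}\\{name} = {observed}")
```

On a live host the input comes from `reg export HKLM hklm.reg` (and `reg export HKCU hkcu.reg` for the per-user WER values); `reg export` writes UTF-16 with a byte-order mark by default, so open the file with `encoding="utf-16"` before passing its contents to `audit_reg_export`. Only DWORD values are parsed because every indicator above is a DWORD; string and binary values are skipped.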

Notes

The default server won't accept new channels unless the client purchases one.
This is filled with *some* wrong information, non-commented code, etc. This is because I originally wrote it for myself, and decided to release it for other legal and ethical security researchers to learn from.

Contact

Email: chris@whitepacket.com
Jabber: whitepacket@xmpp.is
Twitter: @WhitePacket
BTC address: 1QASXpprwocj7Y65DghSjjgTXxrUHe6XEN
PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
-----END PGP PUBLIC KEY BLOCK-----
