xxx  GT-BOTS xxx              

                   ____________________

1. introduction

2. infection methods

3. bot attacks

4. botting vs. hacking

5. securing bots

6. login ideas

7. protecting yourself from GT-Bots

8. reporting a botnet

9. references

10. Editorial

                    __________________

1. introduction

 GT-Bots are mIRC-based trojans that can be run hidden on computers running the Windows operating system, using a program called hidewndw. GT-Bots also have the ability to spread themselves in many ways; I will cover NetBIOS and IIS in this tutorial.

 

2. infection methods

2.1. NetBIOS (Network Basic Input Output System)

 NetBIOS is used to identify remote computers, execute commands and print remotely. Some time ago 'someone' thought he could exploit that by cracking its password, and he succeeded. Most people have limited knowledge of computers, so they won't bother changing the default password and username, which leaves them vulnerable to hackers, trojans, viruses and worms. The mIRC script that I saw for a NetBIOS infector (from GTsev2) runs a timer that opens the scan sockets; when a socket opens without any errors, the script runs a batch file (.bat) that tries to crack the password and username using some default passwords such as administrator, User, root, etc. After the password and username are cracked, the batch file executes a program called PSEXEC, which tries to send the predetermined spread file.
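 From the defender's side, the spreader described above leaves a very recognizable trace: a burst of failed logons from one source host, cycling through the default account names, and sometimes followed by a success. The script below is an added example (not part of the original tutorial or any GT-Bot code) that runs a sliding-window failed-logon detector over constructed logon records; the record layout (timestamp, source host, account, outcome), the 60-second window, the threshold of 4 and the list of "default" accounts are all assumptions for the example.

```python
"""Spotting NetBIOS/SMB default-password guessing from failed-logon records.

Added example, not code from the original tutorial. Every record below is
CONSTRUCTED and the (timestamp, source, account, outcome) layout is an
assumption, not a real Windows log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one host hammering default accounts, one user who mistyped once.
SAMPLE_EVENTS = [
    ("2002-03-01 02:14:01", "10.0.0.77", "administrator", "FAILURE"),
    ("2002-03-01 02:14:02", "10.0.0.77", "administrator", "FAILURE"),
    ("2002-03-01 02:14:02", "10.0.0.77", "administrator", "FAILURE"),
    ("2002-03-01 02:14:03", "10.0.0.77", "user", "FAILURE"),
    ("2002-03-01 02:14:04", "10.0.0.77", "root", "FAILURE"),
    ("2002-03-01 02:14:05", "10.0.0.77", "administrator", "SUCCESS"),
    ("2002-03-01 02:30:00", "10.0.0.12", "alice", "FAILURE"),
    ("2002-03-01 02:30:40", "10.0.0.12", "alice", "SUCCESS"),
]

# Account names the text says the spreader tries (assumed list for the example).
DEFAULT_ACCOUNTS = {"administrator", "user", "root", "guest"}


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_guessing_sources(events, window=timedelta(seconds=60), threshold=4):
    """Return {source_host: finding} for every source that produced at least
    `threshold` failed logons inside any `window`-long span. The finding records
    how many accounts were cycled, which of them are defaults, and whether a
    successful logon followed the burst (the spread very likely worked)."""
    by_source = defaultdict(list)
    for ts, src, account, outcome in events:
        by_source[src].append((parse_ts(ts), account.lower(), outcome))

    findings = {}
    for src, recs in by_source.items():
        recs.sort()
        failures = [(t, acct) for t, acct, outcome in recs if outcome == "FAILURE"]

        # Sliding window: largest number of failures that fit inside `window`.
        max_in_window, start = 0, 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            max_in_window = max(max_in_window, end - start + 1)
        if max_in_window < threshold:
            continue

        last_failure = failures[-1][0]
        accounts = {acct for _, acct in failures}
        findings[src] = {
            "failures": len(failures),
            "failures_in_window": max_in_window,
            "accounts": sorted(accounts),
            "default_accounts": sorted(accounts & DEFAULT_ACCOUNTS),
            "success_after_burst": any(
                outcome == "SUCCESS" and t >= last_failure for t, _, outcome in recs
            ),
        }
    return findings


if __name__ == "__main__":
    for src, finding in find_guessing_sources(SAMPLE_EVENTS).items():
        print(src, finding)
```

 A single alert per source is enough here; in practice the "success_after_burst" flag is the one that should page someone, because it means the default credentials worked and the spread file is probably already on the box.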

2.2. IIS UNICODE (Microsoft's Internet Information Server)

  Microsoft Internet Information Server (IIS) versions 4.0 and 5.0, which usually run on Windows NT4 and Windows 2000, have the Unicode extensions installed by default. Unicode allows characters that are not used in the English language to be recognized by web servers. The IIS Unicode exploit allows users to run arbitrary commands on the target web servers. The Unicode extensions loaded on IIS servers are known to be vulnerable unless the server is running the current patches. The Unicode exploit is mostly found with Microsoft's IIS, but it doesn't really matter what operating system you are using on the machine, because the Unicode exploit is a web-server-specific hole. As long as you're running the Microsoft IIS 4.0 or 5.0 web server, the hole will be exploitable.
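 The reason the Unicode hole existed is an ordering mistake that is worth seeing in code: IIS checked the request path for ".." traversal before it decoded overlong UTF-8 sequences such as %c0%af (an illegal two-byte encoding of "/"), so the check passed and the decoded path walked out of the web root. The script below is an added example (not IIS code and not from the original tutorial) that shows the flawed "check the raw path" test beside the correct "canonicalize first, then check" test, and runs the latter over constructed request lines; the "METHOD PATH STATUS" line layout is an assumption for the example.

```python
"""Canonicalize-then-check for overlong-UTF-8 ("Unicode") path traversal.

Added example, not code from the original tutorial. The request lines are
CONSTRUCTED; the "METHOD PATH STATUS" layout is an assumption, not a real
IIS log format.
"""
from urllib.parse import unquote_to_bytes

# Constructed requests: a normal one, an overlong-encoded traversal that leaves
# the web root, and a plain '..' that stays inside it.
SAMPLE_REQUESTS = [
    "GET /default.asp 200",
    "GET /scripts/..%c0%af..%c0%afwinnt/win.ini 200",
    "GET /scripts/../default.asp 200",
]


def lenient_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 the way a permissive decoder does: ASCII passes through and
    two-byte sequences are accepted even when overlong (lead byte 0xC0/0xC1),
    which is exactly what lets %c0%af turn into '/'. Python's strict decoder
    rejects overlong forms, so this is hand-rolled. Anything else becomes U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def naive_traversal_check(raw_path: str) -> bool:
    """The flawed order: inspect the raw, still-encoded path. Misses %c0%af."""
    return "../" in raw_path or "..\\" in raw_path


def canonicalize(raw_path: str) -> tuple:
    """Percent-decode, decode (overlong-tolerant) UTF-8, unify separators and
    resolve '.' / '..' segments. Returns (resolved_path, escaped_root)."""
    text = lenient_utf8_decode(unquote_to_bytes(raw_path)).replace("\\", "/")
    resolved, escaped_root = [], False
    for seg in text.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            else:
                escaped_root = True   # tried to climb above the web root
        else:
            resolved.append(seg)
    return "/" + "/".join(resolved), escaped_root


def safe_traversal_check(raw_path: str) -> bool:
    """The correct order: fully decode and resolve first, then decide."""
    return canonicalize(raw_path)[1]


def scan_requests(lines):
    """Return the raw request paths that escape the web root once decoded."""
    flagged = []
    for line in lines:
        _method, path, _status = line.split()
        path = path.split("?", 1)[0]          # ignore any query string
        if safe_traversal_check(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in scan_requests(SAMPLE_REQUESTS):
        print("traversal:", path, "->", canonicalize(path)[0])
```

 The same decode-then-check order is the general rule for any filter that looks at a path, a URL or a filename: the check must run on the same bytes the file system or the application will eventually see, never on an earlier, still-encoded form.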

 

3. Bot Attacks

3.1. TCP port flood (Transmission Control Protocol)

 The TCP attack relies on half-open connections. When a system receives a SYN packet on a specified port, it responds with a SYN+ACK packet and then keeps track of the fact that it is waiting for the final ACK for this connection. TCP flooding works by flooding the target with lots of SYN packets. This causes the target's buffer of half-open connections to fill until a timeout is reached. However, the bot can continue to send SYN packets faster than the buffer timeouts occur, leaving the target unable to open connections.
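 The race described above (SYNs arriving faster than half-open entries time out) comes down to one inequality: the table saturates when SYN rate times timeout reaches the backlog size, so the defender's two knobs are a bigger backlog and a shorter half-open timeout. The script below is an added example (not from the original tutorial) that states that inequality and checks it against a one-second-step simulation of the half-open table; the backlog size, timeout and SYN rate are constructed numbers, not values from any real operating system.

```python
"""Half-open (SYN) table model: why a SYN flood wins and what the defender can tune.

Added example, not code from the original tutorial. All parameters are
CONSTRUCTED for illustration.
"""
from collections import deque


def steady_state_half_open(syn_rate: float, timeout: float) -> float:
    """Expected half-open entries once a flood has run longer than one timeout:
    arrivals per second multiplied by the seconds each entry lingers."""
    return syn_rate * timeout


def will_saturate(syn_rate: float, timeout: float, backlog: int) -> bool:
    """A flood whose handshakes never complete fills the table exactly when the
    steady-state occupancy reaches the backlog size."""
    return steady_state_half_open(syn_rate, timeout) >= backlog


def simulate_half_open_table(syn_rate: int, timeout: int, backlog: int, duration: int):
    """Step the half-open table one second at a time under a flood of SYNs that
    are never completed. Returns (peak_occupancy, dropped_syns); a dropped SYN
    arrived when every slot was taken, which a legitimate client sees as
    'connection refused / timed out'."""
    table = deque()            # expiry time of each half-open entry, oldest first
    peak = dropped = 0
    for now in range(duration):
        while table and table[0] <= now:   # retire entries whose timeout expired
            table.popleft()
        for _ in range(syn_rate):          # this second's burst of SYNs
            if len(table) >= backlog:
                dropped += 1
            else:
                table.append(now + timeout)
        peak = max(peak, len(table))
    return peak, dropped


if __name__ == "__main__":
    # Same modest SYN rate, same backlog; only the half-open timeout changes.
    for timeout in (75, 3):
        peak, dropped = simulate_half_open_table(syn_rate=10, timeout=timeout,
                                                 backlog=128, duration=120)
        print(f"timeout={timeout:>2}s  steady-state={steady_state_half_open(10, timeout):>4.0f}"
              f"  peak={peak:>3}  saturated={will_saturate(10, timeout, 128)}  dropped={dropped}")
```

 With the constructed numbers, a 75-second timeout lets ten SYNs per second pin the whole 128-entry table and drop everything after it, while a 3-second timeout holds the table at about thirty entries and drops nothing; this is the reasoning behind shortening the half-open timeout, enlarging the backlog, or replacing the table altogether with SYN cookies.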

3.2. UDP port flood (User Datagram Protocol)

 This type of attack is basically port-flooding a UDP address with miscellaneous traffic; it is mostly used against ICMP-protected routers and other "MACHINES".

3.3. ICMP (Internet Control Message Protocol)

 ICMP is designed to help hosts control where they should be sending network traffic and how to respond to various error conditions. This makes sending unexpected ICMP packets a powerful method of confusing systems.

3.4. IGMP (Internet Group Management Protocol)

 When a computer running Windows 95/98 receives a fragmented IGMP packet, the computer's performance may degrade, or the computer may stop responding (hang) and require a reboot to restore functionality, although other system components may prevent any performance degradation. The cause is that a fragmented IGMP packet may make the TCP/IP stack improperly gain access to invalid segments of the computer's memory.

 

4. botting vs. hacking

 Botting is in a way related to hacking: when a bot wants to spread through NetBIOS it has to try to crack the password and username, and when it wants to spread through IIS it has to exploit the Unicode bug. This may be called "Auto-Hacking" or "Mass-Hacking". Botnets are mostly used by "WANNA-BE Hackers" and "Newbies" to be a l33t h4x0r. Most of these "WANNA-BE hackers" get their public bots from bots.bl.am or bots.tux.nu and other bot sources. I'm not saying that all botnet owners are wanna-be hackers, but there is a difference between 10 bots and 10.000 bots.

 

5. securing bots

 Securing a bot means that you protect it from botnappers; doing that doesn't require coding or programming skills, you only have to delete the IPC shares.

6. login ideas

6.1. IRCop login

 This type of login requires you to be an IRC operator on the bot's server. Some servers don't allow the creation of new channels while the server is split; you can use that.

6.2. encrypted login

 You can use blowfish.dll or mIRC's $decode/$encode to encrypt your logins against botnappers.

6.3. login by notify

 This login was first used by Q8Hackers on their GTbot. When the key nickname is online, the bots add the "host" to the user list; the key nickname is often randomly picked so people won't know it.

 

7. protecting yourself from GT-Bots

7.1. install anti-virus software

7.2. avoid using WinXP/2000/NT

7.3. do not visit spam websites

 

8. reporting a botnet

 You can report botnets to https://tips.fbi.gov

 

9. references

9.1. http://www.undiscovered.us/ 

9.2. http://lockdowncorp.com/ 

9.3. http://bots.bl.am/ 

9.4. http://bots.tux.nu/ 

 

10. Editorial

 This tutorial was written for the channel #e.l.i.t.e on the DALnet IRC network. Please stop asking for help on botnets and search the web for help.

This tutorial was written by some famous lamer, guess who?

----------------------------------------------------------------

i r nawt responsible fo eny damage taht miyt cum by reed|ng this shyt.

 

to Protector^ and HaMaNeY