

Tuesday, November 6, 2012

[RELEASE] RDDK x86<->x64 botnet

I know someone who is almost finished coding this, any market for this on Opensc? Discuss!

Rddk is a new innovative bot which is unique in its class.
The bot is written as address independent code (shellcode) in a language with no dependencies and takes full advantage of advanced stealth techniques, injection without the use of NtWriteVirtualMemory and cross bit (x86, x64) injection.

Technical Details
The bot is written in Pascal (Lazarus)
The body is written as address independent code (Shellcode)
The bot consists of only one x86 binary (Contains both x86 and x64 shellcode)
x86 -> x64 injection via selector 33h (Heaven's Gate; More about this later)
No own process (Ultimate stealth, nothing to hide)
Full ring 3 rootkit (File and registry hiding)
File Persistence and Process Persistence
x86 and x64 disassembler engine (for inline function hooking)
Custom crafted PE header with no imports (Except fake one for TLS)
Various anti-RE techniques
Custom API loader (via crc32 hashes)
Multiple encryption layers and native compression
Binary with everything included is ~80 KB (No plugins)
Uses Unicode APIs (For Asian and Arabian PCs)
RDDK uses Thread Local Storage (Make sure your crypter supports TLS)
Does not have dependencies (Only uses system libraries)
Uses pipes for inter-process communication
Can hold up to 4 backup domains

Host Blocking (Block those AV sites or competitor's C&C)
FTP Grabber (No stupid password decrypters, but direct grabbing by hooking Send functions)
Form Grabbing (Support: Chrome x86, Firefox x86 x64, IE x86 x64)
POP3 password grabber (Same as FTP)
Anti Malware (Bot hooks some functions to prevent malware installation)
Update system (Just upload a binary with a higher version number)
Download and Execute
SlowLoris and SlowPost DDOS
Reverse Socks5* (*Beta)
Clientside* Formgrabber Filters (Bots will filter the data they upload, not the server; so we don't have superfluous traffic and don't fill our database with useless crap)
Backup Domains (The bot can hold up to 5 encrypted domain names)

Powerpoint is attached. For those who don't think powerpoint is safe; there is an online version here: PPT RDDK
