The SOL Botnet(s)

Over the last week or two, we've seen a couple of Botnets running infection files we haven't come across before. With a little further research, we discovered the tool used to create these Botnets, and were able to learn a little bit more about these new nets.

The SOL Botnet system allows you to control up to 100 drones at a time, and (as you'll see) uses UDP to perform DDoS attacks against a target of your choosing. In addition, there are paid-for versions (so far, unreleased) that supposedly allow control of up to 200 drones at a time, Windows XP product key theft, "huge bandwidth attacks" through image spamming and "lifetime support".

Nice.

Shall we take a look at the SOL Botnet creation tool? Let's start by grabbing a snapshot of what our budding Botnet builder will see on their desktop:

solbtnt1.jpg

I guess they're supposed to be circuit boards or something - almost reminds me of Tron. As with most hacking related creation tools these days, the emphasis is on being idiot proof and easy to use. Owning a Botnet has never been simpler - just fire up the Builder, and...

solbtnt2.jpg

Easy as pie. Enter the IP address you want your rogue executable to connect to (usually, this would be your own IP address via a service like no-ip, so you can control your drones) and your file pops into life with yet another funky looking icon:

solbtnt4.jpg

Let's look inside the code.

Note the fake error message in the first line, and the wonderfully charming "you got owned" message further down (with nifty swear word removed):

solbtnt5.jpg

As you can see, "Winservice.exe" is going to end up in the System32 Folder, assuming the victim can be convinced to run the file (which usually isn't too hard).

This is the fake error message our unwilling Botnet participant will see if they run the file:

solbtnt6.jpg

...and here's the "Winservice" file, now resident and active in the System32 Folder:

solbtnt7.jpg

At this point, we move back to the attacker who has fired up the Admin console. Note our test drone is now connected to the person controlling the Botnet:

solbtnt8.jpg

Simply enter the IP address of your target, hit "send" and...

solbtnt9.jpg

...the attack is underway, ending (logically enough) when you hit the "Stop" button.

Compiled on the 15/03/09, this is probably the most straightforward Botnet creation tool we've seen - I imagine there'll be quite a few SOL nets out there over the coming weeks / months.

Even so, there are a few drawbacks for wannabe net owners - specifically, having to register a number of files in order to run the Admin console. It might not sound like much, but you'd be surprised how many leet kids give up their life of E-Crime when faced with an array of .OCX files and Windows directories.

Thank goodness...


About this Entry

This page contains a single entry by Christopher Boyd published on March 30, 2009 4:54 PM.
