Botnet documentation

Sady

Post by Sady »

Hi there!

I want to know if documentation of the botnet architecture exists. Currently, I'm writing my own bot in Object Pascal and want to make it "Eggdrop compatible." That means that I want to link it to Eggdrops. Now you will say that I can look in the source code. You're right, but I don't understand C and the code is too complex. Please help....

Sady
Petersen
Owner
Posts: 685
Joined: Thu Sep 27, 2001 8:00 pm
Location: Blackpool, UK

Post by Petersen »

afaik, nobody has ever documented the botnet protocol eggdrop uses. it's easy to work out though. enable console debug in conf, and set your console +th to see what their traffic is, then experiment to see how they transfer info about everything.
guppy
eggdrop engineer
Posts: 199
Joined: Mon Sep 24, 2001 8:00 pm
Location: Canada

Post by guppy »

If you make a doc, I'd love to see it :) And/or if you need some help with the botnet protocol .. I can help via e-mail and perhaps work on a document together.

Jeff
Dakota

Post by Dakota »

I'm also interested in that. Some months ago I asked for an RFC, but the response was the same. :)

So I have my own list with some commands that can be useful.
Wcc
Master
Posts: 278
Joined: Sun Oct 28, 2001 8:00 pm
Location: USA

Post by Wcc »

I may make a doc before the next release if I get time.

Wcc
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

I would ask that some1 can produce some Tcl, or other code (or just the math) that converts eggdrop's non-standard version of BASE64, rather than me spending 3 1/2 hours to convert version numbers.

I have a basic guide to get a connection made, and working. Sending messages, and what not. How to make commands go to the correct destination.

The IDX of a connection is sent in BASE64 format, and this is where I need this conversion.

Can you help guppy?

Looking in the code, I can see how C does it, but I ain't got a bloody clue how to do it in another language. If I can see it done on paper, I can replicate it in any language I like.
guppy
eggdrop engineer
Posts: 199
Joined: Mon Sep 24, 2001 8:00 pm
Location: Canada

this might work

Post by guppy »

I just saw this tonight and figured what the heck ... I think this works :)

Ack, I discovered a bug when I linked a testbot into Eggdrop .. int_to_base64 1061103 was returning DDvE instead of EDDv. The fix was simple, change:

Code:

	foreach {key value} [array get buf_base64] {
		append output $value
	}
to:

Code:

	foreach {key} [lsort -integer [array names buf_base64]] {
		append output $buf_base64($key)
	}
Working code:

Code:

set base64to [list \
	0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \
	0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \
	0 0 0 0 0 0 0 0 52 53 54 55 56 57 58 59 60 61 0 0 \
	0 0 0 0 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 \
	15 16 17 18 19 20 21 22 23 24 25 62 0 63 0 0 0 26 27 28 \
	29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 \
	49 50 51 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \
	0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \
	0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \
	0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \
	0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \
	0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \
	0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]

set tobase64 [list \
	A B C D E F G H I J K L M \
	N O P Q R S T U V W X Y Z \
	a b c d e f g h i j k l m \
	n o p q r s t u v w x y z \
	0 1 2 3 4 5 6 7 8 9 \[ \]]

proc base64_to_int {str} {
	set x 0
	for {set i 0} {$i < [string length $str]} {incr i} {
		# shift the accumulator by one 6-bit digit, then add the next digit
		set x [expr {$x << 6}]
		set x [expr {$x + [lindex $::base64to [scan [string index $str $i] "%c"]]}]
	}
	return $x
}

proc int_to_base64 {val} {
	set i 11
	if {!$val} {
		return [lindex $::tobase64 0]
	}
	# fill the buffer from the least significant 6-bit digit upwards
	while {$val} {
		incr i -1
		set buf_base64($i) [lindex $::tobase64 [expr {$val & 0x3f}]]
		set val [expr {$val >> 6}]
	}
	# array order is not guaranteed, so emit the digits in index order
	foreach {key} [lsort -integer [array names buf_base64]] {
		append output $buf_base64($key)
	}
	return $output
}
Working example:

Code:

% set base64 [int_to_base64 1061103]
EDDv
% puts [base64_to_int $base64]
1061103
someone might be able to come up with a better version than this though. I wrote it in about 10 minutes w/ several minutes spent actually debugging it.
ChEaSeR

Yeah Cool..I need help 2 :}

Post by ChEaSeR »

I`m working on a project like the project of Sady...
But with [censored]`n mIRC
...
I make some shitz ..
I see some commandz with sniffer when I link my botz :}}}}}
..but I can`t make my bot to link to eggdrop
because :
handshake <Some-Crypted-[censored]@Botnetnick>
...
but I don`t know how is encrypting this [censored] Some-Crypted-[censored] or with what KEY is it crypting it..
if some one can help me..
mail me at h4cf0r@abv.bg
:}
I had make all shitz over 3 days..
today is my 4 day and my computer is not working for not more then 24 hours..nevermind..but if some one can help
pleeeeeeeeeeaseeeeeeee help!
hey
if some one want to help me..contact me...you will need to know just little bit of mirc scripting..
if you don`t know any mirc scripting..you can be a beta tester..
please...
thanks in advance!!!
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

Here is my current mirc script. I use this to link to eggdrop, so I can debug a Tcl script I am currently making (well, I have been saying that for the past 8 months).

It will link the bot to the botnet, handing the correct information to get the link in place. It will respond to compulsory commands (pings) to keep the link established.

My Tcl script also relies on 3 other Tcl based bots, which I can't start on, until the first is complete, so there is also a quick hack, to fake the other 3 bots presence.

Code:

alias F2 {
  sockopen egg123 $$?="Host" $$?="port"
}

alias cF2 {
  aline 8 @ $+ %eggsocktempsock Added user
  #sockwrite -n %eggsocktempsock j services loging A *A looking@what.you.are.doing.log
  #sockwrite -n %eggsocktempsock j services security A *B bouncer@the.door.wants.to.knock.you.out
  #sockwrite -n %eggsocktempsock j services linkbrige A *C bridge@link.abc.def.=blowfish.+Ji7d0dvs7bh9j34s5ffn
  #sockwrite -n %eggsocktempsock j services talkbrige A *D bridge@link.def.abc.=blowfish.+gdh6d7ghdfs0ddd3fnj9
  sockwrite -n %eggsocktempsock n logging services !D8Ji
  sockwrite -n %eggsocktempsock n chatserv services !D8Ji
  sockwrite -n %eggsocktempsock j chatserv chatuser A @Z chat@services.chat.space.1
}

alias cF3 {
  sockwrite -n %eggsocktempsock n testing services ! $+ $$?="h"
}

alias sF2 {
  set %eggtempd $$?="data"
  sockwrite -n %eggsocktempsock %eggtempd
  aline 6 @ $+ %eggsocktempsock %eggtempd
  unset %eggtempd
}

alias eggdropinput {
  return 0
}

on 1:input:@egg*:{
  if ($left($1,1) == .) {
    if ($eggdropinput($left($1-,-1)) == 1) {
      halt
    }
  }
  aline 6 @ $+ %eggsocktempsock CHAT: $1-
  sockwrite -n %eggsocktempsock c chatuser@chatserv A $1-
}

on 1:sockopen:egg*:{
  window -e @ $+ $sockname
  aline 4 @ $+ $sockname Opened eggdrop socket $sockname
  set %eggsocktempsock $sockname
  sockmark $sockname debug
}

on 1:sockread:egg*:{
  sockread %eggsocktemp
  var %in 1
  while ($sockbr != 0) {
    if (%in > 1) {
      sockread %eggsocktemp
    }
    if (%eggsocktemp == $null) return

    if ($right(%eggsocktemp,9) == nickname.) {
      sockwrite -n $sockname services
      aline 5 @ $+ $sockname : Sending handle: Services
    }
    set %thiseggsock $sockname
    if ($sock($sockname).mark == debug) {
      aline -p @ $+ $sockname $sockname $+ : %eggsocktemp
    }
    if ($eggdropcommand($sockname, %eggsocktemp) != $null) {
      aline -p 5 @ $+ $sockname : $ifmatch
    }
    inc %in
  }
}

on 1:sockclose:egg*:{
  aline 4 @ $+ $sockname Eggdrop closed the connection $sockname
}

alias eggver {
  if ($1 == 1.0.0.0) { return D0JA }
}

alias eggdropcommand {
  tokenize 32 $2-
  if ($1 == tb) {
    sockwrite -n $sockname tb services
    sockwrite -n $sockname n chatserv services - $+ $eggver(1.0.0.0)
    sockwrite -n $sockname j chatserv chatuser A @J chatuser@chatserv.services.egg.net
    sockwrite -n $sockname i chatserv J S9
    return Connected to $2
  }
  if ($1 == *bye) {
    return Disconnection from botnet
  }
  if ($1 == version) {
    sockwrite -n $sockname version 2000199 9 ServDrop v2.0.1 beta <Services agent>
  }
  if ($1 == passreq) {
    sockwrite -n $sockname aabbccdd
    return Password sent
  }
  if ($1 == *hello!) {
    sockwrite -n $sockname  *hello!
  }
  if ($1 == pi) {
    sockwrite -n $sockname po
    return Ping, Pong
  }
  if ($1 == c) {
    return 8< $+ $2 $+ > $4-
  }
  if ($1 == el) {
    sockwrite -n $sockname el
  }
  if ($1 == pt) {
    return *** ( $+ $2 $+ ) $3 has left the partyline ( $+ $5- $+ )
  }
  if ($1 == po) {
    return Pong, Ping :P
  }
  return $null
}
You will need to add a bot record on the eggdrop, for a bot called services, and give it a password of aabbccdd.

Once done, and this script is loaded in mIRC, you can hit the F2 key (you may need to change the script around a bit if your keys are already mapped). You enter the hostname of the bot, and the port in use for linking. mIRC will link to the bot. A debug window will open with all the information you require once linked.
ChEaSeR

..

Post by ChEaSeR »

Yeap thats good..
but can you mail me a text file with all commandz for the botnet linking ?
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

As stated in the PM reply, there is no documentation.

If you had bothered to read the first question in this thread (the page you are reading now), you will see the same question, and the answer to it.

Simply ask a specific question, and people may look into it. Asking broad questions takes too much time, thus people are reluctant to answer.

Look at the script above, and you will see how eggdrop requests information from another bot. If not, simply changing the above code to display more output should tell you what is sent when, and why.
ChEaSeR

..

Post by ChEaSeR »

ok tell me for what is "j" ?!
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

Used to state when a new bot has joined the botnet.

Command is in the format of
j <linked-to> <linked-bot> <A> <sock> <host>

<linked-to> = the botnick of the bot sending the message
<linked-bot> = the botnick of the bot that has just linked in
<A> = can't remember
<sock> = The base64 encoded socket number (note, this is not normal BASE64, and I have yet to convert the above Tcl to mIRC, so I can convert the socket numbers)
<host> = A vanity host, that is displayed in a .dccstat
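
An added example, not part of any post in this thread: a Python version of guppy's two conversion procs that rejects characters outside the alphabet instead of decoding them as 0, together with a parser for the j line as ppslim lays it out. Treating the first character of <sock> as a separate prefix is an assumption read off the sample lines (*A, @J, @Z); the names Join, parse_join and SAMPLE are illustrative.

```python
# Added example, not thread code; the <sock> prefix handling is an assumption.
from typing import NamedTuple

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789[]")  # same order as guppy's tobase64 list
DECODE = {ch: i for i, ch in enumerate(ALPHABET)}
SAMPLE = "j chatserv chatuser A @J chatuser@chatserv.services.egg.net"  # from the mIRC script

def int_to_base64(val: int) -> str:
    """Encode a non-negative integer, most significant digit first."""
    if val < 0:
        raise ValueError("negative values cannot be encoded")
    digits = []
    while True:
        digits.append(ALPHABET[val & 0x3F])
        val >>= 6
        if not val:
            return "".join(reversed(digits))

def base64_to_int(text: str) -> int:
    """Decode strictly: unknown characters raise instead of counting as 0."""
    if not text:
        raise ValueError("empty base64 field")
    x = 0
    for ch in text:
        if ch not in DECODE:
            raise ValueError(f"invalid base64 character {ch!r}")
        x = (x << 6) | DECODE[ch]
    return x

class Join(NamedTuple):
    linked_to: str
    linked_bot: str
    a_field: str      # "<A>" in the post; its meaning is not given in the thread
    sock_prefix: str  # assumed: first character of <sock> is not a digit
    sock: int
    host: str

def parse_join(line: str) -> Join:
    """Parse 'j <linked-to> <linked-bot> <A> <sock> <host>'."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 6 or parts[0] != "j" or not all(parts):
        raise ValueError("not a well-formed j line")
    _, linked_to, linked_bot, a_field, sock, host = parts
    if len(sock) < 2:
        raise ValueError("sock field too short")
    return Join(linked_to, linked_bot, a_field, sock[0],
                base64_to_int(sock[1:]), host)
```

Decoding D0JA, the value the script's eggver alias returns for 1.0.0.0, gives 1000000.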
ChEaSeR

..

Post by ChEaSeR »

special 10x man
..
but can you send me all commandz that you know to my mail .. ?
(* MAIL: h4cf0r@abv.bg *)
Chr1s

Post by Chr1s »

I'm wondering what the 3 following packet structures are:

Code:

passreq <72303e8f308a@Lamestb2t>
What does the 72303e8f308a mean?

Code:

el

Code:

idle Lamestb2t 8 71