/GoBot2

Second Version of The GoBot Botnet, But more advanced.

Primary LanguageGoMIT LicenseMIT

GoBot2

After seeing another users Go based botnet i wanted to do more work on my GoBot, But i ended up building something a bit more. There is issues with this but it more of a advanced PoC.... I am not a good coder but i was able to make this buy doing some basic reading online. There was more i wanted to do with this project but i stopped, I am getting out of making Malware and virus's... I am going to move on to more legitimet things. Though i will be posting some of my old projects on my Github, and most of witch are malevolent i am putting them here to make it simpler for the 'good guys' to fight them and there kin.

C&C Features:

  • Written in Go
  • Cross-Platform
  • SQL Database for Information
  • Secure Login System
  • Hard-Coded Login System
  • Simple to use HTML & CSS C&C
  • Console Based C&C
  • Tight Security (No PHP!)
  • Encoded and Obfuscated Data
  • HTTPS or HTTP
  • Single, Selected, All Command Issuing
  • User-Agent Detection
  • More

Bot Features

  • Safe Error Handling
  • Have Unlimited Panels
  • Encoding and Obfuscation
  • Use HTTPS or HTTP
  • Old (>24Hr) Command Handling (Dont run commands that are old!)
  • Run PowerShell Scripts (Via URL, Parameters Accepted)
  • Advanced Torrent Seeder (uTorrent, BitTorrent Auto Download the client and runs hidden if needed)
  • Drive Spreader (with Name list)
  • Dropbox Spreader (with Name list)
  • Google Drive Spreader (with Name list)
  • OneDrive Spreader (with Name list)
  • Advanced Keylogger (Handles all keys, Window Titles, Clipboard, AutoStart, +more)
  • System Information (IP, WiFi, User, AV, IPConfig, CPU, GPU, SysInfo, Installed Software, .NET Framework, Refresher)
  • Screen Capture (Compression, Timed Capture, +more)
  • Download and Run (MD5 Hash Check, URL or Base64, Parameters, UAC Bypass, Zone Remover)
  • DDoS Methods (Threaded /w Interval, HTTPGet, TCPFlood, UDPFlood, Slowloris, HULK, TLSFlood, Bandwidth Drain, GoldenEye, Ace)
  • Bot Update (MD5 Hash Check, Admin, Zone Remover)
  • UPnP (Open TCP/UDP Ports)
  • Web-Server (Auto-UPnP port 80, Add/Edit Unlimited Pages)
  • Add Programs to Windows Firewall
  • HOST File Editor (Backup and Restore, Replace on Run, DNS Flusher)
  • Remote CMD
  • Detect Admin Rights
  • Bot ID Generation (Never the same)
  • Advanced Anti-Virus Bypass (Random Memory Allocation, Func HOP, Delays, Runtime Load DLLS /w Obf, Random Connection Times, + more)
  • Advanced Anti-Debug (isDebuggerPresent, Proc Detection, IP Organization Detection, File Name Detection, Reaction System)
  • Single Instance System
  • Reverse HTTP Proxy (Conf. Port, backend Servers)
  • Active Defense (Active Registry Defense, Active File Defense, Active WatchDog + more) Doesn't want to be killed.
  • UAC Bypass (Work all versions and current version of Windows 10 Pro 64Bit)
  • Advanced Install System (Dynamic Registry Keys, Dynamic File Names, Retain Admin Rights, Campaign Targeting (Only install in allowed Country's), Zone Remover, Adds self to Firewall)
  • Uninstall System (Removes all Traces)
  • Scripter (Batch, HTML, VBS, PS)
  • Run Shellcode (ThreadExecute)
  • Power Options (Shutdown, Restart, Logoff)
  • Startup Error Message
  • MessageBox (Returns Reply)
  • Open Website (Visible/Hidden)
  • Change Homepage
  • Change Background (URL or Base64)
  • Run .exe (UAC Bypass optimal)
  • Kill Self
  • Check if Proc is Running
  • Hide Process /w Active Mode
  • Disable/Enable (TaskManger, RedEdit, Command Prompt)
  • File Dropper (Place evedence on pc with no traces where it came from /w dir selection)

Some Info about the C&C

The C&C is a program, You can compile it for Windows, Linux, Mac systems. Its a self-running web-server that handles all connections on the selected port in the settings. it will serve the HTLM C&C to a connector if you allow it and it saves data about account, bots and commands as a SQL database and bots files (screenshots, keylogs, ect) as file under the bots own "Profile"
You can control the botnet from the program(more secure) or control it from the HTML C&C. The C&C's program is extremely stable, Go based servers are know for handling millions or requests at once without fail, just make sure you have a good connection.
The C&C has a build in hard-coded login (kinda like a Backdoor) you can use if you 'forgot' the account login. the C&C can have any number of accounts.
With it being a self-contained program this removes the issue of SQLi attacks on the C&C so its more SECURE.
The C&C can also run inside a Tor Hidden service if configured right and the client (bot) can connect to it using a onion.to or onion.cab forwarder if needed. Tor can also be used by the bot via a SOCKS proxy... Simple to do, Google it.

How to Build and Use

Bot Settings are located in "Variables.go" Server Setting are located in "Server.go"

Compile GoBot.go with correct settings, Make a MySQL Database and import db file, Compile Server.go with correct settings

  • go build -o GoBot.exe -ldflags "-H windowsgui" "C:\GoBot2\GoBot.go"
  • go build -0 Server.exe "C:\GoBot2\Console Server\Server.go"

Always compile with '-w -s' ldflags to strip any debug information from the binary.

Included Tools

  • Tool for the project (Obfuscator (Char+1) and other crap. w/ source in VB.net)
  • Downloader.go (GoLANG Download and Run Example)
  • DownloaderWithUAC.go (GoLANG Download and Run Example with UAC Bypass)

Obfuscator

It not really a Obfuscator all it does it move the Char +1 to and A = B, C = D, ect. Simple but it will slow down people wanting to mess with the program and also programs that search for keywords...

Packages Used

  • github.com/NebulousLabs/go-upnp
  • golang.org/x/sys/windows/registry
  • github.com/AllenDang/w32
  • github.com/atotto/clipboard
  • github.com/StackExchange/wmi

Images

Credits and Stuff

Other

Go is a amazing and powerful programming language. If you already haven't, check it out; https://golang.org/

Donations

Please Donate To Bitcoin Address: 1AEbR1utjaYu3SGtBKZCLJMRR5RS7Bp7eE

News

I just read a article on Bleeping Computer, https://www.bleepingcomputer.com/news/security/backdoored-torrents-infect-movie-tv-fans-with-gobot2-malware/ Seems someone has found a use for this project... I have no involvment with this group or person. I have nothing more to say on this matter.

-Crab Crab
----------Update Log---------------------

03/15/2017: Intial Upload...