Botnet Coursework | Help Centre

All Categories

Cyber Security and Cryptography

Botnet Coursework

Botnet Detection and Perimeter Defence Coursework

Last Update Unknown

rbot.zip - Controller and bot exe files:
bit.ly/napier_rbot

Expecting around 12 pages and 4000 words

Research

Recommended Research sites by Napier:

sciencedirect.com
ieee.com
dl.acm.org (login with napier)

Sample Snort Rules

sid:1000001 – Snort rule ID.

Remember all numbers smaller than 1,000,000 are reserved; this is why we are starting with 1,000,001. (You may use any number, as long as it’s greater than 1,000,000.)

var LAN_NET 172.16.105.0/24
var DMZ_NET 172.16.106.0/24
var PUBLIC_NET 10.211.0.0/16
    
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says takedown!"; content:"takedown"; depth:8; nocase; sid:1000001;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says hello!"; content:"hello"; depth:5; nocase; sid:1000002;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says get!"; content:"get"; depth:3; nocase; sid:1000003;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says look!"; content:"look"; depth:4; nocase; sid:1000004;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says goodbye!"; content:"goodbye"; depth:7; nocase; sid:1000005;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says code!"; content:"code"; depth:4; nocase; sid:1000006;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says keepalive!"; content:"keepalive"; depth:9; nocase; sid:1000007;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says connect!"; content:"connect"; depth:7; nocase; sid:1000008;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says capture!"; content:"capture"; depth:7; nocase; sid:1000009;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says loop!"; content:"LOOP3bbf158fca09f2e3ab0cf47ea53d2505582cef56c807a10816b9f10d7f9384c61da757baa5391580974abd673d8323c7b416ed3e6d45d29b4902ef60f095b9ac9cc06c01ffc28eb4c02f5236e123f185a65c032c4897c7af1643658ac0f652e7"; sid:1000010;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says loop!"; content:"LOOPad68a660b4325f130b32d9ef64e5d5d61fd4f61ad1b20f999b3c0c2b77f761c3509e9828b4f2ca6256655fba468da36da8c57309a1ff9931cf27d08fd832c82c2f1a50030ab608985201570bb2036619"; sid:1000000;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says generate!"; content:"generate"; depth:8; nocase; sid:1000011;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says failover!"; content:"failover"; depth:8; nocase; sid:1000012;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says test!"; content:"test"; depth:4; nocase; sid:1000013;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says snoopbot!"; pcre:"/SNOOPbot(\d{1,3}\.)(\d{1,3}\.)(\d{1,3}\.)\d{1,3}/sm"; sid:1000014;)
alert tcp $LAN_NET any -> $PUBLIC_NET any (msg:"Bot says hint!"; content:"hint"; depth:4; nocase; sid:1000015;)
    
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to hello"; content:"Welcome to the gang..."; depth:22; sid:1000016;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to goodbye"; content:"sleep..."; depth:8; sid:1000017;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to code"; content:"Calvin never forgets transmogrification animal ... may be key..."; depth:64; sid:1000018;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to connect"; content:"microsoft.com"; depth:13; sid:1000019;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to connect"; content:"ibm.com"; depth:7; sid:1000020;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to connect"; content:"hpe.com"; depth:7; sid:1000021;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to connect"; content:"apple.com"; depth:9; sid:1000022;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to connect"; content:"twitter.com"; depth:11; sid:1000023;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to connect"; content:"bbc.co.uk"; depth:9; sid:1000024;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to generate"; content:"bgure pbzznaqf znl or ninvynoyr ... uvag uvag"; depth:45; sid:1000025;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to takedown"; content:"RVYRADPOERTV IU H GENUVBAATL IVOLHC XHCA IERILIW CQTEYTGYH VUPUXRG"; depth:66; sid:1000026;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to takedown"; content:"FAPDLPDXYX HPH NSNUXCQES ISET HDXI OU ISI ICUCESIGFGTJGP VEHEZRSXQWI FDG ELE"; depth:76; sid:1000027;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to takedown"; content:"HYEEK EFV TJU XMGEF UJ FRNFUQKRRR ? RSQBSPXISE RNTWCDWNXI OED RTGFPPGOSB IAAYSANAEK."; depth:84; sid:1000028;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to test"; content:"2bb3d86d95234affa7c5bd68c4bab606"; depth:32; sid:1000029;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to test"; content:"bbccdf2efb33b52e6c9d0a14dd70b2d415fbea6e"; depth:40; sid:1000030;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to test"; content:"749ab2c0d06c42ae3b841b79e79875f02b3a042e43c92378cd28bd444c04d284"; depth:64; sid:1000031;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to test"; content:"4015e9ce43edfb0668ddaa973ebc7e87"; depth:32; sid:1000032;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to test"; content:"72f15b250fdd58ccfae958dace1213f71d6d41ad"; depth:40; sid:1000033;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to test"; content:"557f255516719ea16f8f4a0aae1166054e2c9b43"; depth:40; sid:1000034;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to test"; content:"beda14763de0969a064921bfd97d425e109d47e21dd6085bd86f2e89f91cfae6"; depth:64; sid:1000035;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to loop"; content:"All Explained Successfully ... IV all the zeros"; depth:47; sid:1000036;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to failover"; content:"That took a while..."; depth:20; sid:1000037;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to snoopbot"; content:"mmmmm...my army grows"; depth:21; sid:1000038;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to hint"; content:"4a2028eceac5e1f4d252ea13c71ecec6"; depth:32; sid:1000039;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to hint"; content:"48a47a95e16adbba58888df370ff0324"; depth:32; sid:1000040;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to hint"; content:"3b5949e0c26b87767a4752a276de9570"; depth:32; sid:1000041;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to hint"; content:"a2a551a6458a8de22446cc76d639a9e9"; depth:32; sid:1000042;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to hint"; content:"6c43c0a88fbf0f44ba944d00524e45c3"; depth:32; sid:1000043;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to hint"; content:"1e4483e833025ac10e6184e75cb2d19d"; depth:32; sid:1000044;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to hint"; content:"ae7a9f31f296ffd4935056cfa158fa3a"; depth:32; sid:1000045;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to look"; content:"R0lGODlhAAQABP8AAA3nxHR973dumpNsGwUP4MNjVc4lLa7MnOIl0lBhmsFl/vtVpVTJeAAmwu9se3w5eJU0y9jGMDJfGyeSWB0nDP/RBhwKujpumtzN/2q/XyFl7Fq6LM/pn87I9ootNyDj/7bvmnVgL75bxTD7+THHn7sGLGvCbd8w6GdNQcOwQWK86v+0z8SrBbycX2ee7qadAFbOJwq0IJLWv7IOEu36qoPNPg4xE9D3WievJg54kfnBsEFt4RpYCMpt3hARnfLPorTk0LCXa+2G18zjBfmDX"; depth:293; sid:1000046;)
alert tcp $PUBLIC_NET any -> $LAN_NET any (msg:"Controller replies to get"; content:"/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAICAgICAgICAgICAgICAwMDAgIDAwQDAwMDAwQFBAQEBAQEBQUGBgcGBgUHBwgIBwcKCgoKCgoKCgoKCgoKCgr/2wBDAQMDAwQDBAcFBQcLCQcJCwwLCwsLDAwKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgr/wAARCAF3APoDAREAAhEBAxEB/8QAHQAAAAcBAQEAAAAAAAAAAAAAAgMEBQYHCAEJAP/EAFcQAAEDAgQEBAMEBgcEBQYPAAECAwQFEQAGEiEHEzFBFCJRYQgycRUjQoEzUpGhscEWFyRictHhCUPS8CWCkqKyNEVzk9PxJjU2RFNUZWaEhZSzwsTi/8QAGwEBAQEBAQEBAQAAAAAAAAAAAAECAwQFBgf/xABBEQEAAQMCAwQGCAIJBAMAAAAAAQIDERIhBDFBBRNRYRQiMnGR8EJSgaGxwdHh"; depth:500; sid:1000047;)

How to get the Source Code

rbot.zip - Controller and bot exe files:

bit.ly/napier_rbot

Source Code.zip - Controller and bot source code:

bit.ly/napier_rbot_source

On a Linux machine (can be VSOC Kali or Ubuntu) run:

The strings command prints the sequences of printable characters from a file, which is useful as it gives an idea of the modules used by the code.

Using the command above, we can see that the last line of the output says that the exe file is protected using “Spices.Net Obfuscator”, giving us an idea of what we need to do to make it readable again.

Instructions below are for Windows 10 VM on your local machine:

de4dot is a .NET deobfuscator and unpacker which supports Spices.Net.

Download the exe installer for de4dot from this github repo.

Run the installer

*Be aware this only works in Windows!*

Run the below commands in a command prompt window to deobfuscate the controller and bot exe files in turn.

dnSpy is a debugger and .NET assembly editor which allows us to view the deobfuscated source code.

Download dnSpy from this github repo.

Open the controller-cleaned.exe and bot-cleaned.exe files in dnSpy once installed and open up the folders in the left pane until you reach 'class1.cs', then click on that to view the code!

You can also click 'File -> Export to Project' to convert it into a Visual Studio Solution file (which is what is in the Source Code.zip from the link at the top)