Friday, 6 December 2013

Win32/Atrax.A

Atrax is a TOR botnet, you can read about it on the excellent post of Aleksandr.
Someone on kernelmode.info posted recently a fresh sample:
MD5: 44a6a7d4a039f7cc2db6e85601f6d8c1

Fun things also, the coder leaved a message:
"Nice blog post ESET 2013/07/24 Greetz to KernelMode.info"

Atrax advertising:
Programming language: C (No C++!)
OS: Win XP - 8.1 (all x86/x64)
Admin rights required: No
Special: Tor Integration, spawns no process -> x64/x86 Process injection, this is the first public bot which supports windows 8!
File size: ~1,2 MB (because of Tor integration and x64/x86 Code), you can get a free assembler web downloader ~2KB

Why Tor?
The bot communicates only via Tor with your panel. With Tor you can get a really nice anonymous Botnet. It is almost impossible (well, theoretically it is possible, but Silkroad is still online, so don’t worry) to get your server ip and put your server down. You get a Tor onion domain and this domain cannot be blacklisted (lasts “forever”). So to sum up: If you don’t do any configuration mistakes, your botnet will probably last very long.
You need a VPS or a dedicated server to host this tor botnet, because you need to set up a hidden service. Because of tor the botnet is consuming more hardware resources than typical botnets. Probably it is not possible to get a 10 Dollar/year VPS and trying to host over 1k victims.

Setting up hidden service instructions:
- https://www.torproject.org/docs/tor-hidden-service.html.en
- http://kendildonic.wordpress.com/2011/08/03/build-a-tor-hidden-service-onion-web-site-with-a-cheap-vps/
- A little manual to set it up on debian based linux systems is included

The bot consist of a core and various plugins/addons. Each plugin/addon costs some money. Every plugin also communicates over tor.
(If somebody is interested in developing a plugin -> contact me)

Some basic features:
- Autostart, Persistence
- x86/x64 Code, x86/x64 Injection with Heavens Gate technique
- Anti-Analyzer (Protection against e.g. anubis.iseclab.org, malwr.com)
- If you need: Anti-VM (Please request it explicitly)
- Anti-Debug/Anti-Hook Engine
- Doesn't use suspicious windows apis like GetProcAddress/GetModuleHandle
- Plugins are saved to disk with AES-128-CBC encryption (random key)
- Communication over tor is already encrypted, so no extra communication encryption
- Every Plugin and the core is watermarked. Leak -> No updates/support. (All updates are free)
- Everything UNICODE

Panel:
- http://www0.xup.in/exec/ximg.php?fid=11907674
- http://www0.xup.in/exec/ximg.php?fid=68935688
- http://www0.xup.in/exec/ximg.php?fid=20127007
- http://pixs.ru/showimage/2ci7png_4898170_9693543.png
- http://pixs.ru/showimage/ekahjpg_4965220_9693535.jpg
- Login Bruteforce protection, panel will be locked after x failed logins (captchas are not secure)
- SQL-Injection proof
- No IonCube

Standard Features:
- Kill
- Update
- Download (over Tor), Execute (Commandline-Parameter allowed)
- Download (over Tor), Execute (Commandline-Parameter allowed) in memory (Your file doesn't need to be FUD)
- Install Plugin
- Installation List (A list with all installed applications)

The Core has only a few functions, but they are already pretty useful. Yes you can e.g. start your own uncrypted Bitcoin Miner with the "Download over Tor, Execute Memory" function.
I will give you a plain bitcoin miner exe or just use the binaries you can find in this board.

A bot addon is integrated in the main EXE, so no extra file.
A bot plugin is not integrated, you will receive extra file(s).

Addon - DDOS:
- Full IPv6 ´+ IPv4 support.
- UDP Flood
- TCP Flood
- TCP Connect Flood (Some idiots call this "SYN-Flood")
- HTTP Slowloris (based on http://ckers.org/slowloris/)
- HTTP RUDY (R-U-Dead-Yet, based on https://code.google.com/p/r-u-dead-yet/)
- HTTP File Download (Good if your target hosts a file >1MB)
- If you need some more methods, contact me.

Addon - Form Grabber:
- Firefox, Internet Explorer x86/x64, Chrome SSL HTTP POST Grabber
- Anti-Hook Engine (Removes hooks from other bots)
- Own Hook Engine (No copy/paste crap)
- Tested with Browser: Internet Explorer v7/v9/v10, Firefox v11/v21/v22/v24, Chrome v27/v30
- Tested with Website: PayPal, Amazon, Bitcoin.de, Mt. Gox, eBay, Googlemail, vBulletin Boards
- SPDY v3 support
- IE 7/8/9/10 (Enhanced) Protected Mode Support
- Grabs only important POST Form Requests.
- Searches automatically for Username/Password/Email and CC (Possible CC will be displayed in panel)
- Screenshot: http://www0.xup.in/exec/ximg.php?fid=24471254

Addon - Socks 5 Reverse Socks:
- You need a 2nd VPS/dedicated Server to keep your main C&C server secure!
- Server is a Java application to achieve complete platform independence -> All OS supported!
- Socks 5 with and without authentication
- Controlled via tasks
- You can run different instances of the proxy sever for different purposes
- Works on all clients because it is a reverse socks (No SSH crap!)
- Panel screenshot: http://www0.xup.in/exec/ximg.php?fid=15537396

Plugin - Stealer:
- Steals all current browser versions.
- Steals: CHROME, FIREFOX, SAFARI, INTERNET EXPLORER, OPERA, FILEZILLA, PIDGIN, JDOWNLOADER v1 + v2, GIGATRIBE, THUNDERBIRD, WINDOWSKEY, FLASHFXP, ICQ, MSN, WINDOWS LIVE, OUTLOOK, PALTALK, STEAM Username Only, TRILLIAN, MINECRAFT, DYNDNS, SMARTFTP, WSFTP, Bitcoin Wallet (Armory, Bitcoin-Qt, Electrum, Multibit)
- If you need something more -> ask me.
- Special: JDownloader v1/v2, Bitcoin Wallet Stealer (whole wallet.dat will be uploaded), IE10 + IE11 support!

Plugin - Coin Mining (Experimental)
- Bitcoin / Litecoin Miner
- Hash Rate displayed in panel
- Based on Ufasoft Miner v0.68 (updated regularly)
- Mining with tasks http://www0.xup.in/exec/ximg.php?fid=60729560

Price:
Core: $250 (Launch price! Read information below)
Addon DDOS: $90
Addon Form Grabber: $300
Addon Reverse Socks: $400
Plugin Stealer: $110
Plugin Coin Mining: $140 (Experimental)

Payment only with Bitcoin. Market price from https://www.bitcoin.de "Current Bitcoin price" - 10%, because of high exchange rate fluctuations!
Bugfix Updates and Support is free of course.
Please keep in mind: This Core Price will be higher soon. This Bot is currently in beta stage, so probably there are still some bugs. Get it now pay less + maybe bugs, wait: pay more and bot is stable

- Builder available?
No, your tor domain will last forever if you don't lose the RSA key.

- Is the bot bin FUD?
No, you need a crypter. This bot should work with all crypters, but .NET Crypters are special. Tell me what .NET crypter you want to use and we will see.
I can give you a free .NET Crypter to get you started!

- The bot is too expensive, noob!
I don't care if you think it is too expensive.

- The filesize sucks, noob!
I don't care.

Alright, let's have a look on the C&C of the sample posted on kernelmode.
estrgnejb7sjly7p.onion >> 46.183.219.xxx
The httpd is not properly configured to run with the IP
So, let's have a look from TOR.

Login:

Statistics:

Plugin statistics:

Spreader statistic:

Bots:

Bot legend:

Bot information:

AtraxStealer plugin logs:

Formgrabber plugin logs:

Formgrabber plugin logs detail:

Plugins:

Tasks:

Create a new task:

Task setting for 'Download & Execute':

Task execution:

Edit a task:

Settings:






7 comments:

  1. very nice idea to buy bots from honeypots :D

    ReplyDelete
  2. ip release http://46.183.219.145:2014/index.php?action=login
    (port 2014 don't return the plain like 80)

    ReplyDelete
  3. nice,...what anime is that?

    ReplyDelete
  4. How did you get the IP from the onion domain?

    ReplyDelete
  5. "How did you get the IP from the onion domain?"

    - ill second that, is there some exploit to get ip's behind TOR?
    thank you,

    ReplyDelete
  6. how can we get the atrax pack @ steve need one to check it out

    ReplyDelete