Welcome to part four of this module. It's finally time to talk about botnets. Before we get started, I do have to say that the amount of practical demonstration in this video is going to be somewhat light, and that is because the legalities surrounding botnets are very tricky from region to region. So you're not going to see me infect one of my own machines and then try to connect to it or anything like that. But we are going to go over what botnets can do, and we're going to be taking a look at a botnet that actually more or less comes built in to Kali with just a few downloads being necessary.

So first off, what is a botnet? In very simplistic terms, a botnet is a network of computers that have been infected with malware and can be given orders to perform certain tasks remotely. The most common architecture is to have a command and control server, usually a virtual private server with bulletproof hosting somewhere out on the Internet. The C&C, as it is called, is where the bots connect to and receive their orders from. The bot malware is then disseminated to victim computers through some other means. We've seen examples of how this is done in prior videos already. The victim becomes infected with the bot, and their computer is effectively owned by the person controlling the botnet.

Botnets are most commonly used for distributed denial of service attacks, which are universally illegal and will land you in very hot water. Distributed denial of service, or DDoS, basically involves having a lot of machines flood a particular target with traffic and requests to overload its capability and cause it to either crash or become completely jammed. This is why services like CloudFlare exist: to create a buffer and defend against such direct attacks, which have become all too common. But DDoS attacks are for people with no imagination. Botnets are capable of far more subtle, insidious things. One very low level example is click fraud: having many infected computers visit a particular site, usually without the users being aware of it. And it isn't for the purpose of crashing the site but to increase the view counter, giving the illusion of increased traffic, which in turn generates money, usually through advertising revenue. Another use that has become popular only in the last few years is to use a botnet to simulate real people on the Internet to manipulate opinion on certain topics. For instance, having a network of bots using dummy accounts all post the same general comments on Reddit, 4chan, YouTube, etc., creating the illusion that a great many people seem to think a certain way, or to bury contrary opinions under a block of spam posts. In some cases this has even been used to influence things like stock prices by creating a false impression that a stock is worth more than it is or less than it is.

Perhaps the most famous type of botnet involves banking trojans. These sorts of bots are based on the original Zeus botnet code and are benign to most users' machines. They seek only to spread themselves from computer to computer automatically until they find machines used in online banking, either as a customer or, heaven forfend, as a server. Their only function is to steal large amounts of money, and many millions of dollars have been stolen in this way. These are just a few uses for a botnet. I'm sure you can probably think of more, right?

So with this in mind, how do people create or obtain such a network? Surely you need super mega hacking coding skills to achieve it, right? Well, not anymore. Now, it is absolutely the case that the most dangerous hackers write their own bot code. Having the skill to do this allows for the greatest flexibility, and new code is much less likely to be detected as malicious, even if it is not put out through some sort of crypter or some other method of obfuscation. For more information on how that happens, please see the prior videos on Metasploit. But you don't need any skills to start a botnet, really. The basic code for the famous Zeus botnet banking trojan is available right here on GitHub. In fact, all of the most famous botnets are available free to download. They can be reverse engineered; with a minimum of coding skill a person could just use them as they are, install the C&C and then distribute the client component. Although any antivirus worthy of the name will absolutely detect these older and more out-of-date botnets, as they have been around forever. Even using a crypter is not likely to be enough to hide them. Simply slipping past antivirus for the initial infection doesn't mean the bot won't still be detected during subsequent scans. This code and other code like it is mainly useful for people who want to see how it all works and then develop their own. But what if someone isn't a coder but still wants their network to function? Newer, sleeker, more dangerous botnet software, particularly banking trojans (that seems to be one of the main interests), is being manufactured and sold illicitly. Of course, most of these are coming out of the Russian Federation. The purchase of such software by itself is almost certainly illegal, depending on your region of the world; the use of it, though, most definitely is.

So hopefully this explanation is clear so far. As I said at the beginning, I will not be creating a botnet in this video. That would be illegal and would violate the terms of use of this platform. However, there is a question that usually comes up, and it is this: how do all these kids DDoS people? How do teenagers with no appreciable coding skills seem to have access to botnets? Surely they did not purchase one for hundreds or thousands of dollars from some Russian coder, set up a VPS as a command and control server, then somehow infect thousands of people with malware successfully. So what gives? Well, we live in the future, and that's what gives. Ten years ago, maybe even five years ago, if someone wanted to access a powerful botnet, the only answer was to create one from scratch. We now live in an age of public resources and access. UFONet is a tool for Kali Linux. This is something you will see me demonstrate in a very limited way. I want to stress that it is absolutely illegal to use this software to perform distributed denial of service attacks. This information is being presented so that students of this class know how such a thing can be done without any actual skills, so that they can then defend against it in their roles as system administrators and lawful penetration testers. I must say again: obey the laws at all times.

With that very important disclaimer out of the way, all we actually need to do to install UFONet, and by the way I will be using VirtualBox for this, not the virtual private server you've seen me use up until now. Although a black hat would want to use a VPS or some other remote machine not connected to their personal identity, UFONet can be installed on most distributions of Linux, so this sort of attack can be performed from anywhere, really. At any rate, the first thing we need to do is clone the link, like so: copy it to the clipboard, and now we're going to minimize the browser and we're gonna open up our terminal. Go ahead and maximize it. So all we're going to do is type git clone and then we're gonna go ahead and paste in that link that we just copied. This will take just a moment and it should download everything we need. Downloading now. It's pretty small. It shouldn't take more than a few more seconds, and there we go. So we're going to go ahead and minimize the terminal window and come over to our file manager. And here we can see in our home directory UFONet has been downloaded. To make this a little easier and more straightforward, let's go ahead and move it to the desktop, and we'll come back to our terminal, and now we're going to cd into our desktop, and we'll cd into ufonet. Okay.

Now we need to modify certain permissions, so we're gonna type chmod +x setup.py and we're going to type chmod +x ufonet. Setup may or may not be needed. I've installed it already, and I think newer versions don't require you to run it that way. But what's one extra command, right? So if we need to run setup, and I don't think we do, it's just ./setup.py. Okay, well that wasn't really necessary. So to load it we're just going to do ./ufonet. And as you can tell, this is running the UFONet script and should give us the title page, right? And here we have the title page. This gives us information on how to use the tool via the command line. If we scroll up a little bit, we can see all of the various arguments that we can supply. So now we're going to type ./ufonet --help, and that gives us even more information, in this case the specific arguments we need, such as target, target list, places, rounds, what type of bots to use, et cetera. Now I want to stress that we don't actually have a working botnet yet.

This is a script that is going to effectively connect to a kind of open source botnet, so to speak. Now this is where things get tricky, and by tricky I don't mean they get hard. I mean that they get tricky. A black hat wishing to abuse this software would type ./ufonet --download-zombies. Were one to do this, it would result in downloading a list of infected computers for UFONet to use, several thousand at the time this video is being recorded, and the number is ever growing. You will not see me press the Enter key, nor should you attempt to do this yourself. Downloading this list is sort of the equivalent of loading a gun, and it can get you into a lot of trouble just by itself. The term zombies, by the way, is just the colorful language that the creators used to describe computers that have been infected with the bot client software. I want to stress again, our purpose here is not to test this piece of software but to be aware of what it is and how it works, and other tools like it, and there are a great many, so that we can defend against it. So do not download this bot list. We also see commands that would allow someone to upload zombies, which is a way of sharing computers that have been infected to the public list so that all the other users of UFONet can make use of them.

The configuration attack options have to do with what you're trying to do: some are for DDoS attacks, redirect is for click fraud and that sort of thing. Obviously the software is not sophisticated enough to allow for some of the attacks that I mentioned, such as influencing public opinion through bots and dummy accounts. UFONet and other tools like it are a blunt instrument for those lacking the skill to create a network of their own, or those without the resources to purchase professionally made software, again illegally. In other words, kids with Kali use this and other tools like it to DDoS each other and feel like big scary hackers. It's so easy. They often do not realize that launching an attack of this kind is against the law, but because these resources are so widely used, it makes attribution for an attack exceedingly difficult, and in the case of the more skilled hacker who actually knows what they're doing, this is why as a system administrator we need to assume that such tools are being used in a purposeful way, even if 80 percent of the time it's just a bunch of script kiddies. In any case, let's pretend that I downloaded the botnet list, or zombies as this tool calls them, and proceed as if I had. So to begin with, we're going to type ./ufonet, and this time we're going to supply the argument --gui for graphic user interface.

This may take a moment or two to load, particularly in a VirtualBox. As we can see, we have another title page, and in just a moment we should be presented with what appears to be a web based interface, though it is local. So to examine this we're going to click the Start mothership button, and from here we click, or rather hover over, this wormhole icon and then click botnet. It says that I have one of each type of bot, but that is because this software counts itself. If I had downloaded that public bot list there would be several thousand listed. So now we're going to come down here and we're going to click on attack. Now this is all pretty self-explanatory. Here you would set the target, so for example www dot this is not a real web page one two three blah blah blah bunch of gibberish dot com. And just in case you can't tell, that is not a real URL, at least I hope not. But we won't be clicking attack anyway. You could also enter in a specific IP address rather than a target URL if you had one, and then you can specify the exact place to attack, put desktop, and then the number of rounds that the attack will consist of. 500 would seem to be a good number.

Now if we go to configure requests, this sub window will pop up. As you can see, a proxy server can even be used. So doing this from a VPS that is paid for anonymously, using a VPN and/or Tor with proxychains to connect and then a proxy server on top of it, then factor in that with this network getting used by so many kids (I mean, notice that this whole thing looks like a video game; it's pretty much meant to attract kids), well, the bottom line is tracing the source of a real serious attack becomes virtually impossible. Anyway, the number of threads we would set to something like 50, and of course this information can be changed, a proxy server can be used, perhaps Tor, et cetera. You would click the set button. I will not be clicking attack. You get the idea. The URL that I entered is not real. Obviously most people who use the software don't even bother taking any kind of a precaution. They use it from their home computers in the clear. UFONet is just one example of a public botnet, and these things exist not because anyone cares about giving, you know, kids the ability to knock each other off Xbox Live, but because it makes real use of them that much more difficult to trace, and because it allows other people to contribute bots to the network, creating a shared resource that perpetually grows. A little research is all it takes to find other tools like this. Some of them may even be more sophisticated.

There is one more thing about botnets that bears mentioning. Serious botnet software often has a failsafe built in that can be rather easily set up at the time the client bot is generated. What I mean by this is, it might be perfectly reasonable to conclude after what you've just heard that the best way to eliminate a botnet would be to track down the command and control server. After all, the bots have to connect to it, so taking it out should logically collapse the entire network. Sometimes this is even an option, when so-called bulletproof hosting is not used or some dumb black hat runs the C&C on their home computer. The computer gets seized by authorities and presto, no botnet. That is why most modern botnet software includes these so-called failsafes. It goes like this. If a bot cannot connect to the command and control server after a certain number of unsuccessful attempts, it will attempt to connect to another command and control server, or even another after that. In short, a hacker or a group of hackers might have a dozen virtual private servers, or servers, all bulletproof hosting. If the current C&C gets shut down, the bots will automatically migrate over to the next C&C in the list after so many failed attempts to connect to the first one, then the next. And provided the botnet owner still controls one of the established C&Cs, the bots can be updated even after infection with new failsafe instructions. Thus taking out the command and control server is not a sure way to eliminate a particular botnet. Thus large, powerful networks are able to fester and grow, like sleeping giants awaiting orders. It isn't that figuring out where the C&C is is impossible, just that doing so isn't always enough.

Now, I know you're tired of hearing this, but please be lawful at all times. Please do not use anything presented here in a way that breaks the law. And remember that actually using these bots during a pen test is almost certainly illegal, because even if you have permission from the target to test their server in that way, you may not have permission from all of the machines that have become infected. So just don't do it. If you are interested in learning more about botnet code, GitHub is a supremely useful resource to examine what other people have done, and then you can tailor your defenses accordingly for the servers that you administrate. Thank you.