Build Your Own Botnet – BYOB

Last Commit: 05/13/2019

Introduction

BYOB (Build Your Own Botnet) is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet. The framework is intended to improve your ability to develop counter-measures against malware and to deepen your understanding of how malware works and infects a huge number of devices every year.

Disclaimer: This project should be used for authorized testing or educational purposes only.

BYOB: Build Your Own Botnet

The BYOB framework allows you to easily implement your own code and add new features without having to write a RAT (Remote Administration Tool) or a C2 (Command & Control server) from scratch.

The RAT’s key feature is that arbitrary code/files can be remotely loaded into memory from the C2 and executed on the target machine without writing anything to the disk.

Server

usage: server.py [-h] [-v] [--host HOST] [--port PORT] [--database DATABASE]

Command & control server with persistent database and console

  • Console-Based User-Interface: streamlined console interface for controlling client host machines remotely via reverse TCP shells. It provides direct terminal access to the client host machines.
  • Persistent SQLite Database: lightweight database that stores identifying information about client host machines, which allows reverse TCP shell sessions to persist through disconnections of arbitrary duration and enables long-term reconnaissance.
  • Client-Server Architecture: all python packages/modules installed locally are automatically available. You don’t have to write them to the disk of the target machines.

Client

usage: client.py [-h] [-v] [--name NAME] [--icon ICON] [--pastebin API] [--encrypt] [--obfuscate] [--compress] [--compile] host port [module [module ...]]

Generate fully-undetectable clients with staged payloads, remote imports, and unlimited modules

  • Remote Imports: you can remotely import third-party packages from the server. You don’t have to download/install or write them to the disk.
  • Nothing Written To The Disk: clients never write anything to the disk – not even temporary files.
  • Zero Dependencies: client runs with just the python standard library, remotely imports any non-standard packages/modules from the server. You can compile it with a standalone python.
  • New Features With 1 Click: any python script, module, or package you copy to the ./byob/modules/ directory automatically becomes remotely importable & directly usable by every client while your command & control server is running
  • Write Your Own Modules: a basic module template is located in ./byob/modules/ directory where you can write your own modules.
  • Run Unlimited Modules Without Bloating File Size: use remote imports to add unlimited features without adding a single byte to the client’s file size
  • Fully Updatable: each client will periodically check the server for new content available for remote import. It will dynamically update its in-memory resources.
  • Platform Independent: everything is written in Python. You can compile clients into a portable executable or bundle them into a standalone application.
  • Bypass Firewalls: clients connect to the command & control server via reverse TCP connections, which will bypass most firewalls because the default filter configurations primarily block incoming connections.
  • Counter-Measure Against Antivirus: it blocks any process whose name matches a well-known antivirus product from spawning
  • Encrypt Payloads To Prevent Analysis: the main client payload is encrypted with a random 256-bit key which exists solely in the payload stager which is generated along with it
  • Prevent Reverse-Engineering: clients abort execution if they detect a virtual machine or sandbox.
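The "Bypass Firewalls" and "Fully Updatable" bullets above describe the client's observable network behaviour from a defender's point of view: an outbound reverse TCP connection that is re-established at a regular interval to poll the server for new content. A standard way to surface that behaviour is to look for near-constant inter-connection spacing in outbound flow records. The following is an added example written for this page, not code from the BYOB project; the log format, the hosts, the port 1337, the 30-second interval and the thresholds are all constructed for the demonstration and are not BYOB defaults. It parses constructed `timestamp src dst:port` lines, computes the coefficient of variation of the intervals per flow, and flags flows whose spacing is almost constant:

```python
"""Flag outbound flows with near-constant inter-connection intervals (beaconing)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample flow/firewall log lines (not real traffic). Format per line:
#   <ISO timestamp> <source host> <destination host>:<port>
# The first flow reconnects every 30 s (beacon-like); the second is irregular.
SAMPLE_LOG = """\
2019-05-13T10:00:00 10.0.0.5 203.0.113.7:1337
2019-05-13T10:00:30 10.0.0.5 203.0.113.7:1337
2019-05-13T10:01:00 10.0.0.5 203.0.113.7:1337
2019-05-13T10:01:30 10.0.0.5 203.0.113.7:1337
2019-05-13T10:02:00 10.0.0.5 203.0.113.7:1337
2019-05-13T10:00:03 10.0.0.9 198.51.100.2:443
2019-05-13T10:00:41 10.0.0.9 198.51.100.2:443
2019-05-13T10:07:12 10.0.0.9 198.51.100.2:443
2019-05-13T10:09:55 10.0.0.9 198.51.100.2:443
2019-05-13T10:10:01 10.0.0.9 198.51.100.2:443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, port) from the constructed format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps):
    """Return (mean_interval_seconds, coefficient_of_variation) for a flow.

    A coefficient of variation near 0 means the connections are evenly spaced,
    which is what a fixed-interval check-in looks like. Returns None when there
    are too few intervals to judge or the mean interval is zero.
    """
    stamps = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(intervals) < 3:
        return None
    avg = mean(intervals)
    if avg == 0:
        return None
    return avg, pstdev(intervals) / avg


def find_beacons(flows, min_connections=4, max_cv=0.2):
    """Return [(flow_key, mean_interval, cv)] for flows that look like beacons.

    min_connections and max_cv are constructed thresholds for the demo; tune
    them to the jitter you expect in real traffic.
    """
    hits = []
    for key, stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score is not None and score[1] <= max_cv:
            hits.append((key, round(score[0], 1), round(score[1], 3)))
    return hits


if __name__ == "__main__":
    for key, interval, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"beacon-like flow {key}: every {interval}s (cv={cv})")
```

Only the 30-second flow is reported; the irregular HTTPS flow has a coefficient of variation above 1 and is ignored. Because the page says clients poll the server "periodically" without stating the interval or whether it is jittered, treat `max_cv` as a knob: a client that randomises its check-in delay will need a looser threshold and a longer observation window, and this heuristic is a triage signal to combine with egress filtering and destination reputation rather than a verdict on its own.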

Modules

Post-exploitation modules that are remotely importable by clients

  1. Keylogger (byob.modules.keylogger): logs the user’s keystrokes & the window name entered
  2. Screenshot (byob.modules.screenshot): take a screenshot of current user’s desktop
  3. Webcam (byob.modules.webcam): view a live stream or capture image/video from the webcam
  4. Ransom (byob.modules.ransom): encrypt files & generate random BTC wallet for ransom payment
  5. Outlook (byob.modules.outlook): read/search/upload emails from the local Outlook client
  6. Packet Sniffer (byob.modules.packetsniffer): run a packet sniffer on the host network & upload .pcap file
  7. Persistence (byob.modules.persistence): establish persistence on the host machine using 5 different methods
  8. Phone (byob.modules.phone): read/search/upload text messages from the client smartphone
  9. Escalate Privileges (byob.modules.escalate): attempt UAC bypass to gain unauthorized administrator privileges
  10. Port Scanner (byob.modules.portscanner): scan the local network for other online devices & open ports
  11. Process Control (byob.modules.process): list/search/kill/monitor currently running processes on the host

Core

Core framework modules used by the generator and the server

  1. Utilities (byob.core.util): miscellaneous utility functions that are used by many modules
  2. Security (byob.core.security): Diffie-Hellman IKE & 3 encryption modes (AES-256-OCB, AES-256-CBC, XOR-128)
  3. Loaders (byob.core.loaders): remotely import any package/module/scripts from the server
  4. Payloads (byob.core.payloads): reverse TCP shell designed to remotely import dependencies, packages & modules
  5. Stagers (byob.core.stagers): generate unique payload stagers to prevent analysis & detection
  6. Generators (byob.core.generators): functions that dynamically generate code for the client generator
  7. Database (byob.core.database): handles interaction between command & control server and the SQLite database