OK, first off, I'd have to agree that Trojans are the lame tools of weak-minded script kiddies who have nothing better to do than cause massive destruction and chaos; however, some Trojans DO have their place. As we all know, there are times when access to a DDoS drone net is very helpful in self-defense during IRC wars, and port redirects are always helpful for staying anonymous online. The sdbot has a few useful features that merit its discussion. While there are many IRC Trojan bots out there, the sdbot is one of the most popular and also one of the easiest to use. It comes as a zip file with source code that you will need to configure and compile. I prefer using lcc to compile it and then upx to pack it; packing makes it much smaller, which saves upload time. I'm going to attempt to show you how to quickly procure a small botnet, protect that botnet, and eventually how to remove the sdbot in case you've been infected.
Download the latest version of sdbot and unzip it. Now open the file with a .c extension and edit it. Add in all the info you want customized (e.g. server, channel, channel pass, bot pass, bot ID, version reply, etc.) and save the configured code. One small tip: using a dynamic hostname from somewhere like dyndns.org or no-ip.com as the server will save you a lot of lost bots should they be found on a server; you can simply go into the DNS and switch the server IP and the bots will connect to the new server. Now that you've gotten your source configured with a dynamic host and all the other info, you need to compile it with lcc. Make sure you have lcc installed, then go to a command prompt and type make-lcc and the bot should compile. Now rename the bot something inconspicuous and pack it with upx. You're done and ready to build your botnet.
The sdbot can be spread like any Trojan; however, some methods are easier and more effective than others. I prefer to scan entire ISP netblocks using the DSNX bot (another type of Trojan bot) with the portscan plugin added for known Trojan ports. Once the DSNX has reported back a list to me, I usually run that list through SuperScan for Windows to grab the banners and save some time weeding out useless hosts. Once I know which are indeed viable hosts, I will then connect with the Trojan
If you notice that your bandwidth is being consumed or that your computer is acting strangely, you might be infected with the sdbot. The sdbot source can be customized greatly, so it can be hard to remove if you are dealing with a higher order of script kiddie. I will show you how to remove a standard sdbot that hasn't been modified. The sdbot will make a registry entry in:
so to remove it, find these entries. If it's a standard sdbot that hasn't been configured, the registry value will probably be named "Configuration Loader". Remove the entry under both Run and RunServices (making a note of the filename these values point to, since the bot is usually renamed to something inconspicuous and you will not find it by name) and reboot. Now go into the system or system32 folder, depending on which version of Windows you run, and delete the exe that the registry entry pointed to; now you should be clean. Run netstat -an to make sure you don't see the bot connected to an IRC server; if you don't, you should be fine.
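If you have already pulled the Run and RunServices keys out with reg export and captured netstat -an, the checks above can be scripted and run offline. The following Python is an added example written for this page, not code from the sdbot tutorial or from sdbot itself. It assumes the standard Windows paths for the Run and RunServices keys; the registry export and netstat output embedded in it are constructed sample data, the filename updater.exe is a made-up placeholder, and the list of IRC ports is an assumption (a bot configured for a non-standard port will only show up through the registry check, which is why both signals are reported).

```python
"""Offline triage for a standard (unmodified) sdbot install.

Added example, not part of the original tutorial. Inputs are text you have
already collected from the suspect machine: a .reg export of the autostart
keys and the output of `netstat -an`. All sample data below is constructed.
"""
import re

# Standard Windows paths for the two autostart keys the removal steps name.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
DEFAULT_VALUE_NAME = "Configuration Loader"   # value name of an unconfigured sdbot
SYSTEM_DIRS = ("\\system\\", "\\system32\\")   # where the exe is dropped
# Assumption: common IRC server ports. A bot on another port is not caught here.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed sample: what `reg export` of the two keys might look like.
# "updater.exe" is a placeholder name, not a known sdbot filename.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Configuration Loader"="C:\\WINNT\\system32\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="C:\\WINNT\\system32\\updater.exe"
'''

# Constructed sample: `netstat -an` output with one connection to an IRC port.
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.7:6667          ESTABLISHED
  TCP    192.168.1.5:1052       93.184.216.34:80       ESTABLISHED
  UDP    0.0.0.0:445            *:*
'''


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (string values only)."""
    entries = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            entries[current] = {}
            continue
        value = re.match(r'^"(.+?)"="(.*)"$', line)
        if value and current is not None:
            # .reg files escape backslashes as "\\"; undo that for real paths.
            entries[current][value.group(1)] = value.group(2).replace("\\\\", "\\")
    return entries


def suspicious_autostarts(reg_entries):
    """Return [(value_name, path, reasons)] for autostart values matching sdbot's pattern.

    Two signals from the removal procedure: the default value name, and the same
    executable registered under both Run and RunServices from the system directory.
    """
    by_name = {}
    for key in AUTOSTART_KEYS:
        for name, data in reg_entries.get(key, {}).items():
            by_name.setdefault(name, {})[key] = data
    hits = []
    for name, per_key in sorted(by_name.items()):
        path = next(iter(per_key.values()))
        reasons = []
        if name == DEFAULT_VALUE_NAME:
            reasons.append("default sdbot value name")
        in_system_dir = any(d in path.lower() for d in SYSTEM_DIRS)
        if len(per_key) == len(AUTOSTART_KEYS) and in_system_dir:
            reasons.append("same exe in Run and RunServices under system dir")
        if reasons:
            hits.append((name, path, reasons))
    return hits


def irc_connections(netstat_text):
    """Return [(local, foreign)] for ESTABLISHED TCP connections to an IRC port."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            foreign = parts[2]
            port = int(foreign.rsplit(":", 1)[1])
            if port in IRC_PORTS:
                found.append((parts[1], foreign))
    return found


def triage(reg_text, netstat_text):
    """Combine both checks; 'files' is what to delete after removing the values."""
    hits = suspicious_autostarts(parse_reg_export(reg_text))
    return {
        "autostarts": hits,
        "files": sorted({path for _, path, _ in hits}),
        "irc_connections": irc_connections(netstat_text),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(section, items)
```

Remove the flagged values from both keys and reboot before deleting the files in "files", as the tutorial describes; a live bot can otherwise rewrite its own entry. An empty "irc_connections" list is only meaningful if the registry check is also clean.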
This was a quick tutorial I wrote for some friends of mine. I hope you enjoyed it. Remember that DDoS attacks as well as entering someone else