Skip navigation.

Dbot v3 - Source code


This is actually a commercial bot, and being used in the wild as of date.

Since RAR file(s) can't be uploaded here directly, I used rapidshare.

Cheers :)




source code?

Vals, is it allowed here?


We allow that here but you can't upload it automatically. Its best to email it to me directly, in a password protected zip file. And then I will make a post, and give you credit unless you want to remain anonymous.

The idea here is that the more we know about the malware, the more we can defeat it. Having the source is the ultimate way to know about what its capabilities are.


You're right, but isn't

You're right,
but isn't there a risk that OC becomes like a coders forum? ..remember most of them have been shut down.


The idea here is that the

The idea here is that the more we know about the malware, the more we can defeat it. Having the source is the ultimate way to know about what its capabilities are.

I have a large quantity of malware source code… Admittedly, most of it is identical to each other, but I have examples of each of the major IRC Bot families. If the whole "Hosting malicious source code" issue it too much of an issue, I can sit down, and analyze the samples, and post analysis… but that takes time which I have very little of these days.

Let's see, I've got… find . -name \*.[ch] -exec cat {} \; | wc -l 453196 lines of code here, and that collection only goes up until late 2004/early 2005. (Again, ~90% redundant code.) (I haven't even had much of a chance to look at the more recent stuff [most recent: ~Feb 2007]) I've seen enough of it however, to spot a lot of poor coding practices on the part of the authors; Most likely exploitable, oh the irony.

However, since doing this analysis is on my todo list at work *coughcough* but may never become a high enough priority to do something about it, and if I did work on it at work, it'd become the property of my employer… I might be able to talk management into just publishing it all as a whitepaper, or on a web site somewhere, as a martketing… thingy. (Publishing useful research is another thing on my todo list.) (No, I don't work for an A/V company.)

… Or I can just toss all of the source code archives up on a server somewhere.

Oh, wait, I forgot to find the .cpp files, that should be 1719471 lines of code to analyze.

i would love

to take a look at source code for malware, especially anything more recent. If anyone has any source code samples, please email me and let me know.


First Glance... WTF?

------ Printing dbot3.1/dbot/features.txt

Dbot v3.0 (price: 100 usd):
- stable irc bot
- multicommand topic parsing
- multicommand chat parsing
- irc connection timeout
- unlimited number of irc servers
- xor encoded strings (antivirus anti-heuristic)
- md5 protected important commands (download, remove) - if the command is
  long enough, NOONE can steal your bots
- copy to 3 different possible locations, but not windows or system32 dir
- registry startup
- win xp sp2 firewall bypass
- anti-sandbox
- multithreaded ftpd
- cftp supported
- ability to change cftp parameters while bot is running
- scanner:
        * distinguese wan and lan bots; eg. lan bots using cftp, wan using ftp
        * ability to use ftp or cftp
        * multithreaded scanning
        * every single thread checks for all ports (less threads needed for
          more exploits)
        * random or sequential scan
        * ability to define range for lan bots to scan
- anti-botkiller protection with nulling all expired strings, coping to
  alternative locations instead of windows or system32 dir
- tcpip.sys patcher (ver 1&2)
- botkiller

VNC Password Scanner + Universal VNC rooter (price: 100 usd):
- finds authbypass, no passworded and passworded vncs
- user defined wordlist
- every RFB3.8 server is checked for authbypass exploit first, if it fails
  scanner switch to password checking
- 99,9% accurate scanner, at the time of scanning ALL vncs work!
- alternative VNC rooting via task manager (universal for all languages)
  that works on win2000 and win xp
- reporting to irc: vnc version, desktop name, ip and password
- myvnc password reporting

Hey… wait a second…

------ Printing dbot3.1/dbot/ftpd.cpp

        send(consock, "220 Hello!\r\n", 12, 0);
        while (1) {
                iRecvd = recv(consock, szBuffer, sizeof(szBuffer) - 1, 0);
                szBuffer[iRecvd] = '\0';
                sscanf(szBuffer, "%s %s", szParam1, szParam2);
                if (strcmp(szParam1, "USER") == 0) {
                        sprintf(szParam3, szParam2);
                        sprintf(szBuffer, "331 Password required for %s.\r\n", szParam2);
                        send(consock, szBuffer, strlen(szBuffer), 0);

There's a format string bug, right there… I bet that if you sent a username of %p%p%p%p, you would get the first four DWORDs off the stack.

(Also Val, can you turn the <pre> tags back on, I don't want to have to fill this stuff with &nbsp;)


The <pre> tag has been reenabled.

got the point ;) but when

got the point ;)
but when analysing a malware in your AV world :-p,you don't have the source code with you,and you have to deal with all sort of obstacles to discover all these listed features.
..I agree it is still cool to have a look at these source codes tho.

was programmed by a guy

was programmed by a guy named dej...if you look around he's not too hard to find. The bot is based off of nzyme (RxBot base) which I'm sure most of the people here are familiar with. Kind of funny that the public release of this a month or two ago corresponded with huge increases in vnc scanning for a period of time.

where can i find this guy

where can i find this guy 'dej' who designed this vnc bot