Tag Archives: windows

ZIB – The Open Tor Botnet

The Open Tor Botnet requires the installation and configuration of bitcoind:
apt-get install -y git-core build-essential libssl-dev libboost-all-dev libdb5.1-dev libdb5.1++-dev libgtk2.0-dev

git clone https://github.com/bitcoin/bitcoin.git
cd bitcoin/src

make -f makefile.unix clean; make -f makefile.unix USE_UPNP= bitcoind

This botnet is fully undetectable and bypasses all antivirus because it runs on top of PyInstaller for Python 2.7, which is used for many non-Trojan programs. The only hypothetical possibility of detection comes from the script; however, the script contains randomized-looking data because it uses a randomized AES key and initialization vector, so this is a non-issue.

ZIB.py is the main project file.



ARDT – Akamai Reflective DDoS Tool

Akamai Reflective DDoS Tool

Attack the origin host behind the Akamai Edge hosts and bypass the DDoS protection offered by Akamai services.


How it works…

Based on the research done at NCC Group: https://dl.packetstormsecurity.net/papers/attack/the_pentesters_guide_to_akamai.pdf

Akamai boasts around 100,000 edge nodes around the world, which offer load balancing, web application firewall, caching, etc., to ensure that a minimal number of requests actually hit the origin web server being protected. However, the issue with caching is that you cannot cache something that is non-deterministic, i.e. a search result. A search that has not been requested before is likely not in the cache, and will result in a cache miss, with the Akamai edge node requesting the resource from the origin server itself.

What this tool does is, given a list of Akamai edge nodes and a valid cache-missing request, produce multiple requests that hit the origin server via the Akamai edge nodes. As you can imagine, if you had 50 IP addresses under your control, sending requests at around 20 per second, with a 100,000-entry Akamai edge node list, and a request resulting in 10KB hitting the origin, if my calculations are correct, that's around 976MB/s hitting the origin server, which is a hell of a lot of traffic.
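From the origin operator's side, the cache-miss technique described above leaves a recognisable trace: one client, arriving through many edge IPs, requesting the same path with a stream of query strings that never repeat. The script below is an added example (not code from the ARDT project) that flags such clients in access-log lines; the log layout and the sample lines are constructed, and the last field stands for the True-Client-IP header an Akamai edge forwards to the origin.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed origin-server access-log lines (sample data, not from a real host).
# Assumed layout: edge_ip [timestamp] "METHOD url HTTP/1.1" status bytes "true_client_ip",
# the last field being the True-Client-IP header an Akamai edge forwards to the origin.
SAMPLE_LOG = """\
23.0.0.10 [10/Oct/2015:13:55:01 +0000] "GET /search?q=a1 HTTP/1.1" 200 10240 "198.51.100.7"
23.0.0.11 [10/Oct/2015:13:55:01 +0000] "GET /search?q=a2 HTTP/1.1" 200 10240 "198.51.100.7"
23.0.0.12 [10/Oct/2015:13:55:02 +0000] "GET /search?q=a3 HTTP/1.1" 200 10240 "198.51.100.7"
23.0.0.13 [10/Oct/2015:13:55:02 +0000] "GET /search?q=a4 HTTP/1.1" 200 10240 "198.51.100.7"
23.0.0.14 [10/Oct/2015:13:55:03 +0000] "GET /search?q=a5 HTTP/1.1" 200 10240 "198.51.100.7"
23.0.0.15 [10/Oct/2015:13:55:03 +0000] "GET /search?q=a6 HTTP/1.1" 200 10240 "198.51.100.7"
23.0.0.16 [10/Oct/2015:13:55:04 +0000] "GET /search?q=a7 HTTP/1.1" 200 10240 "198.51.100.7"
23.0.0.10 [10/Oct/2015:13:55:05 +0000] "GET /search?q=shoes HTTP/1.1" 200 8120 "203.0.113.5"
23.0.0.10 [10/Oct/2015:13:55:09 +0000] "GET /search?q=shoes HTTP/1.1" 200 8120 "203.0.113.5"
23.0.0.11 [10/Oct/2015:13:55:10 +0000] "GET /static/logo.png HTTP/1.1" 200 4096 "203.0.113.5"
"""

LINE_RE = re.compile(r'^(?P<edge>\S+) \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
                     r'\d{3} (?P<bytes>\d+) "(?P<client>[^"]*)"$')

def parse_line(line):
    """Split one log line into edge IP, timestamp, path, query string, bytes and client."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m.group("url").partition("?")
    return {"edge": m.group("edge"), "ts": ts, "path": path,
            "query": query, "bytes": int(m.group("bytes")), "client": m.group("client")}

def cache_busting_clients(lines, window_seconds=60, threshold=5):
    """Return {client_ip: distinct_queries} for clients that sent more than
    `threshold` distinct query strings to one path inside a single time window.
    Repeated identical queries are answered from the edge cache, so they do not count."""
    seen = defaultdict(set)  # (client, path, window index) -> set of query strings
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue  # unparseable, or no query string: cannot be a cache-busting request
        window = int(rec["ts"].timestamp()) // window_seconds
        seen[(rec["client"], rec["path"], window)].add(rec["query"])
    flagged = {}
    for (client, _path, _window), queries in seen.items():
        if len(queries) > threshold:
            flagged[client] = max(flagged.get(client, 0), len(queries))
    return flagged
```

On the sample, only 198.51.100.7 is flagged (seven distinct queries to /search within one minute); the legitimate client repeats one query and fetches a static file, so it stays below the threshold.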

Finding Akamai Edge Nodes

To find Akamai Edge Nodes, the following script has been included:

# python ARDT_Akamai_EdgeNode_Finder.py

This can be edited quite easily to find more; it then saves the IPs automatically.


KeeFarce – Extracts Passwords From A Keepass 2.X Database From Memory

KeeFarce allows for the extraction of KeePass 2.x password database information from memory. The cleartext information, including usernames, passwords, notes and URLs, is dumped into a CSV file in %AppData%.

General Design

KeeFarce uses DLL injection to execute code within the context of a running KeePass process. C# code execution is achieved by first injecting an architecture-appropriate bootstrap DLL. This spawns an instance of the .NET runtime within the appropriate app domain, subsequently executing KeeFarceDLL.dll (the main C# payload).

The KeeFarceDLL uses CLRMD to find the necessary object in the KeePass process's heap, locates the pointers to some required sub-objects (using offsets), and uses reflection to call an export method.

Prebuilt Packages

An appropriate build of KeeFarce needs to be used depending on the KeePass target’s architecture (32 bit or 64 bit). Archives and their shasums can be found under the ‘prebuilt’ directory.

In order to execute on the target host, the following files need to be in the same folder:


Copy these files across to the target and execute KeeFarce.exe


Open up the KeeFarce.sln with Visual Studio (note: dev was done on Visual Studio 2015) and hit ‘build’. The results will be spat out into dist/$architecture. You’ll have to copy the KeeFarceDLL.dll files and Microsoft.Diagnostic.Runtime.dll files into the folder before executing, as these are architecture independent.

KeeFarce has been tested on:

KeePass 2.28, 2.29 and 2.30 – running on Windows 8.1 – both 32 and 64 bit.

This should also work on older Windows machines (Windows 7 with a recent service pack). If you're targeting something other than the above, then testing in a lab environment beforehand is recommended.

Sharp Needle by Chad Zawistowski was used for the DLL injection tech.
Code by Alois Kraus was used to get the pointer to object C# voodoo working.


BSD License, see LICENSE file


firewall evasion – BarbaTunnel


BarbaTunnel is software that helps you bypass firewalls and internet censorship. It is a peer-to-peer tunnel, so you need a server outside the firewalled network. In most cases you can simply use a VPN or any proxy, but when you use a VPN the firewall knows that you are using a VPN; it does not know what you do, but VPNs and some other proxies do not hide their fingerprint. BarbaTunnel is a layer on your network that tries to make the existing VPN packets look like traditional packets. BarbaTunnel does not work alone; it works together with a VPN. So if you have a VPN and have no issue with it, you do not need BarbaTunnel, but if the firewall blocks your VPN connection or your VPN connection speed is reduced by the firewall, BarbaTunnel may be helpful for you.

Attention: BarbaTunnel is not a standalone tunnel; you should run a tunnel application or use a standard VPN connection after running BarbaTunnel.


BarbaTunnel requires .NET Framework 4.5 for "Barba Monitor" and "Barba Service", but BarbaTunnel.exe does not need the .NET Framework, so you can run it manually on both the client and server side without it.
Configure Server

Login to your Windows Server.
Download BarbaTunnel and extract it.
Open “barbatunnel.ini” in BarbaTunnel folder and set “ServerMode=1”
Go to the BarbaTunnel folder, open the "config\servername" folder, then open the "HTTP-Retunnel.ini" file.
Set "ServerAddress" to your server's IP address (required).
Run “Install.vbs”
Run “Run.Vbs”
The server is already configured for specific ports; for custom configuration see "config.ini".
Configure Client Machine

Login to your Windows Client.
Download BarbaTunnel and extract it.
Copy the "config" folder and the config files that you already created on the server machine.
Run “Install.vbs”
Run “Run.Vbs”
Try to establish a VPN connection to your server.

It is recommended to rename the "servername" folder to your server name or server IP (optional).
Ensure the major version of BarbaServer and BarbaClient is the same, such as 1.0 and 1.1.
Make sure the server config file and the client config file are the same.
Make sure the enterprise firewall does not block the tunnel ports.
Make sure your local firewall, such as Windows Firewall, does not block the tunnel ports or BarbaTunnel.
Make sure you have a way to reboot your system if you lose the connection to your server; before running BarbaTunnel you can create a timer job to restart your server if you have limited access to reboot it.


windows – jellyfish gpu r.a.t. (rootkit)

Developers of team Jellyfish have posted a PoC of a portable-executable GPU remote access tool. They already posted a Linux version earlier this week.

Tapping an infected computer's GPU allows malware to run without the usual software hooks or modifications malware makes in the operating system kernel. Those modifications can be dead giveaways that a system is infected.

Advantages of GPU-stored rootkits:

  • No GPU malware analysis tools available on the web
  • Can snoop on CPU host memory via DMA
  • GPU can be used for fast mathematical calculations like XORing or parsing
  • Stubs
  • Malicious memory may be retained across warm reboots. (Did more conductive research on the theory of malicious memory still being in the GPU after shutdown)

It is just a matter of time until a version emerges that runs on graphics processors integrated into CPUs.