Thursday, July 7, 2016

Citadel 0.0.1.1 (Atmos)

Includes the following features:

- Formgrabbing/Injections for Firefox/IE (latest versions)
- Automatic balance grabber for https:// links (multi-currency)
- Updated CC grabber (LUHN10 check)
- Updated videologger for http/https links, VP9 codec in .mkv format, flexible settings
- New VNC technology, fully compatible with Win7/8.1/10 (IE, Chrome, FF)
- Backconnect SOCKS & command line (+PowerShell)
- Keylogger with case-sensitive process-name matching
- Instant loading of web injects through the admin panel
- Local WebProxySrv: equivalent to a web server; reads/writes data in local storage and creates a backconnect connection/video at any time, directly from the injects. Execution of your scripts on any website
- Supports injects in Zeus format (UTF-8)
- Block/redirect by URL masks
- Videologger for applications
- Integrated port scanner
- File search by mask (Bitcoin grabber, exception rules)
- Full set of legacy web features: FTP Iframer, Mailer, Notes, Crypts interface
- Powerful analyzer of behavioral factors, statistics for URL am
- Configuration fetch over https://

- Automatic file check using the scan4you service
- Screenshots
- Built-in online player for video files
- Jabber notifications according to numerous parameters
- Interface to EXE encryption (crypt)
- GeoIP
- Statistics gathering: installed software, browser, screen resolution, antivirus version, firewall
- Data-Miner: a convenient micro-parser for logs
- Adding an additional database when working with logs
- API: VNC/CMD/SOCKS/VIDEO commands

For Samples Contact : 
Skype : suriya.cyber

For More Research Details :  Citadel decrypte

Note: for educational purposes only, not to harm anyone (for malware researchers only).
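The "LUHN10" named in the feature list (and in the enable_luhn10_get / enable_luhn10_post options below) is the standard Luhn mod-10 checksum that a card-number grabber uses to tell real PANs apart from other digit runs in GET and POST data. The script below is an added example, not Citadel's code, that turns the same check around for detection: it scans request lines for 13 to 19 digit runs, keeps only the Luhn-valid ones and returns them masked, which is what a DLP or egress-monitoring rule would do. The request lines are constructed for the example.

```python
import re

# Constructed sample request lines for the example (not captured traffic).
SAMPLE_REQUESTS = [
    "POST /checkout cardnumber=4111111111111111&cvv=123",   # Luhn-valid
    "GET /search?q=4111111111111112",                       # fails Luhn
    "GET /order?id=12345678901234",                         # 14 digits, fails Luhn
    "POST /pay pan=5500 0000 0000 0004&exp=1227",           # valid, space separated
]

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the BIN (first 6) and last 4; a log should never hold the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked card numbers found in text: 13-19 digit runs that pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan_requests(requests: list) -> dict:
    """Map each request line that carries a Luhn-valid PAN to its masked hits."""
    hits = {}
    for line in requests:
        pans = find_pans(line)
        if pans:
            hits[line] = pans
    return hits


if __name__ == "__main__":
    for line, pans in scan_requests(SAMPLE_REQUESTS).items():
        print(pans, "<-", line)
```

Luhn alone is a weak filter (roughly one in ten random digit runs passes), so in practice a rule would also check BIN ranges and only fire on outbound form data, exactly the narrowing the grabber's GET/POST toggles imply.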

Configuration
  • url_config1-10 [up to 10 links to configuration files: 1 main one for your web admin panel and 9 spare ones. To save resources, use the InterGate button in the builder to place config files on different links without setting up an admin panel. Spare configs are requested if the main one is not available during the first EXE launch. Don't forget to put the EXE and config files in the 'files/' folder]
  • timer_config 4 9 [Config file refresh timer in minutes | Retry interval]
  • timer_logs 3 6 [Logs upload timer in minutes | Retry in _ minutes]
  • timer_stats 4 8 [New command receiving and statistics upload timer in minutes | Retry in _ minutes]
  • timer_modules 4 9 [Additional configuration files receiving timer | Retry in _ minutes. Recommended: use the same setting as in timer_config]
  • timer_autoupdate 8 [EXE file renewal timer in hours]
  • insidevm_enable 0/1 [Enable execution in virtual machine: 1 - yes | 0 - no]
  • disable_antivirus 0/1 [1 - Disable built-in 'AntiVirus' that deletes previous versions of Zeus/Citadel/Citra after EXE launch | 0 - leave enabled (recommended)]
  • disable_httpgrabber 0/1 [1 - Disable http:// mask grabber in IE | 0 - Enable http:// mask grabber in IE]
  • enable_luhn10_get 0/1 [Enable CC grabber in GET-requests http/https]
  • remove_certs 0/1 [Enable certificate deletion in IE storage]
  • report_software 0/1 [1 - Enable stats collection for Installed Software, Firewall version, Antivirus version | 0 - Disable]
  • disable_tcpserver 0/1 [1 - Enable opening SOCKS5 port (not Backconnect!) | 0 - Disable]
  • enable_luhn10_post 0/1 [Enable CC grabber in POST-requests http/https]
  • disable_cookies 0/1 [1 - Disable IE/FF cookie-storage upload | 0 - Enable | use_module_ffcookie - duplicates the same]
  • file_webinjects "injects.txt" [File containing injects. Installed right after successful config files installation. Renewal timer is set in timer_config]
  • url_webinjects "localhost/file.php" [Path to 'file.php' file. Feature of 'Web-Injects' section for remote instant inject loading]
  • AdvancedConfigs [Links to backup configuration files. Works if !bot is already installed on the system! and first url_config is no longer accessible]
  • entry "WebFilters" [Set of different filters for URLs: video(# character), screenshot(single @ character - screenshot sequence after a click in the active zone. double @ character '@@' - Full size screenshot), ignore (! character), POST requests logging (P character), GET request logging (G character)]
  • entry HttpVipUrls [URL blacklist. By default the following masks are NOT written to the logs: "facebook*", "*twitter*", "*google*". Adding individual lines with these masks enables logging for them again]
  • entry "DnsFilters" [System-level DNS redirect, mask example: *bankofamerica.com*=159.45.66.100. With that entry, visiting bankofamerica.com shows whatever is served at 159.45.66.100 (wellsfargo.com in the original example). Not recommended for blocking AV sites, as that tends to trigger proactive defenses]
  • entry "CmdList" [List of system commands to run after launch, with the results uploaded to the server]
  • entry "Keylogger" [List of process names for KeyLogger. Time parameter defines the time to work in hours after the process initialization]
  • entry "Video" [Video recording settings | x_scale/y_scale - video resolution | fps - frames per second, 1 to 5 | kbs - frame refresh rate, 5 to 60 | cpu 0-16 - CPU load | time - time to record in seconds | quality 0-100 - picture quality]
  • entry "Videologger" - [processes "" - list of processes to trigger video recording. Possible to use masks, for example calc.exe or *calc*]
  • entry "MoneyParser" [Balance grabber settings | include "account,bank,balance" - enable balance parsing if an https:// page contains one of these key words | exclude "casino,poker,game" - do NOT parse if one of these words is found]
  • entry "FileSearch" [File search by the given mask. The report is stored in the 'File Hunter' folder. Keywords can be a list of file names or * patterns to search for on the disk. For example, multibit.exe searches for an exact match on filename.extension; *multibit* reports anything matching that pattern. | excludes_name - exclude file names/extensions from the search. excludes_path - exclude system directory macros, like Windows/Program Files, etc. | minimum_year - file creation/change date cutoff. The search task is always on. Remove all parameters from this section to disable it.]
  • entry "NetScan" [hostname "host-to-scan.com" - list of local/remote IP addresses to scan. scantype "0" - sets the IP address range, for example, scantype "0" scans a single IP in the 'hostname', scantype "1" creates a full scan of class C network 10.10.10.0-255, scantype "2" creates a full scan of class B network 10.10.0-255.0-255]
  • Example 1 {hostname "10.10.0-255.0-255" addrtype "ipv4" porttype "tcp" ports "1-5000" scantype "2"}
  • Example 2 {hostname "10.10.1.0-255" addrtype "ipv4" porttype "tcp" ports "1-5000" scantype "1"}]
  • entry "WebMagic" [Local WebProxySrv, a web server with its own storage. Allows reading and writing bot parameters directly, for example from injects. This saves time and resources since it doesn't generate additional remote requests for different scripts, which banks' anti-tampering controls generally detect. It also allows bypassing browser checks when requesting an https:// resource hosted remotely, and creating a backconnect connection. Full settings description is in the F.A.Q section]
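To make the WebFilters and DnsFilters syntax above concrete, here is an added example (not Citadel's code) of how an analyst might evaluate a decrypted config against a URL or hostname: the prefix character of a WebFilters entry selects the action, masks are shell-style wildcards, and a DnsFilters line pairs a mask with the IP the bot answers for it. The filter entries and URLs are constructed for the example; the prefix table follows the description above, and treating an unprefixed mask as plain logging is an assumption.

```python
import fnmatch

# Constructed WebFilters entries (made up for the example; syntax per the notes above).
SAMPLE_WEBFILTERS = [
    "!*.google.com/*",                         # ! : do not log
    "#https://*.bank.example/*",               # # : record video
    "@@https://*.bank.example/transfer*",      # @@: full-size screenshot
    "@https://*.bank.example/login*",          # @ : screenshots after clicks
    "Phttps://mail.example/*",                 # P : log POST requests
    "G*shop.example/search*",                  # G : log GET requests
]

# Constructed DnsFilters entries; the first one is the example given above.
SAMPLE_DNSFILTERS = [
    "*bankofamerica.com*=159.45.66.100",
    "*telemetry.example*=127.0.0.1",
]

# Longest prefix first so "@@" is not read as "@" plus a mask starting with "@".
PREFIX_ACTIONS = [
    ("@@", "screenshot_full"),
    ("#", "video"),
    ("@", "screenshot_click"),
    ("!", "ignore"),
    ("P", "log_post"),
    ("G", "log_get"),
]


def parse_webfilter(entry: str) -> tuple:
    """Split a WebFilters entry into (action, mask)."""
    for prefix, action in PREFIX_ACTIONS:
        if entry.startswith(prefix):
            return action, entry[len(prefix):]
    return "log", entry  # assumption: an unprefixed mask is simply logged


def classify_url(url: str, filters: list) -> list:
    """Return the actions whose masks match url, in config order (case-insensitive)."""
    actions = []
    for entry in filters:
        action, mask = parse_webfilter(entry)
        if fnmatch.fnmatchcase(url.lower(), mask.lower()):
            actions.append(action)
    return actions


def parse_dnsfilters(entries: list) -> list:
    """Parse 'mask=ip' lines into (mask, ip) pairs, skipping malformed ones."""
    pairs = []
    for entry in entries:
        mask, sep, ip = entry.partition("=")
        if sep and mask.strip() and ip.strip():
            pairs.append((mask.strip(), ip.strip()))
    return pairs


def redirected_to(host: str, entries: list):
    """Return the IP a host would be answered with under these DnsFilters, else None."""
    for mask, ip in parse_dnsfilters(entries):
        if fnmatch.fnmatchcase(host.lower(), mask.lower()):
            return ip
    return None


if __name__ == "__main__":
    for url in ("https://www.bank.example/transfer?id=1", "https://www.google.com/search?q=x"):
        print(url, "->", classify_url(url, SAMPLE_WEBFILTERS))
    print("www.bankofamerica.com ->", redirected_to("www.bankofamerica.com", SAMPLE_DNSFILTERS))
```

On the defensive side the same matcher is useful in reverse: run the DnsFilters masks of a recovered config against your own domains to learn which hosts an infected client would have been steered away from.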


Commands
  • user_execute [execute given file]
  • user_execute -f [execute given file, manual bot update that overwrites the current version]
  • user_cookies_get [Get IE cookies]
  • user_cookies_remove [Remove IE cookies]
  • user_certs_get [Get .p12 certificates. Password: pass]
  • user_certs_remove [Remove certificates]
  • user_homepage_set [Set browser home page]
  • user_flashplayer_get [Get user's .sol files]
  • user_flashplayer_remove [Remove user's .sol files]
  • url_open [open given URL in a browser]
  • dns_filter_add [Add domain name for redirect(blocking) *bankofamerica.com* 127.0.0.1]
  • dns_filter_remove [Remove domain name from redirect(blocking)]
  • user_destroy [Corrupt system vital files and reboot the system. Requires elevated privileges]
  • user_logoff [Logoff currently logged in user]
  • os_reboot [Reboot the host]
  • os_shutdown [Shutdown the host]
  • bot_uninstall [Remove bot file and uninstall it]
  • bot_update [Update the bot configuration file. Requires the same crypt. The path is set in url_config]
  • bot_bc_add socks [Connect Bot > Backconnect Server > Socks5 | Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for Proxifier/Browser...]
  • bot_bc_add vnc [Connect Bot > Backconnect Server > VNC Remote Display |  Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for UltraVNC client]
  • bot_bc_add cmd [Connect Bot > Backconnect Server > Remote Shell | Run backconnect.exe listen -cp:1666 -bp:9991 on BC server / -bp is set when the command is launched, -cp is required for telnet/putty client ]
  • bot_bc_remove [Disconnect from the bot and hide connections from 'netstat' output]
  • close_browsers [close all browser processes]


Saturday, May 7, 2016

Pony (Win32/Fareit)

Pony Stealer leaked (advanced stealers included)


The Pony botnet is notorious for stealing banking credentials, bitcoin, and much else.

The Bitcoin theft is in addition to a slew of credentials, over 700,000, that Pony pilfered from September 2013 to January, including: 600,000 website login credentials, 100,000 email account credentials, 16,000 FTP account credentials, 900 Secure Shell account credentials, 800 Remote Desktop credentials. Source: http://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463

Pony steals more than 30 cryptocurrency wallets, and is very good at what it does. Some of the botnet is based off the Zeus source. I personally used this botnet for a year and moved on to more updated malware, but at the time that I used it, it worked fantastically. Most of the panel is in Russian, along with the builder, but we were able to translate the Russian in the builder.

version : 1.9 , 2.0 ( updated password modules )

For more details you can contact me at:

Skype: suriya.cyber

Thursday, March 26, 2015

Exploit for Malware


Link to Exploit Site


Link to Exploit Site, as its name suggests, refers to the presence of links to malicious websites inside a legitimate website without the administrator's knowledge. Once users click on the link, they are redirected to a website with malicious code that exploits vulnerabilities in outdated programs or plugins on the device to download and install malware.
Contact : 
ym : cybersuriya73@gmail.com
skype : suriya.cyber

Beta Botnet

Beta Botnet 1.7.0.1 Full Setup 
Contact : cybersuriya73@yahoo.com
skype: suriya.cyber

Version 1.7.0.1

Bot
File search now is more configurable:
  a) Allows folder exclusions (To help prevent useless results/search time)
  b) Allows files with certain strings found in their filename to be uploaded
  c) Maximum search terms increased to 128, maximum filename terms is 64
  d) Parameter "nocache" allows you to have already sent files uploaded again
Botkiller updated once again. New techniques added and existing code revised.
Fixed issue where IE would freeze on load when Avast! was disabled by the AV killer
Injector now more compatible with games/anti-cheat components
Fixed issue with formgrabber sometimes uploading the wrong part of captured form content in Firefox and Chrome
Bot now uploads select header fields with each formgrab capture (when available): User-Agent, Referer, Cookie and Accept-Languages
Fixed DNS Modifier not working with latest versions of Firefox (22+). Another function had to be hooked.
Fixed issue where sometimes UAC prompt would come up even after accepting it because there was a delay in processing messages from the window queue
A couple tweaks to installation code
Misc beneficial changes to bot protection (persistence) code
Fixed a few issues with updater
Windows Defender is now thoroughly disabled instead of just turned off

Panel
Extended the GeoIP information displayed (ASN Name, City information) when available. *
Fixed IE formgrab logs sometimes appearing as "Unknown" browser
Fixed formgrab "view detail" page content sometimes causing table to stretch too far, distorting other table cells.
Fixed issue where searching bots with comments would return zero results
Fixed invalid links for page numbers
Misc fixes to panel HTML code

Notes
The size of the GeoLite imports is quite large, so users who have no use for them can simply choose not to import them


Bot - Major
64-bit userkit
POP3 grabber
Chrome grabber / DNS redirection support
File search - Search all files' content for keywords and upload files containing matches to panel
Config editor to edit builds -- Change group names, and modify other minor settings/initial behavior
Block installation of some bootkits (Mainly Rovnix(Carberp) - Can toggle on/off from panel)
Enhanced bot resource protection (persistence) on some systems (around 40%~) (Much harder to remove in some cases)

Bot - Minor
Run DLL/Jar files
File size now less than 140kb
Fetches UAC social engineering translations from panel
ESET AV Killer now works on Vista+, AV Killer updated to include Ahnlab v3 Lite (XP only), BitDefender (on minimal config)
Better support for Avast sandbox. All sandbox prompts are now automatically accepted to increase download/exec rate.
Proactive bypasses updated (Trend Micro/McAfee now fully bypassed, BitDefender bypass finished but not 100% reliable)
PuTTY live login grabber now works with the latest update (0.63). New code locations and improper typecasting previously caused a crash in the latest version (0.63)
Improved crypter compatibility
Added new detection techniques to botkiller and increased overall efficiency

Panel - Minor
Enhanced search features
TOR Blacklist
Remove bot/other buttons on bot list
Graphs added to statistics page / Panel settings reorganized
Can now delete individual form/login grab entries
Can now add lists of formgrab url masks at a time (Instead of just one at a time)
Modify main bot list view settings (Change display order and maximum number of bots displayed per page)
Main index now displays top 5 countries graph and world map based on bot count
GeoIP updated

Panel - Major
Notes system. Leave notes for single/all user(s)
Task failure tracking
AV Checker (s4y)
Event logs page added in panel settings
Bot grouping via group names
Formgrabber filter management options increased, form search enhanced and other useful changes to formgrab feature
Login grabber can now be toggled on/off


Fixes/Tweaks
Fixed issue where large amounts of page numbers would take up entire webpage
Fixed issue with formgrab filter management not properly handling some SQL queries
Fixed issue with task processing where if bot received more than 3 tasks at once, it would only process first 3, and may sometimes crash while attempting to parse the 4th one
Fixed crash issue related to thread creation in some processes
Fixed rare issue in process injector where an improperly initialized structure could result in fatal crash
Fixed a few memory leak issues
Fixed formgrabber compatibility with Firefox versions >= 22
Fixed issue with hook restorer not restoring system call hook
Fixed formgrabber for Windows 8, however, userkit is still having issues
Tweak: Systems configured to use a proxy for internet access are now supported if bot cannot access directly after cycling through C&C list
Tweak: HTTP Component now handles `302 Found` issues better. However, issue is considered *not* completely resolved.
Tweak: More AVs detected and displayed on panel statistics
Tweak: Grabbed login exports now use the standard form ftp://user:pass@domain.com or type://user:pass@domain.com:port
Tweak: UAC Social engineering trick no longer uses cmd.exe on Windows 7 systems
Tweak: Duplicate bot issue should be *less* of a problem now. However, not completely fixed

Friday, July 4, 2014

SOLAR BOTNET Download


Hello guys,

Today I am back with a new botnet called SOLAR BOTNET. It is the latest botnet and it helps to hack secure browsers like Chrome, etc.



For more details you can contact me at:

SKYPE: suriya.cyber

yahoo: cybersuriya73@yahoo.com

Technical Details
Coded in Lazarus (Pascal)
Code is fully relocatable (Shellcode)
Uses custom CRC32 API loader
Uses BeaEngine Disassembler for x86 and x64
Uses named pipes for inter-process communication
Multiple layers of encryption and compression
Global ring 3 rootkit, no process of its own
Fully Unicode
No dependencies (Only standard system DLLs)
Multiple Anti-Debug methods
Unique Server->Bot traffic encryption
Anti bot installation



Features


Internet Explorer Formgrabber
Mozilla FireFox Formgrabber
Google Chrome Formgrabber
SPDY Grabbing
FTP and POP3 Grabber
Slowloris DDoS and SlowPost DDoS
GET Flood
UDP DDoS
Update and Download System
MD5 Verified Update and Download System
Reverse Socks 5

Carbon Form Grabber (C++)


Hello guys,

I am back after a long time with new stuff called Carbon Form Grabber. It is coded in C++. It has a lot of cool features, like:

Features


* Startup ( Hidden)
* Userkit(x86 & x64 )
* Injection
* Chrome SSL & HTTP Grabber
* Firefox SSL & HTTP Grabber
* Internet Explorer SSL & HTTP Grabber
* Intuitive PHP Panel
* Escalate to Administrator Privileges.



Features to be Added
    Persistence | Regex patterns | Delete all logs button to

For More Details You Can Contact here

yahoo: cybersuriya73@yahoo.com
skype: suriya.cyber

Sunday, September 29, 2013

8 Ways To Protect Your Website From DDoS Attack

1. Efficiency
DDoS is a war of attrition; efficient use of resources is a key defence. Applications need to be designed from the ground up with efficiency in mind:

- well architected and designed
- efficient code and algorithms
- proper memory allocation and clean up
- configurable time outs and resource restrictions

====================================

2. Excess Capacity
If your site is running at 90% capacity with normal traffic, it is a sitting duck for a DDoS attack.

The more excess capacity (throughput) you have, the better; cloud infrastructure that lets you add capacity dynamically is ideal.

====================================

3. Testing and Planning
DDoS attacks can be simulated as part of performance testing. Testing helps you understand how your application bears the stress of a DDoS, so that you can plan a defence.

====================================

4. Layer 4 Network Equipment
Switches and routers generally have built-in defences for layer 4 attacks.

Effective layer 4 defences include bogus IP filtering, traffic shaping, TCP splicing and rate limiting. Work with your ISP or network equipment vendor to understand the features of your network.

====================================

5. Bandwidth Management
Bandwidth management hardware allows you to classify incoming traffic as priority, regular or dangerous. In the event of a DDoS attack, non-priority requests can be dropped.

====================================

6. Intrusion Detection Systems (IDS)
IDS look for attack patterns in incoming traffic and can drop suspicious packets.

====================================

7. Custom Defence
Many layer 7 attacks require a custom on-the-fly defence. Typically, web developers analyse traffic patterns for irregular:

- IPs
- request signatures
- http headers
- form parameters

Once a pattern is determined, filters can be implemented on the web server to drop matching requests.
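As an added example of the custom defence this section describes (not code from the original article), the script below parses a few constructed combined-format access log lines, keeps a sliding window of requests per source IP, flags sources that exceed a request-rate threshold or show a request signature typical of flood tools (here: a missing User-Agent header), and renders nginx deny rules for them. The log lines, the thresholds and the choice of signature are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed access log for the example (not real traffic): one normal visitor,
# one source sending no User-Agent, one source hammering the search page.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2013:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Sep/2013:10:00:01 +0000] "POST /search.php HTTP/1.1" 200 90 "-" "-"
192.0.2.44 - - [29/Sep/2013:10:00:02 +0000] "GET /search.php?q=a1 HTTP/1.1" 200 8000 "-" "python-requests/2.9"
192.0.2.44 - - [29/Sep/2013:10:00:02 +0000] "GET /search.php?q=a2 HTTP/1.1" 200 8000 "-" "python-requests/2.9"
192.0.2.44 - - [29/Sep/2013:10:00:02 +0000] "GET /search.php?q=a3 HTTP/1.1" 200 8000 "-" "python-requests/2.9"
198.51.100.9 - - [29/Sep/2013:10:00:02 +0000] "POST /search.php HTTP/1.1" 200 90 "-" "-"
192.0.2.44 - - [29/Sep/2013:10:00:03 +0000] "GET /search.php?q=a4 HTTP/1.1" 200 8000 "-" "python-requests/2.9"
192.0.2.44 - - [29/Sep/2013:10:00:03 +0000] "GET /search.php?q=a5 HTTP/1.1" 200 8000 "-" "python-requests/2.9"
198.51.100.9 - - [29/Sep/2013:10:00:03 +0000] "POST /search.php HTTP/1.1" 200 90 "-" "-"
192.0.2.44 - - [29/Sep/2013:10:00:04 +0000] "GET /search.php?q=a6 HTTP/1.1" 200 8000 "-" "python-requests/2.9"
192.0.2.44 - - [29/Sep/2013:10:00:04 +0000] "GET /search.php?q=a7 HTTP/1.1" 200 8000 "-" "python-requests/2.9"
203.0.113.7 - - [29/Sep/2013:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_log(text: str) -> list:
    """Parse combined-format lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "ua": m["ua"],
        })
    return events


def find_attackers(events: list, window: int = 10, max_hits: int = 5) -> dict:
    """Return {ip: reason} for sources that exceed max_hits requests inside any
    window-second span, or whose request signature lacks a User-Agent.
    The first reason seen for a source is kept."""
    flagged = {}
    recent = defaultdict(deque)          # ip -> timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if ev["ua"].strip() in ("", "-"):
            flagged.setdefault(ev["ip"], "missing User-Agent")
        if len(q) > max_hits:
            flagged.setdefault(ev["ip"], f"{len(q)} requests in {window}s")
    return flagged


def nginx_deny_rules(flagged: dict) -> list:
    """Render the flagged sources as nginx 'deny' directives, one per line."""
    return [f"deny {ip};  # {reason}" for ip, reason in sorted(flagged.items())]


if __name__ == "__main__":
    for rule in nginx_deny_rules(find_attackers(parse_log(SAMPLE_LOG))):
        print(rule)
```

The thresholds here (5 requests in 10 seconds) are deliberately low so the sample trips them; a real deployment sets them per endpoint from baseline traffic, expires deny rules after a few minutes so a shared NAT address is not blocked for good, and treats a missing User-Agent as one signal among several rather than a verdict on its own.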

====================================

8. Blackholing and Sinkholing
Severe DDoS attacks may require blackholing: sending all requests to a non-existent server. This brings the website down but relieves the pressure on the server.

Sinkholing sends all requests to a logger that logs some statistics and then drops the requests. Sinkholing can help developers establish attack patterns
====================================