OP 05 June, 2020 - 11:55 AM
(This post was last modified: 05 June, 2020 - 11:57 AM by armyofbot.)
Hi all,
I've been involved with the administration and detection of remote servers for a decade. As it turns out, there's a secret behind the successful operation and maintenance of nearly all effective remote servers, whatever the particular in question. The secret is
money, a lot of money, to spend on the server. If you're thinking of getting involved with this pursuit, you should go in ready to shell out, and prepared to go bust. I understand if you don't take your money elsewhere, so here's a quick checklist of things that successful servers have, and how much everything costs. All quoted prices are current, more or less, taken from successful actors. This is to say they are prices that are based both on supply and demand. I cannot and will not say that if you spend this much money toward the acquisition of these tools, you will be successful, or that you can't do it cheaper. But yeah, you get what you pay for.
1. Hosting: ah yes. Hosting. You probably are looking at bulletproof providers, wondering how to choose between different 12 dollar per month DMCA ignored offshore outfits with 120 percent uptime and 24/7 technical support. Here are some things to keep in mind. You almost certainly want a domain for your server. Obviously use a registrar that serves anonymous purchase. Also consider the geopolitical attitudes of different countries toward the software you are running. It is more likely that domains of basically insignificant countries will be ignored outside of those countries, making them good targets. Unless, of course, you're working with clients in that country. That would be bad. As for the server, unless you are planning on holding access to a bunch of clients for an extended period of time, cheap and cheerful is probably fine. Don't be a cheap bastard and end up with a host which explicitly bans whatever you're doing. A provider that allows for scanning but NOT for botnet or RAT applications is much more likely to check for those kinds of traffic than just some normal, weird hosting in Latvia. Go with Latvia. In either case, your server will either eventually go down, or you'll get bored (leaving the server to atrophy, and then go down). Splash out 5 bucks a month for cheap obscure hosting.
2. Software: ah, yes. Software. You might be searching nulled right now, figuring out what tool is best suited for your sneaky pursuits of ill-gotten gains. Answer? Nothing here, but all of the RATs are probably fine. RATs are the primitive, idiot stepchild of the malware world. They are very powerful and also super basic. The real power in remote administration comes from controlling a bunch of clients and batching remote tasks, and for various reasons, RATs aren't really designed for remote admin of a shit ton of clients. (Note: this is what botnets are for.) They tend to have big dumb payloads and aren't going to last too long with any AV running. ESET and a couple of less prominent AVs are going to sniff you out pretty quickly because of the way that Nod32 handles detections in memory (note: very well). So just get whatever shitty RAT people seem to say is stable and, just as importantly, that people say is cryptable. RATs are good here because their payloads are relatively shitty compared to more advanced software solutions, many of which have tiny payloads. The payload on Smoke Bot, for instance, is around 16 kb. Is that a good thing? From the perspective of spreading, sort of. Whether or not a small file size correlates to more infections really depends on distribution method. But really, the devs make payloads that small to avoid cracking. It works, by the way. The smoke dev has been coasting for years, has more money than you, and emerges every few months with a file that he has "cleaned", supposedly. There is no current crack including any of the modules, which are the only real reason to use smoke in the first place. So, choices. 1. Get a shit RAT for free. Here are your criteria: 1) stability; 2) it needs to be native. Dependencies are your new swear word. You hate dependencies. Antivirus packages laugh at your shitty dependent RAT, as instead of an infection, your targets receive harmless reminders to install the newest JRE, which they promptly ignore.
Option two: private software. The best reviewed RAT costs 150 bucks a month. Smoke, upwards of a 1400 purchase with useful modules, though you actually get to own it. A credential stealer will run you $200 including server. Monthly. HVNCs are shit. HRDPs are about 1k monthly.
3. Exploitation vector: Hey, cool. Software and a server. Did you save money? Cool. You'll probably want to spend it now. A remote access tool is only as good as its clients. If you want to buy them, the cost from install exchanges is about $1400 average for 1000 installs in rich countries. Many of those installs will come from big zip files collecting tools that are distributed on sites like this one. They are not VHQ, or even HQ. They are MQ, and the M stands for meh. You'll want to get traffic of your own, this means, and now is your chance to prove to the world that you've got what it takes to be a super duper RAT man, because the only feasible way to make this all work is if you have the criminal underlord equivalent of a business model. You need to be able to infect x clients using y method, and you need to know how to monetize those clients, keeping in mind whether your installs are likely to be rich dudes (nice SE job!), poor bastards scraping by on Kali Linux (go team!), or sad sacks on work machines where the administration controls AV settings, but doesn't really know that much about AV. If you don't have a business model, that is ok, but recognize that you are not going to accidentally make money doing this. Probably. If you want to spread using web traffic, you'll need an exploit kit, and that exploit kit only attacks IE, because only IE is susceptible to exploits in terms of major browsers. That's not quite true, but if you're reading this you probably can't get an audience with anyone who is working on Chrome. Those guys are for real. Spam, you'll need to learn redirects. Whatever your plan, you likely need a cloaker. Of course, you can find turnkey solutions for all of these things. All of them, by the way, are going to require that you create a FUD file, and just to dispel any confusion, FUD is basically a stupid term in a stupid system wherein we evaluate our crypters based on how well they can make a file FUD. Some fun facts.
1) FUD ain't free, so stop googling. Good crypts are expensive, and if you're sniffing for someone's financial credentials, your tools should be expensive. Think risk/reward. 2) FUD refers to a file that has zero detections. What kind of detections? Well, we want runtime, so ensure that you see a runtime scan before paying a crypter. Also, make sure that you see a runtime scan of a file that you have actual AV data on. If a crypt ADDS runtime detections, it's no bueno. If your crypter returns a CLEAN runtime test, they are probably full of shit, as your dirty shit free RAT has 5-6 runtime detections native, and you're lucky if a crypt bumps it down by one at most. A clean runtime suggests you got played. Also, people are idiots when it comes to distributing their files, just throwing them all over the place, which means more detections quicker. How does that affect you? Unless your crypt is polymorphic, you're swapping virtual spit with everyone else on your stub. One idiot sinks the ship, and idiots abound. Pay well for a quality crypt. Usually you'll want to pay per instance by a known individual who claims to use polymorphic code or to otherwise alter every stub to have a unique footprint. You are not a crypter, even if you have a builder. Pay a guy. Pay him money. Average cost here is $25, which isn't much. Oh, but you'll need rebuilds if you want to hold clients, even with a private stub. Also, by the way, remember that your private stub isn't worth shit as soon as you have a detection on windefender. That could happen in 5 minutes or 5 hours, but will likely happen before 5 days. A crypting service which allows for refuds daily for a month should cost like $1500-2k. Unless you wanted like, an excel macro. Then that'll be another k on top.
At the end of the day, you will be poor, but you will have something more important than money. You will have pride. Also a lot of bots. Continue to prod them with a stick and run funny things in their command lines remotely, dreaming of life after covid. It will all be great fun. You will not conquer the world armed only with your own grit, some FUD script from github, kali tools, and your enormous cock. But if you are lucky, sources claim to experience the feeling of absolute power along the way.
Now go C&C! You can bitch at my assistant on telegram (hi_sexbot), but if you ask her to help you set up your server, she's going to backdoor your software herself, and when you least expect it, she will red team your ass very hard, indeed.
jk!