Black Hat DomainerBlack Hat Techniques for Domains

Every REAL Black Hat Seo who lives up to its name has his own botnet, in order to easily link spam or social vote (among other actions). This post will teach you, in detail, how to build one of your own!

What these bots do is they receive orders and act accordingly. Either, visit a simple url, fill a form or click on a button.

So, what do you need to code? You need to code a bot that:
- Self extracts itself when running another program and quietly installs
- Runs hidden every time the PC starts
- Periodically checks a given URL for new orders
- Executes orders

There is however some ethic involved! What it DOES NOT do:

- No personal information what-so-ever is collected from the zombie PC. It means behaving better than most spyware and even G itself which calls home on Chrome with all your sexual fetishes.
- Absolutely no harm is done to the zombie. Even the resources’ usage is kept low. (memory and cpu)
- It will self-destruct in x days.

First select your language: Visual Basic, Delphi or C. Forget .net or C#. Anyway this post will be about what to call and where, so it’s good for all languages.

It is no longer possible (since XP) to hide (the easy way) an application from the service tab, so be ingenious on naming it. You can and should however hide it from task list applications. Doing this is easy on VB using Me.Hid. On C use SW_HIDE. When I say ingenious I mean naming it after something an average user will believe its part of windows.

First thing the bot does is to check if this is a first time run. If it is, then it must install. You do this by checking the registry key. If it’s already there, it’s not a first time run. Use wscript.shell to read and write to the registry. It’s the most reliable and safe way to do it these days.

You will create a key on \Software\Microsoft\Windows\CurrentVersion\Run so that it runs every time the PC starts. Don’t use HKEY_LOCAL_MACHINE, because you will need admin rights to write there, use HKEY_CURRENT_USER instead.

An important thing to notice is that you can’t use the string “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” on your app. It will get detected by most recent antivirus. There’s however a cool way to trick them: use some very simple encrypt algorithm and decode the string only at run time. A simple replacement on “o” for “0” will do the trick.

Back on track, if the key is not there, it’s a first time run and you must install. When installing you need to extract the program. You must also let the parasite program run. (They both are the same on this example)

Where will write the app to? Forget about writing to c:\Program Files\ or even c:\. Everything you will get on VISTA is virtual paths. Use CSIDL_APPDATA to get a nice real path like: C:\Users\admin\AppData\Local.

(Instead of checking the registry key, you can also check if your program is already dropped. If it’s there, it’s not a first time run)

As it’s a first time run, let’s install. Install has three steps. Write the key to the registry as explained above, copy the program itself to the path you found, and rename it (don’t forget windows runs anything, it does not need to be an .exe) flag it to system and hidden, and finally do something to entertain the victim. You can shell call anything, from ie with a page to painter with an image.

That’s it, we’re set to go. Next time the user restarts it will load our bot.

Now how do we make contact? Well, forget about Mail and FTP. You would be noticed in no time. You should always hit a web page: either to collect orders or send reports.

Best way to do this is using Microsoft.XMLHTTP’s msxml2.xmlhttp object and the Dom document: MSXML2.DOMDocument. Simple, fast, asynchronous and stealth.

And how do you know user is connected? Well, again forget about checking the InternetGetConnectedState on wininet.dll. You have to do the most basic of all the things: use Microsoft.XMLHTTP object to hit Yahoo.com and see if it’s there, then you’ll know. (Don’t hit Google.com)

Now put it on a timer and check your site.php page to read instructions from time to time. These instructions can also include a self destruction order! In that case, you would delete the key and that’s it. You can also delete the app itself, but it’s more complex. No need to do that, it will just lay there forever.

On part II of this tutorial we will see how to pass orders to the bot and, most important, how to get the bot to obey. It’s fairly simple and best of all, on all sites we hit, we will be behaving just like if were the normal user of that PC surfing and voting on pages and social networks. No need to melt our brain on complex Javascript routines with dubious results and that are dependent on XSS holes that get patched on no time these days.

Now imagine you were about to launch a new website. How about having all your bootnet to vote for it o Digg, Stumble it, tweet it, and link it all over? It would be great, wouldn’t it?

No, it would not. This is not the way it is done. You simply can’t raise head too much above water or you’ll get caught in no time. Will see how this is done in part two, but I think you must been having an idea about it by now.