[Simple Anti-Virus] Botnet Killer [EPIC]

closed account (ozUkoG1T)
Hi,

I have recently been infected with a bot, a malicious botnet called the Barracuda Bot, which has infected many 1000's of computers across the globe. I found that I was infected when I was making a controlled malware. I love analyzing malware and worms. So anyway, as any malware analyst would, I tried to end the process to see what protections the malware has. Then I noticed another untrusted process in my Task Manager; with suspicion, I tried ending it. It worked fine, but then I rebooted my computer to find it start up again, so this time I found where the file was executing from, which was an unknown folder. Then I went on looking for it, and I found a thread on Hack Forums concerning the Barracuda Botnet, where I saw it said to be unkillable, which it was not, so now I am going to make the remover for the bot. CODE:

#include <Windows.h>
#include <Aclapi.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

// Adds an access-control entry for the calling user to the file's DACL
// (deny when m_bDenyOrNot is true, allow otherwise). The existing DACL is
// read first and the new entry merged into it, so other entries survive.
bool SetFilePrivileges(wchar_t* m_pwszFilePathName, DWORD m_dwPermissions, bool m_bDenyOrNot) {
        if ( m_pwszFilePathName == 0 || lstrlenW(m_pwszFilePathName) < 1 )
                return false;

        PACL                 m_paOldDACL  = 0;
        PACL                 m_paDACL     = 0;
        PSECURITY_DESCRIPTOR m_pSD        = 0;
        EXPLICIT_ACCESS_W    m_stEntry    = { 0 };
        wchar_t              m_wszTrustee[] = L"CURRENT_USER";   // special name resolved to the calling user
        bool                 m_bResult    = false;

        BuildExplicitAccessWithNameW(&m_stEntry, m_wszTrustee, m_dwPermissions,
                                     (m_bDenyOrNot) ? DENY_ACCESS : GRANT_ACCESS, NO_INHERITANCE);

        // Read the current DACL so existing entries are not thrown away
        if ( GetNamedSecurityInfoW(m_pwszFilePathName, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                                   NULL, NULL, &m_paOldDACL, NULL, &m_pSD) != ERROR_SUCCESS )
                return false;

        // Prepare ACL: the new entry merged with the old DACL
        if ( SetEntriesInAclW(1, &m_stEntry, m_paOldDACL, &m_paDACL) == ERROR_SUCCESS ) {
                // Set new DACL
                m_bResult = (SetNamedSecurityInfoW(m_pwszFilePathName, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                                                   NULL, NULL, m_paDACL, NULL) == ERROR_SUCCESS);
                LocalFree(m_paDACL);
        }

        LocalFree(m_pSD);   // m_paOldDACL points into this descriptor
        return m_bResult;
}

// Walks HKCU\...\Run and denies the current user read/execute on any autostart
// target that lives under the user or all-users profile directory, so the entry
// fails to launch at the next logon.
int BarracudaKiller()
{
        wchar_t m_wszBarracuda[MAX_PATH];
        wchar_t m_wszUsers[MAX_PATH];
        wchar_t m_wszAllUsers[MAX_PATH];
        wchar_t m_wszValueName[256];
        DWORD   m_dwType            = REG_SZ;
        DWORD   m_dwSize            = sizeof(m_wszBarracuda);     // RegEnumValue wants the data size in bytes
        DWORD   m_dwNameLength      = _countof(m_wszValueName);   // ...but the name size in characters
        HKEY    m_hKey              = 0;
        DWORD   i                   = 0;
        LONG    m_lResult           = ERROR_SUCCESS;

        // Initialize
        memset(m_wszBarracuda, 0, sizeof(m_wszBarracuda));
        memset(m_wszValueName, 0, sizeof(m_wszValueName));
        memset(m_wszUsers, 0, sizeof(m_wszUsers));
        memset(m_wszAllUsers, 0, sizeof(m_wszAllUsers));

        // Profile directories, lower-cased so the substring match below is case-insensitive
        if ( ExpandEnvironmentStringsW(L"%USERPROFILE%", m_wszUsers, _countof(m_wszUsers) - 1) == 0 )
                return 1;
        CharLowerBuffW(m_wszUsers, lstrlenW(m_wszUsers));

        if ( ExpandEnvironmentStringsW(L"%ALLUSERSPROFILE%", m_wszAllUsers, _countof(m_wszAllUsers) - 1) == 0 )
                return 1;
        CharLowerBuffW(m_wszAllUsers, lstrlenW(m_wszAllUsers));

        if ( RegOpenKeyExW(HKEY_CURRENT_USER, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_QUERY_VALUE, &m_hKey) != ERROR_SUCCESS )
                return 1;

        for (;;) {
                m_lResult = RegEnumValueW(m_hKey, i++, m_wszValueName, &m_dwNameLength, 0, &m_dwType, (LPBYTE)m_wszBarracuda, &m_dwSize);
                if ( m_lResult == ERROR_NO_MORE_ITEMS )
                        break;

                if ( m_lResult == ERROR_SUCCESS ) {
                        m_wszBarracuda[_countof(m_wszBarracuda) - 1] = 0;   // registry strings need not be NUL-terminated
                        CharLowerBuffW(m_wszBarracuda, lstrlenW(m_wszBarracuda));

                        // Note: a value holding a quoted command line or arguments will not pass
                        // GetFileAttributesW and is skipped; only bare file paths are handled here.
                        if ( (m_dwType == REG_SZ || m_dwType == REG_EXPAND_SZ) && lstrlenW(m_wszBarracuda) != 0 &&
                             (wcsstr(m_wszBarracuda, m_wszUsers) != 0 || wcsstr(m_wszBarracuda, m_wszAllUsers) != 0) &&
                             GetFileAttributesW(m_wszBarracuda) != INVALID_FILE_ATTRIBUTES ) {
                                // 0x00040021 in the original listing = WRITE_DAC | FILE_EXECUTE | FILE_READ_DATA
                                SetFilePrivileges(m_wszBarracuda, WRITE_DAC | FILE_EXECUTE | FILE_READ_DATA | FILE_WRITE_ATTRIBUTES, true);
                        }
                } else if ( m_lResult != ERROR_MORE_DATA ) {
                        break;   // ERROR_MORE_DATA just means this value is too long for our buffers; skip it
                }

                // Reset the in/out sizes for the next call
                m_dwNameLength = _countof(m_wszValueName);
                m_dwSize = sizeof(m_wszBarracuda);
        }

        RegCloseKey(m_hKey);
        return 0;
}


This was also posted by Betamonkey on Hack Forums.

Feel free to make a nice GUI (Graphical User Interface) for this.

By the way, after you run this code the bot will be deemed useless after the next reboot.


NOTICE TO BARRACUDA TEAM:

YOUR MALWARE IS THE WORST I HAVE SEEN IN MY LIFE. THE WEBSITE BLOCKER USES HOSTS FILES, GOOD FOR GETTING THE CRAP KILLED OUT OF IT BY ALL THE OTHER ANTI-VIRUSES.
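The triage heuristic the post above relies on (an autostart value whose program lives under %USERPROFILE% or %ALLUSERSPROFILE%), written here as an added Python example that is not the poster's code and not part of the thread. It runs offline over a constructed sample of Run values and also handles REG_EXPAND_SZ data and quoted command lines with arguments, which the C listing skips; the environment and value names are made up for the example.

```python
import re
import ntpath

# Constructed sample environment standing in for the machine's profile variables
SAMPLE_ENV = {
    "USERPROFILE": r"C:\Users\alice",
    "ALLUSERSPROFILE": r"C:\ProgramData",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
}

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run values: (name, type, data)
SAMPLE_RUN_VALUES = [
    ("OneDrive", "REG_SZ", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Updater", "REG_SZ", r'"C:\Users\Alice\AppData\Roaming\winlogon.exe" -s'),
    ("Sync", "REG_EXPAND_SZ", r"%APPDATA%\sync\sync.exe"),
    ("Helper", "REG_SZ", r"C:\ProgramData\tmp\helper.exe /q"),
    ("Broken", "REG_SZ", ""),
]

def expand_env(value, env):
    """Expand %VAR% references as Windows does for REG_EXPAND_SZ data; unknown names stay literal."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)

def executable_from_command(cmd):
    """Return the program path from a Run value's command line, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted form: "C:\path with spaces\prog.exe" args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")                      # unquoted form: grow the prefix until it names a program
    for n in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:n])
        if candidate.lower().endswith((".exe", ".com", ".bat", ".cmd", ".scr")):
            return candidate
    return tokens[0]

def under_directory(path, directory):
    # Case-insensitive, normalised prefix check so mixed-case paths still match the profile root
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower()
    return p == d or p.startswith(d + "\\")

def profile_persistence_entries(run_values, env):
    """Names and programs of Run values whose target lives under %USERPROFILE% or %ALLUSERSPROFILE%."""
    profile_dirs = (env["USERPROFILE"], env["ALLUSERSPROFILE"])
    flagged = []
    for name, reg_type, data in run_values:
        if reg_type == "REG_EXPAND_SZ":
            data = expand_env(data, env)
        exe = executable_from_command(data)
        if exe and any(under_directory(exe, d) for d in profile_dirs):
            flagged.append((name, exe))
    return flagged
```

Flagged entries are candidates for review, not automatic removal: legitimate per-user installers also autostart from AppData, so check the file's signature and origin before acting on it.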
This is a terrible idea. All you're doing is killing the permissions on EVERYTHING under the "HKCU\Microsoft\Windows\CurrentVersion\Run" key. Why not just delete this entry? Or at least specifically target that one entry?
closed account (ozUkoG1T)
Well, Barracuda Bot tends to create different entries depending on what version it has, and I cannot make a bot killer for each specific version. Also, when I got infected I really did not care if it was a terrible idea, since I care more about my computer's security and privacy than the idea. But I have analysed this bot, and as I was saying, I cannot make a bot killer for each version, considering that I would have to buy every version which comes out, and I am no hacker or bot master. So I do not want to buy malware; instead I purposely get infected and then remove it from my computer.

Also, it kills all versions till 2.5.