Question about RATs
#1
Alright so when creating a RAT there must be some server client communication, but this begs the question, what about your anonymity? Everyone will see the IP address of the server the RAT is communicating with. What is the best approach to regaining your anonymity? I have read somewhere on some other forum about using Virtual Private Servers, but I am curious to see if there are other methods being used for this situation.
Reply
#2
Nested Virtualization

Nested virtualization is the technique of running a hypervisor inside another hypervisor - it refers to virtualization that runs inside an already virtualized environment. Many anonymous VPS providers forbid / block nested virtualization. I do not publish a list of who is perfect here - ask around ...



VPS + Nested Virtualization + Whonix(?) + Onion Service

Administration: SSH + Tor
https://searx.prvcy.eu/search?q=ssh%20tor
Reply
#3
(04-14-2021, 08:20 AM)robinhoood Wrote: Nested Virtualization

Nested virtualization is the technique of running a hypervisor inside another hypervisor - it refers to virtualization that runs inside an already virtualized environment. Many anonymous VPS providers forbid / block nested virtualization. I do not publish a list of who is perfect here - ask around ...

I never heard of nested virtualization for this use case. How would nested virtualization help in this case?
Unless you are bridging your network connection in a weird way I am not aware of I think it is kind of pointless.
Reply
#4
Yeah that's more or less a shitpost. Virtualization might hide some behaviour from the VPS provider, but that's not what OP is asking about.

You can get creative with the server/client architecture. People have written botnets in the past that used Pastebin to send commands; the bots would check a PB account every five minutes or so for a new paste, and the paste would contain a command or some data that the bot should use to do something.

Of course the obvious drawback is that Pastebin can/will close the account whenever they feel like it and then your net is useless.

But it also demonstrates another concept: beaconing.
If the client is only sending one request every few minutes (or however (in)frequently you want it to send requests), it's much harder to detect than if the client establishes a persistent/keep-alive connection. Sure, having a bidirectional open connection will make the client much more responsive to what the server wants to do (minimal delay), but on a Windows machine it'll get spotted by a quick netstat.

One of my buddies made a PoC botnet similar to your typical IRC botnet but using Discord as C2. Same downside of inevitable shutdown of the server by Discord, but it's free hosting and realtime. I'm sure people have done the same with Telegram or Matrix, and maybe P2P solutions could be viable.

Combine a couple ideas together and see what you get. You don't always need to write your typical HTTP server and websocket client like most nets nowadays.
Reply
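The post above contrasts a client that polls at a fixed interval with one that holds a persistent connection. As an added defender-side example (not code from the thread or from any poster), here is how a detection pipeline can surface the polling shape: it groups outbound requests per client/destination pair, computes the gaps between consecutive requests, and flags pairs whose gaps are nearly constant. The log lines, hostnames, addresses and thresholds are all constructed for illustration.

```python
"""Beacon-interval detector over constructed outbound-request log lines.

Added example, not from the thread: flags client->destination pairs whose
requests recur at a near-fixed period, the traffic shape the post above
calls "beaconing". Log format, hosts, IPs and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "timestamp src_ip dst_host" per line.
# 10.0.0.5 polls paste.example every ~300 s; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2021-04-14T08:00:00 10.0.0.5 paste.example
2021-04-14T08:00:12 10.0.0.7 news.example
2021-04-14T08:05:01 10.0.0.5 paste.example
2021-04-14T08:05:40 10.0.0.7 cdn.example
2021-04-14T08:09:59 10.0.0.5 paste.example
2021-04-14T08:15:00 10.0.0.5 paste.example
2021-04-14T08:17:23 10.0.0.7 news.example
2021-04-14T08:20:02 10.0.0.5 paste.example
2021-04-14T08:24:58 10.0.0.5 paste.example
2021-04-14T08:51:10 10.0.0.7 news.example
"""


def parse_log(text):
    """Return {(src, dst): [datetime, ...]} from the constructed log format."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.fromisoformat(ts))
    return series


def intervals(timestamps):
    """Seconds between consecutive requests, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return [(src, dst, mean_gap_s, cv)] for pairs that poll on a fixed period.

    cv is stdev/mean of the inter-request gaps: near zero means a constant
    interval. min_events keeps short bursts from being scored at all; max_cv
    is the tolerance for timing noise (a real implant that adds random jitter
    raises cv, so this knob trades false positives against misses).
    """
    hits = []
    for (src, dst), ts in parse_log(text).items():
        if len(ts) < min_events:
            continue
        gaps = intervals(ts)
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{period}s (cv={cv})")
```

On the sample, only the 10.0.0.5 -> paste.example series is reported (about a 300 s period with a coefficient of variation under 0.01); the other client has too few events and irregular gaps. The persistent-connection case the post mentions needs a different signal: a long-lived established socket to one peer, which is exactly what a netstat listing or a connection-duration field in flow logs exposes.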
#5
(04-14-2021, 02:31 PM)poppopret Wrote: People have written botnets in the past ...
Yes they have (currently not), they're all in jail now. Botnets - a guarantee for prison.

(04-14-2021, 02:31 PM)poppopret Wrote: Of course

What is the difference between a cooperation with one dark VPS provider (paid with cryptocurrency) and abusing online services (Discord, Telegram, Matrix, Pastebin etc.)?

"Of course the obvious drawback is that Pastebin can/will close the account whenever they feel like it and then your net is useless ... Same downside of inevitable shutdown of the server by Discord." <--- find the contradiction.

How do you take down a command and control server in onionspace made with Alpine Linux or OpenBSD?
That's exactly what OP meant. What must be my base so that my ass is safe?

Tor + Virtualization + Nested Virtualization + Onion Services + security-based Linux or OpenBSD, SecBSD

The whole darknet is made with VPS and nested virtualization. Ok some fools use their Raspberry Pi 4 SBC from home (they also go to jail quickly).
Reply
#6
(04-15-2021, 06:16 AM)robinhoood Wrote:
(04-14-2021, 02:31 PM)poppopret Wrote: People have written botnets in the past ...
Yes they have (currently not), they're all in jail now. Botnets - a guarantee for prison.
?XD
'Botnet' doesn't have to refer to only QBot, Zeus and Mirai. I'm using the safest, most general definition of 'software that creates a net(work) of bots'. Be charitable and don't try to create linguistic confusion by being hyperspecific.

(04-15-2021, 06:16 AM)robinhoood Wrote:
(04-14-2021, 02:31 PM)poppopret Wrote: Of course

What is the difference between a cooperation with one dark VPS provider (paid with cryptocurrency) and abusing online services (Discord, Telegram, Matrix, Pastebin etc.)?
The difference is that buying a VPS ties your server to a single IP and it costs you a fair bit of cash.
Don't mention cooperation, because we should both know that you can't just blindly trust what some provider tells you.

I mentioned using PB or Discord or whatever as examples; nowhere did I say they were inherently better.
There are tradeoffs you make in each case.

(04-15-2021, 06:16 AM)robinhoood Wrote: "Of course the obvious drawback is that Pastebin can/will close the account whenever they feel like it and then your net is useless ... Same downside of inevitable shutdown of the server by Discord." <--- find the contradiction.

Nope, I don't see any. Both statements say that abusing online services may lead to account closure and subsequent loss of bots (although there are still ways to deal with this).

(04-15-2021, 06:16 AM)robinhoood Wrote: How do you take down a command and control server in onionspace made with Alpine Linux or OpenBSD?
That's exactly what OP meant.
Ah yeah, you're right, that's why he said:
Code:
I have read somewhere on some other forum about using Virtual Private Servers, but I am curious to see if there are other methods being used for this situation.
Right?
He's definitely not asking what the alternatives to traditional socket client/server connections are, of course he only 'means' whatever you're coming up with and not what he wrote in the post himself...

(04-15-2021, 06:16 AM)robinhoood Wrote: Tor + Virtualization + Nested Virtualization + Onion Services + security-based Linux or OpenBSD, SecBSD

The whole darknet is made with VPS and nested virtualization. Ok some fools use their Raspberry Pi 4 SBC from home (they also go to jail quickly).

But when?

Listen man, if you're gonna argue, at least try and be charitable in your interpretation. I don't want to clarify each individual sentence because you can't put things into context or read the original post properly.
Reply
#7
(04-14-2021, 02:31 PM)poppopret Wrote: Yeah that's more or less a shitpost. Virtualization might hide some behaviour from the VPS provider, but that's not what OP is asking about.

You can get creative with the server/client architecture. People have written botnets in the past that used Pastebin to send commands; the bots would check a PB account every five minutes or so for a new paste, and the paste would contain a command or some data that the bot should use to do something.

Of course the obvious drawback is that Pastebin can/will close the account whenever they feel like it and then your net is useless

But it also demonstrates another concept: beaconing.

If the client is only sending one request every few minutes (or however (in)frequently you want it to send requests), it's much harder to detect than if the client establishes a persistent/keep-alive connection. Sure, having a bidirectional open connection will make the client much more responsive to what the server wants to do (minimal delay), but on a Windows machine it'll get spotted by a quick netstat.

One of my buddies made a PoC botnet similar to your typical IRC botnet but using Discord as C2. Same downside of inevitable shutdown of the server by Discord, but it's free hosting and realtime. I'm sure people have done the same with Telegram or Matrix, and maybe P2P solutions could be viable.

Combine a couple ideas together and see what you get. You don't always need to write your typical HTTP server and websocket client like most nets nowadays.
Thanks, this has given me some ideas.


(04-15-2021, 06:16 AM)robinhoood Wrote: The whole darknet is made with VPS and nested virtualization. Ok some fools use their Raspberry Pi 4 SBC from home (they also go to jail quickly).
Can you elaborate more on this? Not that I would use this, but I am just curious as to what makes this a huge issue. From my understanding, hosting a server on Tor hides your actual IP. Is this an underlying issue in the Raspberry Pi itself, or some issue with whatever server you use (Apache, for instance)?
Reply
#8
(04-15-2021, 02:39 PM)poppopret Wrote: But when?

Thank you for all your comments. I really appreciate that. Time problem - cannot react to everything.

(04-15-2021, 04:16 PM)supernova Wrote: Can you elaborate more on this?

You have a goal: Anonymity

A) Anonymity needs company.
B) Anonymity needs many intermediate steps. The more the better - the famous internet theorem "Good Luck, I'm Behind 7 Proxies".

Any kind of self-hosting is your end of anonymity. You are vulnerable in all directions (you, software, hardware). That is a piece of wisdom on the subject. If something goes wrong there is nobody / nothing in between.

The first thing that you have to do is to buy everything used. (Online) flea market. I own one Nitrokey Storage - of course I do not appear in their (Nitrokey GmbH) customer database.
Reply
#9
(04-15-2021, 04:16 PM)supernova Wrote: is this an underlying issue in the Raspberry Pi itself? Or some issue with whatever server you use (apache for instance)

Code:
$ proxychains nmap -sT -Pn -sV -n -p 80 --script http-enum *.onion

$ proxychains nmap -sT -Pn -sV -n -p 80 --script vuln *.onion

https://nmap.org/nsedoc/
https://github.com/lanjelot/patator

There are hundreds of ways to draw conclusions.
You give yourself a perfect "fingerprint".
One observes CVEs or makes direct contact with the hardware producer and asks for help (law enforcement, haters, government).
Plus tech companies are happy to help.

One day I saw a self-hosting and his "fingerprint". This unknown person used Red Hat. You can't use Red Hat without purchasing a subscription to a Red Hat Enterprise (RHSM) product. Now let's find out where you live and which people in this area have a Red Hat business account. BANG!

Never - absolutely never do self-hosting if your goal is anonymity. btw the FBI do it right. They rent servers for all honeypots, they never do self-hosting within their own buildings. CIA is even smarter, they rent servers 10 000 miles away from USA and the external impact is completely unspectacular.
Reply
#10
(04-15-2021, 06:16 AM)robinhoood Wrote: People have written botnets in the past ...

Yes they have (currently not), they're all in jail now. Botnets - a guarantee for prison.


Very untruthful statement, seen it happen a lot before, simply not true.
Second of all, using 7 proxies or however many proxies you want is just the stupidest shit I've ever heard.
If you're just running a small botnet, you're perfectly fine. Unless you're running some shit like Emotet or a big botnet, no one gives a fuck.
There is only one way to have no one find you (if you're gonna do some crazy shit) > Think hard, I ain't gonna reveal it because I don't fuck with making shit mainstream.

Frankly speaking, 20k bots whatever you're fine
Host (Linux) Double/Quadruple vpn --> Whonix (vpn in gateway before tor) --> Rdp --> Proxies/(vps if rat) (if you're paranoid).

But yeah, ain't no hoe finna search for some kid running a small botnet.
Disable ipv6, use public dns servers, don't link public ip to tor

tor is even bad probably, 100% them nsa fuckers got an exploit somewhere in it, lot of bad nodes too, whonix uses trusted nodes (ones that have been around for long are signed with keys of owners, well known).

Long message, in short use your brains

Please don't use telegram or discord, or pastebin as a form of c&c, wind a server up block all ports you don't need, https (if it's supported for the client) so no hoe is gonna sniff traffic.

--> IM TIRED I DONT USUALLY TALK LIKE THIS
Reply