Source Of Evil – A Botnet Code Collection

In case you’re looking for a variety of IRC client implementations, or always wondered how botnets and other malware looks on the inside, [maestron] has just the right thing for you. After years of searching and gathering the source code of hundreds of real-world botnets, he’s now published them on GitHub.

With C++ being the dominant language in the collection, you will also find sources in C, PHP, BASIC, Pascal, the occasional assembler, and even Java. And if you want to consider the psychological aspect of it, who knows, seeing their malicious creations in their rawest form might even give you a glimpse into the mind of their authors.

These sources are of course for educational purposes only, and it should go without saying that you probably wouldn’t want to experiment with them outside a controlled environment. But in case you do take a closer look at them and are someone who generally likes to get things in order, [maestron] is actually looking for ideas how to properly sort and organize the collection. And if you’re more into old school viruses, and want to see them run in a safe environment, there’s always the malware museum.

9 thoughts on “Source Of Evil – A Botnet Code Collection

  1. “Hey, here’s a thought: let’s gather a huge collection of evil and let anyone who wants to paw through it. What could possibly go wrong?” And Lo! Script-kiddies around the world rejoiced as Jeff Goldblum sadly shook his head!

    (That being said, I want to see that BASIC code.)

  2. It’s all primitive and dated and were not sophisticated for their time even.. UDP flood ddos via IRC c&c, obvious windows registry entries and process names with no hooks let alone rootkit, no advanced anti-detection like UAC or patchguard bypasses besides the boot-flag method for patchguard, not a single one with MITB or even thread input logging etc..

    Most of it you could detect with task manager and kill with task manager or taskkill /f under XP to 10. All of it would require a FUD crypter or unhandled packer to get past even Windows Defender and of course would be detected by even old HIPS or HIDS..

    Anything that featured assembly was either weak MBR payloads or optimized features to save negligible bytes basically and it was all stuff that looks liked it was from someone who read a NT API assembly tutorial while coding it..

    None of the famous banking trojan or rootkit stuff is in there

Leave a Reply to GravisCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.