Submitted by johnmillar on Nov. 28, 2018, 12:52 p.m.

DEUCALION 3.0 | POWERFUL BOTNET | DESTROY ANY WEBSITE | BYPASS METHODS

Welcome to the presentation of Deucalion 3.0. So that people do not get confused: because of the huge changes made, this version could be considered a new bot, which is why its new name is going to be Perseus. All of its features are listed below.

[CONNECTION]
TCP-based connection, made of three parts that interact with each other along this chain: (bot) stub <-> server <-> client (user panel).
The server acts as a middleman: it handles the connections and adds security to the setup itself. The client receives status updates and sends orders, which the server receives and relays to the bots.
The connection is secured with a custom protocol understood only by these programs; at the same time, all communication is encrypted with a custom algorithm plus AES-256, and the connection keys are dynamic, meaning each client gets a different key each time it connects.
The server also keeps you clear of analysis by checking many patterns such as IP reputation and bot behavior, and it instantly bans any action that does not fit the situation; the same applies to the client, in case your panel somehow got leaked. The user may also add manual bans. In case of overload, Perseus has a built-in system that lets the user set up multiple servers that act as a load balancer.
To prevent duplicates and keep the bot count legitimate, Perseus won't allow more than one connection per IP and checks in several ways whether a bot is still connected, starting with a stream check and ending with a ping/pong system. Together these guarantee that no bots stay idle.
If needed, the customer can add an extra layer of security by using a proxy; however, this may cause issues when using geo services.

[BOT]
The bot loader averages 12 KB in size and can be reduced to ~5 KB with the native version.
This is possible thanks to the server: when the bot connects for the first time, it only sends the machine's specifications to the server, and right after that the server delivers a STUB built for that environment. This lets Perseus push updates to its methods and get better results in some cases. Note that no files are dropped; instead, the bot is executed in memory.
Perseus also attempts to block any kind of analysis: if analysis of the bot is detected, it immediately contacts the server and asks to be permanently banned. Before reaching that point, the bot tries to prevent itself from being analyzed through multiple tricks. Finally, the bot removes itself from the system.
The purpose of the bot is to stay installed on the system for as long as possible and let the user use all of its features.

[FEATURES]
-> Persistence
To prevent the bot from being uninstalled from the system, it uses multiple layers of protection, which the user can of course modify at any time.

-Unkillable process (W7): Exploits a Windows 7 bug to make the process unkillable under any circumstance; note that this method may lead to instability, especially when moving bots or using them frequently.

-Critical process: The bot attempts to elevate itself and become a critical process, which causes a BSOD when killed.

-Task Scheduler: The bot adds Windows scheduled tasks that run the program at a set interval.

-Hide: The bot sets the file's attributes to hidden.

-Watchdog: Multiple layers of protection; the user can decide which ones to add (works in both x64 and x86 processes).
Process Guardian: Shellcode is injected into a remote thread and checks that the process is still alive and working; if it is suspended or closed, it is respawned.
File Guardian: Checks file integrity; if the file is found to be removed, the bot is recovered and installed into a new RANDOM path on the machine.
Registry Guardian: Prevents the bot from being removed from the registry.

-Startup persistence: Watches the startup keys and restores them if they are missing.

-Clone: The bot opens itself twice; the second process stays IDLE until the first one dies.

-UAC Bypass: Attempts to suppress the UAC prompt for Perseus.

-Startup: Adds the bot to the next startup.

-> Botkiller
The botkiller is made to clean the system; like persistence, it also has multiple layers, listed below.
-Memory pattern: The bot scans all running processes for certain memory regions; if a known pattern is found, the foreign bot is killed.
Note that Perseus ships with signatures for >20 common bots (Betabot, NanoCore, DarkComet, njRAT, Medusa ...); users can add new signatures at any time from the client panel.
The user can also choose which actions are taken on a found bot:
-Scan on VT ... [WIP]
-Unmap
-Suspend
-Scan folders: The bot scans the most common folders and checks for common bot behavior (hidden window, startup keys, ...); if malware is found, the bot attempts to break its startup entry and its process.
-RunPE: The bot scans for common RunPE loaders and kills every process that was created through one.
-Miners: The bot scans for common miner queries and suspends their processes.
-Schedule: If needed, the user can choose how often the botkiller runs.

-> DDoS
[L7]

The main feature of the bot; methods will always be kept updated.
HTTP -> Standard layer 7 method, good for semi-protected pages.
CLOSE -> Opens and closes connections on the server as fast as possible to make it crash; sends minimal headers.
SMALL -> Sends the smallest possible requests to generate the highest number of requests per second.
COOKIE -> Overwhelms the web server by sending a huge number of cookies.
SLOW -> Sends many requests in a short period and then sleeps for a while; a brand-new method that is not triggered by many firewalls.
POST -> Made to create the most legitimate-looking requests; the user can supply custom POST data and set random parameters.
All of these methods also have a set of options that can be turned on if the user wants:
-Random sleep: The attack is paused at random for a short while.
-Sleep on errors: If a request times out or the server returns any kind of error, the bot sleeps for a few moments.
-Sockets: Sends more requests per second; the downside is that requests may be easier to detect in some cases.
-Country: The user can pick which countries' bots execute the task.
-Sleep: Delay between each request, in milliseconds.
-Time: Total number of seconds the command runs for.
-Threads: Number of simultaneous connections each bot makes.
-Type: The user picks which request type to use.
-Number of bots: The user chooses how many bots execute the order.

The bot also has a BYPASS method that does the following:
[[ENGINE]]
-Emulates a user window (meaning the window handle is not actually NULL).
-Clicks any button/challenge such as captchas or click-to-continue.
-Emulates ANY JavaScript challenge such as Cloudflare's.
-Simulates user browsing by navigating the website.
-Refreshes cookies when the challenge expires.
-Pre-set browser: uses the browser of the user's choice: IE, Mozilla, Chrome or Opera.
The user can also use the same settings as above (Random sleep, Sleep on errors, Country, Sleep, Time, Threads, Type and Number of bots), plus:
-Clear browser: Clears from the environment a few items that might cause issues for the task, such as cache, cookies and search history.
-Surf the website: The bot collects the website's URLs and navigates through them; the pages it reaches are crawled in turn, so basically the whole website may be visited.
-Rate limit bypass: When errors occur, the bot adapts its thread count and sleeps until they disappear; once the errors vanish, it slowly accelerates again until the best combination is found.
-Limits: When the user needs to force a limit on the bot, this option stops it from making more than X requests in Z seconds.

[L4 and L3]
For layer 4 and layer 3 there are two sections. The basic one contains the most common methods: TCP, UDP and ICMP. The advanced zone has pre-set packets of the kind vendors commonly use nowadays, ideal for bypassing filters and even emulating legitimate connections to chats or games.
In the basic zone you can pick the following options:
-Max packet size.
-Min packet size.
-Threads.
-Sleep.
-Number of bots to execute.
-Country.
-Port(s) (that's right, you can pick a range of ports).
For the advanced zone, you have the following settings:
-Threads.
-Sleep.
-Number of bots to execute.
-Country.
-Port(s).
-Service (game, chat, ...).
-Custom packet builder.
In case none of the solutions we provide work, you can build your own packet by setting:
-Packet body
-Packet encoding
-Packet protocol
You can concatenate them and even recreate a full connection for any service; if the connection requires encryption, you may want to contact lught.

[MISC COMMANDS]
-Stop all running tasks: Stops every single flood running on the bots.
-Kill: Uninstalls all bots from their systems and denies any future connection.
-Status: Returns the status of the server.
-Stop: Lets the user stop a single flood.
-Stop bot-killer: Stops the scheduled bot-killer.
-Clear cache: Clears the bot's cache.
-Clear cookies: Clears all of the bot's cookies.
-Clear historical searches: Clears the bot's search history.
-Update emulation: Attempts to update the IE emulation to get better flood results.
-Renew IP: Reboots the bot's router and attempts to get a new IP.
-Download/execute: Downloads and executes a given file.
You can choose:
-Drop the file to disk or execute it in memory.
-Prevent the remote server from collapsing: adds a delay to the task's execution so the web server hosting the file doesn't go down.
-Self-delete bot: Right after the program is executed, the bot uninstalls itself.
-Kill on next startup: The program is scheduled for removal at the next startup.


[CLIENT]
Made to control the server remotely and add another layer of security. Each user is provided with a single client, but may get more at any time depending on the reasons.
If a user wants to resell services but limit their power, the best option is to get a new client with a limited number of bots, time and threads.
Since using the same client for everybody may cause trouble, acquiring a new client for each customer is a must.
The client has a user-friendly GUI and doesn't require any prior knowledge: it's as easy as launching it and going to the command tabs to issue any order.
The client also retrieves the following information:
-Number of bots.
-List of bots.
-Availability of bots (task count).
-New bots, disconnected bots and so on.
-Execution of commands.
-Any important log from the server.


Each license costs $500 (negotiable); only cryptocurrencies are accepted.
Contact me : landgod@protonmail.ch
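Hunting for the layered persistence the post describes (interval scheduled task, hidden file attribute, Run key, all tied to one binary in a user-writable path), as an added example written by the editor; it is not code from the post or from the advertised tool. It runs over constructed Sysmon-style events (EventID 1 process creation and EventID 13 registry value set; the field names follow the Sysmon schema, while the paths, task name, SID and the minimum rule count are assumptions). It only sees persistence that shows up as a child process or a registry write; a bot that sets the hidden attribute through the file API directly would produce no attrib.exe event, so the file and task rules are heuristics, not a guarantee.

```python
"""Hunt for layered persistence (scheduled task + hidden file + Run key)
in Sysmon-style events.  Added example; the events below are constructed."""
import re
from collections import defaultdict

# Constructed sample events modelled on Sysmon EventID 1 (process create)
# and EventID 13 (registry value set).  Field names follow the Sysmon schema;
# the paths, task name and SID are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\bob\AppData\Roaming\svchost32.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 5 /tn "Updater" '
                    '/tr "C:\\Users\\bob\\AppData\\Roaming\\svchost32.exe" /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\attrib.exe",
     "ParentImage": r"C:\Users\bob\AppData\Roaming\svchost32.exe",
     "CommandLine": r'attrib +h +s "C:\Users\bob\AppData\Roaming\svchost32.exe"'},
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Roaming\svchost32.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\svchost32.exe"},
    # benign noise: a vendor installer registering its own autostart
    {"EventID": 1, "Image": r"C:\Program Files\Vendor\app.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "app.exe --start"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "Details": r"C:\Program Files\Vendor\app.exe"},
]

# Locations an unprivileged bot can write to; Program Files is deliberately absent.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


def score_event(ev):
    """Return the list of (rule, detail) hits for a single event."""
    hits = []
    if ev["EventID"] == 1:
        cmd = ev.get("CommandLine", "")
        image = ev["Image"].lower()
        parent = ev.get("ParentImage", "")
        # "/sc minute" or "/sc hourly": the run-every-interval task the post describes
        if image.endswith("schtasks.exe") and "/create" in cmd.lower() \
                and re.search(r"/sc\s+(minute|hourly)", cmd, re.I):
            hits.append(("sched_task_interval", cmd))
        if image.endswith("attrib.exe") and re.search(r"\+h", cmd):
            hits.append(("hidden_attribute", cmd))
        if USER_WRITABLE.search(parent):
            hits.append(("parent_in_user_writable_path", parent))
    elif ev["EventID"] == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        if USER_WRITABLE.search(ev.get("Details", "")):
            hits.append(("run_key_to_user_writable_path", ev["Details"]))
    return hits


def hunt(events, min_rules=2):
    """Group hits by the binary behind them (the parent for process events,
    the writer for registry events) and report binaries that trip at least
    min_rules distinct rules.  Returns {binary: sorted rule names}."""
    by_actor = defaultdict(set)
    for ev in events:
        actor = ev["ParentImage"] if ev["EventID"] == 1 else ev["Image"]
        for rule, _detail in score_event(ev):
            by_actor[actor.lower()].add(rule)
    return {actor: sorted(rules) for actor, rules in by_actor.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    for actor, rules in hunt(SAMPLE_EVENTS).items():
        print(actor, "->", ", ".join(rules))
```

Grouping by the parent binary rather than by the individual event is what makes the vendor installer drop out: its Run key points at Program Files and it never spawns schtasks or attrib, so it never reaches the two-rule threshold, whereas the user-writable binary trips all four rules.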

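The detection side of the layer 7 methods listed in the post (the SLOW burst-then-sleep rhythm, COOKIE's oversized cookie headers, and SMALL/CLOSE's minimal headers at a high rate), as an added example by the editor and not code from the post or the tool. It runs over a constructed access log in an assumed custom format, `<epoch_s> <ip> <method> <path> <status> <header_bytes> <cookie_bytes>` (the kind of fields a custom nginx or Apache log format can emit; the format, the sample traffic and every threshold are assumptions), and tags each client IP with the pattern it shows.

```python
"""Tag client IPs in an access log by the layer 7 flood pattern they show.
Added example; the log format and sample traffic are constructed."""
import re
from collections import defaultdict

# Assumed custom log format: "<epoch_s> <ip> <method> <path> <status> <hdr_bytes> <cookie_bytes>"
LINE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<method>[A-Z]+) (?P<path>\S+) "
                  r"(?P<status>\d{3}) (?P<hdr>\d+) (?P<cookie>\d+)$")


def synth_log():
    """Constructed 60 s sample: one normal client plus one client per pattern."""
    lines = []
    for t in range(0, 60, 3):                      # normal browsing, ~1 req / 3 s
        lines.append(f"{t} 203.0.113.10 GET /page/{t % 5} 200 410 120")
    for cycle in range(0, 60, 10):                 # SLOW: 40 req/s for 3 s, idle 7 s
        for t in range(cycle, cycle + 3):
            lines += [f"{t} 198.51.100.7 GET /index.html 200 390 95"] * 40
    for t in range(60):                            # COOKIE: 6 KB cookie header every request
        lines += [f"{t} 198.51.100.8 GET / 200 420 6000"] * 5
    for t in range(60):                            # SMALL/CLOSE: 38-byte headers, 30 req/s
        lines += [f"{t} 198.51.100.9 GET / 200 38 0"] * 30
    return lines


def parse(lines):
    """{ip: [(ts, hdr_bytes, cookie_bytes), ...]}; lines in another format are skipped."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m:
            per_ip[m["ip"]].append((int(m["ts"]), int(m["hdr"]), int(m["cookie"])))
    return per_ip


def classify(recs, burst_rps=20, gap_s=5, cookie_max=4096, min_hdr=64):
    """Return the set of pattern tags for one IP's (ts, hdr_bytes, cookie_bytes) records.
    Thresholds are assumptions; tune them against your own baseline."""
    per_sec = defaultdict(int)
    for ts, _, _ in recs:
        per_sec[ts] += 1
    peak = max(per_sec.values())
    busy = sorted(s for s, n in per_sec.items() if n >= burst_rps)
    # idle stretches of >= gap_s between high-rate seconds: the on/off SLOW rhythm
    gaps = sum(1 for a, b in zip(busy, busy[1:]) if b - a >= gap_s)
    tags = set()
    if busy and gaps >= 2:
        tags.add("burst_then_sleep")
    if peak >= burst_rps and gaps == 0:
        tags.add("sustained_flood")
    n = len(recs)
    if sum(1 for _, _, c in recs if c > cookie_max) / n > 0.5:
        tags.add("oversized_cookie")
    if peak >= burst_rps and sum(1 for _, h, _ in recs if h < min_hdr) / n > 0.9:
        tags.add("minimal_headers")
    return tags


def report(lines, **thresholds):
    """{ip: sorted tags} for every IP that matches at least one pattern."""
    out = {}
    for ip, recs in parse(lines).items():
        tags = classify(recs, **thresholds)
        if tags:
            out[ip] = sorted(tags)
    return out


if __name__ == "__main__":
    for ip, tags in report(synth_log()).items():
        print(ip, ", ".join(tags))
```

The burst-then-sleep rule is the one worth keeping an eye on: a per-second or per-minute rate limit averages the SLOW client's 40 req/s bursts down to 12 req/s over each 10 s cycle, which is why the post claims the method slips past many firewalls; counting idle gaps between high-rate seconds catches the rhythm instead of the average.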