::: Bots in the targeted networks ::: Machines in the target networks that are equipped with bots automatically log on as a user in the domain. These users have strong passwords (generated from http://strongpasswordgenerator.com/ with length 10 and special characters). An executable file compiled from AutoIt is placed in their startup folder. This executable will browse websites, read mail, send mail, copy files to/from a network share and open files placed in "My documents". It does so by producing keystrokes (e.g. alt+tab). The AutoIt code is included below. For details concerning behaviour the reader is referred to this code and to AutoIt's documentation. In general, however, the user bot will randomly surf to websites (35% chance), send an email (10%), read an email (15%), read a file in My documents (10%), read or write files to a network folder (10%), or do nothing (20%). This will be done every 1-2 minutes. Emails are sent to other bots. Recipients are randomly chosen from a list. The email content is a subset of a long document. The websites they visit are also randomly chosen from a list. Some addresses are more frequent than others in this list. ::: External bots ::: The environment also contained 200 Windows XP machines placed outside the targeted networks. These machines only surfed websites. In other words, they only executed "SurfToWebsite(5)" every 1-2 minutes.
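; _____________________________________ AutoIt-code: _____________________________________
;
; User-activity bot for the range hosts. It runs from the Startup folder of an
; auto-logged-on domain user and drives real applications purely through keystrokes
; (Send), so it types into whatever window currently has the foreground -- it belongs
; on dedicated bot hosts only.
;
; Every 60-120 s one action is chosen by weighted chance: surf (35%), send mail (10%),
; read mail (15%), open a file in My Documents (10%), copy a file to and from the
; network share (10%), do nothing (20%).
;
; Input lists live under C:\UserAgent\ with one entry per line. The helpers below return
; an error when a list cannot be opened; the original loop "count until @error = -1"
; never terminates on an invalid handle (FileReadLine then sets @error = 1, not -1).
; Random(min, max, 1) is used for line numbers: the float form returns values below max,
; so the last line of each list was never picked.

While 1
	$nextDelayInSec = Random(60, 120)
	$delayFactor = 5                     ; scales every Sleep below; raise it on slow hosts
	Sleep($nextDelayInSec * 1000)
	$nextThingToDo = Random(0, 100)
	If $nextThingToDo < 35 Then
		SurfToWebsite($delayFactor)
	ElseIf $nextThingToDo < 45 Then
		SendEmail($delayFactor)
	ElseIf $nextThingToDo < 60 Then
		ReadEmail($delayFactor)
	ElseIf $nextThingToDo < 70 Then
		ReadMyDocFile($delayFactor)
	ElseIf $nextThingToDo < 80 Then
		ReadWriteToCommonFiles($delayFactor)
	EndIf                                ; >= 80: idle this round
WEnd

; Count the lines of $path. Returns 0 and sets @error when the file cannot be opened,
; so callers can skip the action instead of spinning on an invalid handle.
Func _CountLines($path)
	Local $file = FileOpen($path, 0)
	If $file = -1 Then Return SetError(1, 0, 0)
	Local $rowCount = 0
	While 1
		FileReadLine($file)
		If @error Then ExitLoop          ; -1 = end of file; any other error also ends the loop
		$rowCount = $rowCount + 1
	WEnd
	FileClose($file)
	Return $rowCount
EndFunc

; Return one line of $path chosen uniformly at random (integer flag, so the last
; line is reachable). Returns "" and sets @error when the file is missing or empty.
Func _RandomLine($path)
	Local $rowCount = _CountLines($path)
	If @error Or $rowCount = 0 Then Return SetError(1, 0, "")
	Local $file = FileOpen($path, 0)
	If $file = -1 Then Return SetError(1, 0, "")
	Local $line = FileReadLine($file, Random(1, $rowCount, 1))
	FileClose($file)
	Return $line
EndFunc

; Hold Alt and press Tab three times: the bot's way of switching to another task window.
Func _CycleWindows($delayFactor)
	Send("{ALTDOWN}")
	Sleep($delayFactor * 200)
	Send("{TAB}")
	Sleep($delayFactor * 200)
	Send("{TAB}")
	Sleep($delayFactor * 200)
	Send("{TAB}")
	Sleep($delayFactor * 200)
	Send("{ALTUP}")
EndFunc

; Bring a window whose title contains $titlePart to the front; when none exists, start
; $command through the Run dialog and allow $delayFactor*5 s for it to come up.
Func _ActivateOrLaunch($titlePart, $command, $delayFactor)
	Opt("WinTitleMatchMode", 2)          ; 2 = match on a substring of the window title
	If WinActivate($titlePart) = 0 Then
		Send("#r")
		Sleep($delayFactor * 200)
		Send($command)
		Sleep($delayFactor * 200)
		Send("{ENTER}")
		Sleep($delayFactor * 5000)
	EndIf
EndFunc

; Open a folder in Explorer through the Run dialog. $settleMs (scaled by $delayFactor)
; is waited after Enter so the window exists before further keys are sent into it.
Func _OpenFolder($path, $delayFactor, $settleMs)
	Send("#r")
	Sleep($delayFactor * 200)
	Send($path)
	Sleep($delayFactor * 2000)
	Send("{ENTER}")
	Sleep($delayFactor * $settleMs)
EndFunc

; In the open Explorer window: Alt, V, I, M, then walk the selection to the top entry.
; The key count is kept exactly as in the original; what V/I/M select is presumably a
; view mode in which Up-arrow steps through files -- confirm on the target XP image.
Func _SelectFirstFile($delayFactor)
	Send("!")
	Sleep($delayFactor * 1000)
	Send("v")
	Sleep($delayFactor * 1000)
	Send("i")
	Sleep($delayFactor * 1000)
	Send("m")
	Send("{UP 20}")
	Sleep($delayFactor * 200)
	For $k = 1 To 6
		Send("{UP}")
		Sleep($delayFactor * 200)
	Next
EndFunc

; Open the selected file, dismiss the first prompt (Tab, Enter), then close the viewer
; with Alt+F4 and answer "n" so nothing is saved back.
Func _OpenSelectedAndClose($delayFactor)
	Send("{ENTER}")
	Sleep($delayFactor * 2000)
	Send("{TAB}")
	Sleep($delayFactor * 200)
	Send("{ENTER}")
	Sleep($delayFactor * 2000)
	Send("!{F4}")
	Sleep($delayFactor * 800)
	Send("n")
	Sleep($delayFactor * 200)
EndFunc

; Visit a random address from InternetAddresses.txt in Internet Explorer, then follow
; 1-5 links picked by tabbing a random number of times and pressing Enter. Because of
; that, the generated traffic also reaches destinations not in the list.
Func SurfToWebsite($delayFactor)
	_CycleWindows($delayFactor)
	Local $address = _RandomLine("C:\UserAgent\InternetAddresses.txt")
	If @error Then Return                ; no address list: skip this round
	_ActivateOrLaunch("Internet", "iexplore.exe", $delayFactor)
	Sleep($delayFactor * 4000)
	Send("{ALT}")                        ; menu bar, then "o": presumably File > Open
	Send("{DOWN}")
	Send("o")
	Sleep($delayFactor * 1000)
	Send("{ENTER}")
	Sleep($delayFactor * 1000)
	Send($address, 1)                    ; raw mode: # + ^ ! in a URL are typed, not treated as modifiers
	Sleep($delayFactor * 1000)
	Send("{ENTER}")
	Sleep($delayFactor * 4000)
	Local $numberOfTabs
	For $i = 0 To Random(1, 5) Step +1
		$numberOfTabs = Random(0, 20)
		For $j = 0 To $numberOfTabs Step +1
			Send("{TAB}")
			Sleep($delayFactor * 50)
		Next
		Send("{ENTER}")
		Sleep($delayFactor * 5000)
	Next
	Sleep($delayFactor * 1000)
	_CycleWindows($delayFactor)
EndFunc

; Compose and send a mail in Outlook to a random entry of EmailAddresses.txt. The subject
; is one random line of EmailTexts.txt and the body the 5-40 lines that follow it.
Func SendEmail($delayFactor)
	Local $addressPath = "C:\UserAgent\EmailAddresses.txt"
	Local $textsPath = "C:\UserAgent\EmailTexts.txt"
	Sleep($delayFactor * 500)
	_CycleWindows($delayFactor)
	; Pick the recipient and verify the text source before touching Outlook, so a
	; missing list aborts the action without leaving a half-written message open.
	Local $toAdress = _RandomLine($addressPath)
	If @error Then Return
	Local $textCount = _CountLines($textsPath)
	If @error Or $textCount = 0 Then Return
	_ActivateOrLaunch("Outlook", "outlook.exe", $delayFactor)
	Sleep($delayFactor * 500)
	Send("^+i")                          ; Ctrl+Shift+I then Ctrl+N: presumably Inbox, then new message
	Sleep($delayFactor * 200)
	Send("^n")
	Sleep($delayFactor * 500)
	; List entries are stored as user!domain; the '@' is typed as key code 64 ({ASC 64}),
	; presumably to avoid layout-dependent '@' handling. Entries without '!' are not handled.
	Local $bang = StringInStr($toAdress, "!")
	Local $userPart = StringLeft($toAdress, $bang - 1)
	Local $domainPart = StringRight($toAdress, StringLen($toAdress) - $bang)
	Send($userPart & "{ASC 64}" & $domainPart)
	Sleep($delayFactor * 500)
	Local $texts = FileOpen($textsPath, 0)
	If $texts = -1 Then Return
	Send("{TAB}")
	Sleep($delayFactor * 200)
	Send("{TAB}")
	Sleep($delayFactor * 200)
	; Raw flag (1): document text containing ! ^ + # { } is typed literally instead of
	; acting as Alt/Ctrl/Shift/Win modifiers.
	Send(FileReadLine($texts, Random(1, $textCount, 1)), 1)
	Send("{TAB}")
	Sleep($delayFactor * 200)
	For $i = 0 To Random(5, 40) Step +1
		Send(FileReadLine($texts), 1)    ; past end of file this reads "" and types nothing
	Next
	FileClose($texts)
	Sleep($delayFactor * 200)
	Send("!s")                           ; Alt+S: send the message; F9: send/receive
	Sleep($delayFactor * 200)
	Send("{F9}")
	_CycleWindows($delayFactor)
EndFunc

; Fetch mail in Outlook and open a message from the top of the Inbox list.
Func ReadEmail($delayFactor)
	Sleep($delayFactor * 500)
	_CycleWindows($delayFactor)
	_ActivateOrLaunch("Outlook", "outlook.exe", $delayFactor)
	Sleep($delayFactor * 500)
	Send("^+i")                          ; presumably jump to the Inbox folder
	Sleep($delayFactor * 200)
	Send("{F9}")                         ; send/receive, then wait for the fetch
	Sleep($delayFactor * 5000)
	Send("{HOME}")                       ; top of the message list
	Sleep($delayFactor * 200)
	; Menu bar, five entries down, Enter: the menu item this reaches was not recorded;
	; the key count is kept exactly as in the original.
	Send("{ALT}")
	Sleep($delayFactor * 200)
	For $k = 1 To 5
		Send("{DOWN}")
		Sleep($delayFactor * 200)
	Next
	Send("{ENTER}")
	Sleep($delayFactor * 500)
	Send("{ENTER}")
	Send("{ENTER}")
	Sleep($delayFactor * 800)
	Send("{TAB}")
	Sleep($delayFactor * 400)
	Send("{ENTER}")
	Sleep($delayFactor * 200)
EndFunc

; Open the bot user's My Documents folder in Explorer, open the top file and close it
; again without saving.
Func ReadMyDocFile($delayFactor)
	Sleep($delayFactor * 500)
	_CycleWindows($delayFactor)
	Sleep($delayFactor * 200)
	_OpenFolder(@MyDocumentsDir, $delayFactor, 1000)
	_SelectFirstFile($delayFactor)
	_OpenSelectedAndClose($delayFactor)
EndFunc

; Copy the top file of My Documents to \\Fileserver\commonfiles (Ctrl+C in one Explorer
; window, Ctrl+V in the other), then open the top file of the share and close it without
; saving. This is the only action that writes to the network.
Func ReadWriteToCommonFiles($delayFactor)
	Sleep($delayFactor * 500)
	_CycleWindows($delayFactor)
	Sleep($delayFactor * 200)
	_OpenFolder(@MyDocumentsDir, $delayFactor, 1000)
	_SelectFirstFile($delayFactor)
	Send("^c")
	Sleep($delayFactor * 2000)
	Send("!{F4}")
	Sleep($delayFactor * 2000)
	_OpenFolder("\\Fileserver\commonfiles", $delayFactor, 2000)
	Send("^v")
	_SelectFirstFile($delayFactor)
	_OpenSelectedAndClose($delayFactor)
EndFunc
; --------------------------------------------------------------------------------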