As you can see in the sidebar for IRC news I collect for you, big news today. Lately there is a lot of coverage in the general media about identity theft, DDoS nets, etc. But the paper on botnets released by the Honeynet Project gave quite a boost in the number of articles today on this subject.
The paper explains in great detail the research the project did on botnets, and specifically those that use IRC to receive their commands from the drone-runner.
“These days, home PCs are a desirable target for attackers. Most of these systems run Microsoft Windows and often are not properly patched or secured behind a firewall, leaving them vulnerable to attack”, the paper’s introduction starts. As the number of broadband connections rises, the crackers use these machines to their own advantage. Once a machine is infected, an IRC bot is installed on it that joins a channel where the cracker can control the machine with commands. The Honeynet Project has found nets numbering in the tens of thousands.
The paper explains that the average time before the machines were infected was below 10 minutes. “The shortest compromise time was only a few seconds: Once we plugged the network cable in, an SDBot compromised the machine via an exploit against TCP port 135 and installed itself on the machine.”
The machines that scan for new victims are particularly looking for Windows machines that are not yet patched for known vulnerabilities. For one machine in Germany participating in the research, these scans made up 80% of the total traffic.
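The scanning pattern described above (one source hammering TCP port 135 on many different hosts until it dominates that source's traffic) is easy to pick out of flow logs. The following is an added example, not code from the paper or the Honeynet Project: it parses constructed flow records of the form "src dst dport bytes" and flags sources whose port-135 attempts reach an assumed number of distinct targets and an assumed share of their connection attempts.

```python
"""Flag sources whose outbound TCP/135 connection attempts dominate their traffic."""
from collections import defaultdict

# Constructed sample flow log (not real data): one line per connection attempt,
# fields are "src dst dport bytes".
SAMPLE_FLOWS = """\
10.0.0.5 192.168.1.10 135 48
10.0.0.5 192.168.1.11 135 48
10.0.0.5 192.168.1.12 135 48
10.0.0.5 192.168.1.13 135 48
10.0.0.5 203.0.113.7 6667 2048
10.0.0.9 198.51.100.4 443 5120
10.0.0.9 198.51.100.4 443 7100
10.0.0.9 192.168.1.10 135 48
"""

SCAN_PORT = 135            # the RPC/DCOM port the paper's SDBot compromise used
MIN_DISTINCT_TARGETS = 3   # assumed threshold: distinct hosts contacted on the port
MIN_SHARE = 0.5            # assumed threshold: scan attempts as a share of all attempts


def parse_flows(text):
    """Return a list of (src, dst, dport, bytes) tuples, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split()
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows


def find_scanners(flows, port=SCAN_PORT, min_targets=MIN_DISTINCT_TARGETS, min_share=MIN_SHARE):
    """Map each suspicious source to its distinct target count and scan share."""
    attempts = defaultdict(int)      # all connection attempts per source
    scan_attempts = defaultdict(int) # attempts to the scan port per source
    targets = defaultdict(set)       # distinct destinations hit on the scan port
    for src, dst, dport, _ in flows:
        attempts[src] += 1
        if dport == port:
            scan_attempts[src] += 1
            targets[src].add(dst)
    flagged = {}
    for src, dsts in targets.items():
        share = round(scan_attempts[src] / attempts[src], 2)
        if len(dsts) >= min_targets and share >= min_share:
            flagged[src] = {"targets": len(dsts), "share": share}
    return flagged


if __name__ == "__main__":
    for src, info in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {info['targets']} distinct targets on {SCAN_PORT}, {info['share']:.0%} of its traffic")
```

In the constructed sample, 10.0.0.5 is flagged with 80% of its attempts aimed at port 135 (the figure the paper reports for the German sensor), while 10.0.0.9, which touched port 135 on a single host, is not.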
The researchers found that to host these botnets, the crackers often made use of Unreal IRCd. “Unreal IRCd is cross-platform and can thus be used to easily link machines running Windows and Linux. The IRC server software is stripped down and modified to fit the botnet owner’s needs”, the paper explains.
During the project the researchers were regularly able to get a snooping client into the control channel and watch the crackers issue commands. Once they saw a cracker command the bots to update, together with a nick change. What he did not realise, however, was that he had picked a character which was not supported by the IRCd, effectively losing his 3000-bot network, which would now be DDoS’ing his own commanding server with constant connection attempts. In a second case the researchers saw the owner of a DDoS company using a botnet to DDoS his competitors. He was using his own server to host the bots, and the nicks of the bots were the same as the name of the support channel for his company. “These individuals demonstrate how even unskilled people can run and leverage a botnet”, the paper concludes.
“Our observations showed that often botnets are run by young males with surprisingly limited programming skills”, the paper continues. “The scene forums are crowded of posts like “How can i compile *” and similar questions.” Only a small portion of the crackers studied were regarded as knowing their craft. These people used only one-letter nicks, came online only to issue a command and then disconnected again, used modified IRCds, and pushed updates and code that were well written. “Probably these people use the botnets for commercial usage and “sell” the services.”