– IRC News

All about Internet Relay Chat

Another 100.000 Zombies Botnet bust

Yesterday, the creator of a Botnet consisting of more than 100.000 Zombies has been arrested. The 19-year old Dutch and his 16-year old brother are said to be the botmasters of what once was a botnet peaking 150.000 compromised hosts…

Also arrested was a 35-year old Brazilian that wanted to buy the botnet for his malicious activities – at the price of 25.000€ (US$37.290). The bust was a cooperation between the Dutch High Tech Crime unit and other international forces such as the F.B.I.

The botnet spread on Windows Live Messenger without the help of exploits but using a social engineering approach.

Would-be victims received a message from friends on their contactlist with a link and were asked to click on it – once infected they would then message their friends.

If you suspect to be zombified, one way to spot an infected machine is to check it for outgoing connections to the host “” on port 3306.

Antivirus company Kaspersky has put together a webpage with information on how to get rid of the bot – it however is advised to perform a full system scan with AV as well as spyware scanners since Shadow possibly also installed adware on the victims computer.

New Zealand Botnet Master Arrested

An 18-year-old New Zealand suspect has been arrested in a botnet case. He is suspected of controlling a botnet consisting over 1 million infected computers and having caused nearly 13.5 Euro million in damages.

The botnet consists of AKBot worm infected machines. The botnet has been used to attack IRC networks, security companies and the University of Philadelphia.

“He is extremely clever”, said Maarten Kleintjes, head of the computer criminality department.

He is also acused of leading a worldwide network called the A-Team with members from New Zealand, Holland and the USA. New Zealand police worked togheter with the FBI on this arrest, codenamed “AKILL”.

Thirteen more arrest warrants have been issued.

Beat Them at Their Own Game

As a recent post also indicated, botnets are considered one of the main Internet security threats. Researchers from the Georgia Institute of Technology have proposed a new piece of software that can detect botnets, named BotSniffer.

It is hard to detect botnets, as they make use of existing protocols such as IRC in ways that it makes it hard to distinguish them from ‘normal’ users.

The researchers explain: “Our approach is based on the observation that, because of the pre-programmed activities related to C&C (command & control, ed.), bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity.”

In other words, when commanding a botnet, the same command is sent (for example by PRIVMSG) to separate bots, whereas with human users this kind of similar behavior at the exact same time is almost non-existent.

The approach was presented on the Internet Society’s Network and Distributed System Security Symposium last February. Versions of BotSniffer have been tested as plugin to existing intrusion detection systems such as Snort, though it can do its work on its own as well.

The researchers consider the C&C IRC channels the weakest link in a  botnet. “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network. Therefore, understanding and detecting the command and controls has great value in the battle against botnets,” the researchers said.

“We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate,” the researchers end their abstract.

Other software packages exist that can detect botnets, such as BotHunter, BotMiner and BotProbe. Security software vendors such as McAfee, Symantec and Trend Micro also have protection built in against these types of malware.

Majority of Junk Traffic Consists of DDoS Targetted at IRC Servers

Security Service Provider Arbor Networks studied the amount of junk traffic over the total sum of Internet traffic, and found some remarkable figures when it comes to IRC traffic.

Over the past 1,5 year the company analyzed data of 70 ISP’s. The findings show that on average 4% of all traffic is junk, such as spam and DDoS attacks topping 1,5TB of data, per second.

Of this 4%, on average 1300 DDoS attacks daily makes halve of the junk traffic. But on occasions, DDoS can make 5% of the total Internet traffic. Of the monitored DDoS attacks the majority consists of TCP SYN floods and ICMP floods targeted to IRC servers.

The same survey showed email traffic making 1,5% of total traffic. Of this, 66% is spam.

The report with findings is not yet publicized but the company says it will be available soon.

IRC Network Admin: More Then You Bargained For

Many people wish to have their own IRC network. Once a basic network is setup they advertise the network to gain users, in the hope many will find and start using it. But what if they abuse your good intentions and start using your infrastructure to host bots engaged in illegal activities? Then things can start to become a real life nightmare. In this article we follow Dewd, from network admin to a suspect criminal with a 10 year prison sentence hanging above his head.

Dewd started his network in 2005, and as many fresh network admins do, started advertising the network in as many places he could find such as SearchIRC and mIRC’s servers.ini file.

With the advertising came users, including users he had not wished for. “Two pirates from Undernet have come and started to load their bots with fake nickname and fake channelname (#warez-rose) in secret mode (+s) trying to make it look like peer-to-peer bots but these bots wasn’t for peer-to-peer I think.”

Dewd installed IRC Defender to remove the bots from his network which worked well. But naturally, the bots would not be stopped from trying to connect to the network. Despite trying to keep his network free from such influences Dewd was arrested late February, along with 16 other suspects by S�ret� du Qu�bec, Canadian’s provincial police. The arrests included the two users loading the bots of which one is still in custody, according to Dewd. All 17 people are seen as suspect members of “a vast computer piracy network” as a police report explained.

“Over 100 countries on all of the continents are affected. Current damage to computer infrastructure is estimated at more than $45 million”, the police report explains. The malicious users infected computers with malware in order to steal private data, DDoS, phising and use them for spamming.

“During the 17 searches conducted today, eight suspects were apprehended with an arrest warrant and will appear in court. The police questioned the other nine suspects, who have been released by way of summons.” Maximum sentence for these crimes is 10 years in prison.

Dewd is not one of the eight, but he is not yet cleared as police is still investigating his computers. “The charge against me it’s the uses illegally of a computer.”

“We recommend that anyone who suspects that his computer has been hacked consult a computer specialist” the police report ends. This of course, is an advice IRC-Junkie fully recommends!

Dewd ends, “I’m under investigation since 2006, all what I do is downloading/chat a bit/watching funny video on the web… I’m not that kind of person who DDoS websites. Peer-to-peer isn’t illegal in Canada. I download movies for me and my girl friend, also my kids. I’m not doing money with it, I download because I doesn’t have enough of money for buy them.”

An interview with Dewd for local media can be found here (French). The English language police report can be found here