IRC-Junkie.org – IRC News

All about Internet Relay Chat

Hackers Declare War on Scientology

A group of hackers, who go by the name of “Anonymous” and use IRC as their base, has declared war against Scientology. The group has released texts online which Scientology members normally have to pay for. In addition, DDoS attacks on the 18th of January rendered the church’s website unusable.

The attacks followed after Scientology tried to censor a mockup movie picturing Tom Cruise, one of the best-known members of the church. In the movie the actor laughs hysterically and claims that Scientology members are the only people able to save lives after car accidents.

Scientology has since protected its website against DDoS attacks. Anonymous plans real-world protest actions and has set February 10 for a wave of protests at Scientology locations worldwide.

“The so-called Church of Scientology actively misused copyright and trademark law in pursuit of its own agenda,” an Anonymous member said in a press release last week. “They attempted not only to subvert free speech, but to recklessly pervert justice to silence those who spoke out against them.”

Since then the group has released a new video featuring a computerized voice saying: “Anonymous has therefore decided that your organization should be destroyed. For the good of your followers, for the good of mankind and everywhere. You will find no recourse in attack, because for each of us that falls, ten more will take his/her place.”

At the time of writing this article, almost 2 million people had watched the video.

Anonymous also released the home phone number and social security number of a couple who they believed were pro-Scientology hackers. The couple received an anonymous apology over the phone when the error was recognized.

Although it is another organization opposed to the Scientology church, Operation Clambake does not agree with the methods used by the Anonymous group. Webmaster Andreas Heldal-Lund explains: “People should be able to have easy access to both sides and make up their own opinions. Freedom of speech means we need to allow all to speak – including those we strongly disagree with. [...] Attacking Scientology like that will just make them play the religious persecution card … They will use it to defend their own counter actions when they try to shatter criticism and crush critics without mercy.”

Dronerunner Charged Over Akamai Attack

John Bombard, a resident of Seminole, Florida, has been charged for his alleged attack on service provider Akamai two years ago. Several big companies were affected in the attack, such as Microsoft, Yahoo!, Google and Symantec, the owner of SecurityFocus.

Bombard allegedly commanded the modified Gaobot botnet from an IRC server hosted on his own domain, f0r.org.

If found guilty, Bombard faces 2 years for each charge, and a fine of up to $400,000 USD.

Nessun Goes to Jail

In May 2004 IRC-Junkie reported on the ongoing problems that DDoS attacks caused for the IRCHighway network. In June of this year Jason Michael Downey, known as Nessun and owner of the network Rizon, was arrested for these problems.

This PDF outlines the sentence Nessun heard on the 23rd of this month. We can read: “Jason Michael Downey, the operator of “bot network” of virus infected computers that he used to attack other computer systems, was sentenced to a year in federal prison today on his conviction for unlawful computer intrusion that caused over $20,000 in damages to other computer networks, United States Attorney Stephen J. Murphy announced today.”

After the jail sentence Nessun will have a 3-year supervised period during which he will need to ask permission before he can use a computer. He will also have to pay $21,110 in damages to the (IRC) networks the DDoS was aimed at. Finally, he will have to do 150 hours of community service and pay a $100 special assessment.

While pronouncing the sentence, Judge Edmunds explained that computer crime has a serious impact on society and that a severe punishment was in order.

United States Attorney Stephen J. Murphy said, “The so-called “bot-masters” on the Internet should realize that attacking and damaging other computer networks through a bot-net can land you in prison.  We have the capacity to investigate and prosecute these high tech crimes and we will continue to do so.  I commend the FBI for the excellent investigative work they did in this case.”

McAfee: Botnets Threaten National Security

Researchers from McAfee released remarkable news this week. Baylor and Brown, researchers at McAfee, warn that the national security of multiple countries is threatened by the existence of botnets.

“A botnet of one million bots, with a conservative 128 Kbps broadband upload speed per infected bot, can wield a powerful 128 gigabits of traffic,” the whitepaper reported. “This is enough to take most of the Fortune 500 companies (and several countries) offline using DDoS attacks. If several large botnets are allowed to join together, they could threaten the national infrastructure of most countries.”

In the whitepaper, McAfee suggests that intrusion prevention systems (IPS) are the best way to prevent PCs from becoming part of a botnet.

Allysa Myers from McAfee’s Avert Labs believes a radical change in security strategy is necessary, such as allowing only known traffic in order to block all malicious traffic, which can include attacks that take over PCs.

“Things are looking fairly grim as the rise in the number of variants of IRC bots has grown by leaps and bounds over the last couple of years. Strictly using string-based detection against the unending tide certainly appears to be a lost cause,” Myers said.

Drones, a Continuous Problem for Small Networks

In February 2006 IRC-Junkie featured an article titled “Help! My Network is in Servers.ini!”. In short, the article describes one of the problems small networks encounter when they become listed in mIRC’s servers.ini.

One of the major drawbacks is that humans are not the only ones using this file: downloading an up-to-date servers.ini is also one of the first things a newly installed drone does. Attracting drones is therefore one of the side effects of being listed, and it can cause a lot of problems that eat up valuable resources, which are often not in abundance on small networks anyway.

The Beirut IRC Network, for example, started to gline about 1000 IPs a day when it was first listed in servers.ini.

Tjerk Vonck, webmaster of mirc.com, denied knowledge of any drone issues concerning servers.ini: “No. And really, I doubt there is such a problem”, he replied to IRC-Junkie.

Today IRC-Junkie received an email from SanitariuM, who wrote an mIRC script that can gline drones on connection. “Those numbers for those bear drones, as I can verify with sources, have grown to over 2 MILLION unique IP’s per year. Divide this out and it’s almost 5,500 drones with unique IP’s per day on each network. Each bot sends out at *least* 10 spams, so that’s 55,500 spams per day”, he writes.

Although drone nets increasingly make use of other protocols, such as HTTP and P2P-type networks, they continue to plague IRC networks.

SanitariuM also brings a bit of good news, however. “There are several ways you can detect and gline these things with 100% accuracy on connection. I’ve written a universal mIRC addon that’ll work on *any* network to pattern detect and gline these. Instructions for setup are very simple… change a syntax or two, oper it up, and away it goes.”

So as not to give away the pattern and make the malicious users running the drones aware of how they are being caught, SanitariuM only gives out the mIRC script after validating the user requesting a copy, and only after initial contact has been made in one of two channels. These can be found on Undernet (#SSnD) and DALnet (#Snoop).

IRC-Junkie advises using common sense when loading scripts into any IRC client. If you are going to load a script not written by yourself, and you don’t possess the knowledge to check it yourself, let someone else do it. This applies especially if it is going to run on an opered client on a production network.

edit (13:00): 55,000 spamposts instead of 15,000, changed on request of SanitariuM (which I just quoted without checking the math ;) )