IRC News

All about Internet Relay Chat

Beat Them at Their Own Game

As a recent post also indicated, botnets are considered one of the main Internet security threats. Researchers from the Georgia Institute of Technology have proposed a new piece of software, named BotSniffer, that can detect botnets.

Botnets are hard to detect, as they use existing protocols such as IRC in ways that make them hard to distinguish from ‘normal’ users.

The researchers explain: “Our approach is based on the observation that, because of the pre-programmed activities related to C&C (command & control, ed.), bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity.”

In other words, when a botnet is commanded, the same command is sent (for example by PRIVMSG) to separate bots, whereas with human users this kind of similar behavior at the exact same time is almost non-existent.
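To make the spatial-temporal idea concrete, here is an added Python example (not code from the BotSniffer paper or from this post) that looks for “response crowds” in a channel: several distinct hosts that send near-identical messages within a short window. The log format, hosts, channel contents, window size and thresholds are all constructed assumptions for the illustration; the real BotSniffer applies statistical group tests rather than fixed cut-offs.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IrcMsg:
    ts: datetime
    host: str
    channel: str
    text: str


@dataclass(frozen=True)
class Crowd:
    channel: str
    start: datetime
    hosts: frozenset


def parse_log(lines):
    """Parse constructed log lines of the form
    '<ISO timestamp> <host> <channel> <message text>' (assumed format)."""
    msgs = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, chan, text = line.split(" ", 3)
        msgs.append(IrcMsg(datetime.fromisoformat(ts), host, chan, text))
    return msgs


def tokens(text):
    # Lower-case and replace numbers with '#' so that "done 12 files" and
    # "done 14 files" compare as the same pre-programmed response template.
    return set(re.sub(r"\d+", "#", text.lower()).split())


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def find_response_crowds(msgs, window=timedelta(seconds=30),
                         min_hosts=3, min_sim=0.8):
    """For each channel, find groups of >= min_hosts distinct hosts whose
    messages fall within `window` of an anchor message and whose token sets
    are at least `min_sim` similar to it. Humans chatting rarely do this;
    bots answering the same command do."""
    by_chan = defaultdict(list)
    for m in msgs:
        by_chan[m.channel].append(m)

    crowds_by_chan = defaultdict(list)
    for chan, ms in by_chan.items():
        ms.sort(key=lambda m: m.ts)
        for i, anchor in enumerate(ms):
            crowd = {anchor.host}
            atoks = tokens(anchor.text)
            for later in ms[i + 1:]:
                if later.ts - anchor.ts > window:
                    break
                if later.host != anchor.host and \
                        jaccard(atoks, tokens(later.text)) >= min_sim:
                    crowd.add(later.host)
            if len(crowd) < min_hosts:
                continue
            found = frozenset(crowd)
            existing = crowds_by_chan[chan]
            if any(found <= c.hosts for c in existing):
                continue  # already reported as part of a larger crowd
            existing[:] = [c for c in existing if not c.hosts < found]
            existing.append(Crowd(chan, anchor.ts, found))
    return [c for lst in crowds_by_chan.values() for c in lst]


# Constructed sample traffic: four hosts in one channel report the same
# templated result within seconds; a second channel holds ordinary chatter.
SAMPLE_LOG = """
2008-03-02T14:00:00 10.0.0.11 #warez-rose update done 12 files
2008-03-02T14:00:02 10.0.0.12 #warez-rose update done 14 files
2008-03-02T14:00:03 10.0.0.13 #warez-rose update done 9 files
2008-03-02T14:00:04 10.0.0.14 #warez-rose update done 31 files
2008-03-02T14:00:01 10.0.0.21 #chat anyone seen the new tom cruise video?
2008-03-02T14:00:05 10.0.0.22 #chat lol yes
2008-03-02T14:00:07 10.0.0.23 #chat lol
2008-03-02T14:00:09 10.0.0.24 #chat link?
""".strip().splitlines()


if __name__ == "__main__":
    for c in find_response_crowds(parse_log(SAMPLE_LOG)):
        print(f"{c.channel}: {len(c.hosts)} hosts answered alike from "
              f"{c.start.isoformat()} -> {sorted(c.hosts)}")
```

Only the bot channel is reported; in the chat channel two users typing “lol” within seconds are neither numerous enough nor similar enough (“lol yes” versus “lol”) to cross the thresholds, which is the kind of false-positive case a deployment has to tune for.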

The approach was presented at the Internet Society’s Network and Distributed System Security Symposium last February. Versions of BotSniffer have been tested as a plugin to existing intrusion detection systems such as Snort, though it can also do its work on its own.

The researchers consider the C&C IRC channels the weakest link in a botnet. “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network. Therefore, understanding and detecting the command and controls has great value in the battle against botnets,” the researchers said.

“We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate,” the researchers conclude in their abstract.

Other software packages exist that can detect botnets, such as BotHunter, BotMiner and BotProbe. Security software vendors such as McAfee, Symantec and Trend Micro also have protection built in against these types of malware.

Majority of Junk Traffic Consists of DDoS Targeted at IRC Servers

Security service provider Arbor Networks studied the share of junk traffic in total Internet traffic and found some remarkable figures when it comes to IRC traffic.

Over the past 1.5 years the company analyzed data from 70 ISPs. The findings show that on average 4% of all traffic is junk, such as spam and DDoS attacks, topping 1.5 TB of data per second.

Of this 4%, an average of 1,300 DDoS attacks daily make up half of the junk traffic. On occasion, however, DDoS can make up 5% of total Internet traffic. Of the monitored DDoS attacks, the majority consist of TCP SYN floods and ICMP floods targeted at IRC servers.

The same survey showed email traffic making up 1.5% of total traffic. Of this, 66% is spam.

The report with the findings has not yet been published, but the company says it will be available soon.

IRC Network Admin: More Than You Bargained For

Many people wish to have their own IRC network. Once a basic network is set up, they advertise it to gain users, in the hope that many will find it and start using it. But what if users abuse your good intentions and start using your infrastructure to host bots engaged in illegal activities? Then things can become a real-life nightmare. In this article we follow Dewd, from network admin to criminal suspect with a 10-year prison sentence hanging over his head.

Dewd started his network in 2005 and, as many fresh network admins do, started advertising it in as many places as he could find, such as SearchIRC and mIRC’s servers.ini file.

With the advertising came users, including users he had not wished for. “Two pirates from Undernet have come and started to load their bots with fake nicknames and a fake channel name (#warez-rose) in secret mode (+s), trying to make it look like peer-to-peer bots, but these bots weren’t for peer-to-peer, I think.”

Dewd installed IRC Defender to remove the bots from his network, which worked well. But naturally, the bots could not be stopped from trying to connect to the network. Despite trying to keep his network free from such influences, Dewd was arrested late February, along with 16 other suspects, by the Sûreté du Québec, Canada’s provincial police. The arrests included the two users loading the bots, one of whom is still in custody, according to Dewd. All 17 people are seen as suspected members of “a vast computer piracy network”, as a police report explained.

“Over 100 countries on all of the continents are affected. Current damage to computer infrastructure is estimated at more than $45 million”, the police report explains. The malicious users infected computers with malware in order to steal private data, launch DDoS attacks, carry out phishing, and send spam.

“During the 17 searches conducted today, eight suspects were apprehended with an arrest warrant and will appear in court. The police questioned the other nine suspects, who have been released by way of summons.” Maximum sentence for these crimes is 10 years in prison.

Dewd is not one of the eight, but he is not yet cleared, as the police are still investigating his computers. “The charge against me, it’s the illegal use of a computer.”

“We recommend that anyone who suspects that his computer has been hacked consult a computer specialist,” the police report ends. This, of course, is advice IRC-Junkie fully endorses!

Dewd ends, “I’ve been under investigation since 2006; all I do is download, chat a bit, and watch funny videos on the web… I’m not the kind of person who DDoSes websites. Peer-to-peer isn’t illegal in Canada. I download movies for me and my girlfriend, and also my kids. I’m not making money with it; I download because I don’t have enough money to buy them.”

An interview with Dewd for local media can be found here (French). The English-language police report can be found here.

Spam Convict’s Sentence Upheld

The Virginia Supreme Court affirmed the sentence against the first convicted spammer in the USA, saying anti-spam laws do not violate freedom of speech.

Jeremy Jaynes of Raleigh, N.C., was one of the world’s top spammers in 2003. The case in which he was convicted was built on a single action, in which he produced 53,000 emails in 3 days in July 2003. He was sentenced to 9 years in jail.

Jaynes argued in his defense that his spamming does not fall under anti-spam legislation because of the freedom of speech guaranteed under the First Amendment.

“Unfortunately, the state that gave birth to the First Amendment has, with this ruling, diminished that freedom for all of us,” the lawyer of Jaynes, Thomas M. Wolf said. “As three justices pointed out in dissent, the majority’s decision will have far reaching consequences. The statute criminalizes sending bulk anonymous e-mail, even for the purpose of petitioning the government or promoting religion.”

State Attorney General Bob McDonnell: “This is a historic victory in the fight against online crime. Spam not only clogs e-mail inboxes and destroys productivity; it also defrauds citizens and threatens the online revolution that is so critical to Virginia’s economic prosperity.”

Hackers Declare War on Scientology

A group of hackers who go by the name of “Anonymous” and use IRC as their base has declared war on Scientology. The group has released texts online which Scientology members normally have to pay for. DDoS attacks on 18 January also rendered the church’s website unusable.

The attacks followed Scientology’s attempt to censor a video featuring Tom Cruise, one of the church’s best-known members. In the video the actor laughs hysterically and claims that Scientology members are the only people able to save lives after car accidents.

Scientology has since protected its website against DDoS attacks. Anonymous plans real-world protest actions and has set February 10 for a wave of protests at Scientology locations worldwide.

“The so-called Church of Scientology actively misused copyright and trademark law in pursuit of its own agenda,” an Anonymous member said in a press release last week. “They attempted not only to subvert free speech, but to recklessly pervert justice to silence those who spoke out against them.”

Since then the group released a new video featuring a computerized voice saying: “Anonymous has therefore decided that your organization should be destroyed. For the good of your followers, for the good of mankind and everywhere. You will find no recourse in attack, because for each of us that falls, ten more will take his/her place.”

At the time of writing, almost 2 million people had watched the video.

Anonymous also released the home phone number and social security number of a couple whom they believed were pro-Scientology hackers. The couple received an anonymous apology by phone when the error was recognized.

Although it is also an organization opposed to the Scientology church, Operation Clambake does not agree with the methods used by Anonymous. Webmaster Andreas Heldal-Lund explains: “People should be able to have easy access to both sides and make up their own opinions. Freedom of speech means we need to allow all to speak – including those we strongly disagree with. [...] Attacking Scientology like that will just make them play the religious persecution card … They will use it to defend their own counter actions when they try to shatter criticism and crush critics without mercy.”