IRC News

All about Internet Relay Chat

New Zealand Botnet Master Arrested

An 18-year-old New Zealand suspect has been arrested in a botnet case. He is suspected of controlling a botnet of over 1 million infected computers and of having caused nearly 13.5 million euros in damages.

The botnet consists of machines infected by the AKBot worm. It has been used to attack IRC networks, security companies and the University of Philadelphia.

“He is extremely clever”, said Maarten Kleintjes, head of the computer criminality department.

He is also accused of leading a worldwide network called the A-Team, with members from New Zealand, Holland and the USA. New Zealand police worked together with the FBI on this arrest, codenamed “AKILL”.

Thirteen more arrest warrants have been issued.

Beat Them at Their Own Game

As a recent post also indicated, botnets are considered one of the main Internet security threats. Researchers from the Georgia Institute of Technology have proposed a new piece of software that can detect botnets, named BotSniffer.

Botnets are hard to detect because they use existing protocols such as IRC in ways that make them hard to distinguish from ‘normal’ users.

The researchers explain: “Our approach is based on the observation that, because of the pre-programmed activities related to C&C (command & control, ed.), bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity.”

In other words, when a botnet is commanded, the same command is sent (for example by PRIVMSG) to all the separate bots, which then act in step, whereas human users almost never show such similar behavior at exactly the same time.
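To make the spatial-temporal idea concrete, here is a small added example (my own code, not BotSniffer’s) that runs over a handful of constructed IRC PRIVMSG log lines. It groups messages per channel, looks at a short time window, and flags a channel when many distinct clients send near-identical text inside that window: the pattern that a single C&C command produces and that a room full of humans almost never does. The log format, the window size and the thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample of IRC PRIVMSG traffic as an IDS might log it (not real data).
# Assumed format: "<epoch seconds> <channel> <nick> :<message>"
SAMPLE_LOG = """\
1000 #linux alice :anyone tried the new kernel?
1003 #linux bob :yes, works fine here
1010 #linux carol :mine panics on boot :(
1020 #linux dave :try the backport then
1100 #x9k h0st1 :[update] complete, build 1432
1101 #x9k h0st2 :[update] complete, build 1398
1101 #x9k h0st3 :[update] complete, build 1510
1102 #x9k h0st4 :[update] complete, build 1377
1103 #x9k h0st5 :[update] complete, build 1460
1170 #x9k h0st6 :[update] complete, build 1402
"""

LINE_RE = re.compile(r"^(\d+) (#\S+) (\S+) :(.*)$")


@dataclass
class Msg:
    ts: int
    channel: str
    nick: str
    text: str


def parse_log(text):
    """Turn the assumed log format into Msg records; malformed lines are skipped."""
    msgs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            msgs.append(Msg(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return msgs


def normalize(text):
    # Collapse digit runs so "build 1432" and "build 1398" compare as the same template.
    return re.sub(r"\d+", "#", text.lower()).strip()


def similar(a, b, threshold=0.8):
    """True when two messages are near-identical after normalization."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio() >= threshold


def response_crowds(msgs, window=30, min_clients=4, min_fraction=0.8):
    """Return {channel: (window_start, crowd_nicks)} for channels in which at
    least min_clients distinct nicks sent near-identical text within one window
    and that crowd is at least min_fraction of everyone who spoke in the window."""
    by_channel = defaultdict(list)
    for m in msgs:
        by_channel[m.channel].append(m)

    alerts = {}
    for chan, chan_msgs in by_channel.items():
        chan_msgs.sort(key=lambda m: m.ts)
        for i, first in enumerate(chan_msgs):
            # Fixed window opening at each message in turn.
            in_window = [m for m in chan_msgs[i:] if m.ts - first.ts <= window]
            speakers = {m.nick for m in in_window}
            if len(speakers) < min_clients:
                continue
            # Everyone whose message matches the window's first message forms the crowd.
            crowd = {m.nick for m in in_window if similar(m.text, first.text)}
            if len(crowd) >= min_clients and len(crowd) / len(speakers) >= min_fraction:
                alerts[chan] = (first.ts, crowd)
                break  # one alert per channel is enough for this illustration
    return alerts


if __name__ == "__main__":
    for chan, (ts, crowd) in response_crowds(parse_log(SAMPLE_LOG)).items():
        print(f"{chan}: {len(crowd)} clients answered alike from t={ts}: {sorted(crowd)}")
```

On the sample, #linux produces no alert even though four people talk within thirty seconds, because their messages differ; #x9k is flagged because five distinct nicks post the same template within three seconds. A deployment would tune the window and thresholds to the monitored network and feed the flagged channel and nick set to an analyst rather than acting on it automatically.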

The approach was presented at the Internet Society’s Network and Distributed System Security Symposium last February. Versions of BotSniffer have been tested as a plugin to existing intrusion detection systems such as Snort, though it can also do its work on its own.

The researchers consider the C&C IRC channels the weakest link in a botnet. “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network. Therefore, understanding and detecting the command and controls has great value in the battle against botnets,” the researchers said.

“We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate,” the researchers end their abstract.

Other software packages exist that can detect botnets, such as BotHunter, BotMiner and BotProbe. Security software vendors such as McAfee, Symantec and Trend Micro also have protection built in against these types of malware.

Majority of Junk Traffic Consists of DDoS Targeted at IRC Servers

Security Service Provider Arbor Networks studied the amount of junk traffic over the total sum of Internet traffic, and found some remarkable figures when it comes to IRC traffic.

Over the past 1.5 years the company analyzed data from 70 ISPs. The findings show that on average 4% of all traffic is junk, such as spam and DDoS attacks, topping 1.5 TB of data per second.

Of this 4%, the 1,300 DDoS attacks seen daily on average make up half of the junk traffic. On occasion, DDoS can make up 5% of total Internet traffic. Of the monitored DDoS attacks, the majority consists of TCP SYN floods and ICMP floods targeted at IRC servers.

The same survey showed email traffic making up 1.5% of total traffic. Of this, 66% is spam.

The report with the findings has not yet been published, but the company says it will be available soon.

Hackers Declare War on Scientology

A group of hackers who go by the name of “Anonymous” and use IRC as their base has declared war on Scientology. The group has released texts online that Scientology members normally have to pay for. DDoS attacks on the 18th of January also rendered the church’s website unusable.

The attacks followed Scientology’s attempt to censor a mockup movie featuring Tom Cruise, one of the best-known members of the church. In the movie the actor laughs hysterically and claims that Scientology members are the only people able to save lives after car accidents.

Scientology has since protected its website against DDoS attacks. Anonymous plans real-world protest actions and has set February 10 for a wave of protests at Scientology locations worldwide.

“The so-called Church of Scientology actively misused copyright and trademark law in pursuit of its own agenda,” an Anonymous member said in a press release last week. “They attempted not only to subvert free speech, but to recklessly pervert justice to silence those who spoke out against them.”

Since then the group has released a new video featuring a computerized voice saying: “Anonymous has therefore decided that your organization should be destroyed. For the good of your followers, for the good of mankind and everywhere. You will find no recourse in attack, because for each of us that falls, ten more will take his/her place.”

At the time of writing, almost 2 million people had watched the video.

Anonymous also released the home phone number and social security number of a couple whom they believed to be pro-Scientology hackers. The couple received an anonymous apology by phone when the error was recognized.

Although Operation Clambake is also an organization opposed to the Scientology church, it does not agree with the methods used by the Anonymous group. Webmaster Andreas Heldal-Lund explains: “People should be able to have easy access to both sides and make up their own opinions. Freedom of speech means we need to allow all to speak – including those we strongly disagree with. [...] Attacking Scientology like that will just make them play the religious persecution card … They will use it to defend their own counter actions when they try to shatter criticism and crush critics without mercy.”

Dronerunner Akamai Attack Charged

John Bombard, a resident of Seminole, Florida, has been charged over his alleged attack on service provider Akamai two years ago. Several big companies were affected by the attack, such as Microsoft, Yahoo!, Google and Symantec, the owner of SecurityFocus.

Bombard allegedly commanded the modified Gaobot botnet from an IRC server hosted on his own domain.

If found guilty, Bombard faces 2 years for each charge and a fine of up to $400,000 USD.