– IRC News

All about Internet Relay Chat

Nessun Goes to Jail

In May 2004 IRC-Junkie reported about the ongoing problems for the IRCHighway network caused by DDoS. In June of this year Jason Michael Downey, known as Nessun and owner of the network Rizon, was arrested for these problems.

This PDF outlines the sentence Nessun heard on the 23rd of this month. We can read: “Jason Michael Downey, the operator of “bot network” of virus infected computers that he used to attack other computer systems, was sentenced to a year in federal prison today on his conviction for unlawful computer intrusion that caused over $20,000 in damages to other computer networks, United States Attorney Stephen J. Murphy announced today.”

After the jail sentence Nessun will have a 3 year supervised period during which he will need to ask permission before he can use a computer. He will also have to pay $21,110 in damages to the (IRC) networks the DDoS was aimed at. Finally he will have to do 150 hours of community service and pay a $100 special assessment.

During speaking out the sentence judge Edmunds explained that computer crime has a serious impact on society and that a severe punishment was in order.

United States Attorney Stephen J. Murphy said, “The so-called “bot-masters” on the Internet should realize that attacking and damaging other computer networks through a bot-net can land you in prison.  We have the capacity to investigate and prosecute these high tech crimes and we will continue to do so.  I commend the FBI for the excellent investigative work they did in this case.”

McAfee: Botnets Threatens National Security

Remarkable news released by researchers from McAfee this week. Baylor and Brown, researchers at McAfee warn that the national security of multiple countries are threatened by the existence of botnets.

“A botnet of one million bots, with a conservative 128 Kbps broadband upload speed per infected bot, can wield a powerful 128 gigabits of traffic,” the whitepaper reported. “This is enough to take most of the Fortune 500 companies (and several countries) offline using DDoS attacks. If several large botnets are allowed to join together, they could threaten the national infrastructure of most countries.”

In the whitepaper, McAfee suggests that intrusion prevention systems (IPS) are the best way to prevent PC’s becoming part of a botnet.

Allysa Myers from McAfee’s Avert Labs believes a radical change in security strategy is necessary, such as only allowing known traffic to prevent all malicious traffic that can include attacks to overtake PC’s.

“Things are looking fairly grim as the rise in the number of variants of IRC bots has grown by leaps and bounds over the last couple of years. Strictly using string-based detection against the unending tide certainly appears to be a lost cause,” Myers said.

Nessun: "Because I Could"

Nessun, owner of the Rizon IRC network, has been named before on this website as source of DDoS attacks. IRC-Junkie was unaware that one of the three suspects reported about in the “FBI Arrests Three Botherders” article written 10 days ago, namely Jason Michael Downey, is in fact the same Nessun.

Downey, 24, has pleaded guilty for operating a botnet and computer fraud. Asking his reasons behind performing DDoS attacks U.S. District Judge Nancy G. Edmunds heard his reply: “I was doing it because I could, more than anything,” Downey replied. “It was a dumb thing to do.”

With a plea agreement he can face up to 24 months in prison and pay a $40,000 fine. A total of $21,000 may have to be paid to cover costs resulted from his attacks.

Downey will hear his sentence on October 10th.

FBI Arrests Three Botherders

With the arrest of three suspect botherders the FBI discovered botnets that consist of about a million infected machines worldwide. Amongst the charges for the three are spamming and infecting IT systems at hospitals.

The operation took place under the name “Operation Bot Roast”, which is an on-going operation to hunt down botnets and their owners.

Among the three men arrested is Robert Soloway from Seattle, a long time spam king. Another man, Downey, controlled his botnet consisting of Agobot infected machines from an IRC server and performed DDoS attacks.

The FBI will try and warn the 1 million owners of infected machines and point them to safe computing practices.

IRC Still Most Used Platform for Botnets

Although botnet masters increasingly use platforms other then IRC to command their zombie networks, it remains the biggest platform in use to date.

These botnets are being used by malicious users to perform DDoS attacks, collect personal data such as banking info and creditcard details and for example to use as a base to send spam. The machines used in the botnets are usually compromised home PC’s.

About 75% of the software used in botnets consists of Sdbot and Gaobot. “This dominance is not so much due to any special features of Gaobot or Sdbot, but simply because their code is much more widely available on the Internet. This means that any criminals that want to make a bot can simply base it on the source code of these threats, making any modifications they choose. Essentially, this saves them a lot of work,” said Luis Corrons, technical director at PandaLabs.

IRC networks have been very active in hunting and shutting down botnets. Also security software such as firewalls increasingly warn users for IRC traffic, adding to the chance that the compromised machine is being cleaned. To prevent detection, the botnets increasingly are making use of HTTP, normal website traffic which is far less being looked suspiciously at. Also peer-to-peer type of networks are now in use.

“Control through IRC is useful for controlling isolated computers. However, this system is not so useful when it comes to botnets. By using HTTP, bot herders can control many more computers at the same time, and can even see when one of them is online or if the commands have been executed correctly,” Corrons continued.