IRC-Junkie.org – IRC News

All about Internet Relay Chat

William "nenolod" Pitcock quits DroneBL

William “nenolod” Pitcock, founder and long-time operator of the DroneBL DNSBL, announced in a posting on the project’s mailing list that he’ll discontinue his work on the service “due to time and emotional constraints”, “effective immediately”.

DroneBL DNS Blacklist Logo

DroneBL is one of the few DNS blacklists that is specifically meant to be used by IRC networks.

He writes that coming to the decision to give up his active role was not an easy process, but he deems the project mature enough that the community “can steer its future development focus”, and notes that he’ll continue to provide hosting for the blacklist until the community has made appropriate “alternative hosting arrangements”.

nenolod hands over the operational side of the service to Alexander “OUTsider” Maassen, whom, he says, many already know. nenolod notes that he should no longer be contacted about issues concerning DroneBL, as he won’t be able to help from now on.

Closing the announcement, nenolod writes that it is now time for him to “begin work on other endeavours”.

IRC-Junkie wishes nenolod all the best, whatever those future endeavours might be ;)

Oh and yes indeed, thanks for all the fish!


wsIRC Webchat is now at version 1.0

wsIRC, a new webchat client, is now at version 1.0 – their first release version.

wsIRC Channelview

As you can see from the screenshot, the most important functions are already there: right-click menus for miscellaneous functions such as /WHOIS or /PRIVMSG’ing users, and a Channel Central to handle the most basic modes and bans. Registering your nick or channel through a simple popup is implemented, and the usual buttons for smileys, font colour and style are available too.

Even without registering, your settings are remembered (if you wish to do so) and available when you go online the next time. If you register with wsIRC you can even create simple client-side scripts which you then can use anytime you log on IRC with their client.

Another nice toy that has been implemented is what happens when someone posts a link to a YouTube video: you’ll then see a small preview picture of it in the channel or PM window – neat!

Embedding the client into your own website is allowed and encouraged – there’s a simple tool that lets you create an IFrame or direct link with the options you choose, which you then may embed into your site – great for providing your visitors a simple way to engage in your community.

wsIRC Embedding Code Generator w/ Preview

To keep abusers at bay, the service puts your real IP into the GECOS/realname field and also checks the DroneBL DNSBL.
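One way a webchat or IRC server can perform the DroneBL check mentioned above, as an added example and not wsIRC’s own code: build the reversed-octet query name under DroneBL’s dnsbl.dronebl.org lookup zone and treat only 127.0.0.x answers as listings, so a wildcarded or broken zone cannot lock out every visitor. The sample resolver and all addresses below are constructed; live_resolve_a is the real lookup.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# DroneBL's lookup zone; a client checks the connecting user's address against it.
DRONEBL_ZONE = "dnsbl.dronebl.org"

def dnsbl_query_name(ip: str, zone: str = DRONEBL_ZONE) -> str:
    """Reverse the octets and append the zone: 203.0.113.7 -> 7.113.0.203.dnsbl.dronebl.org."""
    addr = ipaddress.IPv4Address(ip)            # ValueError on anything that is not an IPv4 address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def dnsbl_check(ip: str, resolve_a: Callable[[str], List[str]],
                zone: str = DRONEBL_ZONE) -> Optional[int]:
    """Return the listing code (last octet of a 127.0.0.x answer), or None when not listed.

    resolve_a(name) returns the A records for name, or [] on NXDOMAIN. Only 127.0.0.x
    answers count as a listing; anything else indicates a wildcarded or otherwise broken
    zone and must not be used to reject the connection.
    """
    for answer in resolve_a(dnsbl_query_name(ip, zone)):
        if answer.startswith("127.0.0."):
            return int(answer.rsplit(".", 1)[1])   # DroneBL documents the meaning of each code
    return None

def live_resolve_a(name: str) -> List[str]:
    """Real resolver for production use (not called by the offline sample below)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []                                  # NXDOMAIN: address is not listed

# Constructed answers standing in for live DNS; these are documentation addresses, not real listings.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "7.113.0.203.dnsbl.dronebl.org": ["127.0.0.3"],   # listed
    "9.113.0.203.dnsbl.dronebl.org": ["192.0.2.1"],   # bogus answer from a wildcarded zone
}

def sample_resolve_a(name: str) -> List[str]:
    return SAMPLE_ANSWERS.get(name, [])

def admit(ip: str, resolve_a: Callable[[str], List[str]] = sample_resolve_a) -> bool:
    """Connection policy: refuse listed addresses, admit unlisted ones and lookup failures."""
    return dnsbl_check(ip, resolve_a) is None
```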

The webchat also offers a mobile version which works on iPhones and Windows Mobile devices as well as others when “a good JavaScript support is offered”.

All in all I really have to say it’s a nice client, even more so when you consider it is just at version 1.0 – I’m curious what more they can come up with :)

psyb0t – A stealthy router-based botnet discovered [Updated]

The folks at DroneBL discovered and analyzed a router-based botnet that is suspected to have DDoS’ed them for about 2 weeks.

The bot software, named “psyb0t”, is the “first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems”.

Exploiting routers is in some cases more “useful” than infecting PCs, because “most people will keep the router on 24/7”, as opposed to their computers, which “most people shut down [...] in the evening before they go to bed, or when they leave the office”, nenolod writes. In his paper (written back in 2006, for which at the time he was “called looney”) he also mentions another reason why SOHO routers are attractive targets:

Attacking the router will enable you to monitor network activity with a much higher level of stealth. As most people think the router is a dumb device which simply does NAT translation, it will not be considered a device with a high security risk. Most intrusion analysts at this time will not even consider the router as the place where the malware is hiding.

nenolod, amongst others, disassembled and analyzed the botnet binary, coming to the conclusion that the current incarnation we’re seeing now “was mostly a test botnet”. “Terry Baume discovered the first generation, which only targeted a handful of specific models. The current generation, would be the second generation, which targets a much wider range of devices”.

Version 17 of the malware contains “shellcode for 30 different linksys models, and 10 netgear models, as well as several kinds of cable and dsl modems (15 different shellcodes)”, as well as a list of “6000 usernames and 13000 passwords” which is used for brute-forcing Telnet and SSH logins that are open to the LAN and sometimes even on the WAN side of those routers.

His efforts to shut down the Command & Control channel the bot uses have been successful, and the DNS, which was hosted with afraid.org, has been null-routed. In a conversation held on IRC he also mentions that the “current version is version 18, but he [the author - ed.] has changed the way he obfuscates the executable”, which formerly was packed using the UPX packer.

The now defunct C&C was suspected to control “100,000 hosts at the moment, but the ircd does not give us any information”. The bot in its current incarnation does “hijack DNS for rapidshare” and “phishes login info”, which leads nenolod to believe it is more of a proof-of-concept right now and is going to grow more sophisticated in the future. Asked about the origin of the worm, he says that several traces point to Australia as the country of origin, and given some reports of increased telnet activity there, he could be right.

The bot is able to scan for vulnerable phpMyAdmin and MySQL installations, contains an update function and the usual flooding functionality. It also locks out access to the routers’ control interfaces using iptables rules that deny access to ports 22, 23 and 80. He also notes that the bot is “not linux-specific, a couple of the routers we have seen in the botnet are running VxWorks”.

Detecting the bot isn’t easy, since you’d need to capture and analyze the traffic it sends and receives to find out whether you are infected – which is impossible if the infected device does not have dedicated USB/Ethernet ports through which it can be configured; it then “would require monitoring at the CMTS or DSLAM” level.
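Since detection comes down to watching the device’s own traffic (at the CMTS/DSLAM, or from a mirror port on the LAN), here is an added example, not part of DroneBL’s analysis, of a heuristic such a capture supports: flag a gateway address that itself opens Telnet, SSH, HTTP or MySQL connections to many distinct hosts, which is the scanning and brute-forcing behaviour described above. The flow summary format, the threshold and every address are constructed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Ports psyb0t probes on new victims per the DroneBL analysis: Telnet and SSH
# (dictionary attacks), HTTP (phpMyAdmin) and MySQL.
SCAN_PORTS = {22, 23, 80, 3306}

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse a constructed 'src dst dport' summary, one outbound connection per line."""
    flows: List[Flow] = []
    for line in lines:
        line = line.split("#", 1)[0].strip()      # allow trailing comments and blank lines
        if not line:
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows

def scanning_sources(flows: List[Flow], min_targets: int = 20) -> Dict[str, int]:
    """Map each source that opened SCAN_PORTS connections to >= min_targets distinct hosts
    to its target count. A gateway's own address showing up here is the tell: a router
    has no reason to initiate Telnet, SSH or MySQL sessions to many strangers."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport in SCAN_PORTS:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

# Constructed sample: gateway 198.51.100.1 probing 25 hosts on Telnet/SSH, mixed with
# ordinary traffic from it and from a LAN client (all addresses are documentation ranges).
SAMPLE_FLOWS = [
    f"198.51.100.1 203.0.113.{i} {22 if i % 2 else 23}" for i in range(1, 26)
] + [
    "198.51.100.1 192.0.2.10 443   # normal HTTPS from the gateway",
    "10.0.0.5 192.0.2.20 80        # one LAN client, one web server: not a scan",
    "10.0.0.5 192.0.2.21 22        # a single admin SSH session is not a scan either",
]

def find_compromised_gateways(lines: List[str], gateway_ips: Set[str]) -> Dict[str, int]:
    """Restrict the scan verdict to addresses known to be gateways or modems."""
    return {ip: n for ip, n in scanning_sources(parse_flows(lines)).items() if ip in gateway_ips}

if __name__ == "__main__":
    print(find_compromised_gateways(SAMPLE_FLOWS, {"198.51.100.1"}))   # {'198.51.100.1': 25}
```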

In his posting on the DroneBL blog nenolod writes that they “are looking into finding out more information about this botnet, and its controller. If you have any information, we would like to know.”

Update and patch your routers so they don’t swallow a blue pill :)

Update:

The botnet apparently has been shut down by its owner:

* Now talking on #mipsel
* Topic for #mipsel is: .silent on .killall .exit ._exit_ .Research is over:
 for those interested i reached 80K. That was fun :) , time to get back to the real life... (To the DroneBL guys:
 I never DDOSed/Phished anybody or peeked on anybody's private data for that matter)
* Topic for #mipsel set by DRS at Sun Mar 22 17:02:15 2009

nenolod writes in their blog:

While this information may or may not be true, we have received HTTP-based floods from IPs participating in this botnet.

We are still interested in this DRS person. If you have any information, please provide it to DroneBL. We will not disclose our sources.

Further reading:

http://www.dronebl.org/blog/8