– IRC News

All about Internet Relay Chat

Some UnrealIRCd downloads trojaned [Update 3]

Syzop of the UnrealIRCd project just posted an announcement on their mailinglist and forums that some versions of their IRCd have been compromised and had a backdoor added which went unnoticed for quite a while.

The first signs of the compromise have been traced back to November 2009 and Syzop writes that “Any Unreal3.2.8.1.tar.gz downloaded BEFORE November 10 2009 should be safe, but you should really double-check”.

Only the source downloads (.tar.gz) are affected from this hack. Windows users, copies checked out from their CVS as well as users of older versions are safe and don’t need to check – everyone else should ensure they’re running a clean version of UnrealIRCd since the backdoor allows an attacker to issue and execute commands as the user the IRCd is running as, which essentially means your shell could easily compromised despite all other security measures.

Checking if your IRCd is one of those trojanized copies can easily be done either checking with md5sum or grep’ing the source for the backdoored code:

Run ‘md5sum Unreal3.2.8.1.tar.gz’ on it and compare the resulting sum to the checksums below:

Backdoored version (BAD) is: 752e46f2d873c1679fa99de3f52a274d
Official version (GOOD) is: 7b741e94e867c0a7370553fd01506c66

or use the command ‘grep DEBUG3_DOLOG_SYSTEM include/struct.h’ from your Unreal3.2 directory – if this outputs 2 lines you’re running the trojanized version and need to get yourself a fresh and clean copy of the IRCd and recompile it since the compromised section is in the IRCds core and “it is not possible to ‘clean’ UnrealIRCd without a restart or through a module”.

Syzop writes that they have take precautions so such a compromise can never happen again and if it does that it’ll be noticed more quickly. They’re also planning to reimplement PGP/GPG signing of the releases which “in practice (very) few people use” but “still [will] be useful for those people who do”.

Closing his announcement he writes that he’d like to “apologize about this security breach. We simply did not notice, but should have. We did not check the files on all mirrors regularly, but should have. We did not sign releases through PGP/GPG, but should have done so. Hope you’ll all continue to support UnrealIRCd”.

The full announcement can be read here and the advisory can be found here.

[Update]: Servers running the trojanized versions of UnrealIRCd should be updated as soon as possible since HD Moore, the creator of the Metasploit exploitation framework, already released a module for it – but even without that the security hole is really simple to exploit.

Also, here is a .sh script that might help you in the upgrade process – at least one user on the UnrealIRCd forums claimed it worked for him (although no kind of guarantee is given neither by the author nor by me).

[Update 2]: Syzop just posted a follow-up in which he writes that their releases are “from now on signed with GnuPG (PGP) again”.

[Update 3]: In an email to the UnrealIRCd mailinglist, Syzop elaborates on the GPG/PGP signing and says that there will be instructions on how to verify the key when you download the future releases. He also goes into some detail which precautions the team has taken that such an incident “will never ever happen again”. He rightfully criticizes certain news-outlets that claimed it was the fault of the Open Source model and even Linux (*cough*ZDNet*cough*) – some websites even confused the IRCd with EPIC softwares first-person shooter Unreal Tournament.

  Copyright secured by Digiprove

UnrealIRCd team releases patch against Firefox XPS Attack

In a posting on the UnrealIRCd project website, coder Syzop announced a module that can help mitigate and completely stop the so-called “Firefox XPS Attack” (NSFW link).

The attack, which exploits the fact that malicious JavaScript can send arbitrary data to a wide range of ports, gained publicity when it was used against the freenode network over a period of a few weeks.

Even though the Mozilla project has a blocklist of ports that are specifically not allowed to be communicated to, the port commonly used by IRC networks (6667) was not on those lists.

The attack – which ironically doesn’t affect Safari, Internet Explorer or Firefox with the NoScript extension – only works if the targeted IRC server does not use anti-spoofing measures before proceeding to the login phase.

UnrealIRCd generally is immune to the threat when it was compiled with the NOSPOOF feature which is enabled by default for the Windows builds but an option that defaults to “no” on Linux (“Do you want to enable the server anti-spoof protection?” – the first question on ./Config).

With the module you can now instantly K/G/Z:Line such connections and therefore prevent them from filling up connection slots which might cause a DoS situation before they eventually time out. For maximum efficiency it is recommended you use both the module and the NOSPOOF option, however one works fine without the other.

To test whether your IRCd is vulnerable or the implemented measures against the attack are effective you can find the code that has been used against freenode here.

Thanks for the tip go to katsklaw!

Australian ISPs unite to disconnect botnet zombies

Yesterday a group consisting of major Australian ISPs – amongst them are Optus, Telstra, Vodafone, AAPT, Virgin, Hutchison 3G as well as Facebook, Google and Microsoft – announced that they prepare “a voluntary industry code to come into force this year” which could mean that “Computers infected with viruses could be “expelled” from the internet”.

The Internet Industry Association, which is made up of over 200 ISP and IT-related companies, is preparing that code in response to an ultimatum of the federal government.

Even though similar efforts have been reported in the past, Australia advanced to be #3 regarding botnet activity worldwide – only beaten by the U.S. and China. Interestingly, Australia wasn’t even to be found in the Top10 of McAfee’s Global Threat report 2 years ago

The sheer abundance of potential victims also explains why it is relatively cheap – 25$ per install – to get malware such as fake anti-virus solutions installed on Australian computers.

The internet industry’s voluntary code of conduct is being pushed by the federal Department of Broadband, Communications and the Digital Economy which wants to make the ISPs contact offending customers first before stepping up to more drastic measures like reducing the customers speed or changing their password so they have to contact the helpdesk.

As a last resort, the customers connection will be terminated if they fail to clean up the infection in a given timeframe.

If this gets done right it could very well mean a new era for all of us, meaning less spam, DDoS and other common nuisances found on todays internet.

What do you think about that? Should other countrys follow suit?

IRC-controlled botnet SDBot is still going strong

Despite being already over 5 years old, SDBot and its variants are still going strong and haven’t followed the decline that other similar threats have taken.

Using IRC as a control channel for botnets is one of the older, possibly even the oldest method around – the newer bots most of the time use either P2P or HTTP for their control, allowing them to be stealthier and harder to trace back than their IRC-using counterparts.

But against all trends and all the hype over takedowns of big botnets of the recent years SDBot is still around and is now mostly being used to install pay-per-install software like fake Antvir and other malware. “A botnet owner gets paid to install malware on infected PCs. For instance, a FAKEAV creator pays the SDBOT gang, which already owns an IRC botnet and controls thousands of infected machines, to easily push the FAKEAV files to systems.” TrendMicro writes in their blogpost.

This is pretty big business, targeted installations of Fake AV products can earn the botnetters up to $150 – per user.

Why SDBot is still around is easily explained: It managed to be stealthy as it didn’t interrupt with the infected computers activities as much as its relatives.

TrendMicro notes “the only remaining question is, “Why use an ‘old’ technology such as an IRC botnet when lots of newer technologies can already be seen in the wild?” The answer is quite simple—because this kind of botnet is currently off the radar unlike several others (DOWNAD, ZEUS, WALEDAC, KOOBFACE, ILOMO, and PUSHDO), which are consistently being monitored by researchers. Using a simple but effective type of botnet makes cybercriminals feel like they are in “heaven.” They can opt to use not only one but several ways to spread malware.”

During their research they tried to track back to the origin of the botnet and stumbled upon the domains, and that are related to this malware. “These findings suggest that these threats could originate from the Albanian, Macedonian or Montenegro regions” they conclude in their paper.

TETOVO, 91200

To avoid becoming part of the botnet, TrendMicro advises to “not click links sent via IM applications, especially if you do not know who sent them, update your security applications regularly to decrease the chances of becoming infected” and not to “open unsolicited email or spam”.

Stay safe! ;)

Vulnerability in Eggdrop / Windrop 1.6.19

A vulnerability in the Eggdrop and Windrop bot has been found which prompts a new release.

The vulnerabilitiy is present in both latest versions of the bot software 1.6.19 which has been released back in April 2008.

A posting on the Full Disclosure mailinglist goes into more detail, describing how one can at least crash vulnerable bots:

One possible exploit anyone can send to the IRC server to crash eggdrop:

PRIVMSG eggdrop :\1\1

The only resolution at this time is upgrading old bots with the provided fix.