www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

IRCSpy Releases AutoXDCC

IRCSpy, a website built around a search engine that indexes downloads being offered on IRC, released AutoXDCC today.

“This new program has been in the works for the last few months by the staff here at IRCSpy. AutoXDCC makes downloading via XDCC using IRCSpy as easy as one click. There is no need to copy and paste troublesome commands into your IRC Client”, author Xanthus announced on the IRCSpy website.

Once you have completed a search on the website and want to download one of the results, clicking a special icon adds the download to the AutoXDCC program.

“AutoXDCC allows for multiple downloads on various networks at the same time. The program associates to a special .xdcc file extension which will be made available for download on our search engine.”

More information and the download link can be found here.

Honeynet Project Releases Paper on Botnets

As you can see in the sidebar of IRC news I collect for you, there is big news today. Lately there has been a lot of coverage in the general media about identity theft, DDoS nets and the like, but the paper on botnets released by the Honeynet Project gave quite a boost to the number of articles on this subject today.

The paper explains in great detail the research the project did on botnets, specifically those that use IRC to receive their commands from the drone-runner.

“These days, home PCs are a desirable target for attackers. Most of these systems run Microsoft Windows and often are not properly patched or secured behind a firewall, leaving them vulnerable to attack”, the paper’s introduction begins. As the number of broadband connections rises, the crackers use these machines to their own advantage. Once a machine is infected, an IRC bot is installed on it that joins a channel where the cracker can control the machine with commands. The Honeynet Project has found nets numbering in the tens of thousands.

The paper explains that the average time before the machines were infected was below 10 minutes. “The shortest compromise time was only a few seconds: Once we plugged the network cable in, an SDBot compromised the machine via an exploit against TCP port 135 and installed itself on the machine.”

The infected machines that scan for new vulnerable machines look particularly for Windows machines that are not yet patched against known vulnerabilities. For one machine in Germany participating in the research, these scans made up 80% of the total traffic.
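The scanning behaviour described above (a compromised host fanning out to many different hosts on TCP port 135, with those attempts dominating its traffic) is something a defender can spot in ordinary connection logs. The following is an added example, not code from the Honeynet paper or from IRC-Junkie: it parses a constructed connection log (the `<src> -> <dst>:<port>` line format, the IP addresses and the thresholds `min_targets` and `min_share` are all assumptions made for the example) and flags sources whose port-135 fan-out looks like worm-style scanning rather than normal client use.

```python
import re
from collections import defaultdict

# Constructed sample (not from the Honeynet paper): one outbound TCP connection
# attempt per line, "<src> -> <dst>:<port>". 10.0.0.5 plays the infected host
# fanning out to many distinct hosts on port 135; 10.0.0.7 is a normal client
# that talks to one file server on 135/445 and otherwise browses the web.
SAMPLE_LOG = """\
10.0.0.5 -> 192.168.1.10:135
10.0.0.5 -> 192.168.1.11:135
10.0.0.5 -> 192.168.1.12:135
10.0.0.5 -> 192.168.1.13:135
10.0.0.5 -> 192.168.1.14:135
10.0.0.5 -> 192.168.1.15:135
10.0.0.5 -> 192.168.1.16:135
10.0.0.5 -> 192.168.1.17:135
10.0.0.5 -> 203.0.113.9:80
10.0.0.5 -> 203.0.113.9:443
10.0.0.7 -> 203.0.113.9:80
10.0.0.7 -> 203.0.113.20:443
10.0.0.7 -> 192.168.1.2:135
10.0.0.7 -> 192.168.1.2:445
"""

# Assumed log line format for this example.
LINE_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")


def parse_connections(text):
    """Yield (src, dst, port) tuples from the log; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_scanners(text, port=135, min_targets=5, min_share=0.5):
    """Flag sources that contact at least `min_targets` distinct hosts on `port`
    and whose attempts on that port make up at least `min_share` of all their
    outbound connections. Returns {src: (distinct_targets, share)}.

    Both conditions are required: a file server legitimately contacted on port
    135 by many clients does not make each client a scanner (few targets), and
    a busy host with a handful of port-135 connections is not dominated by them
    (low share)."""
    total = defaultdict(int)       # all connection attempts per source
    on_port = defaultdict(int)     # attempts on the watched port per source
    targets = defaultdict(set)     # distinct destinations on the watched port
    for src, dst, p in parse_connections(text):
        total[src] += 1
        if p == port:
            on_port[src] += 1
            targets[src].add(dst)

    flagged = {}
    for src, hosts in targets.items():
        share = round(on_port[src] / total[src], 3)
        if len(hosts) >= min_targets and share >= min_share:
            flagged[src] = (len(hosts), share)
    return flagged


if __name__ == "__main__":
    for src, (n, share) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts on port 135, {share:.0%} of its traffic")
```

On the constructed log only 10.0.0.5 is flagged (8 distinct targets, 80% of its connections on port 135); 10.0.0.7's single port-135 connection to a file server stays below both thresholds. In practice the same logic runs over flow or firewall logs, and a flagged internal host is a candidate for isolation and patching rather than proof of compromise on its own.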

The researchers found that to host these botnets, the crackers often made use of Unreal IRCd. “Unreal IRCd is cross-platform and can thus be used to easily link machines running Windows and Linux. The IRC server software is stripped down and modified to fit the botnet owners needs”, the paper explains.

During the project the researchers were regularly able to get a snooping client into the control channel and watch the crackers issue commands. Once they saw a cracker command the bots to update, together with a nick change. What he did not realise, however, was that he had picked a character not supported by the IRCd, effectively losing his 3000-bot network, which would now be DDoS’ing his own command server with constant connection attempts. In a second case the researchers saw the owner of a DDoS company using a botnet to DDoS his competitors. He was using his own server to host the bots, and the nicks of the bots were the same as the name of the support channel for his company. “These individuals demonstrate how even unskilled people can run and leverage a botnet”, the paper concludes.

“Our observations showed that often botnets are run by young males with surprisingly limited programming skills”, the paper continues. “The scene forums are crowded of posts like “How can i compile *” and similar questions.” Only a small portion of the crackers studied were regarded as skilled. These people used only one-letter nicks, came online only to issue a command and then disconnected again, used modified IRCds, and used updates and code that were well written. “Probably these people use the botnets for commercial usage and “sell” the services.”

DALnet AKILLs FDCservers Colocation Center

Recently, DALnet decided to AKILL all customers of FDCservers, a co-location company at which quite a few shell providers have their servers located.

Ahnberg, admin at DALnet, explained to IRC-Junkie in a response: “I’ve heard that the abuse from them over the years has been extremely large, and that the staff working with this and the chaos their users and subcompanies (shellproviders renting rackspace, I guess) cause to our network. It is a very bothersome and time-straining thing to have to handle for our colleagues.”

Psyxakias, admin of the SharkTECH shellcompany explains; “We helped by managing DALnet abuses (in the last 2 months) in order to provide even better connectivity to all FDC/Shark clients by connecting to DALnet IX network. Although we managed all abuse reports (even the ones without logs), DALnet proceeded to the AKILL (which now say it was planned in the last 6 months) and now declines to talk to anyone further than FDCservers.”

DALnet stopped this cooperation because of the way logs were treated by the shell companies. DALnet’s Jim explains on the FDCservers forum: “It is an accepted rule of abuse handling that upstream providers (in this case SharkTech) DO NOT pass on, verbatim, abuse reports to their clients. This is accepted practice across the internet and serves to protect both those making the complaint and the upstream provider.”

At this point no contact has been made between DALnet and FDCservers in order to resolve this issue, with the thread on FDCservers’ site quite lively on the subject.

edit: Psyxakias contacted me and pointed out an error I made in the article; SharkTECH is not a shell company: “We provide dedicated servers (not even virtual servers) & managed hosting”, Psyxakias explained. Apologies for the inconvenience.

Freenode Policy Changes Force Channels to Move/Rename

New policies concerning channel ownership are causing some stir amongst channel managers on this network, which is primarily used as a base of realtime communication for open source projects. In short, the name of the channel must be “contingent on your group’s ownership of that name, legally or informally”, as the policy explains. If you have no rights over the channel name, you must begin the channel name with an extra #, for example ##foo instead of #foo.

The channel manager of #photography explains on his blog: “Yesterday, it was made known to me that channels had to be re-registered. I went to fill out the form (of which the URI was pasted to me in a /msg), and put all the pertinent info into the necessary fields (which seemed like most every field; there was no red star or bolding or anything else which would show priority).”

Within half an hour Lilo (admin on Freenode) messaged #photography’s manager that #photography had to be moved either to #foo (where foo is a domain under the TLD .com, .net or .org which the manager owns) or to ##photography.

Lilo explains on the blog: “The problems occur when an external project comes to the network for the first time, and discovers that it has no control over the channels bearing its name. We want projects to be able to own their channels. We also want it to be easy to distinguish between official channels of some project or group, or unofficial channels which are run by somebody else.”

The policies, which were introduced a few months ago, are now slowly being put into effect, as with the official channels #gentoo and #fedora, and ##slackware, which is not an official channel. The channel #photography has since been moved to #photogeeks.

Lilo ends, “I’m sorry for the irritation factor involved; we did try to post the link to the policy document in a prominent place on the website, but sometimes it just doesn’t occur to people that freenode is anything but the usual sort of IRC network. Apologies for the difficulties.”

Google's Desktop Search Tool Includes mIRC Plugin

Google has now released its Desktop Search utility, previously available only as a beta, as a full version.

Running from the desktop it can perform searches over the Net, but it also searches the user’s own system. It quietly indexes the user’s system and displays local matches above those found on the Net.

Possibilities include searching through your own email and viewed pages from Netscape, Mozilla, Thunderbird and Firefox. Google hired Ben Goodger, a developer of Firefox, for this task. Other possibilities include searching through metadata in AVIs, image formats, etc.

The program can also be extended with plugins. One such plugin is Larry’s mIRC Indexer. From the page’s description: “Use Google Desktop Search to search through your mIRC two-person private messages (PMs). mIRC is one of the most popular IRC applications on Windows.” The plugin’s source is also available.

One of the concerns users have expressed about the tool is that Google could effectively use it to spy on users’ systems, or to display contextual ads. Google has so far denied planning such ‘functionality’.