www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

Help! My Network is in Servers.ini!

Assuming this was a commonly known fact, it was never reported before on IRC-Junkie. But as I had contact over the past few weeks with several smaller IRC networks, it became clear that not many small networks with servers.ini aspirations realize the potential negative effects of being listed in the world's largest IRC server list.

It is not just humans that make use of this extensive list of IRC networks. You might remember the Fizzer worm which was causing havoc over IRC networks in 2003. That worm created such problems that a special task force was created, named IRC Unity, to tackle the problem. On their website we can read: “irc/unity was formed in May 2003 as a direct result of what was known as the “fizzer crisis”. In early May, the Fizzer worm was becoming a problem for IRC Networks around the world. This was due to the fact that it had a built-in list of IRC servers to connect to, gathered from the mIRC servers.ini file.”

In the last servers.ini update the Beirut IRC Network first got listed. Within a few days I got this email from Nat, who is handling the PR for the network: “Since we got added on servers.ini we are invaded by Turkish porn spambots. We are daily glining about 1000 IPs. Our boys, with the aid of an Undernet scripter, finally started to control the situation, made a script and it started glining them before they reach the channels.”

Among abuse-exploit team members the use of servers.ini by drones and spambots is a known problem. An Undernet abuse-exploits team member who wishes to remain anonymous gives an example. “GTBot (an mIRC client with added backdoors and *.ini files) uses the servers.ini file from mIRC. A GTBot spreads by advertising (amongst others) a URL to other users. (Example: hey look at me in the nude @ http://ip-number-here/me-nude.jpg, which is in reality an EXE file.) It (ab)uses the servers.ini file to go to all networks it contains.”

IRC-Junkie asked Tjerk Vonck, who is the webmaster of mIRC.com, if he is aware of the problem. “No. And really, I doubt there is such a problem”, he replied.

“Making the servers.ini file for non-humans hard to download does not solve this situation”, the Undernet abuse-exploits team member explains. “The abuser could manually download the ini, and put it on his own website.” Tjerk agrees as well: “Especially not since the ini hardly changes over time, so any old copy would do perfectly fine, for normal users, and the drones you’re looking for.”

It seems that, for now, IRC networks with servers.ini aspirations had better realize that being listed can have unwanted side effects.

Norton Internet Security DoS Vulnerability

“I’m not quite sure what the problem is with this, but I’m told it’s a problem with norton personal firewall”: so begins the text at this URL, which has been spreading around IRC like wildfire.

Users of the Norton Internet Security package are disconnected from their IRC server when they receive any message, be it a channel message, a private message or a notice, that contains the words startkeylogger or stopkeylogger.

These two words are commands from the command list of Spybot; Norton released new code for Spybot, and that code introduced this bug.

Some users are now going around populated channels pasting the two commands. Some networks, like EFnet, are acting against such users with kills, as we can see from the publicly available list of last executed kills and their reasons.
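The condition described above, turned into a log check, as an added example that is not from the article or from any network's own tooling: it parses raw IRC lines, flags PRIVMSG and NOTICE bodies containing either word, and lists the targets each sender hit. The sample lines, nicks and hostnames are constructed, and case-insensitive matching is an assumption broader than what the article states.

```python
from collections import defaultdict

# The two words named in the article; matched case-insensitively (an assumption).
TRIGGERS = ("startkeylogger", "stopkeylogger")

def parse_line(line):
    """Split a raw IRC line into (nick, command, target, text); missing fields are None."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)  # the trailing parameter may contain spaces
    if not params:
        return None, None, None, None
    nick = prefix.split("!", 1)[0] if prefix else None
    target = params[1] if len(params) > 1 else None
    text = params[2] if len(params) > 2 else None
    return nick, params[0].upper(), target, text

def scan(lines):
    """Map each sender to the sorted targets that received a trigger-bearing message."""
    hits = defaultdict(set)
    for line in lines:
        nick, command, target, text = parse_line(line)
        if command not in ("PRIVMSG", "NOTICE") or not text:
            continue
        if any(word in text.lower() for word in TRIGGERS):
            hits[nick].add(target)
    return {nick: sorted(targets) for nick, targets in hits.items()}

# Constructed sample traffic (nicks, hosts and channels are made up).
SAMPLE = [
    ":alice!a@host.example PRIVMSG #help :anyone know a good bouncer?",
    ":mallet!m@host.example PRIVMSG #help :startkeylogger",
    ":mallet!m@host.example PRIVMSG #chat :lol StopKeylogger",
    ":mallet!m@host.example NOTICE bob :startkeylogger",
    ":carol!c@host.example TOPIC #chat :startkeylogger jokes are banned",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    for nick, targets in scan(SAMPLE).items():
        print(f"{nick}: trigger word sent to {', '.join(targets)}")
```

A sender that shows up with several distinct targets matches the channel-to-channel pasting the article describes; the TOPIC line is ignored because only PRIVMSG and NOTICE are inspected here.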

DDoS Cripples Hospital

More news concerning DDoS’ers, I’m afraid. Christopher Maxwell, a 20-year-old from Vacaville, California, USA, has been charged with launching a DDoS attack that crippled a hospital. In the hospital, the attack stopped the doctors’ pagers from working and shut down computers in intensive care units.

Maxwell will make his first court appearance on the 23rd of this month.

The botnet is thought to have consisted of 13,000 to 50,000 infected machines which were controlled over IRC.

Although the attack heavily crippled the hospital (Northwest Hospital and Medical Center in north Seattle), nurses quickly switched to using charts and were able to prevent any human harm.

Maxwell and two unidentified juvenile companions used a botnet to display unwanted advertisements on infected computers, which earned them an estimated $100,000.

For his crime, Maxwell can face up to 10 years in jail, a $250,000 fine and payment of damages. Northwest Hospital published that its costs to repair the network were $150,000.

And Another Bites the Dust

Santiago Garrido, 26 years old, decided he would resort to DDoS after he was banned from the Hispano IRC network. The resulting DDoS caused such problems for Spanish ISPs Wanadoo, ONO, Lleida Net and other ISPs that 3 million users were left without a connection. This equals one third of all Spanish Internet users.

Yesterday Garrido (nicked “Ronnie” or “Mike25”) heard the sentence for his act: 2 years in jail, and a 1.4 million fine (roughly $1.6 million USD).