www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

Child Pornography Channelop Receives 8 Years in Prison

A 40-year-old channel operator of a child pornography IRC channel received 8 years in prison.

An investigation led by Interpol resulted in the arrest of 25 channel members worldwide, spread over 10 countries. The channel operator, Brian Martin from Oregon, USA, has now been sentenced to 8 years in prison. More than 5,000 images of child pornography were found on his computer.

The channel served as a trading place where members exchanged newly found child pornography files, including video files.

Martin requested to remain free pending an appeal of his conviction, but U.S. District Judge Ancer L. Haggerty denied that request.

XChat 2.8.7a for Windows Released

Version 2.8.7, released on the 20th of last month, has been superseded by 2.8.7a, Zed announced on the XChat homepage.

This new version is mainly a bugfix release, as the changelog shows.

The XChat Windows release is shareware. Freeware versions are still being released from the otherwise still available open-source code. One such release is from Silverex, but it is an older release, 2.8.4.

Beat Them at Their Own Game

As a recent post also indicated, botnets are considered one of the main Internet security threats. Researchers from the Georgia Institute of Technology have proposed a new piece of software that can detect botnets, named BotSniffer.

It is hard to detect botnets, as they make use of existing protocols such as IRC in ways that make it hard to distinguish them from ‘normal’ users.

The researchers explain: “Our approach is based on the observation that, because of the pre-programmed activities related to C&C (command & control, ed.), bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity.”

In other words, when commanding a botnet, the same command is sent (for example by PRIVMSG) to separate bots, whereas with human users this kind of similar behavior at the exact same time is almost non-existent.
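To make the correlation idea concrete, here is an added example (not BotSniffer's code or algorithm, and not from the researchers) of a much simpler heuristic in the same spirit: flag a channel when several distinct clients send near-identical messages within a short time window. The log format, the sample lines, the window and the client threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: "<epoch seconds> <client IP> PRIVMSG <channel> :<text>"
SAMPLE_LOG = """\
1000 10.0.0.5 PRIVMSG #chat :anyone up for a game tonight?
1004 10.0.0.21 PRIVMSG #x9 :status: idle uptime 4412
1004 10.0.0.22 PRIVMSG #x9 :status: idle uptime 97
1005 10.0.0.23 PRIVMSG #x9 :status: idle uptime 18230
1005 10.0.0.24 PRIVMSG #x9 :status: idle uptime 655
1030 10.0.0.6 PRIVMSG #chat :sure, give me ten minutes
1062 10.0.0.5 PRIVMSG #chat :ok
1300 10.0.0.7 PRIVMSG #chat :ok
"""

LINE_RE = re.compile(r"^(\d+) (\S+) PRIVMSG (\S+) :(.*)$")

def normalize(text):
    """Collapse digit runs so replies differing only in numbers compare equal."""
    return re.sub(r"\d+", "N", text.lower()).strip()

def parse(log):
    """Yield (timestamp, client, channel, message template) per PRIVMSG line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, chan, text = m.groups()
            yield int(ts), src, chan, normalize(text)

def correlated_groups(log, window=10, min_clients=3):
    """Return {(channel, template): clients} where at least min_clients distinct
    clients sent the same message template within `window` seconds."""
    by_key = defaultdict(list)
    for ts, src, chan, tmpl in parse(log):
        by_key[(chan, tmpl)].append((ts, src))
    hits = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            clients = {src for _, src in events[start:end + 1]}
            if len(clients) >= min_clients and len(clients) > len(hits.get(key, ())):
                hits[key] = clients
    return hits
```

On the sample, the four clients in `#x9` are grouped together, while the two human "ok" messages in `#chat` are not: they come from only two clients and are minutes apart.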

The approach was presented at the Internet Society’s Network and Distributed System Security Symposium last February. Versions of BotSniffer have been tested as a plugin to existing intrusion detection systems such as Snort, though it can do its work on its own as well.

The researchers consider the C&C IRC channels the weakest link in a botnet. “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network. Therefore, understanding and detecting the command and controls has great value in the battle against botnets,” the researchers said.

“We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate,” the researchers end their abstract.

Other software packages exist that can detect botnets, such as BotHunter, BotMiner and BotProbe. Security software vendors such as McAfee, Symantec and Trend Micro also have protection built in against these types of malware.

IRCu Family IRCd DoS Exploit

Last month a new bug was found in IRCu family IRCds which can be exploited to crash the server.

In this post on Milw0rm the bug and exploit are explained. IRCu (<= 2.10.12.12) and many derivatives are affected.

IRC-Junkie asked Slug, who found the bug and described it on Milw0rm, how he found the bug. “Core dump from one of our servers,” Slug starts. “send_user_mode in s_user.c does not check that the argument after a +r mode is present, if it is not then the NULL sentinel may be missed, causing the function to iterate over the boundary of the array.”

One way to exploit the bug would be to use the command string /mode nickname i i i i i i i i i i i i i i i r r r r s. Doing so would core the server.

The only cure is to upgrade to the latest version of the IRCd with a fix for this exploit.

Majority of Junk Traffic Consists of DDoS Targeted at IRC Servers

Security Service Provider Arbor Networks studied the amount of junk traffic over the total sum of Internet traffic, and found some remarkable figures when it comes to IRC traffic.

Over the past 1.5 years the company analyzed data from 70 ISPs. The findings show that on average 4% of all traffic is junk, such as spam and DDoS attacks, topping 1.5 TB of data per second.

Of this 4%, an average of 1300 DDoS attacks daily make up half of the junk traffic. But on occasion, DDoS can make up 5% of the total Internet traffic. Of the monitored DDoS attacks, the majority consists of TCP SYN floods and ICMP floods targeted at IRC servers.

The same survey showed email traffic making up 1.5% of total traffic. Of this, 66% is spam.

The report with the findings has not yet been published, but the company says it will be available soon.