www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

psyb0t – A stealthy router-based botnet discovered [Updated]

The folks at DroneBL discovered and analyzed a router-based botnet that is suspected to have DDoS’ed them for about 2 weeks.

The bot software, named “psyb0t”, is the “first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems”.

Exploiting routers is in some cases more “useful” than infecting PCs, because “most people will keep the router on 24/7”, as opposed to their computers, which “most people shut down [...] in the evening before they go to bed, or when they leave the office”, nenolod writes.
In his paper (written back in 2006, for which he was at the time “called looney”) he also mentions another reason why targeting SOHO routers is a good idea from an attacker’s point of view:

Attacking the router will enable you to monitor network activity with a much higher level of stealth. As most people think the router is a dumb device which simply does NAT translation, it will not be considered a device with a high security risk. Most intrusion analysts at this time will not even consider the router as the place where the malware is hiding.

nenolod, amongst others, disassembled and analyzed the botnet binary, coming to the conclusion that the incarnation we’re seeing now “was mostly a test botnet”. “Terry Baume discovered the first generation, which only targeted a handful of specific models. The current generation would be the second generation, which targets a much wider range of devices”.

Version 17 of the malware contains “shellcode for 30 different linksys models, and 10 netgear models, as well as several kinds of cable and dsl modems (15 different shellcodes)”, as well as a list of “6000 usernames and 13000 passwords” that is used for brute-forcing Telnet and SSH logins which are open to the LAN and sometimes even on the WAN side of those routers.

His efforts to shut down the Command & Control channel the bot uses have been successful, and the DNS name, which was hosted with afraid.org, has been null-routed. In a conversation held on IRC he also mentions that the “current version is version 18, but he [the author - ed.] has changed the way he obfuscates the executable”, which formerly was packed using the UPX packer.

The now defunct C&C was suspected to control “100,000 hosts at the moment, but the ircd does not give us any information”. The bot in its current incarnation does “hijack DNS for rapidshare” and “phishes login info”, which leads nenolod to believe it is more of a proof-of-concept right now and will grow more sophisticated in the future. Asked about the origin of the worm, he says that several traces point to Australia as the country of origin, and given some reports of increased telnet activity there, he could be right.

The bot is able to scan for vulnerable phpMyAdmin and MySQL installations, contains an update function and the usual flooding functionality. It also disables access to the router’s control interfaces using iptables rules, denying access to ports 22, 23 and 80. He also notes that the bot is “not linux-specific, a couple of the routers we have seen in the botnet are running VxWorks”.

Detecting the bot isn’t easy, since you would need to capture and analyze the traffic it sends and receives to find out whether you are infected, which is impossible if the infected device has no dedicated USB/Ethernet port for configuration; detection then “would require monitoring at the CMTS or DSLAM” level.
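Two of the behaviours described above are at least partly visible from the LAN side without CMTS/DSLAM access: the router suddenly refusing its own management ports 22/23/80, and the router’s DNS answers for rapidshare differing from a trusted resolver. The script below is an added example written for this page, not code from DroneBL or from the article; it assumes the router is the LAN’s DNS server, that the operator knows those ports used to be reachable, and that a reference resolver is reachable, and all addresses and the sample reply in its test are constructed placeholders.

```python
import random
import socket
import struct

def probe_port(host, port, timeout=2.0):     # TCP connect check from the LAN side
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def _skip_name(data, off):                   # step over labels or a 2-byte pointer
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_a_answers(data, txid):
    """Set of IPv4 strings in the answer section of a DNS reply to txid."""
    rid, flags, qd, an = struct.unpack("!HHHH", data[:8])
    if rid != txid or not flags & 0x8000:    # wrong id or not a response
        return set()
    off = 12
    for _ in range(qd):                      # skip the question section
        off = _skip_name(data, off) + 4
    answers = set()
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if (rtype, rclass, rdlen) == (1, 1, 4):  # A record, class IN
            answers.add(socket.inet_ntoa(data[off + 10:off + 14]))
        off += 10 + rdlen
    return answers

def dns_a_query(name, resolver, timeout=2.0):
    """Minimal stdlib UDP A lookup sent to one chosen resolver (53/udp)."""
    txid = random.randrange(65536)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    query = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (resolver, 53))
            data, _ = s.recvfrom(512)
    except OSError:
        return set()
    return parse_a_answers(data, txid)

def assess(port_open, router_answers, reference_answers):
    """The two LAN-visible symptoms the article names: all management ports refused, DNS mismatch."""
    blocked = not any(port_open.get(p, True) for p in (22, 23, 80))
    mismatch = bool(router_answers and reference_answers and not router_answers & reference_answers)
    return {"mgmt_ports_blocked": blocked, "dns_mismatch": mismatch}
```

Feed `assess()` the results of `probe_port()` for ports 22, 23 and 80 against the router’s LAN address, and of `dns_a_query("rapidshare.com", ...)` once against the router and once against a reference resolver; a positive result is only an indicator, not proof of infection.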

In his posting on the DroneBL blog nenolod writes that they “are looking into finding out more information about this botnet, and its controller. If you have any information, we would like to know.”

Update and patch your routers so they don’t swallow a blue pill :)

Update:

The botnet has apparently been shut down by its owner:

* Now talking on #mipsel
* Topic for #mipsel is: .silent on .killall .exit ._exit_ .Research is over:
 for those interested i reached 80K. That was fun :) , time to get back to the real life... (To the DroneBL guys:
 I never DDOSed/Phished anybody or peeked on anybody's private data for that matter)
* Topic for #mipsel set by DRS at Sun Mar 22 17:02:15 2009

nenolod writes in their blog:

While this information may or may not be true, we have received HTTP-based floods from IPs participating in this botnet.

We are still interested in this DRS person. If you have any information, please provide it to DroneBL. We will not disclose our sources.

Further reading:

http://www.dronebl.org/blog/8

DALnet releases Bahamut IRCd 1.8.6

After more than 2 years of silence the DALnet Coding Team released a new version of Bahamut, an IRCd mainly used on DAL.net.

First released as version 1.8.5, it was followed shortly by a bugfix release after a bug was found in channel mode +c, which sometimes not only prevented control characters such as bold and underline from being sent but also stripped legitimate messages that contained certain Arabic and Hebrew characters.
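As an added illustration of the +c problem (this is not Bahamut’s code, and the page does not say what the defect in msg_has_ctrls() was), the check below separates IRC formatting codes from ordinary text by working on raw bytes, so multi-byte UTF-8 characters such as Arabic or Hebrew never trigger it; the last function is a constructed example of one common way such a byte-range check can misfire, and the text samples in its test are constructed.

```python
import re

# IRC formatting codes: bold, colour (optionally followed by fg[,bg] digits),
# reset, reverse and underline.  Matching on raw bytes keeps every byte >= 0x80,
# i.e. all UTF-8 text such as Arabic or Hebrew, out of the match.
IRC_CTRL_RE = re.compile(rb"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1f]")

def has_irc_ctrls(msg: bytes) -> bool:
    """True if the message carries an IRC formatting code (what mode +c blocks)."""
    return IRC_CTRL_RE.search(msg) is not None

def strip_irc_ctrls(msg: bytes) -> bytes:
    """Remove formatting codes, including colour arguments, leaving the text intact."""
    return IRC_CTRL_RE.sub(b"", msg)

def has_ctrls_signed_char_pitfall(msg: bytes) -> bool:
    """Constructed illustration, NOT Bahamut's code: a C-style `c < 0x20` test
    performed on a signed char.  Bytes 0x80-0xFF read as negative numbers, so
    any non-ASCII message is misreported as containing control characters."""
    for b in msg:
        c = b - 256 if b >= 0x80 else b     # what a signed char would hold
        if c < 0x20:
            return True
    return False
```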

We took the time to ask Epiphani, the Coding Team’s team leader, a few questions about his IRCd and its history:

- The last release, 1.8.4, was over 2 years ago – why did it take so long for 1.8.5 (and now 1.8.6) to be released?

It’s mostly been two reasons:

1. We didn’t really have a lot of minor things we wanted to work on.

Bahamut has been stable and effective for several years, and while there are enhancements that we’d like to implement, those enhancements are more major changes than they are small updates.

We did have a few fixes come through the pipe, such as security fixes and minor other fixes (such as updated x64 support), and we decided to roll them into a patch release.

2. Life gets in the way of open source development sometimes.

At present, the team is mostly idle as life has started eating most of their time. I’ve had a few changes in my life recently that have allowed me to put more time into Bahamut once again, so I’m hoping we can revive some development.

We’ve also changed some of our processes (including a move from subversion to git) so we’re hoping to get more involvement from the community in the future.

- The list of changes introduced with this release does look small compared to the ones introduced with 1.8.4 – what, in your opinion, are the most important ones?

Mostly the security updates.

For example, we removed zlib from the distribution and made it an external dependency, due to security updates from the zlib people – we didn’t want to have to release every time zlib has an issue.

There were also a few fixes for “IP leaks” where hub IPs could be shown to normal users in certain edge cases.

- Are there any changes that are noticeable on the user side of things?

Nope, not in this release.

- When did the development on Bahamut start and why?

I believe the project kicked off sometime in late 1998, with the first public release in 1999. I can’t really remember, that was a good while ago. :)

The Bahamut project came about due to some of the performance concerns around the former DALnet ircd, Dreamforge.

Back in 1999 DALnet was growing very fast, and the hardware we were running on wasn’t terribly fast.

We needed to be able to support over 6000 clients on a 250 MHz machine, and Dreamforge simply didn’t perform to those levels. Once we rolled out Bahamut, we started seeing much better performance.

I believe somewhere in 2001 we hit our record with around 45,000 clients on a single 900 MHz AMD Duron machine with 512 megs of RAM.

- Is there anything you’d like to mention?

We’re always looking for contributors to Bahamut.

We have a wishlist of features, including IPv6 and other such things, that anyone is welcome to code up and provide patches for to the dalnet-src [at] dal.net mailing list.

We are mostly interested in people with the initiative to bounce ideas around on the mailing lists and go off and code!

The complete list of changes between 1.8.4 and 1.8.6 is below:

- Fixes for x64 – this is a combination of Kobi’s work and my own.
- Fixed m_part() and m_quit() to ignore part/quit reasons from squelched users.
- Fixed compiler errors with gcc4.
- Changed a debug message that could leak servers’ IPs to ADMIN_LEV. Thanks key!
- Fix configure tests for zlib removal.
- This patch is intended to mark SVSHOLDs as SBAN_SVSHOLD to stop them from being removed by a kill -HUP
- Fix several small issues where IPs would be displayed when they shouldn’t be, from Kobi (kobi [at] dal.net)
- Do not display uplink of ulined servers, from Kobi (kobi [at] dal.net)
- Fix slight errors in m_who argument parsing, from kobi (kobi [at] dal.net)
- Do not display warnings about juped servers attempting to commit, from Kobi (kobi [at] dal.net).
- Fixed m_invite to honor umode +R and silence restrictions.
- Two small rwho fixes to option parsing, from Kobi (kobi [at] dal.net)
- Add hooks for several events
- Remove zlib from the distribution – rely on the library provided by the system.
- Fix msg_has_ctrls() so it doesn’t block non-control characters.

Bahamut IRCd can be downloaded from here.

Thanks go to Epiphani for the short interview and to the wants-to-stay-anonymous tipster for the tip! :)

InspIRCd releases 1.2.0rc2 "PepperSteik"

A little over 4 weeks after the release of rc1 in the 1.2 branch, the InspIRCd project announces a new release candidate of its IRCd.

The release, called “PepperSteik”, is a recommended update since, among a few new features, it also fixes a security issue where other linked IRCds wouldn’t have their password checked on connect. A few bugs have also been fixed, which further adds to the IRCd’s stability.

Developer w00t calls the following items the “most notable new features” in this release:

  • Add fantasy:allowbots (to allow +B users to use fantasy commands)
  • Allow forced nick changes to override mode +N, nicklock, etc
  • Allow non-opers to use /MKPASSWD
  • Add /SAKICK command (provided by m_sakick)
  • Operoverride OTHERMODE is no longer required in addition to MODEOP to op/deop/etc. people

Another developer nicknamed danieldg has joined the development team since the last release – w00t thanks him “for his sterling contributions over the past week” and hopes that he “feels welcome and will stay around for a very long time”.

The full changelog can be found here and the direct link to the download is here. There currently is no Windows binary build available due to them “not having the usual build infrastructure in place” but it will be provided “as soon as is possible”.