www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

Category Archives: Botnets/DDoS

GeekShed suffers from DDoS

GeekShed, the “free to use and family-friendly Internet Relay Chat network”, is currently suffering from a large scale DDoS attack that cripples their infrastructure consisting of 15 servers.

Even though those servers are in datacentres that offer DDoS-protection and are hosted with a number of large backbones they cannot seem to withstand the sheer volume of ICMP and UDP traffic directed at them.

Some of the servers have been null-routed by the hosting providers, others have been null-routed by GeekShed staff to “prevent damage to other machines and customers” according to network owner Phil.

The cause, as usual, seems to be a disgruntled user that has been banned from Chris Pirillo’s channel #chris who then engaged in spamming the channel with floodbots and after the channel staff has put a stop to the spamming, resorted to throwing large volumes of traffic at the servers using a botnet.

Since its split from the Wyldryde network, this is the second time somebody felt the necessity to bombard the network with junk traffic after being banned from #chris, however that miscreant was put to jail-time after the incident.

Netsplit.de Graph showing outtages on GeekShed

Netsplit.de Graph showing outtages on GeekShed

GeekShed staff are currently trying to sort out the situation and are working on restoring service for their users but since there is only so much one can do on the receiving end of a DDoS attack, service will be “intermittent” as Phil has posted on GeekSheds official website.

Note: At the time of publishing it seems the network is back in normal operation.

  Copyright secured by Digiprove

Australian ISPs unite to disconnect botnet zombies

Yesterday a group consisting of major Australian ISPs – amongst them are Optus, Telstra, Vodafone, AAPT, Virgin, Hutchison 3G as well as Facebook, Google and Microsoft – announced that they prepare “a voluntary industry code to come into force this year” which could mean that “Computers infected with viruses could be “expelled” from the internet”.

The Internet Industry Association, which is made up of over 200 ISP and IT-related companies, is preparing that code in response to an ultimatum of the federal government.

Even though similar efforts have been reported in the past, Australia advanced to be #3 regarding botnet activity worldwide – only beaten by the U.S. and China. Interestingly, Australia wasn’t even to be found in the Top10 of McAfee’s Global Threat report 2 years ago

The sheer abundance of potential victims also explains why it is relatively cheap – 25$ per install – to get malware such as fake anti-virus solutions installed on Australian computers.

The internet industry’s voluntary code of conduct is being pushed by the federal Department of Broadband, Communications and the Digital Economy which wants to make the ISPs contact offending customers first before stepping up to more drastic measures like reducing the customers speed or changing their password so they have to contact the helpdesk.

As a last resort, the customers connection will be terminated if they fail to clean up the infection in a given timeframe.

If this gets done right it could very well mean a new era for all of us, meaning less spam, DDoS and other common nuisances found on todays internet.

What do you think about that? Should other countrys follow suit?

Freenode under DDoS

What many have suspected has now been confirmed – the root cause of the many netsplits on the freenode IRC network during the last days have been caused by ongoing DDoS attacks on their sponsors.

Freenode staffer JonathanD writes in their blogpost that they are experiencing a “heavy DDoS against several locations at which some of our servers are hosted. The attack is ongoing and cause a lot of disruption, both to users of the network and unfortunately to projects/companies/individuals whos infrastructure is hosted at the same locations as us” but also writes that they are “working hard to try curb the attacks as best they can.”

He also writes that they will keep their staffblog updated on the issues and recommends that “users of the network will also be able to receive (infrequent) status updates via global notice and slightly more frequent updates via wallops for those who have chosen to go +w (/umode +w or /mode yournick +w) will enable wallops in your irc client should you wish to see these.”

In closing he apologizes for “the inconvenience this no doubt causes for you and your project(s) and we would like to thank you all (in particular, our very generous and dedicated sponsors) for the patience and support while the issues are still ongoing.”

IRC-controlled botnet SDBot is still going strong

Despite being already over 5 years old, SDBot and its variants are still going strong and haven’t followed the decline that other similar threats have taken.

Using IRC as a control channel for botnets is one of the older, possibly even the oldest method around – the newer bots most of the time use either P2P or HTTP for their control, allowing them to be stealthier and harder to trace back than their IRC-using counterparts.

But against all trends and all the hype over takedowns of big botnets of the recent years SDBot is still around and is now mostly being used to install pay-per-install software like fake Antvir and other malware. “A botnet owner gets paid to install malware on infected PCs. For instance, a FAKEAV creator pays the SDBOT gang, which already owns an IRC botnet and controls thousands of infected machines, to easily push the FAKEAV files to systems.” TrendMicro writes in their blogpost.

This is pretty big business, targeted installations of Fake AV products can earn the botnetters up to $150 – per user.

Why SDBot is still around is easily explained: It managed to be stealthy as it didn’t interrupt with the infected computers activities as much as its relatives.

TrendMicro notes “the only remaining question is, “Why use an ‘old’ technology such as an IRC botnet when lots of newer technologies can already be seen in the wild?” The answer is quite simple—because this kind of botnet is currently off the radar unlike several others (DOWNAD, ZEUS, WALEDAC, KOOBFACE, ILOMO, and PUSHDO), which are consistently being monitored by researchers. Using a simple but effective type of botnet makes cybercriminals feel like they are in “heaven.” They can opt to use not only one but several ways to spread malware.”

During their research they tried to track back to the origin of the botnet and stumbled upon the domains burimilol.net, burimilol.com and burimche.net that are related to this malware. “These findings suggest that these threats could originate from the Albanian, Macedonian or Montenegro regions” they conclude in their paper.

[BURIMILOL.NET]
BURIM ALIJI
NERASHTI 1203
TETOVO, 91200
MACEDONIA
ALBANIA

To avoid becoming part of the botnet, TrendMicro advises to “not click links sent via IM applications, especially if you do not know who sent them, update your security applications regularly to decrease the chances of becoming infected” and not to “open unsolicited email or spam”.

Stay safe! ;)

psyb0t – A stealthy router-based botnet discovered [Updated]

The folks at DroneBL discovered and analyzed a router-based botnet that is suspected to have DDoS’ed them for about 2 weeks.

The bot software, named “psyb0t”, is the “first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems”.

Exploiting routers is in some cases more “useful” than infecting PC’s – because “most people will keep the router on 24/7″ as opposed to their computers which “most people shut down [...] in the evening before they go to bed, or when they leave the office” nenolod writes.
In his paper (which was written back in 2006 and at that time he’s been “called looney for”) he also mentions another reason why targeting SOHO routers is a good idea:

Attacking the router will enable you to monitor network activity with a much higher level of stealth. As most people think the router is a dumb device which simply does NAT translation, it will not be considered a device with a high security risk. Most intrusion analysts at this time will not even consider the router as the place where the malware is hiding.

nenolod, amongst others, disassembled and analyzed the botnet binary, coming to the conclusion that the current incarnation we’re seeing now “was mostly a test botnet”. “Terry Baume discovered the first generation, which only targeted a handful of specific models. The current generation, would be the second generation, which targets a much wider range of devices”.

Version 17 of the malware contains “shellcode for 30 different linksys models, and 10 netgear models, as well as several kinds of cable and dsl modems (15 different shellcodes)” as well as a list of “6000 usernames and 13000 passwords” which is used for bruteforcing Telnet and SSH logins that are open to the LAN and sometimes even on the WAN side of those routers.

His efforts to shutdown the Command&Control channel the bot uses have been successful and the DNS, which has been hosted with afraid.org, has been nullrouted. In a conversation held on IRC he also mentions that the “current version is version 18, but he [the author - ed.] has changed the way he obfuscates the executable” which formerly was packed using the UPX packer.

The now defunct C&C  was suspected to control “100,000 hosts at the moment, but the ircd does not give us any information”. The bot in its current incarnation does “hijack DNS for rapidshare” and “phishes login info” which leads nenolod to believe it is more of a proof-of-concept right now and is going to grow more sophisticated in the future. Asked about the origin of the worm he says that several traces point to Australia being the country of origin and given some reports of increased telnet activity there he could be right.

The bot is able to scan for vulnerable PHPMyAdmin and MySQL installations, contains an update function and the usual flooding functionality. It also disables access to the routers control interfaces using iptables rules, denying access to the ports 22, 23 and 80. Also, he notes that the bot is “not linux-specific, a couple of the routers we have seen in the botnet are running VxWorks“.

Detecting the bot isn’t easy since you’d need to capture and analyze the traffic it sends and receives to find out if you are infected – which is impossible if the infected device does not have dedicated USB/Ethernet ports to configure them and it then “would require monitoring at the CMTS or DSLAM” level.

In his posting on the DroneBL blog nenolod writes that they “are looking into finding out more information about this botnet, and its controller. If you have any information, we would like to know.”

Update and patch your routers so they don’t swallow a blue pill :)

Update:

The botnet apparently has been shutdown by it’s owner:

* Now talking on #mipsel
* Topic for #mipsel is: .silent on .killall .exit ._exit_ .Research is over:
 for those interested i reached 80K. That was fun :) , time to get back to the real life... (To the DroneBL guys:
 I never DDOSed/Phished anybody or peeked on anybody's private data for that matter)
* Topic for #mipsel set by DRS at Sun Mar 22 17:02:15 2009

nenolod writes in their blog:

While this information may or may not be true, we have received HTTP-based floods from IPs participating in this botnet.

We are still interested in this DRS person. If you have any information, please provide it to DroneBL. We will not disclose our sources.

Further reading:

http://www.dronebl.org/blog/8