www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

Australian ISPs unite to disconnect botnet zombies

Yesterday a group of major Australian ISPs – among them Optus, Telstra, Vodafone, AAPT, Virgin and Hutchison 3G, as well as Facebook, Google and Microsoft – announced that they are preparing “a voluntary industry code to come into force this year”, which could mean that “Computers infected with viruses could be “expelled” from the internet”.

The Internet Industry Association, which is made up of over 200 ISPs and IT-related companies, is preparing that code in response to an ultimatum from the federal government.

Even though similar efforts have been reported in the past, Australia has risen to #3 worldwide in botnet activity – beaten only by the U.S. and China. Interestingly, Australia wasn’t even in the top 10 of McAfee’s Global Threat report two years ago.

The sheer abundance of potential victims also explains why it is relatively cheap – $25 per install – to get malware such as fake anti-virus solutions installed on Australian computers.

The internet industry’s voluntary code of conduct is being pushed by the federal Department of Broadband, Communications and the Digital Economy, which wants ISPs to contact offending customers first before stepping up to more drastic measures like reducing the customer’s speed or changing their password so they have to contact the helpdesk.

As a last resort, the customer’s connection will be terminated if they fail to clean up the infection within a given timeframe.

If this gets done right it could very well mean a new era for all of us, meaning less spam, DDoS and other common nuisances found on today’s internet.

What do you think about that? Should other countries follow suit?

IRC-controlled botnet SDBot is still going strong

Despite already being over five years old, SDBot and its variants are still going strong and haven’t followed the decline that other similar threats have taken.

Using IRC as a control channel for botnets is one of the oldest methods around, possibly even the oldest – newer bots usually use either P2P or HTTP for their control, allowing them to be stealthier and harder to trace back than their IRC-using counterparts.

But against all trends, and despite all the hype over takedowns of big botnets in recent years, SDBot is still around and is now mostly being used to install pay-per-install software like fake antivirus and other malware. “A botnet owner gets paid to install malware on infected PCs. For instance, a FAKEAV creator pays the SDBOT gang, which already owns an IRC botnet and controls thousands of infected machines, to easily push the FAKEAV files to systems.” TrendMicro writes in their blog post.

This is pretty big business: targeted installations of fake AV products can earn the botnetters up to $150 – per user.

Why SDBot is still around is easily explained: it managed to stay stealthy because it didn’t interfere with the infected computer’s activities as much as its relatives did.

TrendMicro notes “the only remaining question is, “Why use an ‘old’ technology such as an IRC botnet when lots of newer technologies can already be seen in the wild?” The answer is quite simple—because this kind of botnet is currently off the radar unlike several others (DOWNAD, ZEUS, WALEDAC, KOOBFACE, ILOMO, and PUSHDO), which are consistently being monitored by researchers. Using a simple but effective type of botnet makes cybercriminals feel like they are in “heaven.” They can opt to use not only one but several ways to spread malware.”

During their research they tried to trace the botnet back to its origin and stumbled upon the domains burimilol.net, burimilol.com and burimche.net, which are related to this malware. “These findings suggest that these threats could originate from the Albanian, Macedonian or Montenegro regions” they conclude in their paper.

[BURIMILOL.NET]
BURIM ALIJI
NERASHTI 1203
TETOVO, 91200
MACEDONIA
ALBANIA

To avoid becoming part of the botnet, TrendMicro advises users to “not click links sent via IM applications, especially if you do not know who sent them, update your security applications regularly to decrease the chances of becoming infected” and not to “open unsolicited email or spam”.

Stay safe! ;)

Vulnerability in Eggdrop / Windrop 1.6.19

A vulnerability has been found in the Eggdrop and Windrop bots, prompting a new release.

The vulnerability is present in the latest version of both bots, 1.6.19, which was released back in April 2008.

A posting on the Full Disclosure mailing list goes into more detail, describing how one can at least crash vulnerable bots:

One possible exploit anyone can send to the IRC server to crash eggdrop:

PRIVMSG eggdrop :\1\1

The only resolution at this time is upgrading old bots to the release that contains the fix.

Nettalk fixes crash bug and releases 6.6.4

Nettalk, an open-source IRC client for Windows, has been updated to version 6.6.4.

The main reason behind this update was a bug found in version 6.5.6 of the client: a crash that can be triggered remotely using CTCP messages.

Whenever the first character of a message is ASCII 1 (the CTCP delimiter), the client crashes. According to Nettalk author Mirici, the bug cannot be exploited to cause more harm than crashing the client, but he has released a fixed version anyway.
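Both the Eggdrop crash above (a message consisting only of two ASCII 1 bytes, i.e. an empty CTCP request) and this Nettalk crash come down to the same parsing problem: a CTCP handler that assumes every \x01 is followed by a command. The following is an added example, not code from Eggdrop, Nettalk or the Full Disclosure post, of a CTCP splitter that tolerates empty and unterminated requests instead of faulting on them.

```python
# Added example: a defensive CTCP parser for IRC PRIVMSG payloads.
# CTCP convention: \x01 toggles between plain text and an embedded request,
# e.g. "hi \x01ACTION waves\x01 there" or a bare "\x01VERSION\x01".
CTCP_DELIM = "\x01"

def split_ctcp(text):
    """Split a PRIVMSG/NOTICE payload into ("text", s) and ("ctcp", cmd, args) parts.

    Malformed input is tolerated: "\x01\x01" (no command) and a trailing
    unmatched "\x01" simply yield nothing rather than an exception or an
    out-of-bounds read of an empty command.
    """
    parts = []
    chunks = text.split(CTCP_DELIM)
    # chunks alternate: text, ctcp, text, ctcp, ...  A final odd-indexed chunk
    # is the body of an unterminated CTCP request.
    for i, chunk in enumerate(chunks):
        if i % 2 == 0:
            if chunk:
                parts.append(("text", chunk))
        else:
            cmd, _, args = chunk.partition(" ")   # first word is the command
            if not cmd:                          # "\x01\x01": nothing to dispatch
                continue
            parts.append(("ctcp", cmd.upper(), args))
    return parts

def handle_privmsg(raw_line):
    """Parse a raw IRC line and return the events it yields, prefixed by sender.

    Anything that is not a three-field PRIVMSG returns an empty list, so a bot
    or client built on this never crashes on an odd message shape.
    """
    prefix, line = "", raw_line.rstrip("\r\n")
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    fields = line.split(" ", 2)
    if len(fields) < 3 or fields[0].upper() != "PRIVMSG":
        return []
    payload = fields[2][1:] if fields[2].startswith(":") else fields[2]
    sender = prefix.split("!", 1)[0]
    return [(sender,) + part for part in split_ctcp(payload)]
```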

Other reasons why Nettalk users might want to upgrade are the “improved DCC function that is much faster compared to other clients” and the “improved and fixed handling of Chinese character handling using both UTF-8 and ASCII”.

Thanks go to Elmaron for the tip and Mirici for quickly fixing the bug!

UnrealIRCd updates their IRCd to 3.2.8.1

The UnrealIRCd project has published a bugfix release for version 3.2.8; the current release is now 3.2.8.1.

The bugfix became necessary because a crash was found in the allow::options::noident option.

In a short interview, developer nate explains how the crash is triggered and how to avoid it:

There was an issue in allow::options::noident, where, if it was enabled in an allow block, a user could potentially crash a server due to a buffer overflow. As far as we’ve been able to see, there’s no risk of remote code execution as much as it just causing a segfault. The main ways of resolving it are updating to 3.2.8.1 or simply making sure no allow blocks specifically have noident (which most by default won’t thankfully).

Versions before 3.2.8 are vulnerable as well.

Asked how far back exactly, nate says the vulnerability exists “at least back towards 3.2.3 (before that we wouldn’t support anyways due to exploits way back then)”.
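For admins who cannot upgrade right away, nate’s second workaround is to make sure no allow block carries noident. The checker below is an added example, not part of UnrealIRCd; it assumes the 3.2.x configuration syntax (`allow { ...; options { ...; }; };` with `//`, `#` and `/* */` comments) and runs on a constructed sample config rather than a real one.

```python
import re

# Constructed unrealircd.conf fragment (not from any real server): the first
# allow block enables noident and is the one the checker should flag.
SAMPLE_CONF = """
allow {
    ip       *@*;
    hostname *@*;
    class    clients;
    maxperip 5;
    options { noident; };   // affected on 3.2.8 and earlier
};
allow {
    ip       *@192.0.2.*;
    hostname *@*.example.net;
    class    clients;
    options { useip; };     /* fine: no noident */
};
"""

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _blocks(text, name):
    """Yield the body of every `name { ... }` block, honouring nested braces."""
    pat = re.compile(r"\b%s\s*\{" % re.escape(name))
    pos = 0
    while True:
        m = pat.search(text, pos)
        if not m:
            return
        depth, j = 1, m.end()
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield text[m.end():j - 1]   # body without the closing brace
        pos = j

def allow_blocks_with_noident(conf_text):
    """Return the 1-based indices of allow blocks whose options enable noident."""
    hits = []
    for n, body in enumerate(_blocks(_strip_comments(conf_text), "allow"), 1):
        if any(re.search(r"\bnoident\b", opts) for opts in _blocks(body, "options")):
            hits.append(n)
    return hits

if __name__ == "__main__":
    print("allow blocks with noident:", allow_blocks_with_noident(SAMPLE_CONF))
```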

Thanks for the tip goes to Reed Loden and to nate for taking the time to answer my questions!