www.IRC-Junkie.org – IRC News

All about Internet Relay Chat

psyb0t – A stealthy router-based botnet discovered [Updated]

The folks at DroneBL discovered and analyzed a router-based botnet that is suspected to have DDoS’ed them for about 2 weeks.

The bot software, named “psyb0t”, is the “first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems”.

Exploiting routers is in some cases more “useful” than infecting PCs, because “most people will keep the router on 24/7” as opposed to their computers, which “most people shut down [...] in the evening before they go to bed, or when they leave the office”, nenolod writes.
In his paper (which was written back in 2006 and which he says he was “called looney for” at the time) he also mentions another reason why targeting SOHO routers is attractive to attackers:

Attacking the router will enable you to monitor network activity with a much higher level of stealth. As most people think the router is a dumb device which simply does NAT translation, it will not be considered a device with a high security risk. Most intrusion analysts at this time will not even consider the router as the place where the malware is hiding.

nenolod, amongst others, disassembled and analyzed the botnet binary, coming to the conclusion that the incarnation we’re seeing now “was mostly a test botnet”. “Terry Baume discovered the first generation, which only targeted a handful of specific models. The current generation would be the second generation, which targets a much wider range of devices”.

Version 17 of the malware contains “shellcode for 30 different linksys models, and 10 netgear models, as well as several kinds of cable and dsl modems (15 different shellcodes)” as well as a list of “6000 usernames and 13000 passwords” which is used for brute-forcing Telnet and SSH logins that are open to the LAN and sometimes even on the WAN side of those routers.

His efforts to shut down the Command & Control channel the bot uses have been successful: the DNS, which was hosted with afraid.org, has been nullrouted. In a conversation held on IRC he also mentions that the “current version is version 18, but he [the author - ed.] has changed the way he obfuscates the executable”, which formerly was packed using the UPX packer.

The now defunct C&C was suspected to control “100,000 hosts at the moment, but the ircd does not give us any information”. The bot in its current incarnation does “hijack DNS for rapidshare” and “phishes login info”, which leads nenolod to believe it is more of a proof-of-concept right now and is going to grow more sophisticated in the future. Asked about the origin of the worm, he says that several traces point to Australia as the country of origin, and given some reports of increased telnet activity there, he could be right.

The bot is able to scan for vulnerable PHPMyAdmin and MySQL installations, contains an update function and the usual flooding functionality. It also disables access to the router’s control interfaces using iptables rules, denying access to ports 22, 23 and 80. Also, he notes that the bot is “not linux-specific, a couple of the routers we have seen in the botnet are running VxWorks”.

Detecting the bot isn’t easy, since you’d need to capture and analyze the traffic it sends and receives to find out whether you are infected. On an infected device without dedicated USB/Ethernet ports for configuration that is not possible from the inside, and detection then “would require monitoring at the CMTS or DSLAM” level.
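Where a router does at least export its login log to a syslog host, the brute-forcing of Telnet/SSH credentials described above leaves a trace a defender can watch for without any packet capture. The following is an added example (not DroneBL’s or nenolod’s code) that flags bursts of failed logins per source address and notes whether a successful login followed the burst; the simplified syslog-style line format, field names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real psyb0t or vendor output) in a simple
# syslog-like shape: timestamp, service, outcome, user, source address.
SAMPLE_LOG = """\
2009-03-22 17:00:01 telnetd login failed user=admin from=192.168.1.23
2009-03-22 17:00:02 telnetd login failed user=admin from=192.168.1.23
2009-03-22 17:00:02 sshd login failed user=root from=192.168.1.23
2009-03-22 17:00:03 sshd login failed user=root from=192.168.1.23
2009-03-22 17:00:04 telnetd login failed user=user from=192.168.1.23
2009-03-22 17:00:05 sshd login failed user=admin from=192.168.1.23
2009-03-22 17:00:09 telnetd login ok user=admin from=192.168.1.23
2009-03-22 17:05:00 sshd login failed user=admin from=192.168.1.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<svc>telnetd|sshd) "
    r"login (?P<result>failed|ok) user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map source address -> (failures in window, distinct users tried,
    success seen within `window` after the burst) for every source with
    at least `threshold` failed logins inside `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # other log formats are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["result"] == "failed":
            failures[m["src"]].append((ts, m["user"]))
        else:
            successes[m["src"]].append(ts)
    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding window over failures
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in events[start:end + 1]}
                last = events[end][0]
                guessed = any(last <= t <= last + window for t in successes[src])
                alerts[src] = (end - start + 1, len(users), guessed)
    return alerts
```

A source that appears with a burst of failures followed by a success is the case worth checking first, since the lockout of ports 22, 23 and 80 described above would be the next thing the bot does.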

In his posting on the DroneBL blog nenolod writes that they “are looking into finding out more information about this botnet, and its controller. If you have any information, we would like to know.”

Update and patch your routers so they don’t swallow a blue pill :)

Update:

The botnet has apparently been shut down by its owner:

* Now talking on #mipsel
* Topic for #mipsel is: .silent on .killall .exit ._exit_ .Research is over:
 for those interested i reached 80K. That was fun :) , time to get back to the real life... (To the DroneBL guys:
 I never DDOSed/Phished anybody or peeked on anybody's private data for that matter)
* Topic for #mipsel set by DRS at Sun Mar 22 17:02:15 2009

nenolod writes in their blog:

While this information may or may not be true, we have received HTTP-based floods from IPs participating in this botnet.

We are still interested in this DRS person. If you have any information, please provide it to DroneBL. We will not disclose our sources.

Further reading:

http://www.dronebl.org/blog/8

phpDenora fixes XSS vulnerability

After getting notified about a Cross-site scripting vulnerability in phpDenora irc-junkie quickly tried to get in touch with the project.

The vulnerability – which generally can be used to steal cookies – exists at least in phpDenora’s then latest stable release, version 1.2.2, and “possibly all other versions”, says developer Hal9000.

Due to lacking sanitization it was possible to exploit the vulnerability using specially crafted channel names that would be visible on several pages of phpDenora; according to phpDenora’s Hal9000 on the “channel listing, the channel stats page, the user stats page and the top channel list on the homepage – if the channel is in the top X channels”.

To test whether your installation of phpDenora is vulnerable you can simply /join # and then visit one of the mentioned pages; if you get a popup, you should upgrade.

But, since channel names are usually pretty limited in length and usable charset, serious threats like stolen cookies are unlikely to occur. Nonetheless this recent upgrade is a recommended one.

The download for phpDenora 1.2.3 can be found here.

Thanks go to Shawn for reporting the vulnerability, to w00t for making the initial intermediary contact to Hal9000 and of course to Hal9000 for being so quick to fix the vulnerability.

HydraIRC releases version 0.3.165 and opens access to its sourcecode

On Monday HydraIRC, which calls itself “the professional client”, posted on its website an announcement of a new version that had already been released back in December.

The announcement mentions a good reason for the update: security issues that have also plagued other clients, again in the form of malicious irc:// URLs which can crash the client. The changelog calls the vulnerability a “remote DoS exploit” that is present in the “parsing code for long irc:// urls” but only when “hydrairc’s url handler is enabled.”

The posting states that to make the client crash you’d have to visit a website containing the malicious irc:// link, so that’s one more reason not to open just any link you see posted on IRC.

The real news, however, is below:

Hydra, the author of HydraIRC, says that “contrary to popular belief HydraIRC is NOT dead” and that he “and many other users still use it on a daily basis”. He also decided to open up the SVN repositories to the general public so “willing developers can get the source code without having to register with me first”.

Talking about the availability of the sourcecode he states that he’d “love to see what you come up with” and that “if you need inspiration check out TODO.TXT or come and talk to me in #HydraIRC on Efnet or Freenode”.

Closing the announcement he writes that the “HydraIRC source code is NOT GPL/BSD/OSI Approved and you MAY NOT use it for any purpose other than for helping to contribute to HydraIRC. Please read LICENSE.TXT for more information.”

The client can be downloaded from here.

KVIrc 3.4.2 URI handler in combination with IE exploitable [Updated]

Not even a month ago, it was KVIrc 3.4.0 in its Windows release that was vulnerable to what was at least a DoS/crash.

As of yesterday, new exploits have been posted on the usual sites around the internet. This time, however, it is not the fault of KVIrc’s URI handler: the bug is only exploitable if the malicious link is opened with Microsoft’s Internet Explorer, and it is possible because of IE’s unique way of handling double quotes (“) in links.

This time it is not just possible to crash the victim’s client but to execute a command of the attacker’s choice, opening a whole can of worms, as any command can be executed with the privileges of the attacked user.

In an interview conducted on IRC, members of the KVIrc team said that “the ‘vulnerability’ is present in any program’s URI handling engine until they decide to work around IE’s oddities”, which, according to this posting on their mailing list, involves using DDE to pass links back and forth between applications.

Since only a few members of the KVIrc team are able to compile the client for Windows, it might take a little while until a fix appears, but they assured IRC-Junkie that the issue is being worked on.
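Both the HydraIRC crash on over-long irc:// URLs and the KVIrc problem with double quotes come down to what a URI handler accepts before it acts on a link. The following added example (not HydraIRC’s or KVIrc’s code) is a strict irc:// parser that rejects over-long input, other schemes, control characters and double quotes before anything is built from the URI, because a handler that passes the link on as a quoted “%1” command-line argument must never see a quote inside it; the 512-byte cap, the regexes and the default port are assumptions.

```python
import re

# Assumed length cap for a whole irc:// URI; the page gives no client limits.
MAX_URI_LEN = 512

# irc://host[:port][/channel]; the channel may carry a leading #, &, + or !
URI_RE = re.compile(
    r"^(?P<scheme>[A-Za-z]+)://(?P<host>[^/:]+)(?::(?P<port>[^/]*))?"
    r"(?:/(?P<channel>[^/]*))?/?$"
)
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
CHANNEL_RE = re.compile(r"^[#&+!][^\s,:\x00-\x1f\x7f]{1,49}$")

def parse_irc_uri(uri):
    """Parse an irc://host[:port][/channel] URI into (host, port, channel).

    Returns None when the URI is over-long, uses another scheme, is malformed,
    or contains a double quote or a control character: those are rejected up
    front so that no later step (command line, window title, log line) ever
    has to cope with them.
    """
    if len(uri) > MAX_URI_LEN:
        return None
    if '"' in uri or any(ord(c) < 0x20 or ord(c) == 0x7F for c in uri):
        return None
    m = URI_RE.match(uri)
    if not m or m.group("scheme").lower() not in ("irc", "ircs"):
        return None
    host = m.group("host").lower()
    if not HOST_RE.match(host):
        return None
    port_str = m.group("port")
    if port_str is None:
        port = 6667                      # assumed default IRC port
    elif port_str.isdigit() and 1 <= int(port_str) <= 65535:
        port = int(port_str)
    else:
        return None
    channel = m.group("channel") or None
    if channel is not None:
        if channel[0] not in "#&+!":
            channel = "#" + channel      # irc:// convention: bare name means #name
        if not CHANNEL_RE.match(channel):
            return None
    return host, port, channel
```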

Update 11/22/2008, ~8 hours later: an updated package has been released for testing which contains “all the latest fixes for the bugs found in 3.4.2”. The download link is in this mailing list posting.

Quassel IRC CTCP Command Injection Vulnerability

Another day, another IRC client vulnerability…

Researchers have found a remotely exploitable vulnerability in the Quassel IRC client.

Quoted from the project’s homepage:

Well, looks like 0.3.0.2 was not the last 0.3.0 release after all. coekie found an issue with CTCP handling in Quassel Core that allows attackers to send arbitrary IRC messages on your behalf. This issue is present in all versions prior to 0.3.0.3 and Git older than October 26th (rev. d7a0381).

Details on the vulnerability are provided on the webpage of the exploit’s author:

A CTCP ping where the value contains a CTCP quoted newline (‘\020’ + ‘n’) will let the Quassel core reply with a message containing an unquoted newline (‘\n’). The IRC server interprets this as a command separator.

Having a newline separator injected into your IRC session means that anybody who sends a carefully crafted, malicious CTCP ping to your vulnerable client will be able to append an arbitrary command to it that will be executed with your privileges by the client – just as if you had typed it yourself.
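To make the quoting issue concrete, here is an added example (not Quassel’s code) that implements CTCP low-level quoting, shows a reply builder that echoes the dequoted PING argument unchanged next to one that re-quotes it before sending, and splits the result the way an IRC server would; the reply shape and the constructed PING argument are assumptions.

```python
import re

# CTCP low-level quoting: the quote character is 0x10 (octal \020); "\020n"
# stands for "\n", "\020r" for "\r", "\0200" for NUL and "\020\020" for itself.
M_QUOTE = "\x10"
_DEQUOTE = {"n": "\n", "r": "\r", "0": "\x00", M_QUOTE: M_QUOTE}

def ctcp_dequote(s):
    """Undo low-level quoting; an unknown quoted char decodes to itself."""
    out, i = [], 0
    while i < len(s):
        if s[i] == M_QUOTE and i + 1 < len(s):
            out.append(_DEQUOTE.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def ctcp_quote(s):
    """Apply low-level quoting so the text can never contain a raw CR/LF."""
    return (s.replace(M_QUOTE, M_QUOTE * 2).replace("\n", M_QUOTE + "n")
             .replace("\r", M_QUOTE + "r").replace("\x00", M_QUOTE + "0"))

def vulnerable_ping_reply(nick, arg):
    """Echo the dequoted PING argument as-is: a quoted newline in `arg`
    becomes a raw "\n" on the wire, which the server reads as a separator."""
    return f"NOTICE {nick} :\x01PING {ctcp_dequote(arg)}\x01\r\n"

def fixed_ping_reply(nick, arg):
    """Re-quote the argument before it goes back onto the wire."""
    return f"NOTICE {nick} :\x01PING {ctcp_quote(ctcp_dequote(arg))}\x01\r\n"

def server_side_commands(wire):
    """Split one client send into the commands an IRC server would parse."""
    return [line for line in re.split(r"\r\n|\n|\r", wire) if line]

# Constructed hostile PING argument: timestamp, quoted newline, second command.
INJECTED_ARG = "1234567890" + M_QUOTE + "n" + "PRIVMSG #channel :hello"
```

With the vulnerable builder the server sees two commands, the second one carrying the victim’s prefix; with the fixed builder the whole argument stays inside a single NOTICE.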

The vulnerability is patched in version 0.3.0.3 which is available for download here.

As noted on the homepage, some distributions already have the new version available in their package repositories; others should update manually.

Gentoo and *buntu already ship the new version, with more distributions hopefully following ASAP. If you still use a 0.2-rc1 core, please consider updating to 0.3.x as soon as possible. Note that we provide unstable, but fixed packages for Debian now, thanks to dileX.