To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
What I find curious about this is the supposed fact about them using dns
redirection to do this. I think that might be misinformation, but the other
stuff would be kind of difficult to differentiate between real IRC traffic
and botnet traffic depending on how commands are issued/syntax.
It is 6:00am here and I am really tired, so that may not have made sense.
On 7/20/07, Gadi Evron <[EMAIL PROTECTED]> wrote:
---------- Forwarded message ----------
Date: Fri, 20 Jul 2007 06:11:25 -0400
From: jayjwa <[EMAIL PROTECTED]>
Reply-To: General DShield Discussion List <[EMAIL PROTECTED]>
To: Dshield Mail List <[EMAIL PROTECTED]>
Subject: [Dshield] ISP redirecting IRC traffic to attempt bot removal
When blocking goes too far, part #2 (working title: First they came for
email, now it's IRC)
Background info:
1)
http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016
2) The typical command for rbot/urxbot removal of the bot from the bot
user's perspective is to issue a command such as /msg bot .remove; sometimes
"!" is also the command prefix, but technically it can be anything. They
seem to have forgotten most bots require .login before accepting commands,
but there may be some that do not.
3) The code for the server appears altered as well, as it announces
multiple, different topics. Normally IRC servers do not do this for the
same channel.
Fri Jul 20 05:57:00 EDT 2007:
*** Performing DNS lookup for [70.168.70.4] (server 4)
*** DNS lookup for server 4 [70.168.70.4] returned (1) addresses
*** Connecting to server refnum 4 (70.168.70.4), using address 1 (70.168.70.4:6667)
*** Looking up your hostname...
*** Checking Ident
*** No Ident response
(They lie, I do most certainly run Identd)
*** Welcome to the Internet Relay Network jayjwa
*** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
*** Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2
*** This server was created Thu Dec 6 2001 at 11:52:49 EST
*** localhost.localdomain 2.8/hybrid-6.2 oOiwszcrkfydnxb biklmnopstve
*** There are 2 users and 0 invisible on 1 servers
*** I have 2 clients and 0 servers
*** Current local users: 2 Max: 2
*** Current global users: 2 Max: 2
*** Highest connection count: 2 (2 clients) (2 since server was (re)started)
*** - localhost.localdomain Message of the Day -
*** - Where's the kaboom? There was supposed to be an earth shattering kaboom.
*** End of /MOTD command.
*** jayjwa ([EMAIL PROTECTED]) has joined channel #martian_
*** Mode change "+nt" on channel #martian_ by localhost.localdomain
*** Users on #martian_: @Marvin_ jayjwa
*** Topic for #martian_: .bot.remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: .remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: .uninstall
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !bot.remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !remove
*** The topic was set by Marvin_ 3 sec ago
*** Topic for #martian_: !uninstall
*** The topic was set by Marvin_ 3 sec ago
<Marvin_> .bot.remove
<Marvin_> .remove
<Marvin_> .uninstall
<Marvin_> !bot.remove
<Marvin_> !remove
<Marvin_> !uninstall
*** Mode for channel #martian_ is "+tn"
*** Channel #martian_ was created at Fri Jul 20 05:46:57 2007
User [EMAIL PROTECTED] was not on the names list for channel [#martian_] on server [4] -- adding them
05:51AM [1] jayjwa #martian_ (+nt) (Mail: 56) EPIC5 -- Type /help for help
EPic>
To sum this up for those not familiar with IRC: if I was a client of this
ISP, and I tried to access the public IRC network irc.ablenet.org, my ISP's
nameserver would return knowingly false information to send me to this fake
server, which, once there, auto-logs me into a channel and attempts to
interact with software I may or may not have running on my machine in an
attempt to remove it from my machine.
--
[RBL:Just A Bad Idea] Do not use DNS-RBL; Demand your ISP stop.
Tell RoadRunner/Adelphia, Netzero,etc: don't trash your mail.
http://www.ifn.net/classic/rblstory.htm
http://theory.whirlycott.com/~phil/antispam/rbl-bad/rbl-bad.html
_______________________________________________
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law
enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
--
James Pleger
p: 623.298.7966
e: [EMAIL PROTECTED]
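As an added example (not code from the post or from anyone on either list), the following Python checks a captured raw IRC session for the three tell-tales jayjwa's log shows: the server naming a host other than the one the client dialled, repeated TOPIC changes on one channel, and rbot/urxbot-style control words arriving as topics or channel messages. The sample lines are constructed in wire format (the post's log is EPIC client output), and treating a host-name mismatch in the 002 reply as suspicious is an assumption, not something the post states.

```python
import re
from collections import Counter

# Constructed raw IRC server lines modelled on the session in the post (not the original log).
SAMPLE_LINES = [
    ":localhost.localdomain 002 jayjwa :Your host is localhost[localhost/6667], running version 2.8/hybrid-6.2",
    ":Marvin_!m@localhost TOPIC #martian_ :.bot.remove",
    ":Marvin_!m@localhost TOPIC #martian_ :.remove",
    ":Marvin_!m@localhost TOPIC #martian_ :!uninstall",
    ":Marvin_!m@localhost PRIVMSG #martian_ :.remove",
    ":alice!a@example.net PRIVMSG #chat :hello everyone",
]
# rbot/urxbot control words with the "." or "!" prefix the post mentions
BOT_CMD = re.compile(r"^[.!](bot\.)?(remove|uninstall|login)\b")
HOST_002 = re.compile(r"Your host is ([^\[\s]+)")

def parse(line):
    """Split one raw IRC line into (prefix, command, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0].upper(), params[1:]

def analyze(lines, connected_host, topic_threshold=3):
    """Flag what the post describes: a server naming a host other than the one
    dialled (assumed heuristic), repeated TOPIC changes, and bot-control words."""
    topics = Counter()
    bot_cmds = []
    reported_host = None
    for line in lines:
        prefix, cmd, params = parse(line)
        if cmd == "002" and params:
            m = HOST_002.search(params[-1])
            reported_host = m.group(1) if m else None
        elif cmd in ("TOPIC", "PRIVMSG") and len(params) >= 2:
            channel, text = params[0], params[-1]
            if cmd == "TOPIC":
                topics[channel] += 1
            if BOT_CMD.match(text):
                bot_cmds.append(((prefix or "").split("!")[0], cmd, channel, text))
    return {
        "reported_host": reported_host,
        "host_mismatch": reported_host is not None and reported_host != connected_host,
        "topic_floods": {ch: n for ch, n in topics.items() if n >= topic_threshold},
        "bot_commands": bot_cmds,
    }
```

Run `analyze(SAMPLE_LINES, "irc.ablenet.org")` to see all three findings at once; an ordinary channel with a single topic and no command-prefixed text produces none.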