[Dshield] ISP redirecting IRC traffic to attempt bot removal
Stasiniewicz, Adam
stasinia at msoe.edu
Fri Jul 20 21:39:48 GMT 2007
Similar laws exist in the US. I find it hard to believe that a US-based ISP is doing this. Like in the UK, US ISPs are opening themselves up to huge liability lawsuits, in addition to criminal prosecution. I am not a lawyer, but I would not be surprised if the IRC network operators themselves could also sue the ISPs for doing this.
As with most things, the first step here is to open a support case with the ISPs in question (i.e. call the 800 number on the website). After that there are a lot of different options available to get in contact with ISP staff without resorting to posting on "full-disclosure" mailing lists (more information available upon request). In fact, it has been my experience that trying to gain publicity for your issue and thereby strong-arming an ISP to fix a problem tends to not work very well. What often happens is that PR will see the news bit and call Legal; then the lawyers will spend the next three weeks "planning" how to avoid getting sued, completely bypassing the fact that a problem exists.
In closing let me say this. I have no doubt that the ISPs are well meaning. And I am happy to know that at least on some level ISPs are trying to fix the botnet problem. But the solution they came up with is not well planned or implemented. This is something that needs to be shut down and brought back to the drawing board.
My $0.02,
Adam Stasiniewicz
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of Jim Murray
Sent: Friday, July 20, 2007 10:49 AM
To: General DShield Discussion List
Subject: Re: [Dshield] ISP redirecting IRC traffic to attempt bot removal
jayjwa wrote:
> Background info:
> 1) http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016
>
> 2) The typical command for rbot/urxbot removal of the bot from the bot
> user's perspective is to issue a command such as /msg bot .remove; sometimes
> "!" is the command prefix, but technically it can be anything. They seem
> to have forgotten that most bots require .login before accepting commands, but there may
> be some that do not.
>
> 3) The code for the server appears altered as well, as it announces
> multiple, different topics. Normally IRC servers do not do this for the same
> channel.
<snip>
> To sum this up for those not familiar with IRC, if I was a client of this ISP,
> and I tried to access the public IRC network irc.ablenet.org, my ISP's
> nameserver would return knowingly false information to send me to this fake
> server, which, once there, auto-logs me into a channel and attempts to
> interact with software I may or may not have running on my machine in an
> attempt to remove it from my machine.
As a long-term IRC user and Operator on a major network I find this
greatly worrying.
Blocking botnets is a worthwhile goal. That's something no sane IRC
admin would dispute since they cause untold disruption and inconvenience
both to those networks unfortunate enough to be targets and those abused
as hosts. Most genuine networks go to great lengths to find & remove
botnet command & control channels from their networks. Many make use of
RBLs, on-connect scanners and other detection methods to target the
bots themselves and try to keep them off the network.
To the best of my knowledge no IRC network has any kind of automated
removal program for infected clients. Not one. Why? It's not because the
networks don't know how - we all do, and many of us know how to do it
far better than most ISPs since we've been dealing with this problem
far longer than they have. It's not lack of resources - a bot to do this
uses scarcely any resources and isn't hard to develop.
No, we don't do it because it's a VERY BAD IDEA. If there's anyone from
any of those ISPs doing this on the list, talk to your legal department
now. You could well be (and in many places probably are) breaking the
law by doing this - the Computer Misuse Act in the UK makes this type of
activity a criminal offence:
3. (1) A person is guilty of an offence if -
(a) he does any act which causes an unauthorised modification of
the contents of any computer; and
(b) at the time when he does the act he has the requisite intent
and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent
is an intent to cause a modification of the contents of any computer and
by so doing -
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in
any computer; or
(c) to impair the operation of any such program or the
reliability of any such data.
(3) The intent need not be directed at -
(a) any particular computer;
(b) any particular program or data or a program or data of any
particular kind; or
(c) any particular modification or a modification of any
particular kind.
There it is in black & white - "to prevent or hinder access to any
program or data held in any computer" - that is what these commands are
intended to achieve. It's immaterial whether the user knowingly ran the
bot or not, the user did not give permission for the attempted removal
which makes it (in the UK at least) illegal.
But that's not the worst of it, not by a long way. It would be the work
of seconds to alter the code of almost any IRC-based bot such that
issuing any of the commands shown here (or indeed any other set of
commands sent via IRC) caused permanent, irreparable data loss to the PC
in question. For example - !remove can every bit as easily run sdelete
-s -q c:\ - goodbye data, goodbye OS, hello lawsuit!
And that's just scratching the surface - blind sending of automated
commands to a remote machine without express user permission is utterly
and completely crazy. It's a lawsuit waiting to happen. Even with user
permission it's stupid in the extreme; the consequences are far too
unpredictable.
My advice - consult a lawyer. While it's no doubt well intentioned it's
patently stupid and probably illegal.
Jim.
(note: the above is a personal viewpoint & opinion and does not
necessarily reflect the opinion of DALnet.)
--
Jim Murray
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploits Team, DALnet IRC Network
jim-mm at dal.net | Key ID : 0x1AF5FDC4
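The two tells jayjwa lists above (a server that keeps pushing different topics for the same channel, and unsolicited private messages that look like bot control commands such as ".login" or ".remove") can be checked for on the client side. The following is an added example, not code from the thread or from any IRC network; the session text is constructed, and the hostnames and nicks in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of an IRC session as a client would log it, modelled on
# the behaviour described in the thread: several different topics for one
# channel, plus unsolicited bot-style commands sent by private message.
SAMPLE_SESSION = """\
:irc.example.invalid 001 nick :Welcome to the network
:nick!user@host JOIN :#help
:irc.example.invalid 332 nick #help :Welcome to #help
:irc.example.invalid TOPIC #help :Bot removal in progress
:irc.example.invalid TOPIC #help :Please wait
:cleaner!svc@irc.example.invalid PRIVMSG nick :.login secret
:cleaner!svc@irc.example.invalid PRIVMSG nick :.remove
:friend!u@h PRIVMSG nick :hi there
"""

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")
BOT_CMD = re.compile(r"^[.!][A-Za-z]+")  # ".remove", "!login", ... (prefix may vary)

def parse_line(line):
    """Split one raw IRC line into (prefix, command, params list)."""
    m = IRC_LINE.match(line)
    if not m:
        return None
    params = m.group("params") or ""
    if " :" in params:                      # middle params + trailing param
        head, trailing = params.split(" :", 1)
        args = head.split() + [trailing]
    elif params.startswith(":"):            # trailing param only
        args = [params[1:]]
    else:
        args = params.split()
    return m.group("prefix"), m.group("cmd").upper(), args

def audit_session(text):
    """Return findings: ('bot-command', sender, text) and ('multi-topic', chan, n)."""
    topics = defaultdict(set)
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        prefix, cmd, args = parsed
        if cmd == "332" and len(args) >= 3:          # RPL_TOPIC: nick chan :topic
            topics[args[1].lower()].add(args[2])
        elif cmd == "TOPIC" and len(args) >= 2:      # TOPIC chan :topic
            topics[args[0].lower()].add(args[1])
        elif cmd == "PRIVMSG" and len(args) >= 2 and BOT_CMD.match(args[1]):
            findings.append(("bot-command", prefix, args[1]))
    for chan, seen in topics.items():
        if len(seen) > 1:                            # same channel, differing topics
            findings.append(("multi-topic", chan, len(seen)))
    return findings
```

Running `audit_session(SAMPLE_SESSION)` reports the two command-like private messages and the three distinct topics seen for #help; a normal session yields an empty list.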