[Dshield] IRC BOT opportunity

martin forest martin at forest.gen.nz
Wed Oct 12 20:45:24 GMT 2005


You may already have blown it, writing to this list.
Rule nr 1:
Talk to your local FBI office, if in the US. They will either take care of
you or make sure you get in contact with the correct agency. (And you get
a gold star on your file for being a good boy... ;) And for the rest of the
world, contact your local equivalent to the FBI or simply the police. However,
if the US is involved in one way or the other (bots, attacker, etc.), I tend to
involve US agencies, as they often can pull resources anywhere in the world.

Let them take over and "pretend to be you". That way, you will not break
any laws. As I understand it, if you live in the US, make sure you get a
contract/paper that clearly gives you immunity if YOU are going to help out
in the investigation...

Rule nr 2:
NEVER write code that can be used as a worm, bot, or virus, unless you are
prepared to do some time!!! If it gets out, regardless of accident,
intent, or theft, you still wrote it. Many countries will try to get their
hands on you if they have suffered, including organizations you don't want
to piss off.

Rule nr 3:
If you decide to assist the authorities to catch the bad guys, don't tell
anyone.

Anyway, enjoy the hunt. Trust me, it can be a buzz being in a chase. Done
it, love it. Even though I'm down under, there are some very clued-up
foreign agents operating in this region... :)

/Martin Forest

On Thu, 13 Oct 2005 08:48:42 +1300, Halsall, Mike <mike at middlebury.edu>  
wrote:

>
> Question of the day:
>
> Recently I've been playing with an IRC BOT virus (a Randex variant) that
> has come onto my college's campus.  These viruses have become
> increasingly sophisticated in their capabilities and have the ability
> to, of course, receive a download command from their Op and go grab a
> file and run it silently - hence introducing (yet) another ingress path
> for more malware/viruses.
>
> Being curious, and taking the appropriate precautions (anonymous proxies
> through Tor), I hopped onto the IRC server these Bots were joining and
> made myself look like one of them.  This server, in Hungary, controls
> ~17000 Bots.
>
> Over the past few days I've struck up conversations with the Ops (3 of
> them), finally talking to their leader.  None of them are all too
> technical, they don't code and are just into this to make money (through
> spam (maybe some extortion?)).  In my conversation last night, I let the
> leader know that I am a capable programmer (c/c++ skills) and know
> networks.  He asked me to write them a new client, saying that he was
> sick of this IRC based net and having to move every so often due to
> being shut down (which does no good, because he still retains his Bots).
> He says he has a friend with a really large Botnet that uses a
> distributed P2P model.
>
> I see an opportunity here.  Not a big one.  Not changing the world.  But
> a fun project, nonetheless.  Write a new client for them that isn't IRC
> based.  Get them to push this new client to their Bots.  Having written
> the code, I can then break apart Botnet from the inside - not giving
> them a chance to just hop to another host and even let the victims know
> their machines are infected.  Also, it gives opportunity to find out who
> these people are (they're in the States).
>
> I'd let certain organizations know what I would be doing (CERT, for
> instance) and pass them the source when it was ready to roll.  However,
> before doing anything, I'd love to hear what you think.  Let the ethical
> debate begin!
>
> Mike
>
