[Dshield] IRC BOT opportunity

Tom dshield at oitc.com
Wed Oct 12 21:05:54 GMT 2005


I agree with everyone else: report what you gleaned to the FBI along 
with your ideas and either let them run with it or have them direct 
you to continue under their authority. And document, document, 
document.  When I found out some info on a kiddy porn spam ( kiddy 
porn just upsets me ) I reported the details to the FBI and it ended 
in the arrest of a kiddy porn ring in the US so reporting to 
authorities does work.

Tom

At 3:18 PM -0500 10/12/05, David B. Bukowski wrote:
>My suggestion is contact the authorities and FBI, inform them of what you
>know so far and how you can help in your idea.  Make them aware of your ideas
>before diving in.  It's a great thought that you're doing but it isn't worth
>losing your job, and your life as you get accused of hacking and sent to
>prison.  Contact your local FBI cybercrimes office.  It's better to be safe
>than sorry.
>-dave
>
>On Wed, 12 Oct 2005, Halsall, Mike wrote:
>
>Question of the day:
>
>Recently I've been playing with an IRC BOT virus (a Randex variant) that
>has come onto my college's campus.  These viruses have become
>increasingly sophisticated in their capabilities and have the ability
>to, of course, receive a download command from their Op and go grab a
>file and run it silently - hence introducing (yet) another ingress path
>for more malware/viruses.
>
>Being curious, and taking the appropriate precautions (anonymous proxies
>through Tor), I hopped onto the IRC server these Bots were joining and
>made myself look like one of them.  This server, in Hungary, controls
>~17000 Bots.
>
>Over the past few days I've struck up conversations with the Ops (3 of
>them), finally talking to their leader.  None of them are all too
>technical, they don't code and are just into this to make money (through
>spam (maybe some extortion?)).  In my conversation last night, I let the
>leader know that I am a capable programmer (c/c++ skills) and know
>networks.  He asked me to write them a new client, saying that he was
>sick of this IRC based net and having to move every so often due to
>being shut down (which does no good, because he still retains his Bots).
>He says he has a friend with a really large Botnet that uses a
>distributed P2P model.
>
>I see an opportunity here.  Not a big one.  Not changing the world.  But
>a fun project, nonetheless.  Write a new client for them that isn't IRC
>based.  Get them to push this new client to their Bots.  Having written
>the code, I can then break apart the Botnet from the inside - not giving
>them a chance to just hop to another host and even let the victims know
>their machines are infected.  Also, it gives an opportunity to find out who
>these people are (they're in the States).
>
>I'd let certain organizations know what I would be doing (CERT, for
>instance) and pass them the source when it was ready to roll.  However,
>before doing anything, I'd love to hear what you think.  Let the ethical
>debate begin!
>
>Mike
>
>
>_________________________________________
>Using .Net? Need to know more about .Net Security?
>http://isc.sans.org/banner_count.php?dest=dotnet
>
>_______________________________________________
>send all posts to list at lists.dshield.org
>To change your subscription options (or unsubscribe), see: 
>http://www.dshield.org/mailman/listinfo/list
>
>
>
>-------------------------------------------------------------------------------
>David B. Bukowski	|email (work):		bukowski at cdnet.cod.edu
>Network Analyst III	|email (personal):	davebb at cshschess.org
>College of Dupage	|webpage:	http://www.cshschess.org/davebb/
>Glen Ellyn, Illinois	|pager:			(708) 241-7655
>http://www.cod.edu/	|work phone:		(630) 942-2591
>-------------------------------------------------------------------------------
>