[Dshield] IRC BOT opportunity

Don Jackson dwjackson at bcbsal.org
Wed Oct 12 21:01:25 GMT 2005


You should contact your local FBI field office immediately.

Look in the local phone book.  You can report anonymously, but you may be able to do more good if you identify yourself.  It's your call.  You might have more anonymity if you use the web through another account or a proxy to report it:

http://www.ic3.gov/
https://tips.fbi.gov/

Your proposed actions could have (almost certainly will have) unintended consequences.  Your proposal sounds well-intentioned, but you cannot be sure your plan of sabotage will work (or work only the way you intend).  Two wrongs don't make a right.  Remember, Welchia was designed to wipe out another threat.  Also, if you supply any source code or executables for clients that these ops can give to their bosses, you might just make it that much easier for them to commit crimes against people like you and me and our loved ones.  If you really want to take it down, the FBI has the experience you need.

>>> mike at middlebury.edu 10/12/2005 2:48 PM >>>

Question of the day:

Recently I've been playing with an IRC BOT virus (a Randex variant) that
has come onto my college's campus.  These viruses have become
increasingly sophisticated in their capabilities and have the ability
to, of course, receive a download command from their Op and go grab a
file and run it silently - hence introducing (yet) another ingress path
for more malware/viruses.

Being curious, and taking the appropriate precautions (anonymous proxies
through Tor), I hopped onto the IRC server these Bots were joining and
made myself look like one of them.  This server, in Hungary, controls
~17000 Bots.

Over the past few days I've struck up conversations with the Ops (3 of
them), finally talking to their leader.  None of them are all too
technical, they don't code and are just into this to make money (through
spam (maybe some extortion?)).  In my conversation last night, I let the
leader know that I am a capable programmer (c/c++ skills) and know
networks.  He asked me to write them a new client, saying that he was
sick of this IRC based net and having to move every so often due to
being shut down (which does no good, because he still retains his Bots).
He says he has a friend with a really large Botnet that uses a
distributed P2P model.

I see an opportunity here.  Not a big one.  Not changing the world.  But
a fun project, nonetheless.  Write a new client for them that isn't IRC
based.  Get them to push this new client to their Bots.  Having written
the code, I can then break apart the Botnet from the inside - not giving
them a chance to just hop to another host and even let the victims know
their machines are infected.  Also, it gives opportunity to find out who
these people are (they're in the States).

I'd let certain organizations know what I would be doing (CERT, for
instance) and pass them the source when it was ready to roll.  However,
before doing anything, I'd love to hear what you think.  Let the ethical
debate begin!

Mike







