[Dshield] ISP redirecting IRC traffic to attempt bot removal

Jim Murray jim-mm at dal.net
Fri Jul 20 15:48:52 GMT 2007

jayjwa wrote:

> Background info:
>    1) http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/55016
>    2) The typical command for rbot/urxbot removal of the bot from the bot 
> user's perspective is to issue a command such as /msg bot .remove, sometimes 
> also "!" is the command prefix, but technically it can be anything. They seem 
> to have forgotten most bots require .login before accepting commands, but there may 
> be some that do not.
>    3) The code for the server appears altered as well, as it announces 
> multiple, different topics. Normally IRC servers do not do this for the same 
> channel.
> To sum this up for those not familiar with IRC, if I was a client of this ISP, 
> and I tried to access the public IRC network irc.ablenet.org, my ISP's 
> nameserver would return knowingly false information to send me to this fake 
> server, which, once there, auto-logs me into a channel and attempts to 
> interact with software I may or may not have running on my machine in an 
> attempt to remove it from my machine.

As a long-term IRC user and Operator on a major network I find this
greatly worrying.

Blocking botnets is a worthwhile goal. That's something no sane IRC
admin would dispute since they cause untold disruption and inconvenience
both to those networks unfortunate enough to be targets and those abused
as hosts. Most genuine networks go to great lengths to find & remove
botnet command & control channels from their networks. Many make use of
RBLs, on-connect scanners and other detection methods to target the
bots themselves and try to keep them off the network.

To the best of my knowledge no IRC network has any kind of automated
removal program for infected clients. Not one. Why? It's not because the
networks don't know how - we all do, and many of us know how to do it
far better than most ISPs since we've been dealing with this problem
far longer than they have. It's not lack of resources - a bot to do this
uses scarcely any resources and isn't hard to develop.

No, we don't do it because it's a VERY BAD IDEA. If there's anyone from
any of those ISPs doing this on the list, talk to your legal department
now. You could well be (and in many places probably are) breaking the
law by doing this - the Computer Misuse Act in the UK makes this type of
activity a criminal offence:

3.—(1) A person is guilty of an offence if—
       (a) he does any act which causes an unauthorised modification of
the contents of any computer; and
       (b) at the time when he does the act he has the requisite intent
and the requisite knowledge.

    (2) For the purposes of subsection (1)(b) above the requisite intent
is an intent to cause a modification of the contents of any computer and
by so doing—
       (a) to impair the operation of any computer;
       (b) to prevent or hinder access to any program or data held in
any computer; or
       (c) to impair the operation of any such program or the
reliability of any such data.

    (3) The intent need not be directed at—
       (a) any particular computer;
       (b) any particular program or data or a program or data of any
particular kind; or
       (c) any particular modification or a modification of any
particular kind.

There it is in black & white - "to prevent or hinder access to any
program or data held in any computer" - that is what these commands are
intended to achieve. It's immaterial whether the user knowingly ran the
bot or not, the user did not give permission for the attempted removal
which makes it (in the UK at least) illegal.

But that's not the worst of it, not by a long way. It would be the work
of seconds to alter the code of almost any IRC-based bot such that
issuing any of the commands shown here (or indeed any other set of
commands sent via IRC) caused permanent, irreparable data loss to the PC
in question. For example - !remove can every bit as easily run sdelete
-s -q c:\ - goodbye data, goodbye OS, hello lawsuit!

And that's just scratching the surface - blind sending of automated
commands to a remote machine without express user permission is utterly
and completely crazy. It's a lawsuit waiting to happen. Even with user
permission it's stupid in the extreme, the consequences are far too

My advice - consult a lawyer. While it's no doubt well intentioned it's
patently stupid and probably illegal.

(note: the above is a personal viewpoint & opinion and does not
necessarily reflect the opinion of DALnet.)

            Jim Murray
 Exploits Team, DALnet IRC Network
jim-mm at dal.net | Key ID : 0x1AF5FDC4
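The quoted background describes three things a client would observe once its IRC connection has been redirected to a fake server: it is joined to a channel it never asked for, the server announces several different topics for that one channel, and bot-style control commands (a "." or "!" prefix followed by a word such as login or remove) are pushed at it. The following is an added example, not code from the original post or from DALnet, showing how a client-side monitor could flag those anomalies in a session transcript; the server name, nick, channel and message lines are constructed for illustration.

```python
"""Flag the anomalies the post describes in an IRC server-to-client transcript."""
import re
from collections import Counter

# Constructed sample of lines as a client would receive them, modelled on the
# behaviour the post describes: a forced JOIN, several different topics for
# one channel, and bot-style control commands sent to the channel and the nick.
SAMPLE_LINES = [
    ":irc.example.test 001 victim :Welcome to the network",
    ":victim!user@host JOIN :#cleanup",
    ":irc.example.test 332 victim #cleanup :Please wait while we check your system",
    ":irc.example.test TOPIC #cleanup :.login cleanup",
    ":irc.example.test TOPIC #cleanup :.remove",
    ":irc.example.test TOPIC #cleanup :!remove",
    ":helper!op@host PRIVMSG #cleanup :.login cleanup",
    ":helper!op@host PRIVMSG victim :!remove",
    ":friend!u@h PRIVMSG #cleanup :hello, how are you?",
]

# A "." or "!" prefix directly followed by a word is the bot command shape
# the post mentions (rbot/urxbot style); the prefix itself is configurable.
BOT_COMMAND_RE = re.compile(r"^[.!][A-Za-z]")


def parse_line(line):
    """Split an RFC 1459 style message into (prefix, command, params)."""
    prefix = None
    rest = line.rstrip("\r\n")
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    trailing = None
    if " :" in rest:
        rest, _, trailing = rest.partition(" :")
    parts = rest.split()
    command, params = parts[0], parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def nick_of(prefix):
    """Return the nick part of a 'nick!user@host' prefix (empty for servers)."""
    return prefix.split("!", 1)[0].lower() if prefix and "!" in prefix else ""


def analyse(lines, my_nick, requested_channels=()):
    """Return a list of (kind, where, line) findings for the anomalies above."""
    requested = {c.lower() for c in requested_channels}
    topics_seen = {}  # channel -> list of distinct topics announced for it
    findings = []
    for line in lines:
        prefix, command, params = parse_line(line)
        if command == "JOIN" and nick_of(prefix) == my_nick.lower():
            chan = params[0].lower()
            if chan not in requested:  # we never sent JOIN for this channel
                findings.append(("forced-join", chan, line))
        elif command in ("TOPIC", "332") and len(params) >= 2:
            chan, topic = params[-2].lower(), params[-1]  # works for both forms
            seen = topics_seen.setdefault(chan, [])
            if topic not in seen:
                seen.append(topic)
                if len(seen) > 1:  # servers normally announce one topic per channel
                    findings.append(("multiple-topics", chan, line))
            if BOT_COMMAND_RE.match(topic):
                findings.append(("bot-command", chan, line))
        elif command == "PRIVMSG" and len(params) == 2:
            target, text = params
            if BOT_COMMAND_RE.match(text):
                findings.append(("bot-command", target.lower(), line))
    return findings


def summarise(findings):
    """Count findings by kind, e.g. {'forced-join': 1, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for kind, where, line in analyse(SAMPLE_LINES, "victim"):
        print(f"{kind:16} {where:10} {line}")
    print(summarise(analyse(SAMPLE_LINES, "victim")))
```

The monitor only needs the lines the client already receives and the list of channels the client itself asked to join, so it can sit between the socket and the client without any network lookups; a single forced join or a second distinct topic for one channel is enough to warrant checking where the resolver actually sent the connection.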

