R-fx Networks

Bot Networks: Jacking the Jackers

by on Jul.06, 2010, under My Blog

One of the more interesting parts of my malware hunting routine is when I notice new command & control hubs for bot networks in the source of ircbot malware content. I am not the type to just look and not play, I always dive into these networks and poke around. When it gets really fun is when the attackers get lazy thinking they are untouchable and leave open their irc networks with a series of simple administrator nick names that can be used to control the bots on the network.

So, what I sometimes do is sign into these irc networks, monitor & log them for a little while for abuse reporting purposes to the network hosting them, then I literally, jack the network from under the attacker and make every single bot exit with by telling all the bots to e.g: “killall -9 perl” which terminates the bot program. Some of the rage from these little kiddies is obscenely retarded but at the same time incredibly fun to watch prepubescent teens get mad over shit they should rightly be tossed into jail for.

Now, on occasion, this does backfire on me, I have had my home internet DDoS to death more than a few times to the point where I had to unplug my cable modem for hours to let the DHCP IP release and renew as a new one. It still is worth it and incredibly fun to ruin these kiddies week or month, with all the hard work they put into these bot networks amassing hundreds upon hundreds of zombies. Just as fun is when the kiddies think they’ve got you all figured out and locked the bot network down, you get a reply from a network administrator over at the company you sent an abuse email too telling you they are looking into the matter then minutes later, the network goes tits up cause the server hosting it was shut down 🙂

Yup that was my story time for the day, I will try post some of the funnier bits from network take down shortly, I will also be putting up some c&c stats into the soon-to-be-released threat statistics section, thats it for now, kthxbye!


2 Comments for this entry

  • Brad

    I love it! I run an IRCd company.. were constantly trying to keep on top of these kiddies.. We’ve gotten to the point that I have alerts smsed to me if our bandwidth spikes to more than double a past few hours average… I usually can expect some sort of service issues and can hop on and block traffic if something happens.

    I’ve also had to experience a C&C network being hosted on my server… guy thought he was all that locking the server down.. when we turned off the actual ircd process he never came back to turn it on.. but we knew he was the root cause..

    I really wish there was a way to scan files they upload and then modify..

  • Pascal

    I’d like to have your knowledge as, for it takes me long long time, to find I’ve been attack, and more long to understand how/why and long time to recreate a fresh/clean server.

    Last one was a S99lvm in /etc/rc3.d/ which one launched a pscd process which connect to ns10.dnetnoc.net:ircd

    Bad bad one. Not find yet how they had root access. What I know, is S99lvm having a CWD of /root, using libresolv.so, having its file descriptors set to a pseudo-terminal (instead of /dev/null) and being run by root.

Leave a Reply

Looking for something?

Use the form below to search the site:

Site Links

A few links to navigate our site quicker...