Last Updated: 2006-01-15 03:54:57 UTC
by Johannes Ullrich (Version: 1)
Visiting an IRC server used to control bots, the following message made perfect sense in that respect:
*** Topic for #-sd-bot: $xscan asn139
200 5 0 217.x.x.x -r -s
*** #-sd-bot burt0n 1137203776
*** #-sd-bot 1136645024
The channel used to control the bots, '#-sd-bot', is using a standard command to instruct its members to scan an IP range for a particular vulnerability. On the other hand, if a human should connect to the host and issue a '/list' command to find out about channels on that server, the following message is displayed:
*** Channel Users Topic
*** #help 1 IF YOU ARE HERE ITS
BECAUSE I MIGHT HAVE
INFECTED ONE OF YOUR MACHINES, DONT WORRY
NOTHING IS GONNA BE HARMED
WITH THE DRONES, FOR FURTHER INFORMATION
ON REMOVALS PLS VISIT -
WWW . NORTONANTIVIRUSES . COM -
OR LEAVE A MSG KTHX.
We do not know if the owner of 'Nortonantiviruses.com' is actually associated with the bot channel. But the site is not a legit Symantec/Norton site. Instead, its "placeholder" site collecting referral fees. Its whois registration is anonymous. The referral site does not appear to be malicious.
This is just a logical evolution of the current bot business. Like any business, the operators try to maximize the revenue they receive from a customer. If a customer found out that they are infected, and is visiting the bot server to find out more, they may as well try to get a cut on the cleanup revenue which would otherwise be lost.
This was posted to the 'funsec' list a while ago:
"So he changed his topic:
-:- Topic (#help): changed by burt0n: IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT -
WWW.SYMANTEC.COM - OR LEAVE A MSG KTHX.
....however, I guess he didn't like the exposure...after a few hours:
-:- SignOff burt0n: #help (User has been permanently banned from burt0n.IRC
-:- BitchX: Servers exhausted. Restarting.
Cool if things work out "right" sometimes.
We also got this message via our contact form signed 'burt0n':
Hmmm... So maybe just a good ol' dumb script kiddie? Why did he infect the systems in the first place? The message was posted from a Sympatico IP address in Canada.