SANS ISC: InfoSec Handlers Diary Blog

Bot herds exploring vertical markets

Published: 2006-01-14
Last Updated: 2006-01-15 03:54:57 UTC
by Johannes Ullrich (Version: 1)
Malware has become a business like any other over the last few years. Individual bot herds grow, innovate, merge and, well, sometimes even fold.

While visiting an IRC server used to control bots, we came across the following channel topic, which makes perfect sense in that light:

*** Topic for #-sd-bot: $xscan asn139 200 5 0 217.x.x.x -r -s
*** #-sd-bot burt0n 1137203776
*** #-sd-bot 1136645024

The channel topic is a standard bot command: every bot that joins '#-sd-bot' reads its orders from the topic, in this case an instruction to scan an IP range for a particular vulnerability. (The two lines after it are ordinary IRC bookkeeping: who set the topic and when, and when the channel was created.) A human who connects to the same host and issues a '/list' command to see which channels exist is shown something quite different:


/list
*** Channel Users Topic
*** #help 1 IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT - WWW . NORTONANTIVIRUSES . COM - OR LEAVE A MSG KTHX.

We do not know whether the owner of 'nortonantiviruses.com' is actually associated with the bot channel. But the site is not a legitimate Symantec/Norton site; it is a "placeholder" site that collects referral fees. Its whois registration is anonymous, and the referral site itself does not appear to be malicious.
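As an added example, not code from the diary or from the ISC, here is a small Python triage script for the two things done by hand above: reading bot orders out of a channel topic, and spotting a domain advertised in one. It parses raw IRC server lines, pulls the topic out of the three message types that carry one (a 332 RPL_TOPIC reply on join, a 322 RPL_LIST row from '/list', and a live TOPIC change), flags topics that begin with a bot command prefix and verb, lists any IPv4 target in the order, and extracts domains even in the spaced-out 'WWW . EXAMPLE . COM' form. The sample lines are constructed from the excerpts on this page; the server name, the nicks, the '#chat' channel, the 192.0.2.0 target (a documentation address standing in for the anonymised 217.x.x.x) and the list of bot verbs are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample of raw IRC server lines, modelled on the diary's excerpts.
# 332 is RPL_TOPIC (sent when a client joins), 322 is RPL_LIST (one row of a
# /list reply) and TOPIC is a live topic change. The server name, the nicks, the
# #chat channel and the 192.0.2.0 target (a documentation address standing in
# for the diary's anonymised 217.x.x.x) are all made up for this example.
SAMPLE_LINES = [
    ":irc.example.test 332 drone1 #-sd-bot :$xscan asn139 200 5 0 192.0.2.0 -r -s",
    ":irc.example.test 322 drone1 #help 1 :IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE "
    "INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE "
    "DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT - WWW . NORTONANTIVIRUSES "
    ". COM - OR LEAVE A MSG KTHX.",
    ":irc.example.test 322 drone1 #chat 12 :Welcome, keep it friendly",
    ":burt0n!~b@host.example.test TOPIC #help :PLS VISIT - WWW.SYMANTEC.COM - OR LEAVE A MSG KTHX.",
    "PING :irc.example.test",
]

# Command prefixes and verbs typical of IRC bot families of the period. The verb
# list is an assumption for this example; the diary does not enumerate one.
BOT_VERBS = {"scan", "xscan", "advscan", "download", "update", "ddos", "login"}
CMD_RE = re.compile(r"^[$.!](?P<verb>[a-z]+)(?P<args>.*)$", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Tolerates the "WWW . EXAMPLE . COM" spacing used to keep a URL from auto-linking.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\s*\.\s*)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class TopicReport:
    channel: str
    topic: str
    verb: Optional[str] = None                          # bot command verb, if the topic is an order
    targets: List[str] = field(default_factory=list)    # IPv4 literals found in the order
    domains: List[str] = field(default_factory=list)    # domains advertised in the topic

    @property
    def flagged(self) -> bool:
        """An order to the drones, or a domain someone wants victims to visit."""
        return self.verb is not None or bool(self.domains)


def parse_irc_line(line: str) -> Optional[Tuple[Optional[str], str, List[str]]]:
    """Split one raw IRC line into (prefix, command, params) per RFC 1459 framing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                       # the last parameter may contain spaces
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, parts[0].upper(), params


def extract_topic(line: str) -> Optional[Tuple[str, str]]:
    """Return (channel, topic) for the three message types that carry a topic."""
    parsed = parse_irc_line(line)
    if parsed is None:
        return None
    _, command, params = parsed
    if command == "332" and len(params) >= 3:      # <nick> <channel> :<topic>
        return params[1], params[2]
    if command == "322" and len(params) >= 4:      # <nick> <channel> <users> :<topic>
        return params[1], params[3]
    if command == "TOPIC" and len(params) >= 2:    # <channel> :<topic>
        return params[0], params[1]
    return None


def analyze_topic(channel: str, topic: str) -> TopicReport:
    """Decide whether a topic is a bot order and pull out targets and domains."""
    report = TopicReport(channel=channel, topic=topic)
    m = CMD_RE.match(topic.strip())
    if m and m.group("verb").lower() in BOT_VERBS:
        report.verb = m.group("verb").lower()
        report.targets = IPV4_RE.findall(m.group("args"))
    report.domains = [re.sub(r"\s+", "", d).lower() for d in DOMAIN_RE.findall(topic)]
    return report


def scan_log(lines: List[str]) -> List[TopicReport]:
    """Run every line through the topic extractor and keep the ones worth a look."""
    reports = []
    for line in lines:
        found = extract_topic(line)
        if found:
            reports.append(analyze_topic(*found))
    return [r for r in reports if r.flagged]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LINES):
        print(f"{r.channel}: verb={r.verb} targets={r.targets} domains={r.domains}")
```

Run against the sample, the '#-sd-bot' topic comes out as an 'xscan' order with one target address, the '/list' row for '#help' carries no order but yields 'www.nortonantiviruses.com' once the spacing is stripped, and the later TOPIC change yields 'www.symantec.com'; the friendly '#chat' topic and the PING are dropped. A real deployment would feed it from a sniffer or an IRC client log rather than a list literal, and would look up each extracted domain the same way the diary did (whois, and whether it is parked).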

This is just a logical evolution of the current bot business. Like any business, the operators try to maximize the revenue they extract from each customer. If a victim finds out that they are infected and visits the bot server to learn more, the operator may as well take a cut of the cleanup spending that would otherwise be lost to them.

Update:

This was posted to the 'funsec' list a while ago:

"So he changed his topic:

-:- Topic (#help): changed by burt0n: IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT - WWW.SYMANTEC.COM - OR LEAVE A MSG KTHX.

....however, I guess he didn't like the exposure...after a few hours:

-:- SignOff burt0n: #help (User has been permanently banned from burt0n.IRC (#linuxsex@undernet))
-:- Connection closed from xx.43.235.xxx: Success
-:- BitchX: Servers exhausted. Restarting.

Score: ISC 1 - Burt0n 0 :)"

Cool if things work out "right" sometimes.
We also got this message via our contact form signed 'burt0n':

"my connection ain't secured, I'm straight with you guys, there is no business market using my bots, I did not even notice nortonantiviruses.com isn't the Symantec site. SORRY. BYE."

Hmmm... So maybe just a good ol' dumb script kiddie? Why did he infect the systems in the first place? The message was posted from a Sympatico IP address in Canada.
