PingBad (Post Whore)
Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 09, 2009 2:04am Post subject: Latest wave of spam
Lately, I have noticed a spambot making its way around a few of the networks I frequent (one of which is indexed here, but I shall not name it) offering mIRC with free registration and a "handy script". Upon examining (and virus scanning) the rar file on offer, the bot seems to have helped the cause for fighting abuse of IRC... in the root of the rar file is a handy little file named "IRCproxys.txt" which contains a veritable list of IPs (and ports) it can use to connect to your network with - how convenient.

For now, it uses the same download link, but after conferring with a trusted IRC colleague of mine, it appears it uses a new link when it starts noticing that its current one is getting blocked/banned.

As for the script itself, upon a brisk examination it appears to be a flood-type script using raw socketry as well as an mIRC script-driven psyBNC clone. I'll post more as I find out more - watch this space.

For you admins and IRC operators out there hoping to prevent this bot from spamming itself further (it mentions the link in its first message upon joining, and then again when it parts), here's the link for you to filter:
Code:
http://hyperfileshare.com/d/42e6aa92

Jobe (Eleet)
Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
Posted: Aug 09, 2009 2:58am Post subject: Re: Latest wave of spam
PingBad wrote:
    in the root of the rar file is a handy little file named "IRCproxys.txt" which contains a veritable list of IPs (and ports) it can use to connect to your network with - how convenient

That's nothing, there's a complete list of networks it's hitting contained in the package too.

PingBad (Post Whore)
Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 09, 2009 3:16am Post subject: Re: Latest wave of spam
Jobe wrote:
    PingBad wrote:
        in the root of the rar file is a handy little file named "IRCproxys.txt" which contains a veritable list of IPs (and ports) it can use to connect to your network with - how convenient
    That's nothing, there's a complete list of networks it's hitting contained in the package too.

I know, I'm digging through its source right now (you can bet your blue college blazer I wish I had a printer right about now lol). Here's what I've discovered thus far:
- Has a psyBNC clone
- Includes an exe file (x.exe) that allows it to hide processes, thus hiding the mirc.exe instance
- Has a keylogger
- DoS script (sending mass ICMP packets by the looks of it)
- Port scanner (select ports only)

More to come, I'm sure - I'm still trying to pick it apart and find out where it's populating the %m.s.gg variable (this holds its spam text) and %site (the download link). Will post more when I know more.

PingBad (Post Whore)
Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 09, 2009 3:41am Post subject:
Ok, when the spambot connects to a network, the first thing it does is try to register with NickServ (if you're using AuthServ or the like, it doesn't account for this) with the password "w33dz00" and an email address fitting the regex pattern ([a-z]{7})@live.ca - this is hard coded into the bot's source, so spamfiltering the password and that email address would certainly curb it no matter what advertising text or URL it uses to propagate.

PingBad (Post Whore)
Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 09, 2009 4:23am Post subject:
This bot also has two nicks on notify/watch:
- indep_
- Independent (with note: Author)

When it receives notification about either being online, the bot will notice the nick with the following:
Code:
$host $ip $fulldate {number of lines in its proxy file} {number of lines in sock4.txt} {number of lines in sock5.txt} App{boolean value if mIRC is active or not} Idle{calculation of idletime / 60} Os{operating system} Up{uptime} {boolean value if the port 31337 is available}

For example...
Quote:
-released- Ap-Servidor 10.1.1.16 Sun Aug 09 07:12:24 2009 1110 210 336 App$false Idle1774.05 Os2003 Up3days 42mins 12secs $false
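
The beacon format described in the post above, turned into a parser and a detection, as an added example that is not part of the original thread. The field order follows PingBad's description; the beacon body is the one quoted in the post, wrapped in a made-up raw IRC NOTICE line, and the other sample lines are constructed. Whether you would deploy the looser pattern as a notice-type spamfilter is an assumption.

```python
import re

# Added example (not from the thread): parse the status notice the bot sends
# to its author's nicks, in the field order PingBad listed, and derive a
# detection from it. SAMPLE_LINES are constructed; only the beacon body is
# the one quoted in the post (the nick!user@host prefix is invented).
SAMPLE_LINES = [
    ":released!~mirc@10.1.1.16 NOTICE Independent :Ap-Servidor 10.1.1.16 "
    "Sun Aug 09 07:12:24 2009 1110 210 336 App$false Idle1774.05 "
    "Os2003 Up3days 42mins 12secs $false",
    # Ordinary traffic that must not match.
    ":alice!a@example.org NOTICE bob :Up3days and still no printer, lol",
    ":bob!b@example.org PRIVMSG #chat :App$false is not a word",
]

# Field layout from the post: $host $ip $fulldate <proxies> <socks4> <socks5>
# App$<bool> Idle<idle/60> Os<os> Up<uptime> $<port 31337 bool>
BEACON_RE = re.compile(
    r"^(?P<host>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<date>[A-Za-z]{3} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<proxies>\d+) (?P<socks4>\d+) (?P<socks5>\d+) "
    r"App\$(?P<app>true|false) "
    r"Idle(?P<idle>\d+(?:\.\d+)?) "
    r"Os(?P<os>\S+) "
    r"Up(?P<uptime>.+?) "
    r"\$(?P<port31337>true|false)$"
)

# Looser pattern keyed only on the fixed tokens; a candidate for a
# notice-type spamfilter (assumed deployment, tune before use).
BEACON_SPAMFILTER = re.compile(
    r"App\$(true|false) Idle[0-9.]+ Os\S+ Up.+ \$(true|false)$"
)


def notice_text(raw_line):
    """Return the trailing text of a raw IRC NOTICE line, else None."""
    m = re.match(r"^(?::\S+ )?NOTICE \S+ :(.*)$", raw_line)
    return m.group(1) if m else None


def parse_beacon(text):
    """Parse one beacon body into typed fields, or return None."""
    m = BEACON_RE.match(text)
    if not m:
        return None
    return {
        "host": m["host"],
        "ip": m["ip"],
        "date": m["date"],
        "proxies": int(m["proxies"]),
        "socks4": int(m["socks4"]),
        "socks5": int(m["socks5"]),
        "mirc_active": m["app"] == "true",
        "idle_minutes": float(m["idle"]),
        "os": m["os"],
        "uptime": m["uptime"],
        "port_31337_open": m["port31337"] == "true",
    }


def find_beacons(raw_lines):
    """Return the parsed beacon for every NOTICE line that carries one."""
    found = []
    for line in raw_lines:
        text = notice_text(line)
        if text is None:
            continue
        parsed = parse_beacon(text)
        if parsed is not None:
            found.append(parsed)
    return found


def matches_spamfilter(text):
    """True when the looser token-based pattern would fire on this text."""
    return BEACON_SPAMFILTER.search(text) is not None


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_LINES):
        print(beacon)
```

The strict regex gives you the proxy and SOCKS counts as integers, which is the useful part: a single beacon tells you how many open proxies the bot currently carries. The looser pattern is what you would actually filter on, since the host, IP and date vary per infected machine.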

nenolod (Idler)
Joined: 23 Jan 2004 Posts: 357 Location: A box!
Posted: Aug 09, 2009 5:52am Post subject:
it is just the same independent spam as discussed on irc-security...

maddog906 (Lurker)
Joined: 08 Mar 2005 Posts: 164
Posted: Aug 09, 2009 10:11am Post subject: here is the killing code for your spamfilter
I see you got new ones:
/spamfilter add cpnNPqdat gline - Spammer Register mIRC FREE and Get a nice little script

Try this too:
/spamfilter add cpnNPqdat gline - Spammer /!\ Register mIRC FREE and Get a nice little script

And this:
/spamfilter add cpnNPqdat gline - Spammer http://hyperfileshare.com

And this one:
/spamfilter add cpnNPqdat gline - - h[^a-z]{0,}y[^a-z]{0,}p[^a-z]{0,}e[^a-z]{0,}r[^a-z]{0,}f[^a-z]{0,}i[^a-z]{0,}l[^a-z]{0,}e[^a-z]{0,}s[^a-z]{0,}s[^a-z]{0,}h[^a-z]{0,}a[^a-z]{0,}r[^a-z]{0,}e[^a-z]{0,}.+c[^a-z]{0,}o[^a-z]{0,}m

(I am normally up to date on this but I was on holiday and still will be for the next two weeks)
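
The third and fourth filters from the post above, run side by side over constructed chat lines, as an added example that is not part of the original thread. It shows what the letter-by-letter regex catches once a spammer starts breaking the domain up with dots and spaces, and also where it still does not fire. The sample lines are constructed (the first carries the real link from PingBad's post); case-insensitive matching is an assumption about how the server applies spamfilter regexes.

```python
import re

# Added example (not from the thread): compare the literal filter with the
# obfuscation-tolerant one from maddog906's post. re.IGNORECASE is assumed.

# Third filter from the post: as a regex, the unescaped '.' matches any char.
LITERAL_RE = re.compile(r"http://hyperfileshare.com", re.IGNORECASE)

# Fourth filter from the post, verbatim: [^a-z]{0,} (same as [^a-z]*) allows
# any run of non-letters between consecutive letters of the domain, and
# .+ requires at least one character before the c-o-m tail.
OBFUSCATED_RE = re.compile(
    r"h[^a-z]{0,}y[^a-z]{0,}p[^a-z]{0,}e[^a-z]{0,}r[^a-z]{0,}"
    r"f[^a-z]{0,}i[^a-z]{0,}l[^a-z]{0,}e[^a-z]{0,}"
    r"s[^a-z]{0,}h[^a-z]{0,}a[^a-z]{0,}r[^a-z]{0,}e[^a-z]{0,}"
    r".+c[^a-z]{0,}o[^a-z]{0,}m",
    re.IGNORECASE,
)

# Constructed samples: the bot's real link, three spacing/punctuation
# variants of the kind that appear once a literal filter lands, then two
# benign lines (the last names the site but has no ".com"-style tail).
SAMPLE_LINES = [
    "Register mIRC FREE and Get a nice little script http://hyperfileshare.com/d/42e6aa92",
    "get it at h.y.p.e.r.f.i.l.e.s.h.a.r.e . c.o.m /d/42e6aa92",
    "hyper fileshare (dot) com",
    "hyperfileshare[.]com",
    "just chatting about nothing in particular",
    "hyperfileshare is a hosting site",
]


def blocked_by(pattern, lines):
    """Return the lines the given filter would act on."""
    return [line for line in lines if pattern.search(line)]


def compare_filters(lines):
    """Return (literal_hits, obfuscated_hits) for a batch of lines."""
    return blocked_by(LITERAL_RE, lines), blocked_by(OBFUSCATED_RE, lines)


if __name__ == "__main__":
    literal, obfuscated = compare_filters(SAMPLE_LINES)
    print("literal filter:", len(literal), "hits")
    print("obfuscated filter:", len(obfuscated), "hits")
```

Two caveats worth knowing before copying the fourth filter: the `.+` in the middle is greedy and will happily span most of a line, so the filter is a yes/no test rather than something you can use to extract the URL, and a line that spells out the domain without any c-o-m tail is not caught at all.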

Trixar_za (Eleet)
Joined: 10 Dec 2006 Posts: 613 Location: South Africa
Posted: Aug 09, 2009 5:08pm Post subject:
nenolod wrote:
    it is just the same independent spam as discussed on irc-security...

That's what I thought when I saw how it registers. Is this a rehash of his attacks or just modifications by somebody else? Is it me or is this dude getting better at this? He definitely has help.

PingBad (Post Whore)
Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 09, 2009 8:14pm Post subject:
Trixar_za wrote:
    nenolod wrote:
        it is just the same independent spam as discussed on irc-security...
    That's what I thought when I saw how it registers. Is this a rehash of his attacks or just modifications by somebody else? Is it me or is this dude getting better at this? He definitely has help.

Speaking as a coder myself, somebody (or a group of somebodies) really put the hours in for this scriptset - if only they focused their energy into something a bit more constructive.

Willaim (Idler)
Joined: 27 Jun 2003 Posts: 323 Location: IRC
Posted: Aug 09, 2009 9:42pm Post subject:
Since PB isn't replying to my IRC PMs..
Anyone know why this wouldn't work?
Code:
./spamfilter add p gline 3d Independent_Worm register w33dz00 ([a-z]{7})@live.ca

PingBad (Post Whore)
Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 09, 2009 10:13pm Post subject:
Willaim wrote:
    Since PB isn't replying to my IRC PMs..
    Anyone know why this wouldn't work?
    ./spamfilter add p gline 3d Independent_Worm register w33dz00 ([a-z]{7})@live.ca

Apologies, PB was working.

Jobe (Eleet)
Joined: 30 Jul 2006 Posts: 526 Location: Lurking in the shadows of some random channel!
Posted: Aug 10, 2009 1:41am Post subject:
I will note there are also "$encode()"'ed details where the bot connects to a C&C server+channel, or at least there were in older versions. Haven't got a copy of this version to check anymore.

Willaim wrote:
    Since PB isn't replying to my IRC PMs..
    Anyone know why this wouldn't work?
    ./spamfilter add p gline 3d Independent_Worm register w33dz00 ([a-z]{7})@live.ca

If the bot uses aliases such as /nickserv or /ns, then those, in UnrealIRCd at least, are exempt from spamfiltering by default. See the "spamfilter" option of alias blocks: http://www.unrealircd.com/files/docs/unreal32docs.html#aliasblock

PingBad (Post Whore)
Joined: 05 Feb 2005 Posts: 3001 Location: New Zealand
Posted: Aug 10, 2009 4:28am Post subject:
Jobe wrote:
    I will note there are also "$encode()"'ed details where the bot connects to a C&C server+channel, or at least there were in older versions. Haven't got a copy of this version to check anymore.

Last I checked, the link above is still live, and the latest version can be downloaded from there.

It's using the NickServ alias. Having looked at the documentation for UnrealIRCd, there is alias [name]::spamfilter <yes/no> which appears to allow the server admin to explicitly force the parameters of the alias to be run through spamfilter before being passed on.

Willaim (Idler)
Joined: 27 Jun 2003 Posts: 323 Location: IRC
Posted: Aug 10, 2009 9:59am Post subject:
Aha, you didn't tell me it was using an alias... now I added "spamfilter yes;" to the various alias blocks.. we'll see if that works.

maddog906 (Lurker)
Joined: 08 Mar 2005 Posts: 164
Posted: Aug 10, 2009 12:21pm Post subject: if you're using anope
You can edit the alias config:
Code:
/* Anope Aliases */
/* Only memoserv/ms carry "spamfilter yes;" below; the NickServ REGISTER
   filter discussed above needs it on the nickserv and ns blocks too. */
alias nickserv { type services; };
alias ns { target nickserv; type services; };
alias chanserv { type services; };
alias cs { target chanserv; type services; };
alias memoserv { type services; spamfilter yes; };
alias ms { target memoserv; type services; spamfilter yes; };
alias operserv { type services; };
alias os { target operserv; type services; };
alias helpserv { type services; };
alias botserv { type services; };
alias bs { target botserv; type services; };
alias hostserv { type services; };
alias hs { target hostserv; type services; };
include "aliases/aliases.conf";
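
The register filter from PingBad's and Willaim's posts, checked against the alias-bypass that Jobe describes and the alias config just above, as an added example that is not part of the original thread. It models what the private-message spamfilter gets to see when the bot registers by PRIVMSG versus through the nickserv/ns aliases, with and without "spamfilter yes;" on those blocks. The routing logic is a model of the behaviour described in the posts, not UnrealIRCd's own code; the sample lines are constructed and case-insensitive matching is an assumption.

```python
import re

# Added example (not from the thread): show why Willaim's 'p' spamfilter
# missed the bot, and what adding "spamfilter yes;" to the nickserv and ns
# alias blocks changes. This models the alias behaviour described in the
# posts; it is not UnrealIRCd code. re.IGNORECASE is assumed.

# Regex part of Willaim's filter; the '.' in live.ca is escaped here.
REGISTER_RE = re.compile(r"register w33dz00 ([a-z]{7})@live\.ca", re.IGNORECASE)

# Alias table taken from the Anope config above: name -> spamfilter yes/no.
ALIASES_AS_POSTED = {
    "nickserv": False, "ns": False,
    "chanserv": False, "cs": False,
    "memoserv": True, "ms": True,
    "operserv": False, "os": False,
    "helpserv": False,
    "botserv": False, "bs": False,
    "hostserv": False, "hs": False,
}
# Same table after adding "spamfilter yes;" to the nickserv and ns blocks.
ALIASES_FIXED = dict(ALIASES_AS_POSTED, nickserv=True, ns=True)


def filterable_text(raw_line, aliases):
    """Text the private-message spamfilter gets to inspect for one client
    line, or None when the line is routed to services without filtering."""
    command, _, rest = raw_line.partition(" ")
    command = command.lower()
    if command == "privmsg":
        # "PRIVMSG NickServ :REGISTER ..." -> drop the target, keep the text
        _, _, text = rest.partition(" ")
        return text[1:] if text.startswith(":") else text
    if command in aliases:
        # Alias parameters are only filtered when the block says spamfilter yes
        return rest if aliases[command] else None
    return None


def is_blocked(raw_line, aliases):
    """True when the filter would act on this line under the given aliases."""
    text = filterable_text(raw_line, aliases)
    return text is not None and REGISTER_RE.search(text) is not None


def unblocked(raw_lines, aliases):
    """Return the lines that reach services without the filter firing."""
    return [line for line in raw_lines if not is_blocked(line, aliases)]


# Constructed traffic: the bot's three routes to NickServ, then a real user.
SAMPLE_LINES = [
    "PRIVMSG NickServ :REGISTER w33dz00 qwertyu@live.ca",
    "NICKSERV REGISTER w33dz00 asdfghj@live.ca",
    "NS REGISTER w33dz00 zxcvbnm@live.ca",
    "PRIVMSG NickServ :REGISTER hunter22 alice@example.org",
]


if __name__ == "__main__":
    print("missed as posted:", unblocked(SAMPLE_LINES, ALIASES_AS_POSTED))
    print("missed after fix:", unblocked(SAMPLE_LINES, ALIASES_FIXED))
```

With the config as posted, only the PRIVMSG form is caught and both alias forms go straight through, which is exactly the symptom Willaim reported. After the nickserv and ns blocks carry spamfilter yes, the only line left unblocked is the legitimate registration.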