Security Basics mailing list archives

Re: Why attacker install irc after hacking?


From: "Frynge Customer Support" <frynge () frynge com>
Date: Fri, 21 Apr 2006 15:15:18 -0600

They use irc in order to do many things

1: run bots off your server bandwidth to deliver information. The information they deliver usually centers around ways and places to get more pirated software/video/music, sending information on how to get this through them, running of their groups and systems, and their infrastructure.

2: run bots off your server bandwidth to deliver files. This is mostly pirated software, video and music but hackers do this as well to trade information which they consider software. These are the newest techniques on hacking servers, ftp accounts, credit info, paypal or other scams, and they store files that bots use on the irc to deliver them, and all sorts of software.

3: run flood bots in order to flood others off the irc in the wars they get into
http://www.darknet.org.uk/content/docs/irc-takeover.html

Yes this one is called an IRC split. When they have wars, they want to kick others off their conferences or servers or in some cases, rogue elements want to take over channels for their own purposes. So they try to split the irc, killing a large group of people off their server and controlling the channel. They also use the drones, "people that download pirated software with trojans in them, to open up ports", OR use windblows exploits in order to create drones. When they have a large amount of drones, they go to war. They use the drones in order to flood others out and take over certain aspects of irc. A lot of them are stealing your bandwidth and jeopardizing your business in order to have "fun" :)

4: advertising robots using your bandwidth in order to promote their services on IRC and to run automated systems in order to perform very specific functions.

This one is interesting. By giving away pirated software, some will make it hard to get into the best places. When you do get there, you may have to do things, like signing up for accounts from another sponsor and then they make money off of this, either through sales or clicks or something. So it's a small business they use while stealing your bandwidth, server space or resources.

It's also a tool in order to automate all their systems, so they don't have to be around, but the group continually grows.

5: A very small few will install the irc client and have been for awhile for their groups. They install these irc clients because some time in the future, they are going to use your bandwidth in order to DDOS (basically flood) a large company in the future. These are usually unorganized groups of people or single individuals that have no real common ground or purpose. This trend seems to be changing as all the groups merge and there are some rogue entities coming up with very interesting ideas in order to cause some sort of chaos or destruction of property.

6: A portion of these people are spammers. They have been in the pirated industry and they are using it to maliciously advertise. They will install irc and create their own channels. The irc is to run the bots. The bots specifically find other weak security on other systems in order to create a chained bot. This chained bot will find other weak mail systems in order to conduct spam attacks.

They will gather 1,000 or 10,000 mail servers and then spam for a few months until all their hacked servers go down. This chain cannot be broken. As one server gets exposed, it's dropped off the chain and the link rejoins and continues on the other hacked servers.

So this is a two part function.... 1: is to continually search for open mail servers (using an irc bot) and also to find other systems to compromise (if they get root, they can install the software in order to do more hacking through irc and spamming) and 2: is to deliver their payload which is the spam.

Spammers would have a hard time without irc. They would have to learn how to set up their own server. Why not just use the IRC and a BOT and then just hack and spam away? It's much easier than learning linux.


The evolution of irc and hacking.

I see in the future an interesting trend. The software is getting more secure, but because there are so many new users and new holes, also there are always old holes still left open and new ones continually coming up.

The hackers and piraters/spammers seem to be grouping into larger and larger groups that perform very specific functions, depending on their goals. This information is left behind for the nefarious people to use and exploit, to really cause some damage.

There is no doubt that the day is soon coming where cyber terrorism is prevalent. In the future, we will see these independent pockets of terrorism joining up through the net into one large entity that has a similar goal. (just like the hackers and piraters are doing) These goals will be attacks on our economic systems and physical attacks in order to cause fear. Days will come when these merged entities will cause death via the internet and it may be sooner than you think.

Our capacity to understand our own software is limited compared to all the people exploiting it. When these people get grouped and get a cause, there will be a higher capacity for real damage. On top of that, older systems are still not being shored up (they are but very slowly). This will allow some incredible things to happen that *will* cause death. There will be chains of action, that are all automated. And once started, it will be very difficult to stop them. I can go into detail if anyone is interested.

The future is going to be an interesting but dangerous place.

Kelly Sigethy
Frynge.com


----- Original Message ----- From: "Mario Platt" <mplatt () gmail com>
To: "James Harless" <jharless () kidwellcompanies com>
Cc: "Monty Ree" <chulmin2 () hotmail com>; <security-basics () securityfocus com>
Sent: Thursday, April 20, 2006 4:43 PM
Subject: Re: Why attacker install irc after hacking?


That is typical script kiddie stuff. They probably got an exploit
anywhere, and go on to irc tell their friends they're so good......
but it could also be botnets

On 4/20/06, James Harless <jharless () kidwellcompanies com> wrote:
I believe that a large percentage of botnets are controlled through commands
given over IRC.


--
James Harless
Network Security Engineer

Kidwell Companies
kCOM  kE  kTECH



On 4/19/06 11:55 PM, "Monty Ree" <chulmin2 () hotmail com> wrote:

> Hello, all.
>
> I have operated linux server for a long time.
> and I have found that some irc(psybnc etc) related program was installed
> after scan or hacking.
>
> I can't understand
> Why attackers installed and executed irc program?
> Why attackers use irc after hacking?
> Just chatting is not...I guess..
>
>
> Thanks in advance.
>
> -------------------------------------------------------------------------
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records un-protected.
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
> obligation. See why so many companies trust Spy Sweeper Enterprise to
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
> --------------------------------------------------------------------------
>
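
For the situation in the original question (psybnc found running on a Linux server), the following is an added example, not part of any poster's message: it scans `ss -tanp` output for sockets that point at IRC activity. The port list, the process-name list (only psybnc comes from the thread) and the sample output are assumptions constructed for illustration.

```python
import re

# Assumptions, not from the thread: ports commonly used by IRC servers.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# psybnc is named in the thread; eggdrop is added here as another known IRC bot.
IRC_PROC_NAMES = {"psybnc", "eggdrop"}

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

# Constructed sample of `ss -tanp` output (documentation address ranges only).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB  0 0 192.0.2.10:48122 198.51.100.7:6667 users:(("perl",pid=4312,fd=5))
LISTEN 0 128 0.0.0.0:31337 0.0.0.0:* users:(("psybnc",pid=4410,fd=3))
ESTAB  0 0 192.0.2.10:22 203.0.113.5:51515 users:(("sshd",pid=901,fd=4))
ESTAB  0 0 192.0.2.10:50001 198.51.100.9:6697
"""

def port_of(endpoint):
    """Return the numeric port of 'addr:port', or None for a wildcard ('*')."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def find_irc_sockets(ss_output):
    """Return one finding per socket that looks IRC-related, with the reasons."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("ESTAB", "LISTEN"):
            continue  # header line or a state we do not inspect
        local, peer = fields[3], fields[4]
        m = PROC_RE.search(line)  # absent when ss is run without root
        name, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        reasons = []
        if port_of(peer) in IRC_PORTS:
            reasons.append("connection to remote IRC port")
        if port_of(local) in IRC_PORTS:
            reasons.append("local socket on IRC port")
        if name in IRC_PROC_NAMES:
            reasons.append("IRC bot/bouncer process name")
        if reasons:
            findings.append({"pid": pid, "name": name, "local": local,
                             "peer": peer, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_irc_sockets(SAMPLE):
        print(f["pid"], f["name"], f["local"], "->", f["peer"], f["reasons"])
```

On a live host, feed it the output of `ss -tanp` run as root so that process names and PIDs are present; a hit is a lead to investigate, not proof of compromise.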

