Re: Internet Wide DOS Attack using IRC

[cluster () VIDEOTRON CA (Samuel Cossette)]

I have done my own investigation about it;

First it's not Back Orifice, it's another fuck*** trojan, spread by a DCC
bot on EFnet (#warez950-dcc). When it's installed this is request 3 files on
Geocities! (configuration) After, the trojan start an irc session on EFNet.
The first channel was #^C^CHaVoC^B^B with a key, when they discover the
presence of intruder they have changed the channel (#^_^_HaVoC^B^B) And
since 1-2 weeks the channel is empty and when i start my laptop (infected) I
see, on the monitoring screen of my server, some connection on Geocities
this is retrieve a file and this is return a 404 url not found.

When a clone (Havoc call an infected computer a "Drone") is connected on irc
anybody can control this with Private msg command (.join #chan, .part, .do
[raw command]). 2-3 week ago the infected chan get about 500-700 drones
(stable). My personnal estimation of infected computer it's 15000+.

With 500 "clones" they can easily split an irc server with the command
MOTD:irc.server.net (.do raw command).

To see if you are infected do CTRL-ALT-DEL in windows and if you have a
process called OCE it's the Havoc's trojan :] remove it in your system
directory usualy c:\windows\system

Samuel Cossette

-----Original Message-----
From: dbarba <dbarba () GEOCITIES COM>
To: BUGTRAQ () NETSPACE ORG <BUGTRAQ () NETSPACE ORG>
Date: 2 octobre, 1998 18:09
Subject: Internet Wide DOS Attack using IRC


>   Please forward this on to the appropriate people if necessary.
>
>   GeoCities is currently experiencing a DOS attack that appears to be
>   spread by a trojan horse in a mIRC script.
>
>   GeoCities is receiving thousands of HTTP requests from thousands of
>   unique computers daily for a file that no longer exists on our
> servers.
>   The specific count for one minute on Friday, September 25 at 10:17 am
>
>    was 3,522 hits,
>
>   1,492 of them were from unique IP's.  For the time period of 3 am to
> 10:17am
>    on 9/25  we had 3,562 unique IPs request this one file.  It does not
> appear to be
>   specifically requested by the user of that computer.  This request
> uses
>   no browser and is usually requesting the file every 30 seconds while
> the
>   user is connected to the Internet.  The requests are coming from
> around
>   the world and have been slowly building up since at least August 18,
>   1998 (the farthest back our access logs go).
>
>   The attack is requesting a file from our site:
>
>     http://www.geocities.com/Area51/Stargate/5845/nfo.zip
>
>   The complete content of the 5845 directory was:  nfo.zip, nfo.jpg,
>    servers.zip, servers.jpg, users.zip and users.jpg.  When I looked at
> the
>    binary files by doing a cat, the users jpg & zip files were the
> same, but the
>    other files were all unique.
>
>   It does not use a browser or store cookies.  At the moment, the file
> being
>   requested is of zero size.  When there is a file of size , originally
> it was 8k
>   and I later inserted a short note to contact me regarding the attack
> into the
>   nfo.zip file,  at which time the attack becomes much worse on the
> Windows
>    machines that are requesting the file.
>
>   Also, an odd note, there are a couple machines that are requesting
> the file named
>   nfo.jpg.  Those are reqeusted every minute instead of every 30
> seconds.
>
>   I have contacted a user that complained about GeoCities attacking
> him.
>   In reality, his computer was asking for the nfo.zip file from us
> every
>   30 seconds, and that was flooding his connection to the internet.  I
>   have worked with him closely since he found the problem.  He only
> uses
>   IRC.  In fact, the first time he visited our website is after the
> attack
>   started, when he was looking for a contact name and number.  He does
> not
>   surf the internet.  He has subsequently reinstalled his OS and that
> has
>   completely stopped the attack.
>
>   We did find an entry in his registry with the following setting:
>
>   /microsoft/windowsexplorer/doc/find/spec/mru
>   a) " "
>   b) 5845
>   c) nfo
>   d) bo
>   e) nfo.zip
>   f) winrar
>   g) msvbvm60.dll
>   h) loadwc
>   i) stargate
>   j) area51
>   mrulist) eadcbjihgf
>
>    When the user deleted the registry entry, the attack from his
> machine
>   went from 1 GET every 30 seconds to 1 GET every second.  After about
> 10
>   minutes, it started slowing up and finally settled into about 1 GET
>   every 17-20 seconds.
>
>    I also asked our ISP to help track some of this and this was their
> result.  "All the IP's
>    I've scanned so far from the log have several UDP ports open in the
> 31337 range
>    (what Back Orifice uses)."
>
>   So, we really need to find the source instead of asking everyone to
>   reinstall their OS.  It might also be necessary to inform the various
>
>   virus-detection software vendors to try to eradicate this from all of
>
>   the machines that currently have it installed.
>
>   Thank you for your help,
>
>   Debbie Barba
>   SysAdmin
>   dbarba () geocities com