Security Incidents mailing list archives

Re: IRC DDoS bots


From: "Johannes Ullrich" <jullrich () euclidian com>
Date: Fri, 14 Mar 2003 12:56:18 -0500

> It's another mIRC based DDoS trojan that scans for NT-Password and IIS
> unicode exploits.
> So the next question is...  How do we go about apprehending the culprits?
> Can we somehow get wxmail.net revoked?

IRC bots are a common plague. We do play 'whack the bot' once in a while
if we find out about it. So far, I have yet to see a case successfully 
prosecuted. 

The best bet is to call whoever hosts the IRC server and have them yank
the server. Be ready to find some resistance and confusion as you talk
to your first 'tech support' person about IRC bots. Try to get through
to a security contact. 

It looks like the particular server you were monitoring is no longer
responding. So maybe they already took care of it.

Regarding prosecuting: Talk to your local FBI office and see if you can
get them interested. However, usually they don't bother unless you have
significant damages (the 'official' threshold of $5,000 is usually not
enough). 

If whoever is hosting this server is not cooperating, you may want to
try going for a civil suit. It's probably more promising but you need
the stomach/money for it.

If you need any further help, contact me off-list.

 

-- 
--------------------------------------------------------------------
jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
