Squashing Botnets!

Well, today I helped diffuse a botnet by destroying it's control method. Some of you may not know, but I happen to be a services operator on CAIRC, and I was noticing some strange connect lines, with users from all over with the nick: XP|USA|000|2394 that were all idling in a channel called #V3NOM. So I decided to join and see what was going on, and lo and behold, there were about 10 of them idling along, not responding to any message or private messages. I looked at their IPs and they were connecting from all over (Belgium, USA, Estonia, etc…) so I assumed that they were part of a botnet. I started by taking over the channel and setting the mode to +mutn (so they couldn't talk and see anyone else in the channel), just to neutralize any control mechanism, and I set a JAKILL (regex AKILL) which easily took them all out

This is my second botnet that I detected and stopped, though this one was larger than the other one. So hopefully I'm doing my part to help slow the growth of the "zombie armies". 

 EDIT: After talking with the other IRCops, it was decided to let them join, but join the channel with a bot like nick, hopefully gathering the passwords so we can remove/disarm the bots.

                Peace and chow,

                 Ranok 

Leave a Reply

Your email address will not be published. Required fields are marked *