ml_man
9 Jun 2003, 09:18am
Summary
ISS X-Force has been tracking several large file-sharing networks that are being used to trade terabytes of pirated software and movies. These networks consist of hundreds of compromised machines that are remotely controlled by software and movie pirates to distribute files. These pirates are actively attempting to compromise high-bandwidth servers at universities and web-hosting providers in order to expand the reach and distribution capabilities of their existing file-sharing networks.
Details
Impact:
Computers infected with the rogue file-sharing software may be unknowingly participating in a massive underground file-sharing network. These large "bot" networks are extremely popular and may be responsible for enormous bandwidth utilization.
This bot software may also install Trojan horse software that allows a remote attacker to gain access to the system. The remote attacker does not need further access to the infected target in order to utilize its resources.
Description:
IRC, or Internet Relay Chat, is perhaps the oldest worldwide Internet chat network in existence. The original IRC was brought online in 1988.
Historically, IRC has been favored by the computer underground over other chat networks. Hackers continue to use IRC to congregate, discuss tactics and techniques, and trade hacking tools. Recently, IRC has been used to control large numbers of IRC-aware distributed denial of service (DDoS) zombie programs and "warez" distribution bots. These tools are typically modified backdoor or Trojan horse programs that are designed to connect to IRC where they can be controlled from IRC channels.
IRC bots have become much more sophisticated in recent years as their authors find new applications for their use. The first IRC bots were simple scripts designed to maintain IRC channel rules and to distribute information to IRC users. They have evolved into remote controlled backdoor programs, DDoS zombies, and warez distribution programs.
There is increasing overlap between the hacking and warez communities as software pirates are now borrowing techniques and tools from the hacking community. Backdoors are installed on computers in order to connect them to IRC-based file-sharing networks. These attackers attempt to compromise low risk/high reward systems, such as servers in .edu domains, home broadband users, web hosting companies, and Internet Service Providers. All of these targets are similar because they are not heavily protected and have a large amount of available bandwidth.
Pirates needed to increase their storage and bandwidth capabilities due to the size of modern software packages and the popularity of downloading pirated movie files. These files are several hundred megabytes in size, so it is cost-prohibitive for warez pirates to use their own servers to distribute this material.
The largest file-sharing IRC bot networks have 300-400 bots, all logged into the same IRC network and listening on the same IRC channel. The larger channels can have several hundred to thousands of individuals downloading files from these bots. Some bot networks are restricted so that normal IRC users cannot download files. However, most of these networks are public, allowing normal IRC users to download pirated files without restrictions. IRC bots like "iroffer" are especially user friendly and provide instructions to novice pirates on how to download files.
Iroffer is a standalone executable written specifically for file sharing over IRC. This bot is a fileserver/file-sharing server. It allows users to forward requests to the server through IRC channel commands and initiate downloads via DCC (Direct Client Connection). Iroffer is updated frequently to enhance network performance and to optimize download times.
Iroffer's features include the ability to limit the amount of bandwidth used in general and by time and date, remote administration via DCC chat, virtual host support, high performance CPU/memory and network code, logging features, and DCC resume support. Iroffer is available for a variety of UNIX platforms as well as Windows binary format. Currently, Iroffer is very popular in IRC channels that deal with pirated movies, video game console software, computer software, mp3 music, and pornography.
Typical Iroffer bot advertisement:
<generic_bot> ** 1 pack ** 0 of 5 slots open, Queue: 15/20, Record: 1670.9KB/s
<generic_bot> ** Bandwidth Usage ** Current: 138.6KB/s, Record: 2298.5KB/s
<generic_bot> ** To request a file type: "/msg generic_bot xdcc send #x" **
<generic_bot > #1 811x [927M] DVDmoviefile.iso.TS-FTF
<generic_bot > ** Brought to you by #IRC_CHAN, Why BuY When We Supply !!**
<generic_bot > Total Offered: 1926.8 MB Total Transferred: 96.34 GB
Iroffer IRC bots periodically broadcast to an IRC channel that files are available, instructions on how to download them, and statistics to help software pirates determine how fast the bot's network connection is.
Pirates install rogue FTP servers on bot servers to facilitate uploading and downloading as well as for transferring pirated files to other bot networks. Some of these back-end file distribution functions are automated while others are executed manually by the bot owners. These rogue FTP servers are frequently hard to detect and are typically run on high ports. Common FTP servers used for this purpose are "raidenftpd" and "bulletproof FTP server" (formerly Gene6) available for Windows, and "glftpd" available for UNIX. These FTP servers are used more often because they are easier to control remotely, have advanced administration capabilities, and allow for some automation of their functionality through third party plug-in scripts.
__________________
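A defender-side sketch of the advertisement format quoted in the advisory, added here as an example and not part of the original post or of any ISS tooling: it scans channel text (for instance, reassembled from a capture of IRC traffic leaving a server) for the iroffer announcement lines and flags any nick that emits at least two distinct markers. The marker regexes, the `scan` function and the constructed `alice` line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Markers derived from the advertisement lines quoted in the advisory.
MARKERS = {
    "slots": re.compile(
        r"\*\*\s*\d+\s+packs?\s*\*\*\s*\d+\s+of\s+\d+\s+slots\s+open", re.I),
    "bandwidth": re.compile(
        r"\*\*\s*Bandwidth Usage\s*\*\*\s*Current:\s*[\d.]+KB/s", re.I),
    "request": re.compile(r"/msg\s+\S+\s+xdcc\s+send\s+#", re.I),
    "pack": re.compile(r"^#\d+\s+\d+x\s+\[\s*[\d.]+[KMG]\]\s+\S+", re.I),
    "totals": re.compile(
        r"Total Offered:\s*[\d.]+\s*[KMG]B\s+Total Transferred:", re.I),
}
LINE = re.compile(r"^<\s*([^>]*?)\s*>\s*(.*)$")  # tolerates "<nick >" spacing
RECORD = re.compile(r"Record:\s*([\d.]+)KB/s", re.I)

# First six lines are the advisory's own sample; the last one is constructed
# to show that a human relaying the command does not trip the threshold.
SAMPLE = [
    '<generic_bot> ** 1 pack ** 0 of 5 slots open, Queue: 15/20, Record: 1670.9KB/s',
    '<generic_bot> ** Bandwidth Usage ** Current: 138.6KB/s, Record: 2298.5KB/s',
    '<generic_bot> ** To request a file type: "/msg generic_bot xdcc send #x" **',
    '<generic_bot > #1 811x [927M] DVDmoviefile.iso.TS-FTF',
    '<generic_bot > ** Brought to you by #IRC_CHAN, Why BuY When We Supply !!**',
    '<generic_bot > Total Offered: 1926.8 MB Total Transferred: 96.34 GB',
    '<alice> just type /msg generic_bot xdcc send #1',
]

def scan(lines, threshold=2):
    """Return {nick: {"markers": [...], "record_kbps": float}} for nicks
    whose messages match at least `threshold` distinct markers."""
    hits = defaultdict(set)
    record = defaultdict(float)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a "<nick> text" channel line
        nick, text = m.group(1), m.group(2)
        for name, rx in MARKERS.items():
            if rx.search(text):
                hits[nick].add(name)
        for value in RECORD.findall(text):
            record[nick] = max(record[nick], float(value))
    return {nick: {"markers": sorted(found), "record_kbps": record[nick]}
            for nick, found in hits.items() if len(found) >= threshold}

if __name__ == "__main__":
    for nick, info in scan(SAMPLE).items():
        print(nick, info)
```

The advertised record throughput is worth keeping in the alert: it indicates how much of the host's bandwidth the bot has already consumed.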