new spam bots

upinsmoke · Posted: Mar 09, 2004 2:47am Post subject: new spam bots

i noticed these bots joining my server yesterday. they seem to join up to 9 rooms at a time and just idle, until they recieve a private message at which point they spam a file called myvideo.exe. they all seem to use female nicks and have a version reply of mIRC v6.03 Khaled Mardam-Bey . has anyone else seen these bots yet?

example

> [rennie] VERSION
[rennie VERSION reply]: mIRC v6.03 Khaled Mardam-Bey
-
rennie is ~lynn@3D9D4BE0.B414A77C.3237206B.IP * vivia elwira
rennie is connecting from *@219.95.120.245
rennie on @#Worldchat @#Chatzone @#TeenFactory #cybercafe #sexo #allnitecafe #cybersex #beginner #sex
rennie using express.paradise-chat.com express.paradise-chat.com
rennie has been idle 3mins 6secs, signed on Tue Mar 09 01:45:52
rennie End of /WHOIS list.
-------------------------------------------------------------------------------------------
private message convo
-------------------------------------------------------------------------------------------
<smoke> hi
<rennie> hoya
<smoke> whats up
<rennie> Smile

<rennie> i am bz now plz see my erotic video at http://www.koolpages.com/erotic/myvideo.exe

more examples can be seen here or here

Exceter · none Joined: 15 May 2003 Posts: 19

The same bot hits the HelpSupport network.

It's not easy to catch this one: the IP is different every time (and not in the same range), and the client answers with a correct version reply.

Workaround, which will be OK for me:

Opening one of the channels that the bot will join, set it +s, so normal users wil not see it.

The rest will do a mIRC script, which AKILLs everyone who's joining the channel.

Doesn't have a better solution :-/

Ex

Plasma · Newbie Joined: 10 Dec 2003 Posts: 63

We had these on our network as well and have successfully turned them away...

The bot will leave your server if it finds no channels (that is, it recieves no channels at the end of a /LIST command).

The workaround we coded into our ircd was that when a client joins, they receive a 'END OF /LIST' message (check irc rfc for the correct code) and the bot says 'hey, no channels' (It never requested the list in the first place, it never checks for this), and then instantly disconnects from the network, without registering or joining a channel! Smile

chrishogben · Lurker Joined: 09 Sep 2003 Posts: 218 Location: UK

Just to add, if you run services which have the FORBID option, if you Forbid the channels these spambots enter, they will eventually leave on their own accord. I stumbled across this the other day. I posted some detailed info in another thread.

http://searchirc.com/boards/viewtopic.php?t=978&start=17

EDIT: If you have Unreal3.2-RC2, you can add this to spamfilter.conf, and it'll stop them from messaging your users.

Guest · Guest

We just kline anyone connecting with 2 or more recognisable nicks out if its list. Works a charm.

That bastard Fyle decided to use our network as a controller!

We haven't been able to access the second variant that has some different spam messages and an updated nick list (not the one that changes nicks constantly). Good news is that only one of the spammed out urls is operable. Seems this thing started in january.

We're currently investigating if we can control the bots to notify the user of the computer that their computer is infected and get them to clean it. By unhiding the mirc window or something, dunno yet.

al5001 · Lurker Joined: 17 Jul 2003 Posts: 181 Location: Canada

Edit the IRCd and change /list to /clist. Add the /list command again so that it tells the user to type /clist to list channels.

Mary · SearchIRC Admin Joined: 03 May 2003 Posts: 692

If you do the above, be sure to tell us. Our indexer can't read ;) It will do /list, get no returns, and drop your network from the active list.

Plasma · Newbie Joined: 10 Dec 2003 Posts: 63

No thats a bad modification (breaks RFC and is an inconvenience to users as well)...

Simply send a "End of /LIST" message when the user first signs on to the server, the bots will LOG OFF because they see no channels (you just tricked it into believing it issued a /LIST and has had no channels returned).

This works _fine_ on our network, bots do not appear (we see them connect + disconnect straight away) and users can still list the channels as per normal (and searchirc can still keep up to date with our network).

Listen to me Smile

Jason · Posted: Mar 18, 2004 6:38pm Post subject:

Yeah, the SearchIRC indexer is smart enough to know it didn't yet start a /list, so it ignores the End of List numeric issued immediately after connecting.

Howard · none Joined: 16 Nov 2003 Posts: 34

Jason · Posted: Mar 21, 2004 7:19am Post subject:

It looks like you're sending it as part of the end of motd.

The problem is you put the end of list numeric right when the bot sends list. So there would be no way to know that the end of list displayed is fake.

Try putting it somewhere with the sign on numerics, or at the very least, before the motd is issued.

brut · none Joined: 08 Jun 2003 Posts: 3

well regarding those new bots, what i have done, and found to be very effective is, join one of the channels ( i chose #sex) becuase they are always in that one and i set it +ntslL 1 #ourbotkillchan then made a pseudo client join (in our case operserv) so that the modes would stick, then i use the anope module (cs_joinkill) (which i had in place for the come watch we on my webcam bots) anyway, then i run /chanserv joinkill on after i start services, then whenever one of those bots join #sex they are instantly redirected to the channel that is configured in the module for an akill, this kills 2 birds with one stone, the new bots and the old bots.

the cs_joinkill module should be still on the anope modules site if not and someone wants it email me at brut^at^dilexnet^dawt^net and ill email it to you.

and i guess if you dont use anope 1.5* (soon to be 1.6 stable) you should be, as they are the best set of irc services ever coded Very Happy

Howard · none Joined: 16 Nov 2003 Posts: 34

LIQUID_NiTrO · none Joined: 06 Apr 2004 Posts: 34

Well, unless these channels actually exist on your server, which they don't on most servers I've been to (#sexo, #cybersex, #beginner, #sex, etc.) set AKICK on them to *!*@*.* or set mode +Nsk aflksdjlkfjasdlkfjs or something. Basically, just ban the damn channels Very Happy

emre · Guest