caNcer_b0y none

Joined: 13 Nov 2003 Posts: 11
Posted: Feb 26, 2004 12:46pm Post subject: new flavor nick change bot.
Over at 7sinz.net we have been seeing a new flavor of mIRC "worm" spreading bot in the last couple of days. Here is a small example of them:
[10:58:16] <ConnServ> User Signed On: lyssa!mariska@219.93.191.174 (incubus.7sinz.net)
[10:58:55] <ConnServ> Nick Change: lyssa changed nick to alice
[10:59:38] <ConnServ> Nick Change: alice changed nick to vinni
[11:00:21] <ConnServ> Nick Change: vinni changed nick to rebbecca
~broken to save space
[11:34:25] <ConnServ> Nick Change: lyssa changed nick to susanne
[11:36:03] <ConnServ> Nick Change: susanne changed nick to tara
[11:36:48] <ConnServ> Nick Change: tara changed nick to eleen
[11:37:23] <ConnServ> User Signed Off: eleen!~sasha@219.93.66.169 (incubus.7sinz.net)
and again here:
[12:29:46] <ConnServ> User Signed On: marian!~juliane@219.95.120.245 (incubus.7sinz.net)
[12:30:28] <ConnServ> Nick Change: marian changed nick to leona
[12:31:12] <ConnServ> Nick Change: leona changed nick to tracey
[12:32:19] <ConnServ> Nick Change: tracey changed nick to kristin
~broken again to save space
[12:44:24] <ConnServ> Nick Change: maryjane changed nick to janifer
[12:46:08] <ConnServ> Nick Change: janifer changed nick to paulina
[12:46:52] <ConnServ> Nick Change: paulina changed nick to sonya
(SS) Whois Information For: sonya
(SS) Name:(bianka zuzana) vHost:(755E0D1.BE652E19.3C8625C8.IP) Ident:(~juliane)
(SS) UserModes:(+x)
(SS) True Host:(*@219.95.120.245)
(SS) Using Server:(incubus.7sinz.net)
(SS) Idle:(32s) Signon:(Thu Feb 26 2004 @ 12:29:41 pm)
(SS) End sonya Whois Information.
[12:47:28] <ConnServ> User Signed Off: sonya!~juliane@219.95.120.245 (incubus.7sinz.net)
They always seem to use "human" names, and I have noticed that the bot's host never resolves, so they always have the IP as the host. If anyone has received a msg from one and downloaded the crap they are trying to give up and knows what the hell this is, let me or tiko know. Anyone have a fix, or block for it?
Sorry, it's very frustrating; woke up and saw that this last bot was on the net for some time. Unfortunately all our opers were sleeping at the time and could not handle it. Just yeah, a warning and such. Sorry for the lil bit of ramble there.
(edit) the spam messages look a bit like this:
[21:12:30] Session Ident: cheryl (7sinzNet) (~adelina@9C5086B.3F8AA86E.73171E5C.IP)
[21:12:30] <cheryl> allo
[21:12:35] <cheryl> Best Sexo http://www.haywired.com/sexo/sexo.exe
I'm waiting to see if they are hosted in different locations or not.
(/edit)
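The three traits caNcer_b0y points out above (a sign-on host that is a bare IP, a run of nick changes within minutes, and the same private message carrying a link to an .exe) can be checked mechanically against the ConnServ notices. The script below is an added example, not something from this thread, from 7sinz.net or from ConnServ itself: it follows each session across its nick changes and reports which of the three signals it shows. The sample log is constructed from the lines quoted above; the "bob" session, the timestamps after 11:00, the spam URL host and the thresholds (three changes inside five minutes) are assumptions made for the example.

```python
import re

# Constructed sample log. The ConnServ notice format and the spam message
# follow the lines quoted in the post above; the "bob" session, the timestamps
# after 11:00 and the spam URL host are made up for this example.
SAMPLE_LOG = """\
[10:58:16] <ConnServ> User Signed On: lyssa!mariska@219.93.191.174 (incubus.7sinz.net)
[10:58:55] <ConnServ> Nick Change: lyssa changed nick to alice
[10:59:38] <ConnServ> Nick Change: alice changed nick to vinni
[11:00:21] <ConnServ> Nick Change: vinni changed nick to rebbecca
[11:01:02] <ConnServ> User Signed On: bob!~bob@dsl.isp.example (incubus.7sinz.net)
[11:01:30] <ConnServ> Nick Change: bob changed nick to bob_away
[11:02:10] <rebbecca> Best Sexo http://spamhost.example/sexo/sexo.exe
[11:37:23] <ConnServ> User Signed Off: rebbecca!mariska@219.93.191.174 (incubus.7sinz.net)
"""

TS = r"^\[(\d\d:\d\d:\d\d)\] "
SIGNON = re.compile(TS + r"<ConnServ> User Signed On: ([^!\s]+)!([^@\s]+)@(\S+)")
NICKCHG = re.compile(TS + r"<ConnServ> Nick Change: (\S+) changed nick to (\S+)")
SIGNOFF = re.compile(TS + r"<ConnServ> User Signed Off: ([^!\s]+)!")
PRIVMSG = re.compile(TS + r"<([^>]+)> (.*)$")
RAW_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")          # host that never resolved
EXE_LINK = re.compile(r"https?://\S+\.exe(?=\s|$)", re.IGNORECASE)


def seconds(hhmmss):
    """Clock time 'HH:MM:SS' as seconds since midnight (log lines share one day)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def analyze(log_text, max_changes=3, window=300):
    """Follow each session across its nick changes and return
    {original_nick: sorted list of reasons} for sessions that look like the bot.

    reasons: 'raw-ip-host'        host in the sign-on notice is a bare IPv4 address
             'rapid-nick-changes' at least max_changes nick changes inside `window` seconds
             'exe-link-privmsg'   the session sent a message carrying a link ending in .exe
    """
    live = {}      # current nick -> session record
    flagged = {}   # original nick -> set of reasons

    def flag(sess, reason):
        flagged.setdefault(sess["nick0"], set()).add(reason)

    for line in log_text.splitlines():
        m = SIGNON.match(line)
        if m:
            t, nick, ident, host = m.groups()
            sess = {"nick0": nick, "ident": ident, "host": host, "changes": []}
            live[nick] = sess
            if RAW_IP.match(host):
                flag(sess, "raw-ip-host")
            continue
        m = NICKCHG.match(line)
        if m:
            t, old, new = m.groups()
            sess = live.pop(old, None)
            if sess is None:          # nick change for a session we never saw sign on
                continue
            now = seconds(t)
            sess["changes"].append(now)
            live[new] = sess          # the record travels with the new nick
            recent = [c for c in sess["changes"] if now - c <= window]
            if len(recent) >= max_changes:
                flag(sess, "rapid-nick-changes")
            continue
        m = SIGNOFF.match(line)
        if m:
            live.pop(m.group(2), None)
            continue
        m = PRIVMSG.match(line)
        if m and m.group(2) != "ConnServ":
            sess = live.get(m.group(2))
            if sess is not None and EXE_LINK.search(m.group(3)):
                flag(sess, "exe-link-privmsg")

    return {nick: sorted(reasons) for nick, reasons in flagged.items()}


if __name__ == "__main__":
    for nick, reasons in analyze(SAMPLE_LOG).items():
        print(f"{nick}: {', '.join(reasons)}")
```

The raw-IP check relies on the sign-on notice carrying the true host, as the ConnServ lines above do; the hashed vHost shown in the whois output (user mode +x) would not match it. A session that trips all three signals is a far stronger candidate for an akill than any one of them, since a legitimate user can have an unresolved host or change nick a few times.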
al5001 Lurker

Joined: 17 Jul 2003 Posts: 181 Location: Canada
Posted: Feb 26, 2004 2:16pm Post subject:
The bots probably use mIRC... and do //timer 0 1 /nick $read(dictionary.txt)
where dictionary.txt contains a bunch of words, one on each line
al5001 Lurker

Joined: 17 Jul 2003 Posts: 181 Location: Canada
Posted: Feb 26, 2004 2:17pm Post subject:
It's probably best not to have connectserv show those notices in your channel or it will flood.
caNcer_b0y none

Joined: 13 Nov 2003 Posts: 11
Posted: Feb 26, 2004 5:46pm Post subject:
We have ConnServ do it so we can try to catch it. Unfortunately we don't have a night/morning oper lol. Thanks for the concern though.
Guest

Posted: Feb 26, 2004 9:24pm Post subject:
I've got those messages too...
Not sure who clicks on a link like that, but *shrugs* some people must.
Harlyman none

Joined: 29 Jun 2003 Posts: 18
Posted: Feb 26, 2004 11:08pm Post subject:
Do these bots have the same message all the time??? If not, is there one word they always use in their spam?? Anyone know?
caNcer_b0y none

Joined: 13 Nov 2003 Posts: 11
Posted: Feb 26, 2004 11:11pm Post subject:
So far it's the same msg every time. But it's like the random nick bot as it changes nicks quickly.
tiko none

Joined: 24 Sep 2003 Posts: 49
Posted: Feb 26, 2004 11:12pm Post subject:
Using AngryWolf's adword module, I've filtered out these spam messages from 7sinz. I plan to contact the webhost directly about removing the file from their servers tonight.
tiko none

Joined: 24 Sep 2003 Posts: 49
Posted: Feb 26, 2004 11:17pm Post subject:
And, I forgot to add.. The bot is indeed another mirc script. The exe itself is a VB installer that loads the mirc script. It appears to me to be a zombie script.. packet toys. :/
Anybody who wants to take a look, contact me.
Harlyman none

Joined: 29 Jun 2003 Posts: 18
Posted: Feb 26, 2004 11:25pm Post subject:
caNcer_b0y wrote:
    So far it's the same msg every time. But it's like the random nick bot as it changes nicks quickly.
Well, if they enter any special channels you could use SecureServ (NeoStats) to handle it; it's no problem with all the nick changes. I use a monbot from SecureServ to take care of webcam spammers and it sets akill on them every time. You only need to add one word or phrase from the spam they send you to the viri.dat file, if I'm not too wrong.
tiko none

Joined: 24 Sep 2003 Posts: 49
Posted: Feb 27, 2004 1:03am Post subject:
Note my response: we are filtering the spam messages. caNcer_b0y and I have contacted the host of the file in question.. Hopefully this one won't spread as the previous Fyle bot did.
dj4aces none

Joined: 25 Feb 2004 Posts: 10
Posted: Feb 27, 2004 2:00am Post subject:
tiko wrote:
    Note my response: we are filtering the spam messages. caNcer_b0y and I have contacted the host of the file in question.. Hopefully this one won't spread as the previous Fyle bot did.
The Fyle bots spread because, when the file was deleted from whatever webhost(s) he used, it was then spread directly off the infected person's PC. One need only observe the /privmsg the drone client sends you to know this.
Fyle was obviously no idiot when he created those bots. And who knows? This one may be yet another Fyle creation. The problem thus far is not stopping the bots themselves, but the development of these bots.
tiko none

Joined: 24 Sep 2003 Posts: 49
Posted: Feb 27, 2004 2:49am Post subject:
Excellent observation.. or whatever.
U Eleet

Joined: 18 Jun 2003 Posts: 521 Location: IRC
Posted: Feb 27, 2004 7:42am Post subject:
I have a bot that akills any person sending a message to it with a .exe on the end anyway, so we have been getting these, but the bot has been getting them just like the .mpg ones.
Didn't really notice except for a few more entries in the akill list.
tiko none

Joined: 24 Sep 2003 Posts: 49
Posted: Feb 29, 2004 2:44am Post subject:
This latest 'sexo.exe' is yet another creation by Fyle. Check your netstat for connections to galaxynet. Same script, different detection methods.