IRC hacker - Online Cyber Security News

New IoT Botnet Malware Discovered; Infecting More Devices Worldwide

Monday, October 31, 2016 Swati Khandelwal

The whole world is still dealing with the Mirai IoT Botnet that caused vast internet outage last Friday by launching massive distributed denial of service (DDoS) attacks against the DNS provider Dyn, and researchers have found another nasty IoT botnet.

Security researchers at MalwareMustDie have discovered a new malware family designed to turn Linux-based insecure Internet of Things (IoT) devices into a botnet to carry out massive DDoS attacks.

Dubbed Linux/IRCTelnet, the nasty malware is written in C++ and, just like Mirai malware, relies on default hard-coded passwords in an effort to infect vulnerable Linux-based IoT devices.

The IRCTelnet malware works by brute-forcing a device's Telnet ports, infecting the device's operating system, and then adding it to a botnet network which is controlled through IRC (Internet Relay Chat) – an application layer protocol that enables communication in the form of text.

So, every infected bot (IoT device) connects to a malicious IRC channel and reads commands sent from a command-and-control server.

The concept of using IRC for managing the bots, according to the researchers, is borrowed from the Kaiten malware. The source code used to build the IRCTelnet botnet malware is based on the earlier Aidra botnet.

The malware uses the "leaked" vulnerable IoT device's login credential from the Mirai botnet in order to brute force exposed Telnet ports to the Internet.

The IRCTelnet malware infects insecure devices running a Linux Kernel version 2.6.32 or above and capable of launching DDoS attacks with spoofed IPv4 and IPv6 addresses, though the scanner is programmed only to find and brute-force Telnet via IPv4.

"The botnet is having DoS attack mechanism like UDP flood, TCP flood, along with other attack methods, in both IPv4 and IPv6 protocol, with extra IP spoof option in IPv4 or IPv6 too," the researchers note in a blog post.

While analyzing the malware's source code, researchers found hard-coded Italian language messages in the user's communication interface, which suggests that the author of the IRCTelnet malware could be Italian.

The security firm found around 3,400 bots infected by the IRCTelnet malware and said that this nasty malware is capable of raising almost 3,500 bot clients within only 5 days.

The initial scans that distributed the IRCTelnet malware came from IP addresses located in Turkey, Moldova, and the Philippines.

Building a legendary, massive botnet that leverages recently vulnerable threat landscape is inviting more incidents like the recent DDoS attack against Dyn that rendered major websites inaccessible, and record-breaking DDoS attack against French Internet service and hosting provider OVH.

British Intelligence Agency DDoSed Anonymous Chatrooms to disrupt communication

Wednesday, February 05, 2014 Swati Khandelwal

Since 2011, the collective hacking group, Anonymous and LulzSec were targeting both Government and law-enforcement websites of U.S and UK, by their own DDoS attack tactics which they used to communicate and plan on Chat rooms known as IRCs, but British intelligence agency GCHQ used their own weapon against them.

According to the recent Edward Snowden document, a division of Government Communications Headquarters (GCHQ), which is also very well known as the British counterpart of the NSA, had shut down communications among Anonymous hacktivists by launching a “denial of service” (DDOS) attacks, making the British government the first western government known to have conducted such an attack, NBC news reports.

The same DDoS technique the hackers use to take down government, political and industry websites, including the Central Intelligence Agency (CIA), Federal bureau of Investigation (FBI), the Serious Organized Crime Agency (SOCA), Sony News International and Westboro Baptist Church.

According to the PowerPoint presentation prepared for a 2012 NSA conference called SIGDEV, shows that there was a special GCHQ unit known as the Joint Threat Research Intelligence Group (JTRIG) launched an operation called ‘Rolling Thunder’ that perform massive DDOS attacks and uses other techniques to scare away 80 percent of the users of Anonymous internet chat rooms.

JTRIG also infiltrated anonymous IRC chatrooms to trace hacktivists real identities and to help send them to the prison for stealing data and attacking several government websites.

The operation allowed JTRIG to identify GZero, whose real name was Edward Pearson, a British hacker of age 25 from New York, who was prosecuted and sentenced to 26 months in prison for stealing 8 million identities and information from 200,000 PayPal accounts.

Another hactivist Jake Davis, nick named Topiary, an 18-year-old member of Anonymous and LulzSec spokesman for Scotland, was arrested in July 2011 and was sentenced to 24 months in a youth detention center.

Today Jake tweeted that, "I plead guilty to two counts of DDoS conspiracy and to my face these GCHQ bastards were doing the exact same thing" and "who are the real criminals?"

A slide headlined “DDOS” refers to the operation known as “Rolling Thunder” The conversation between two hacktivists quotes, “Was there any problem with the IRC [chat room] network?” asks one. “I wasn’t able to connect the past 30 hours.” “Yeah,” responds another. “We’re being hit by a syn flood. I didn’t know whether to quit last night, because of the DDOS.”

In a statement to NBC news, a GCHQ spokesperson said that “All of GCHQ's work is carried out in accordance with a strict legal and policy framework,” and that its activities were "authorized, necessary and proportionate."

Alleged Skynet Botnet creator arrested in Germany

Monday, December 09, 2013 Mohit Kumar

The German Federal Criminal Police Office (BKA) has arrested a gang of cyber criminals believed to be responsible for creating the Skynet Botnet.

Skynet was first detected by Security Firm G DATA in December 2012. It is a variant of the famous Zeus malware to steal banking credentials with DDoS attack and Bitcoin mining capabilities. The Botnet was controlled from an Internet Relay Chat (IRC) server hidden behind Tor network in order to evade sinkholing.

According to a press release from German police, they arrested two people suspected of illegally generating Bitcoins worth nearly $1 million using a modified version of existing malware i.e. Skynet Botnet.

German police conducted raids earlier this week on 3rd December and found evidence of other hacking activities i.e. Fraud and distribution of copyrighted pornographic material. A third person is under suspicion but has not been arrested.

However, Police didn't mention Skynet Botnet in their press release, but just a day after the arrest, Thomas Siebert - Security Researcher at G DATA has also confirmed that the Skynet Botnet authors were arrested by the German Police on 3rd December, 2013.

On 6th December, twitter account of Skynet author tweeted:

'You have the wrong guy. Use this tweet as evidence to do the right thing and release him.'

According to MalwareTech blog post, 'It would seem the tweet is an automated message or he requested a friend post it in the event of his arrest.'

Last year, hacker on a Reddit post described that they have successfully compromised more than 15,000 systems and once infected, the malware downloads Bitcoin miners, exploit computational resources of the victim system and uses them in the mining process.

“My Botnet only mines if the computer is unused for 2 minutes and if the owner gets back it stops mining immediately, so it doesn't suck your fps at MW3. Also its mines as low priority so movies don't lag. I also set up a very safe threshold, the cards work at around 60% so they don't get overheated and the fans don't spin as crazily.”

A Botnet network behind the Tor network makes it much harder for researchers and law enforcement agencies to identify the malware operators and to shut down the server.

It is not clear at the time of writing that Skynet Botnet servers are taken down or not by the German Police, but we have not seen any tweet from the author's account since 6th December.

Stay Tuned to +The Hacker News ! We will let you know the related updates about the case.