Home > Articles > Security > Network Security

  • Print
  • + Share This
Like this article? We recommend

The Uses

The fast machines, those used for warez dumps, were cleaned—which included removing all other hacker root kits, patching the IIS Unicode hole, and erasing logs. These machines were also checked for uptime and hard drive space before cleaning. All had the original bot file removed so they wouldn't be part of any DDoS attack or be used by other members of the crew. They ran in a channel on Efnet (irc.efnet.net) that's no longer in use. Many groups would first release their title to these bots, and then lower-level XDCC channel owners would log in and transfer these files to their private dumps. Because the bots ran so fast, they were highly valued in the hacker community; they were kept below the radar and used in moderation.

The compromised machines that had good uptime were usually university machines (.edu), and were also tested for speed. These hosts were then cleaned and patched, and installed with a modified version of Unreal IRCD. The version was so modified, in fact, that it could probably have been released as its own new version. It used a +u server and channel modification (only IRC operators could view hosts); a channel auto-balance (if one channel exceeded another by more than 100 bots, the software would move them automatically to another specified channel); IP hiding; and the ability to disable such features as whois and DNS lookup.

Since all hosts were installed with a psyBNC, machines with funny hostnames (for example, user@mil2.army.mil, user@pornohut.net, and user@host3.duke.edu) were used to spoof to IRC channels and networks and for general IRC bouncing.

If a host was fast, in the range of 3,000–5,000 Kbps (3–5 MB/second), but lacked the hard drive space or uptime to run as a warez dump, it was used as an XDCC bot for a few channels on networks including Newnet (irc.newnet.net), Efnet (irc.efnet.net), and Undernet (irc.undernet.net). Although these bots ran in XDCC channels, the group didn't run any channel itself.

The remaining infected hosts mostly sat and idled on the IRC servers, for days if not weeks. About half were running at any one time, trying to infect more hosts. Sitting on the IRC channel, these infected machines were only used for ping flooding different web sites and places. Fifteen bots could take down a DSL account, 50 could take down a T1 Internet line, and around 500 could take down a T3 network. The largest network ever attacked was a multi-homed T3.

  • + Share This
  • 🔖 Save To Your Account