10 December 2008

IRC XDCC BOTS

This file was written in order to explain how all this XDCC on IRC is done.

Lets get right to the point.
XDCC bots are "hacked" computers that usually have weak NT passwords
becuase that is the simplest way to get them. Alot of the people that
accually get these bots dont accually know much about computer security
and are just using some kit that there friend gave them to get xdcc bots
for there channel.

American EDU's are the primary target of XDCC. Optonlines are also widly used because of
their speed.

As you will see all of these programs when used alone are not a security threat to anyone,
but when they are combined into a kit like this they can be used to steal thousands of
dollors worth of bandwidth. Please use the information provided to secure your high
bandwidth networks. The best way to prevent this is to scan your own network with the same
tools they use and see if you are valnerable at all.

Now onto the good stuff...

THE ATTACK:
1 - The "hacker" runs X-scan and scans a very large range of IP's. Sometimes he doesnt
Even scan from his own computer and may use a computer which has already been
compromised by him. At this point he is only scanning for Weak NT passwords.
2 - He looks through the scan logs and finds computer that have either no administrator
password, or an easly guessed administrator password. And usually finds quite a few.
3 - He then opens up IE (yes IE) and types "\\127.0.0.1" with the IP of the valnerable
computer in place of 127.0.0.1. He will then be prompted for a username and password,
and just enters the username and password that he received from X-scan.
4 - A series of files are then uploaded to the target computer, usually in the
C:\WINNT\SYSTEM32 directory.
These files are:
A) IROFFER - Iroffer is the accuall XDCC bot and is the program that connects to IRC,
displays what it has available to send, and sends the files to the users
who request them. usually sends are at very fast speeds. Iroffer requires
a config file and cygwin1.dll to run.
B) SERV-U FTP DAEMON - Serv-U is a very powerful FTP server. It is commonly used
because of its ease of use, its remote administrator, and because it allows
for remote execution which come in very handy when Tar'ing files.
C) SECURE.BAT - not always named "SECURE.BAT", but it does the same thing no matter
what it is named. This batch file will simply delete the IPC$, and the
C$ thourgh Z$ share. This will have an effect on the computer until
Windows has been restarted. The reason for removing these shares is so
that no one else can do the same thing that he just did.
D) FIREDAEMON - Used to start ordinary programs as services. This will execute IROFFER,
SERV-U, and SECURE.BAT before the user even logs on.
E) INSTALL BATCH FILE - This is what the "hacker" will use to install and configure firedaemon,
once he has installed the services, he starts the new services using "net start "
5 - The next step is the execute the INSTALL BATCH FILE. So he just goes to his command line
and types "PSEXEC \\127.0.0.1 C:\WINNT\SYTEM32\INST.BAT" that will execute psexec and tell
it to run the INSTALL BATCH FILE on the remote computer.
6 - The computer is now in the IRC channel and the ftp server has been started. He just uploads a few
games/movies/mp3s to the newly obtained bot and he is ready to start serving the latest pirated
software to a large amount of people.

That is really about all that there is to this.

Now to evade detection the person who is doing this crime will rename as many things he possibly can
to make them look like system files. For example, you are most likly now going to see iroffer.exe in
your C:\WINNT\SYSTEM32 folder, you might be named something like system32.exe ssvchost.exe.

Sometimes the people who accually get the bots will have other people scan for them if they do not know
how to remotly scan from a bot they have already obtained. This is common.

NOTES:

The "INSTALL BATCH FILE" looks something like this:
{
@echo off
SET MXHOME=c:\winnt\system32
SET MXBIN=c:\winnt\system32
c:\winnt\system32\firedaemon -i iroff "c:\winnt\system32" "c:\winnt\system32\iroffer.exe" "xdcc.config" Y 0 0 0 Y
c:\winnt\system32\firedaemon -i servu "c:\winnt\system32" "c:\winnt\system32\svchost1.exe" "" Y 0 0 0 Y
c:\winnt\system32\firedaemon -i secur "c:\winnt\system32" "c:\winnt\system32\secur.exe" "" Y 0 0 0 Y
net start iroff
net start servu
net start secur
}

The "SECURE.BAT" looks something like this:
{
@echo off
net share /delete C$ /y >> net.deld
net share /delete D$ /y >> net.deld
net share /delete E$ /y >> net.deld
net share /delete F$ /y >> net.deld
net share /delete G$ /y >> net.deld
net share /delete H$ /y >> net.deld
net share /delete I$ /y >> net.deld
net share /delete J$ /y >> net.deld
net share /delete K$ /y >> net.deld
net share /delete L$ /y >> net.deld
net share /delete N$ /y >> net.deld
net share /delete O$ /y >> net.deld
net share /delete P$ /y >> net.deld
net share /delete Q$ /y >> net.deld
net share /delete R$ /y >> net.deld
net share /delete S$ /y >> net.deld
net share /delete T$ /y >> net.deld
net share /delete U$ /y >> net.deld
net share /delete V$ /y >> net.deld
net share /delete W$ /y >> net.deld
net share /delete X$ /y >> net.deld
net share /delete Y$ /y >> net.deld
net share /delete Z$ /y >> net.deld
net share /delete ADMIN$ >> net.deld
net share /delete IPC$ >> net.deld
}

IMPORTANT SITES:
X-SCAN: http://www.xfocus.org/
IROFFER: http://www.iroffer.org/
SERV-U: http://www.serv-u.com/
FIREDAEMON: http://www.firedaemon.com/
PSEXEC: http://www.sysinternals.com/ntw2k/freeware/psexec.shtml/
there at currently two popular site for searching the xdcc's
http://www.packetnews.com/
http://www.mydownloader.com/


Lifehacker