Dangers of IRC

Aldryic C'boas

The Pony
10:45:23 <+S|nApSE> But is there really such a thing as the wrong hole?

10:45:50 <~Aldryic> zg: I see your link, and counter with https://www.youtube.ru/watch?v=ffDPTKn7HiY

10:46:02 <~Aldryic> S|nApSE: That depends on if the dog is involved.

10:46:18 < zg> whaaaaaaaaaaaaaaat the fuck

10:46:23 <~Aldryic> bwuahahahaha

10:46:30 <~Aldryic> You're welcome :3

10:46:32 <+S|nApSE> Rather knotty of you.

10:46:36 < zg> OH GOD HES DANCING

10:46:37 < zg> OH GOD

10:46:40 < zg> oh jesus christ

10:46:50 <~Aldryic> My day has just been made :3

10:47:08 <~Aldryic> Now I just need to link you to Goosh Goosh.

10:47:09 < zg> is he holding that bag with his ballsack
One of our clients learned today why exchanging links isn't the best of ideas >_> 

On a semi-related note, I just received a text from the regional VP: "Please stop neighing during conference calls.. you're scaring the board"

Aldryic C'boas

The Pony
I should not ask ... but where is the recording of your ... neighing?
Hah.  If there is a recording, I don't have it, sadly (wish I'd thought to make my own recording).  I have access to the Mitel phone boxes.. but only for networking - I can't access or tell if there are any recorded conversations, sadly.


Article Submitter
Verified Provider
No chance I am clicking that link lol.
here is what the link says then.  B)

Back in May of this year, Symantec released an avisory entitled SYM06-010: Symantec Client Security and Symantec AntiVirus Elevation of Privilege. Those that took the time to read it beyond the title noticed that this isn’t just a local privilege elevation exploit. It’s an out and out remote stack overflow using a specific service (TCP port 2967). We started tracking possible exploit activity for this vulnerability in early June using an ATF policy to detect scans and exploits, with our thinking that someone would surely take an interest. Activity for this policy quickly dropped off our radar, buried underneath some juicy Windows and VNC holes that people focused on. We didn’t see many scanners for this service, and only a burst of a scan early last week.

That is, until now, in late November, when we see a bot using an exploit for this (and lots of peopleare curious). We had a look at the bot, and found that it’s a new exploit plugin for a garden variety SDBot. This thing’s a beast! It’s huge, not unlike a bloated bot that someone’s thrown everything into. A partial list of the capabilities this puppy appears to have:

  • SYMC06-010 exploit (TCP port 2967)
  • NetAPI (MS06-040), TCP port 445
  • DDoS and packet flooding (SYN, ACK, ICMP, UDP floods, for example)
  • Password theft and packet sniffing
  • It can enumerate other installed malware
  • The usual bunch of access capabilities
  • The usual bunch of brute force attacks, downloads, upload, proxy checks, etc …
And it tends to do it in the usual bot way, meaning inefficient and slow. Not surprising. This bot requires some reasonable reversing skills and tools; it will look for debuggers and tracing tools, and tries to spot a VMWare installation. If you fail to get past that, it bails, but not until it makes sure it will start on the next reboot. It doesn’t unpack fully in memory, either, and uses the Themida packer. Most sandboxes out there (Norman, CWSandbox) are blind to it. The malware starts, loads a few DLLs, notices it’s being traced, and goes away. Sandbox reports are very, very useless in this situation.


If you’re concerned you’re going to be targeted and that your network is at risk from this bot, you’ll have to block a lot of the standard bot stuff, including ports 139, 445, 2967 (for that Symantec exploit), 1434, and so on. If you haven’t updated your Windows boxes, do so; if you haven’t updated your Symantec clients, do so. Follow the link above for the patch information. Specifically for that bot, it goes to the IRC server at www.flackware.info on TCP port 6667. This currently resolves to 4 IP addresses. Blocking that at the DNS level or using a firewall policy should prevent the bot from getting additional commands.
Last edited by a moderator: