Malware has become a business like any other over the last few years. Individual bot herds will grow, innovate, merge and, well, sometimes even fold.
Visiting an IRC server used to control bots, the following message made perfect sense in that respect:
*** Topic for #-sd-bot: $xscan asn139
The channel used to control the bots, '#-sd-bot', is using a standard command to instruct its members to scan an IP range for a particular vulnerability. On the other hand, if a human should connect to the host and issue a '/list' command to find out about channels on that server, the following message is displayed:
We do not know if the owner of 'Nortonantiviruses.com' is actually associated with the bot channel. But the site is not a legitimate Symantec/Norton site. Instead, it is a "placeholder" site collecting referral fees. Its whois registration is anonymous. The referral site does not appear to be malicious.
This is just a logical evolution of the current bot business. Like any business, the operators try to maximize the revenue they receive from a customer. If a customer finds out they are infected and visits the bot server to find out more, the operators may as well try to get a cut of the cleanup revenue which would otherwise be lost.
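As an added example (not part of this diary), the following Python snippet shows how a defender could sift IRC traffic or server logs for channel topics shaped like the '$xscan asn139' command quoted above. The sample lines are constructed, and the '$verb' / '.verb' topic pattern is an assumption about how such command topics tend to look, not something the diary states.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample IRC traffic (not a real capture). The first line mirrors the
# "$xscan asn139" topic from the diary; the rest are ordinary channel chatter.
SAMPLE_LINES = [
    ":irc.example.test 332 guest #-sd-bot :$xscan asn139",
    ":burt0n!u@host TOPIC #help :IF YOU ARE HERE ... PLS VISIT WWW.SYMANTEC.COM",
    ":irc.example.test 332 guest #linux :Welcome, please read the FAQ",
    ":alice!a@host PRIVMSG #linux :anyone tried the new kernel?",
]

# A topic reaches a client either as numeric 332 (RPL_TOPIC) or as a TOPIC command.
TOPIC_RE = re.compile(r"^(?::\S+ )?(?:332 \S+|TOPIC) (?P<chan>#\S+) :(?P<topic>.*)$")
# Heuristic (assumption): bot-herder commands look like "$verb args" or ".verb args".
CMD_RE = re.compile(r"^[$.][A-Za-z]+(?:\s|$)")


def parse_topic(line: str) -> Optional[Tuple[str, str]]:
    """Return (channel, topic text) if the raw IRC line carries a topic, else None."""
    m = TOPIC_RE.match(line)
    return (m.group("chan"), m.group("topic")) if m else None


def looks_like_bot_command(topic: str) -> bool:
    """True when the topic text starts with a command-style token such as '$xscan'."""
    return bool(CMD_RE.match(topic.strip()))


def suspicious_topics(lines: List[str]) -> List[Tuple[str, str]]:
    """Collect (channel, topic) pairs whose topic looks like a bot command."""
    hits = []
    for line in lines:
        parsed = parse_topic(line)
        if parsed and looks_like_bot_command(parsed[1]):
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for chan, topic in suspicious_topics(SAMPLE_LINES):
        print(f"command-style topic on {chan}: {topic!r}")
```

Only the '#-sd-bot' topic is flagged; the '#help' topic, although set by a bot herder, is plain text and needs a human to read it.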
This was posted to the 'funsec' list a while ago:
"So he changed his topic:
-:- Topic (#help): changed by burt0n: IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT -
WWW.SYMANTEC.COM - OR LEAVE A MSG KTHX.
-:- SignOff burt0n: #help (User has been permanently banned from burt0n.IRC
-:- Connection closed from xx.43.235.xxx: Success
-:- BitchX: Servers exhausted. Restarting.
Score: ISC 1 - Burt0n 0
Cool if things work out "right" sometimes.
"my connection aint secured, im str8 to you guys theres is no buisness market using my bots, I did not even noticed nortonantiviruses.com isnt the symantec site. SORRY. BYE."
Hmmm... So maybe just a good ol' dumb script kiddie? Why did he infect the systems in the first place? The message was posted from a Sympatico IP address in Canada.
Jan 14th 2006