[Operators] Let's start some witch-hunt

viq vicviq at gmail.com
Tue Jun 15 18:10:01 CDT 2010

On Wed, Jun 16, 2010 at 1:00 AM, Martin Sebald <msebald at hot-chilli.net> wrote:
> Hello viq!
>>> Maybe I'm stating the obvious here, but this really sounds like a
>>> virus-originated botnet using XMPP as the control channel.
>> I am thinking it would be interesting to see some of the content they are
>> sending. I wonder if it would be feasible to set up a 'honeypot' server
>> for them, just for the purpose of observing the traffic and what they are
>> doing - maybe that would let figure out in more details what it is and
>> what it does, maybe even it's origin.
> The thing is how to make this honeypot server a target.
> What I don't understand is that just three servers are affected, all other
> known server admins did not experience this. Sure there might be more
> affected servers, but how are they targeted? From the public services list
> at xmpp.org? Hardly because there are so many servers on this list, and why
> they picked jabber.ccc.de and our server plus a third server?
> And with ~2000-3000 accounts alltogether on these three servers this would
> not make the trojan/virus very effective...
> Well, it might be that there are numerous other infected servers, but why
> there is just nothing about all this on Google or XMPP related resources
> like this list?

Maybe the people didn't notice that? Either because they are "too
small" to be targeted (what would the criteria be?), or too big to
feel it. Or didn't think to look ;)

But indeed, how to make them target that... First thought is some DNS
poisoning, another is IP/GeoIP redirection - it was said they come
mostly from US mobile networks, have a look at the affected servers to
see how many valid connections come from such addresses, and possibly
use a firewall to redirect all the traffic to the honeypot server?

> Hm...
> Regards,
> Martin


More information about the Operators mailing list