[Operators] Let's start some witch-hunt

Adam Seabrook adam at seabrook.me
Tue Jun 15 18:57:01 CDT 2010


I had 5,000 accounts registered on chatmask.com and about 1,000 
concurrent logins after which the server would block them. Banned all of 
them but they continue to try and log in but have stopped creating 
accounts. I personally think it is not a bot but some type of free 
messaging application as I captured some of the traffic and all it was 
is messages like this:

[9:05 AM]	1273938324173lmc: 	8017038491:8016548939:2
[9:05 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:05 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:05 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:05 AM]	1273938324173lmc: 	8017038491:8016548939:0:what's up cutie
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:2
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:2
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:06 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:07 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:07 AM]	1273938324173lmc: 	8017038491:8016548939:0:what's up cutie
[9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:08 AM]	1273938324173lmc: 	8017038491:8016548939:2
[9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:08 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:10 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:10 AM]	1273938324173lmc: 	8017038491:8016548939:0:this app is kinda 
messed up you should text me on my phone
[9:10 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:10 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:18 AM]	1273938324173lmc: 	8017038491:8016548939:1:1
[9:18 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:18 AM]	1273938324173lmc: 	8017038491:8016548939:1:0
[9:18 AM]	1273938324173lmc: 	8017038491:8016548939:1:0

All of the connections seem to send a keep alive message of 1 or 0 every 
second, and after a while they connect to another account on the server, 
or on another server, and exchange messages.

I can see the accounts have been created on the following servers:
jabber.linux.it
jabber.cc
jabber.no
jabber.meta.net.nz

I suggest someone try to send messages to the accounts they have logged 
in and see if they can get a response from the users so we can find out 
what app it is.

On 15/06/10 6:00 PM, Martin Sebald wrote:
> Hello viq!
>
>>> Maybe I'm stating the obvious here, but this really sounds like a
>>> virus-originated botnet using XMPP as the control channel.
>> I am thinking it would be interesting to see some of the content they are
>> sending. I wonder if it would be feasible to set up a 'honeypot' server
>> for them, just for the purpose of observing the traffic and what they are
>> doing - maybe that would let us figure out in more detail what it is and
>> what it does, maybe even its origin.
>
> The thing is how to make this honeypot server a target.
>
> What I don't understand is that just three servers are affected, all other
> known server admins did not experience this. Sure there might be more
> affected servers, but how are they targeted? From the public services list
> at xmpp.org? Hardly because there are so many servers on this list, and why
> they picked jabber.ccc.de and our server plus a third server?
>
> And with ~2000-3000 accounts altogether on these three servers this would
> not make the trojan/virus very effective...
>
> Well, it might be that there are numerous other infected servers, but why
> there is just nothing about all this on Google or XMPP related resources
> like this list?
>
> Hm...
>
> Regards,
> Martin
>
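As an added example (not code from Adam or from the list), the following script triages a capture in the format shown above: it separates the `1`/`0` and `2` beacon messages that Adam describes as keepalives from lines that carry human text, then flags accounts whose traffic is dominated by beacons. It also applies a labelled heuristic: the 13-digit prefix of `1273938324173lmc` decodes as a millisecond Unix timestamp in May 2010, so names of that shape are treated as possibly machine-generated. The log lines are constructed in the capture's layout; the `alice` lines are invented as a human control and the thresholds (`min_msgs`, `beacon_ratio`) are assumptions to tune per server.

```python
"""Triage a captured XMPP chat log for bot-like accounts (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in the capture's layout: the 1273938324173lmc lines mirror
# the pattern in the post; the "alice" lines are an invented human control.
SAMPLE_LOG = """\
[9:05 AM]\t1273938324173lmc: \t8017038491:8016548939:2
[9:05 AM]\t1273938324173lmc: \t8017038491:8016548939:1:1
[9:05 AM]\t1273938324173lmc: \t8017038491:8016548939:1:1
[9:05 AM]\t1273938324173lmc: \t8017038491:8016548939:0:what's up cutie
[9:06 AM]\t1273938324173lmc: \t8017038491:8016548939:1:0
[9:06 AM]\t1273938324173lmc: \t8017038491:8016548939:1:0
[9:06 AM]\t1273938324173lmc: \t8017038491:8016548939:2
[9:06 AM]\talice: \they, are you around tonight?
[9:07 AM]\talice: \tok, see you at 8
"""

# "[h:mm AM]<tab>account: <tab>body"
LINE_RE = re.compile(r"^\[(?P<ts>\d{1,2}:\d{2} [AP]M)\]\t(?P<acct>[^:\t]+): \t(?P<body>.*)$")
# body layout seen in the capture: <src>:<dst>:<code>[:<payload>]
BODY_RE = re.compile(r"^(?P<src>\d+):(?P<dst>\d+):(?P<code>\d)(?::(?P<payload>.*))?$")
# heuristic (assumption): 13 digits that decode to epoch milliseconds, then a short suffix
GENERATED_RE = re.compile(r"^(?P<ms>\d{13})[a-z]{2,4}$")


def classify(body):
    """Return (kind, payload) where kind is 'beacon', 'text' or 'freeform'."""
    m = BODY_RE.match(body)
    if not m:
        return "freeform", body          # ordinary chat text, no src:dst:code framing
    code, payload = m.group("code"), m.group("payload")
    if code == "0" and payload:
        return "text", payload           # code 0 carries human-readable text
    return "beacon", payload or ""       # codes 1 (with 0/1 flag) and 2 carry no text


def looks_generated(account):
    """Heuristic: username starts with a 13-digit value that is a plausible epoch-ms stamp."""
    m = GENERATED_RE.match(account)
    if not m:
        return False
    year = datetime.fromtimestamp(int(m.group("ms")) / 1000, tz=timezone.utc).year
    return 2000 <= year <= 2030


def triage(log_text, min_msgs=5, beacon_ratio=0.75):
    """Return {account: [reasons]} for accounts worth a closer look."""
    per_account = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # wrapped continuation lines or unrelated output
        kind, _ = classify(m.group("body"))
        per_account[m.group("acct")][kind] += 1

    flagged = {}
    for acct, counts in per_account.items():
        total = sum(counts.values())
        ratio = counts["beacon"] / total if total else 0.0
        reasons = []
        if total >= min_msgs and ratio >= beacon_ratio:
            reasons.append(f"beacon ratio {ratio:.2f} over {total} messages")
        if looks_generated(acct):
            reasons.append("generated-looking username")
        if reasons:
            flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    for acct, reasons in triage(SAMPLE_LOG).items():
        print(acct, "->", "; ".join(reasons))
```

Run against the constructed sample, `1273938324173lmc` is flagged on both counts (six of its seven messages are beacons, and its name decodes to a 2010 timestamp) while `alice` is not. The beacon-ratio test is the more robust of the two signals: a username convention can change between bot versions, but a client that emits a `1`/`0` heartbeat every second stands out in any per-account message mix.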

