[Operators] Let's start some witch-hunt

Dieter Lunn coder2000 at gmail.com
Tue Jun 15 19:57:27 CDT 2010


It seems like an IM spam bot to me. I don't run a public server yet
but have been considering it for some ideas I have.

Dieter Lunn
http://www.coder2000.ca



On Tue, Jun 15, 2010 at 6:57 PM, Adam Seabrook <adam at seabrook.me> wrote:
> I had 5,000 accounts registered on chatmask.com and about 1,000 concurrent
> logins after which the server would block them. Banned all of them but they
> continue to try and log in but have stopped creating accounts. I personally
> think it is not a bot but some type of free messaging application as I
> captured some of the traffic and all it was is messages like this:
>
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:2
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:0:what's up
> cutie
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:2
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:2
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:07 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:07 AM]       1273938324173lmc:       8017038491:8016548939:0:what's up
> cutie
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:2
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:10 AM]       1273938324173lmc:       8017038491:8016548939:0:this app is
> kinda messed up you should text me on my phone
> [9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:0
>
> All of the connections seem to send a keep-alive message of 1 or 0 every
> second and after a while they connect to another account on the server and
> exchange messages or another server.
>
> I can see the accounts have been created on the following servers:
> jabber.linux.it
> jabber.cc
> jabber.no
> jabber.meta.net.nz
>
> I suggest someone try to send messages to the accounts they have logged in
> and see if they can get a response from the users so we can find out what
> app it is.
>
> On 15/06/10 6:00 PM, Martin Sebald wrote:
>>
>> Hello viq!
>>
>>>> Maybe I'm stating the obvious here, but this really sounds like a
>>>> virus-originated botnet using XMPP as the control channel.
>>>
>>> I am thinking it would be interesting to see some of the content they are
>>> sending. I wonder if it would be feasible to set up a 'honeypot' server
>>> for them, just for the purpose of observing the traffic and what they are
>>> doing - maybe that would let us figure out in more detail what it is and
>>> what it does, maybe even its origin.
>>
>> The thing is how to make this honeypot server a target.
>>
>> What I don't understand is that just three servers are affected, all other
>> known server admins did not experience this. Sure there might be more
>> affected servers, but how are they targeted? From the public services list
>> at xmpp.org? Hardly, because there are so many servers on this list, and
>> why did they pick jabber.ccc.de and our server plus a third server?
>>
>> And with ~2000-3000 accounts altogether on these three servers this would
>> not make the trojan/virus very effective...
>>
>> Well, it might be that there are numerous other infected servers, but why
>> there is just nothing about all this on Google or XMPP related resources
>> like this list?
>>
>> Hm...
>>
>> Regards,
>> Martin
>>
>

