[Operators] Let's start some witch-hunt

viq vicviq at gmail.com
Wed Jun 16 06:08:11 CDT 2010


This makes me think of two things.

First, lop, or LoP, gives me some links to LinkedProcess, some
"Distributed processing over XMPP"

Second, "Tool Automates Social Engineering In Man-In-The-Middle
Attack" http://www.darkreading.com/insiderthreat/security/privacy/showArticle.jhtml?articleID=225600304

On Wed, Jun 16, 2010 at 1:57 AM, Adam Seabrook <adam at seabrook.me> wrote:
> I had 5,000 accounts registered on chatmask.com and about 1,000 concurrent
> logins after which the server would block them. Banned all of them but they
> continue to try and log in but have stopped creating accounts. I personally
> think it is not a bot but some type of free messaging application as I
> captured some of the traffic and all it was is messages like this:
>
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:2
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:05 AM]       1273938324173lmc:       8017038491:8016548939:0:what's up cutie
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:2
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:2
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:06 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:07 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:07 AM]       1273938324173lmc:       8017038491:8016548939:0:what's up cutie
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:2
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:08 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:10 AM]       1273938324173lmc:       8017038491:8016548939:0:this app is kinda messed up you should text me on my phone
> [9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:10 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:1
> [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:0
> [9:18 AM]       1273938324173lmc:       8017038491:8016548939:1:0
>
> All of the connections seem to send a keep alive message of 1 or 0 every
> second and after a while they connect to another account on the server and
> exchange messages or another server.
>
> I can see the accounts have been created on the following servers:
> jabber.linux.it
> jabber.cc
> jabber.no
> jabber.meta.net.nz
>
> I suggest someone try to send messages to the accounts they have logged in
> and see if they can get a response from the users so we can find out what
> app it is.
>
> On 15/06/10 6:00 PM, Martin Sebald wrote:
>>
>> Hello viq!
>>
>>>> Maybe I'm stating the obvious here, but this really sounds like a
>>>> virus-originated botnet using XMPP as the control channel.
>>>
>>> I am thinking it would be interesting to see some of the content they are
>>> sending. I wonder if it would be feasible to set up a 'honeypot' server
>>> for them, just for the purpose of observing the traffic and what they are
>>> doing - maybe that would let us figure out in more detail what it is and
>>> what it does, maybe even its origin.
>>
>> The thing is how to make this honeypot server a target.
>>
>> What I don't understand is that just three servers are affected, all other
>> known server admins did not experience this. Sure there might be more
>> affected servers, but how are they targeted? From the public services list
>> at xmpp.org? Hardly, because there are so many servers on this list, and
>> why they picked jabber.ccc.de and our server plus a third server?
>>
>> And with ~2000-3000 accounts altogether on these three servers this would
>> not make the trojan/virus very effective...
>>
>> Well, it might be that there are numerous other infected servers, but why
>> there is just nothing about all this on Google or XMPP related resources
>> like this list?
>>
>> Hm...
>>
>> Regards,
>> Martin
>>
>



-- 
viq
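The capture Adam quotes above has a regular shape: a timestamp, a session token ending in `lmc`, a source and a destination number, a type digit and an optional payload. As an added example (not code from the thread or from any of its participants), here is a small Python parser that reads lines in that layout and flags the pattern Adam describes: mostly 1/0 keep-alive frames, with a few text messages that repeat verbatim. The meanings assigned to the type digits (0 = text, 1 = keep-alive, anything else = control) and the thresholds are assumptions; the sample lines are constructed from the quoted capture with wrapped lines re-joined.

```python
import re
from collections import Counter

# Constructed sample in the layout of the capture quoted in the thread (wrapped lines re-joined, one malformed line added).
SAMPLE_LOG = (
    "[9:05 AM]\t1273938324173lmc:\t8017038491:8016548939:2\n"
    "[9:05 AM]\t1273938324173lmc:\t8017038491:8016548939:1:1\n"
    "[9:05 AM]\t1273938324173lmc:\t8017038491:8016548939:0:what's up cutie\n"
    "[9:06 AM]\t1273938324173lmc:\t8017038491:8016548939:1:0\n"
    "[9:06 AM]\t1273938324173lmc:\t8017038491:8016548939:1:0\n"
    "[9:06 AM]\t1273938324173lmc:\t8017038491:8016548939:2\n"
    "[9:06 AM]\t1273938324173lmc:\t8017038491:8016548939:1:1\n"
    "[9:07 AM]\t1273938324173lmc:\t8017038491:8016548939:0:what's up cutie\n"
    "[9:08 AM]\tnot a frame\n"
    "[9:08 AM]\t1273938324173lmc:\t8017038491:8016548939:1:0\n"
    "[9:10 AM]\t1273938324173lmc:\t8017038491:8016548939:0:this app is kinda messed up you should text me on my phone\n"
    "[9:10 AM]\t1273938324173lmc:\t8017038491:8016548939:1:0\n"
)

LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+(?P<session>[^:\s]+):\s+"
    r"(?P<src>\d+):(?P<dst>\d+):(?P<kind>\d)(?::(?P<payload>.*))?$"
)

def parse_log(text):
    """Parse '[time] <session>: <src>:<dst>:<kind>[:<payload>]' lines; malformed lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def classify(frame):
    # Meaning of the type digit is an assumption drawn from Adam's description
    return {"0": "text", "1": "keepalive"}.get(frame["kind"], "control")

def summarize(frames):
    """Per (src, dst) pair: frame-type counts and how often each text repeats."""
    report = {}
    for f in frames:
        entry = report.setdefault((f["src"], f["dst"]), {"counts": Counter(), "texts": Counter()})
        label = classify(f)
        entry["counts"][label] += 1
        if label == "text":
            entry["texts"][f["payload"]] += 1
    return report

def looks_automated(entry, min_frames=5, max_text_ratio=0.3):
    """Heuristic (assumption): enough frames, mostly non-text, with a verbatim-repeated text."""
    total = sum(entry["counts"].values())
    repeated_text = any(n > 1 for n in entry["texts"].values())
    return total >= min_frames and entry["counts"]["text"] / total <= max_text_ratio and repeated_text
```

Run over a real capture, the per-pair report is what you would hand to the other admins in the thread to compare against their own servers before deciding whether to ban.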