[Operators] DarkOrbit cheater bot
Ed - 0x1b, Inc.
jabberd2 at 0x1b.com
Tue Aug 21 19:24:15 UTC 2012
On Tue, Aug 21, 2012 at 9:47 AM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
> On 7/27/11 8:45 AM, Peter Saint-Andre wrote:
>> A program that enables you to cheat at DarkOrbit ("The ultimate
>> Browser Game space adventure") has established itself on the XMPP
>> network. In essence, you pay for a license and then you are able to
>> "chat" over IM to obtain real-time instructions about how to cheat
>> in the DarkOrbit game. Originally this bot had a JID at jabber.org.
>> I disabled the account at jabber.org because it had a very large
>> buddy list and because I don't like cheaters. It then moved to
>> wippien.com. I told the Wippien admins and they shut down the bot.
>> The bot then moved to jabber.ru. It has gone through several JIDs
>> at jabber.ru (e.g., kbot499 at jabber.ru, kbotik at jabber.ru) but still
>> resides at that domain. I have seen many users at jabber.org who
>> have this bot in their rosters (these cheaters often seem to forget
>> their passwords), so other server admins might want to be aware
>> that such users are becoming quite common. I contacted the creators
>> of the DarkOrbit game in early March but did not receive a reply
>> from them. If you play that game or have a way to contact the
>> creators, please ping me off-list.
> By the way, an attack against this bot's users appears to be the cause
> of the DDoS launched against jabber.org on August 4 and renewed again
> early this morning (they are attacking jabber.org because the KBot
> cheating service tells its users to register XMPP accounts at jabber.org):
> The jabber.org admins are taking protective measures.
> --
> Peter Saint-Andre
How do you recognize the bot - is it just in the logs, or is there a
signature handshake on the wire?
As an advisory alert, it would be good to be able to describe the bot
at a technical level. I am guessing the expected impact of the bot is
"many new JIDs with very large rosters" - that and the cheating,