ISC Shuts down botnet.

[Nicholas Albright <nalbright () shadowserver org>]

{snip isc.sans.org}
The channel used to control the bots, '#-sd-bot', is using a standard command 
to instruct its members to scan an IP range for a particular vulnerability. 
On the other hand, if a human should connect to the host and issue a '/list' 
command to find out about channels on that server, the following message is 
displayed:


/list
*** Channel    Users  Topic
*** #help      1       IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE INFECTED ONE 
OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED WITH THE DRONES, FOR 
FURTHER INFORMATION  ON REMOVALS PLS VISIT - WWW . NORTONANTIVIRUSES . COM - 
OR LEAVE A MSG KTHX.

{snip}

So he changed his topic: 
-:- Topic (#help): changed by burt0n: IF YOU ARE HERE ITS BECAUSE I MIGHT HAVE 
INFECTED ONE OF YOUR MACHINES, DONT WORRY NOTHING IS GONNA BE HARMED
 WITH THE DRONES, FOR FURTHER INFORMATION ON REMOVALS PLS VISIT - 
WWW.SYMANTEC.COM - OR LEAVE A MSG KTHX.

....however, I guess he didn't like the exposure...after a few hours:

-:- SignOff burt0n: #help (User has been permanently banned from burt0n.IRC 
(#linuxsex@undernet))
-:- Connection closed from xx.43.235.xxx: Success
-:- BitchX: Servers exhausted. Restarting.

Score:  ISC 1 - Burt0n 0


:)

-- 
Nicholas Albright

Attachment: _bin
Description:

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.