Subject: [stevebass] Gibson's Denial of Service Tale
Date: Wed, 30 May 2001
You may have heard Steve Gibson's site was attacked and shut down for a period of time. Here's Steve's just released story. grc.com
And if you want a real kick in the pants, read the captured transcript Steve Gibson had with a couple of hackers on IRQ. It's long (and unedited) and makes for fascinating reading.
_________________________
Date: Sat, 26 May 2001 00:15:30 -0700
From: Steve Gibson <steve@grc.com>
Friends,
No screen writer could have done a better job than this real-life IRC dialog with a top IRC Bot hacker.
As most of you know I've been in full-on hacker Bot reverse-engineering mode, tracking down the hacker(s) who took GRC down with several Distributed Denial of Service attacks several times several weeks ago. The result will be some really fun new pages for grc.com.
Well, I had some fun tonight.
Emboldened by my first test IRC chat with Ray and Mona from my private newsgroups (I had never used IRC before), I seized an opportunity tonight...
Earlier today one of my spy-bots picked up a conversation on one of the many hacker channels I have infiltrated and have been monitoring for the past week or so. This was between the two guys who I had pretty much determined were the top guys around. "B0ss" was preparing a new version of his Bot for "lithium" and I saw the URL flash past for "lithium" to download, so I grabbed a copy of the new Bot for myself in order to add it to my growing Bot collection. (You can't ever have too many Bots! :)
Well, later this evening I decided to see whether this new Bot had anything new to teach me, so I quickly disassembled it and poked around a bit. My eye immediately spotted a bug in the Bot which had clearly been introduced by "B0ss's" misuse of a hex editor earlier in the day. :)
I knew by then that "B0ss" was not the multiple attacker of my site, but I also knew that he was running a nice sized Bot army, and I wanted an "in" to the group. This was my opportunity for a benevolent introduction.
I checked my "Bot Mon" and saw that "B0ss" was currently logged onto his Bot's private and secret channel, so I joined his secret, password protected channel on IRC, and just said "heh".
You can see the whole thing for yourself. It's pretty classic...
>-------------------------------------------------------------------
<Gibson> heh
<mimic> who are you
<Gibson> Hi B0ss. I'm steve gibson (grc.com) ... ShieldsUP, OptOut, Leaktest ... and all that stuff.
<mimic> how did you get in here
<mimic> ?
<mimic> your not a IRCop
<Gibson> As you might know, my site was attacked (but I don't think by your bots) a few weeks ago.
<Gibson> Some guy, calling himself "Wicked"
<mimic> my bots?
<mimic> no no
<mimic> I know wicked
<mimic> it was not my bots I promise
<mimic> Wicked has his own
<Gibson> Hey, it's okay
<mimic> alot of bots
<mimic> heh
<Gibson> I know.
<mimic> yeah
<mimic> I promise it wasn't mine
<Gibson> I wanted to let you know that the bot
<Gibson> you made earlier for Lithium would not work
<mimic> what about the bot?
<mimic> you know Lithium
<Gibson> since it has "periods" (2E) instead of NULLS (0) separating
<mimic> ?
<Gibson> the "Channel" and "Key" strings
<mimic> you his friend
<Gibson> no.
<Gibson> I wanted to learn about this shit
<mimic> then how did you know
<Gibson> since Wicked was attacking me
<mimic> you have your own server?
<Gibson> So I wrote some fake bots to monitor various Bot networks so that I could learn.
<mimic> damnit
<mimic> so you been spying?
<mimic> hehe
<Gibson> Yeah
<Gibson> But not to worry, I'm no narc.
<Gibson> I don't care WHAT you guys do, so long as I'm left alone.
<^b0ss^> but how did you get the Key
<^b0ss^> I don't even know you
<Gibson> I have NO PROBLEM with hackers, you guys are fine.
<^b0ss^> I don't bother anyone with my bots
<Gibson> Check out GRC.COM. That's me.
<^b0ss^> okay
<^b0ss^> you don't like wicked?
<Gibson> Well ..................
<Gibson> I can't say that I know him,
<Gibson> but he spent a few weeks blasting my site
<^b0ss^> damn
<Gibson> since he thought (he sez that Hellfirez and DrGreen told him)
<Gibson> that I was referring to them as "script kiddies" ..
<^b0ss^> hehe, I got enough bots to blast away a site
<^b0ss^> but I don't use them for that
<^b0ss^> lol
<Gibson> (You have 241 Bots!)
<^b0ss^> thats not it
<^b0ss^> not just on this server
<^b0ss^> how in the hell do you know how many bots I have
<^b0ss^> damn
<Gibson> I've tracked 241 coming and going over the past four days.
<^b0ss^> let me get some of your bots
<^b0ss^> lol
<^b0ss^> I can't believe this shit, what kind of bot you have
<Gibson> Do you know where Wicked got his? He claims that he wrote it,
<Gibson> but it looks like a pure hex-edit to me.
<^b0ss^> oh no
<^b0ss^> lol
<^b0ss^> he didn't make them
<^b0ss^> he got his bot from these bots in this room
<Gibson> You really ought to check out my site. grc.com
<^b0ss^> I am right now
<^b0ss^> ;)
<^b0ss^> nice page
<Gibson> Yeah, I believe that about Wicked.
<Gibson> His channel is #pines1 and Key is "penile"
<Gibson> (pines1 is "penis1" with the vowels swapped).
<^b0ss^> lol
<^b0ss^> damn
<^b0ss^> you are pretty good
<Gibson> Anyway, last week I learned IRC protocol and wrote a bunch of
<Gibson> infiltration bots in order to figure out where
<Gibson> all these attacks were coming from.
<^b0ss^> hmmm
<Gibson> It looks like he's lost his dynDNS
<^b0ss^> you know what serve he keeps them all on
<^b0ss^> yup
<Gibson> yeah, I have his server, but I think he's off the air for now and won't be bothering me again any time soon.
<^b0ss^> we had alot of bots on ips.mine.nu
<^b0ss^> but they took it down
<^b0ss^> for illegal use
<Gibson> Cool!!! I was hoping that might be it.
<^b0ss^> oh, I wouldn't say that
<^b0ss^> he is gettin army back
<^b0ss^> heh
<^b0ss^> I know he has more
<^b0ss^> somewhere
<Gibson> I don't care if he wants to blast IRC folks,
<Gibson> but I haven't done anything to bother him.
<Gibson> If he blasts me again I'll take them away.
<^b0ss^> lol, he is 13
<^b0ss^> did you know that
<Gibson> Yeah, he said, and he writes like he is.
<Gibson> But I didn't think he could really write that Bot from scratch.
<Gibson> He didn't even know how eMail attachments are handled.
<^b0ss^> which bot you talkin about
<^b0ss^> do you know mimic
<Gibson> You call yours "evilbot" (version 0.4c) ... he renamed it "WkD Bot" (version 1.0)
<^b0ss^> yeah
<Gibson> I don't know anyone. YOU are the first person I've talked to on IRC. Wicked and I have eMailed.
<^b0ss^> mimic has a hell of a bot
<Gibson> Its really cool shit.
<^b0ss^> so, you set up a bot in this channel spying?
<Gibson> Yep .... about a week ago. I have a list of all the attacks you've made, etc. etc.
<^b0ss^> shit
<Gibson> The one on a machine within IBM freaked me out.
<^b0ss^> so how did you get the key to my channel to get the bot in
<^b0ss^> IRCop
<^b0ss^> ?
<Gibson> Like I said, I just needed to learn about this shit so that I could defend myself.
<^b0ss^> man, I wouldn't attack you I promise you that
<^b0ss^> I have no reason
<Gibson> I asked all of the ISP's of the people whose machines were attacking me for a Bot.
<^b0ss^> oh
<Gibson> Someone sent me one ... and from there I knew what I needed.
<^b0ss^> hehe
<Gibson> Then I wrote a custom "spy bot" and started monitoring more and more conversations, following leads, URL's, etc. etc.
<^b0ss^> hmmm
<Gibson> that's how I know about you making the new custom bot for lithium this afternoon.
<^b0ss^> damnit
<Gibson> but when I finally looked at it I saw that it wouldn't work,
<Gibson> so I figured I'd introduce myself and let you know. :)
<^b0ss^> lol
<Gibson> And of course the Bot itself knows how to logon here! <<grin>>
<^b0ss^> yeah
<^b0ss^> good job
<^b0ss^> I must say
<Gibson> Well, it was nice to meet you.
<^b0ss^> nice to meet you to
<^b0ss^> You are pretty good
<Gibson> And, again, that Bot you made for lith earlier won't work ...
<^b0ss^> may I ask how old you are?
<Gibson> so make sure he doesn't deploy it until you fix it for him.
<Gibson> I'm 46! (Been hacking since I was 14!)
<^b0ss^> lol, alright, thanx
<^b0ss^> damn
<Gibson> see: grc.com
<^b0ss^> you are good
<^b0ss^> ?
<^b0ss^> you gonna leave your bot in here
<Gibson> Nope. It's done it's job. I'm working on a new web page
<^b0ss^> alright thanx
<Gibson> to talk about the Wicked attacks, and to explain this whole
<Gibson> bizarre world.
<^b0ss^> hehe, yeah
<Gibson> Check back at grc.com in a few daze.
<^b0ss^> okay
<^b0ss^> I will
<Gibson> later.
<^b0ss^> hey
<^b0ss^> hold up
<Gibson> okay
<^b0ss^> do you have a good compressor
<^b0ss^> I cant find a good one
<Gibson> I've looked at them a lot.
<Gibson> I write ALL of my Windows apps in 100% assembler
<Gibson> so they're already small, but the MSFT PE format sucks
<Gibson> so it still needs compression.
<^b0ss^> oh
<Gibson> I REALLY think that the best is UPX.
<^b0ss^> yeah
<^b0ss^> alright
<^b0ss^> thanx
<Gibson> no prob.
<^b0ss^> see you later
<Gibson> If you ever need to reach me, I setup eMail: DDoS@grc.com
<Gibson> :)
<^b0ss^> alrgith
<^b0ss^> I will email you sometime
(Parted and reJoined)
<Gibson> Heh ... me again ...
<Gibson> If you see Wired, tell him we had a nice chat
<Gibson> and ask him to lay off. I don't want to upset him,
<^b0ss^> okay
<Gibson> but I need to, and will, defend my site.
<Gibson> Thanks!!!!
<Gibson> .
<^b0ss^> hehe, okay
<^b0ss^> welcome