RE: IRC DDoS bots

• Previous message: DY: "Re: unidentified DOS "bad traffic" -- SOLVED"
• In reply to: Johannes Ullrich: "Re: IRC DDoS bots"
• Next in thread: Jon Nelson: "Re: IRC DDoS bots"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "James C Slora Jr" <Jim.Slora@phra.com>
To: "'Johannes Ullrich'" <jullrich@euclidian.com>, "'grwolf'" <grwolf@adelphia.net>
Date: Fri, 14 Mar 2003 14:17:41 -0500

Johannes Ullrich wrote Friday, March 14, 2003 12:56
> > It's another mIRC based DDoS trojan that scans for NT-Password and IIS
> > unicode exploits.
> > So the next questions is... How do we go about apprehending the culprits?
> > Can we somehow get wxmail.net revoked?

> IRC bots are a common plague. We do play 'whack the bot' once in a while
> if we find out about it. So far, I have yet to see a case successfully
> prosecuted.

One ray of hope:

The "TK worm" botnet was hit in a cooperation between U.S. and British
authorities. They arrested at least some of those responsible. The botnet was
not shut down by the arrests, but there was some forward progress. TK worm was
responsible for the ww.tk.gov queries that were common late last year. Like
most botnets, it did not make a lot of news but it owned at least 18K
computers and caused millions in damages.

TK worm is a classic botnet, but it does use a worm component for unattended
propagation.

Here's the news story of the bust:
http://www.theregister.co.uk/content/56/29221.html

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

• Previous message: DY: "Re: unidentified DOS "bad traffic" -- SOLVED"
• In reply to: Johannes Ullrich: "Re: IRC DDoS bots"
• Next in thread: Jon Nelson: "Re: IRC DDoS bots"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]