[ISN] The Internet's Wilder Side

From: InfoSec News (isn@private)
Date: Thu May 06 2004 - 03:09:41 PDT


    Published: May 6, 2004
    It was just another Wednesday on the sprawling Internet chat-room
    network known as I.R.C. In a room called Prime-Tyme-Movies, users
    offered free pirated downloads of "The Passion of the Christ" and
    "Kill Bill Vol. 2." In the DDO-Matrix channel, illegal copies of
    Microsoft's Windows software and "Prince of Persia: The Sands of
    Time," an Xbox game, were ripe for downloading. In other chat rooms
    yesterday, whole albums of free MP3's were hawked with blaring capital
    letters. And in a far less obtrusive channel, a hacker may well have
    been checking his progress of hacking into the computers of
    unsuspecting Internet users.
    Even as much of the Internet has come to resemble a pleasant,
    well-policed suburb, a little-known neighborhood known as Internet
    Relay Chat remains the Wild West. While copyright holders and law
    enforcement agencies take aim at their adversaries on Web sites and
    peer-to-peer file-sharing networks like Napster, I.R.C. remains the
    place where people with something to hide go to do business.
    Probably no more than 500,000 people are using I.R.C. worldwide at any
    time, and many of them are engaged in legitimate activities, network
    administrators say. Yet that pirated copy of Microsoft Office or
    Norton Utilities that turns up on a home-burned CD-ROM may well have
    originated on I.R.C. And the Internet viruses and "denial of service"
    attacks that periodically make news generally get their start there,
    too. This week, the network's chat rooms were abuzz with what seemed
    like informed chatter about the Sasser worm, which infected hundreds
    of thousands of computers over the weekend.
    "I.R.C. is where you are going to find your 'elite' level pirates,"
    said John R. Wolfe, director for enforcement at the Business Software
    Alliance, a trade group that fights software piracy. "If they were
    only associating with each other and inbreeding, maybe we could
    coexist alongside them. But it doesn't work that way. What they're
    doing on I.R.C. has a way of permeating into mainstream piracy."
    Two weeks ago, the F.B.I., in conjunction with law enforcement
    agencies in 10 foreign countries, announced an operation called
    Fastlink, aimed at shutting down the activities of almost 100 people
    suspected of helping operate illegal software vaults on the Internet.  
    The pirated copies of music, films, games and other software were
    generally distributed using a separate Internet file-transfer system,
    said a Justice Department spokesman, but the actual pirates generally
    used I.R.C. to communicate and coordinate with one another.
    "The groups targeted as part of Fastlink are alleged to have used
    I.R.C. to have committed their crimes, like almost all other warez
    groups," the spokesman, Michael Kulstad, said in a telephone
    interview. Warez, pronounced like wares, is techie slang for illegally
    copied software.
    When I.R.C. started in the 1980's, it was best known as a way for
    serious computer professionals worldwide to communicate in real time.  
    It is still possible - though sometimes a bit difficult - to find
    mature technical discussions among the tens of thousands of I.R.C.  
    chat rooms, known as channels, operating at any one time. There are
    also respectable I.R.C. systems and channels - some operated by
    universities or Internet service providers - for gamers seeking
    opponents or those who want to talk about sports or hobbies.
    Still, I.R.C. perhaps most closely resembles the cantina scene in
    "Star Wars": a louche hangout of digital smugglers, pirates,
    curiosity seekers and the people who love them (or hunt them). There
    seem to be I.R.C. channels dedicated to every sexual fetish, and
    I.R.C. users speculate that terrorists also use the networks to
    communicate in relative obscurity. Yet I.R.C. has its advocates, who
    point to its legitimate uses.
    "I.R.C. is where all of the kids come on and go nuts," William A.
    Bierman, a college student in Hawaii who helps develop I.R.C. server
    software and who is known online as billy-jon, said in a telephone
    interview. "All of the attention I.R.C. has gotten over the years has
    been because it's a haven for criminals, which is a very one-sided
    "The whole idea behind I.R.C. is freedom of speech. There is really no
    structure on the Internet for policing I.R.C., and there are
    intentionally no rules. Obviously you're not allowed to hack the
    Pentagon, but there are no rules like 'You can't say this' or 'You
    can't do that.' "
    It is almost impossible to determine exactly how many people use
    I.R.C. and what they use it for, because it takes only some basic
    technical know-how to run an I.R.C. server. Because it is generally a
    text-only medium, it does not require high-capacity Internet
    connections, making it relatively easy to run a private I.R.C. server
    from home.
    Some Internet experts believe that child pornography rings sometimes
    use their own private, password-protected I.R.C. servers. Particularly
    wary users can try to hide their identity by logging in to I.R.C.  
    servers only through intermediary computers. There are, however,
    scores of public I.R.C. networks, like DALnet, EFNet and Undernet.  
    Each typically ties together dozens of individual chat servers that
    may handle thousands of individual users each.
    "We're seeing progressively more and more people coming onto the
    network every year,'' said Rob Mosher, known online as nyt (for
    knight), who runs a server in the EFNet network. "As more and more
    people get broadband, they are moving away from AOL and they still
    want to have chat."
    For end users, using I.R.C. is relatively simple. First, the user
    downloads an I.R.C. client program (in the same way that Internet
    Explorer is a Web client program and Eudora is an e-mail client
    program). There are a number of I.R.C. clients available, but perhaps
    the most popular is a Windows shareware program known as mIRC
    When users run the I.R.C. program, they can choose among dozens of
    public networks. Within a given network, it does not really matter
    which individual server one uses. Alternately, if users know the
    Internet address of a private server, they can type in that address.  
    Once logged in to a public server, the user can generate a list of
    thousands of available channels. On an unmoderated network, the most
    popular channels are often dedicated to trading music, films and
    That is because in addition to supporting text-only chat rooms, I.R.C.  
    allows a user to send a file directly to another user without clogging
    the main server.
    That capability has a lot of legitimate uses for transferring big
    files that would be rejected by an e-mail system. Want to send your
    brother across the country a digital copy of your home movie without
    burning a disc and putting it in the mailbox? The file-transfer
    capability in I.R.C. may be the most convenient way.
    Naturally, that file-transfer capability also has a lot of less
    legitimate uses. Advanced I.R.C. pirates automate the distribution of
    illegally copied material so that when a user sends a private message,
    the requested file is sent automatically. It is fairly common on
    I.R.C. for such a system to send out hundreds or even thousands of
    copies of the same file (like a music album or a pirated copy of
    Windows) over a few weeks.
    An official from the Recording Industry Association of America said
    that some hackers even obtain albums that have been recorded but not
    yet released. "Quite often, once they get their hands on a prerelease,
    they will use I.R.C. as the first distribution before it goes out into
    the wider Internet," Brad A. Buckles, the association's executive
    vice president for antipiracy efforts, said in a telephone interview.
    But perhaps the most disruptive use of I.R.C. is as a haven and
    communications medium for those who release viruses or try to disable
    Web sites and other Internet servers.
    In some ways, the biggest problem is Microsoft Windows itself. Windows
    has holes that can allow a hacker to install almost anything on a
    computer that lacks a protective program or device called a firewall.  
    Users' vulnerability can be compounded if they have not installed the
    latest patches from Microsoft.
    Hackers scan through millions of possible Internet addresses looking
    for those unprotected computers and then use them to initiate
    coordinated "denial of service" attacks, which flood the target
    machine (say, a Web site) with thousands or millions of spurious
    requests. In all of the noise, legitimate users find the target site
    How can a hacker direct his army of compromised drones to the target
    of the day? Through I.R.C.
    "Each time it breaks into a new computer and turns it into a drone,
    the program copies itself and proceeds to keep scanning, and so very
    quickly you can have a very large number of drones," Mr. Bierman
    said, adding that a worm may well include a small custom-made I.R.C.  
    client. "Then all of the drones connect to I.R.C. and go into one
    channel made especially for them. Then the runner can give commands to
    all of those drones."
    Chris Behrens, an I.R.C. software developer in Arizona known online as
    Comstud, said: "It's amazing how many machines at home are hacked or
    have been exploited in some way. We have seen 10,000 hacked machines
    connect to I.R.C. at one time, and they all go park themselves in a
    channel somewhere so someone can come along and tell them who to
    Mr. Bierman and other I.R.C. developers and administrators said that
    they were contacted by federal law enforcement officials fairly often.  
    Mr. Bierman said that he sometimes cooperated in helping the
    government track down specific people using I.R.C. to wage major
    attacks. He added, however, that he had refused government officials'
    requests to build a back door into his I.R.C. software that would
    allow agents to monitor I.R.C. more easily.
    "Basically the F.B.I. is interested in the best way to monitor the
    traffic,'' Mr. Bierman said.
    Mr. Kulstad of the Justice Department declined to comment on its
    specific contacts with the I.R.C. community.
    Mr. Bierman and other I.R.C. administrators said that in addition to
    their free-speech concerns, they were also reluctant to confront
    hackers, because angry hackers often turn their drones against I.R.C.  
    servers themselves.
    Mr. Mosher echoed other I.R.C. administrators in saying that attempts
    to regulate the shady dealings online were doomed to failure.
    "Look, if we find one channel and close it, they move to another," he
    said. "It's been like this for years. You can't really stop it."