One of the more interesting parts of my malware hunting routine is when I notice new command & control hubs for bot networks in the source of ircbot malware content. I am not the type to just look and not play; I always dive into these networks and poke around. Where it gets really fun is when the attackers get lazy, thinking they are untouchable, and leave their irc networks open with a series of simple administrator nick names that can be used to control the bots on the network.
So, what I sometimes do is sign into these irc networks, monitor & log them for a little while for abuse reporting purposes to the network hosting them, then I literally jack the network out from under the attacker and make every single bot exit by telling all the bots to run e.g. “killall -9 perl”, which terminates the bot program. Some of the rage from these little kiddies is obscenely retarded, but at the same time it is incredibly fun to watch prepubescent teens get mad over shit they should rightly be tossed into jail for.
Now, on occasion, this does backfire on me: I have had my home internet DDoSed to death more than a few times, to the point where I had to unplug my cable modem for hours to let the DHCP IP release and renew as a new one. It is still worth it and incredibly fun to ruin these kiddies' week or month, with all the hard work they put into these bot networks amassing hundreds upon hundreds of zombies. Just as fun is when the kiddies think they’ve got you all figured out and have locked the bot network down, and you get a reply from a network administrator over at the company you sent an abuse email to telling you they are looking into the matter, then minutes later the network goes tits up cause the server hosting it was shut down 🙂
Yup, that was my story time for the day. I will try to post some of the funnier bits from network take downs shortly. I will also be putting up some C&C stats in the soon-to-be-released threat statistics section. That's it for now, kthxbye!