Interview with Barbara, DALnet IRC Operator
1. Can you tell me a little bit about yourself? Background information, etc.?
In 1997-98 I came across a ghost channel called #nohack, with no ops, and
people joined trying to find help removing the script.ini and dmsetup
Trojans. As time went by, #nohack began to grow, and www.nohack.net was
born. In the last couple of years, with all the hard work of the ops in
#Nohack, it has become a major source of IRC trojan/virus removal
information.
2. What made you get interested in studying IRC Bots
and Trojans?
I remember a user messaging me a few years ago, crying.
She was so upset because she was using her parents' computer and
someone was typing things and making screens pop up. I think that's
when I started to become more interested in trying to stop this
type of abuse from people who infect others on IRC.
3. Can you tell me a little about your work in the
#nohack channel or exploits team?
Well, at the beginning I was very active in #nohack.
When I became an IRC Operator on DALnet it was harder for me to
be as active in the channel, but I did continue my work outside
of it, as I seem to attract a lot of abusive users when I am opped
in a channel. DMsetup was a nightmare at the time; I was removing
1000s of users every day infected with this trojan, sending them
to www.nohack.net for the appropriate removal information (thanks
to a certain #Mirc op for scripting such a script ;) ). After that
we implemented very effective akills/bans, and dmsetup began to
die out.
4. How do you foresee the future for these bots? As in, do you think
the problem will escalate or die out?
This is a hard question to answer. If the public is educated on
protecting their computers, then it will die out. It could go either way.
I see a huge problem with the floodnet bots, mostly
GT (globalthreat). I think if we could get cable companies like
@home more active in protecting their customers from these malicious
files or simply educating them when they sign up for an account.
5. How do you think the problems could be avoided
and solved for both the users and the IRC Service?
Users need to protect themselves properly from this
type of abuse. Installing appropriate anti-virus software is the
second step, the first step is not opening or accepting files without
knowing what they are or having adequate protection against trojans.
6. How much have you learned about these Bots, how many Bots roughly
have you learned about, and where did you learn about them?
I've learnt about these bots by observing the people
responsible for creating them, and turning them in to the proper
authorities. The only solution I see is, removing the creators first.
7. Are there any other comments you would like to add?
Just that #NoHack ops are a special breed. We are all non-profit. None
of us get paid for what we do. We suffer attacks from hackers, abuse
from users and hours of endless directions to people to help them remove
a file they unwittingly installed. And I think that most enjoy it, in
spite of all that. I do it mostly for the education value. Being in
#NoHack has taught me a great deal about Windows. I am still learning.
I think the "Working towards a virus free irc" slogan on the nohack.net
web site is a vain goal. It will never be achieved that I can see. But
at least we can help those we can...and learn along the way. That's a
fair trade.
8. Can you tell me a little about your work with the
Exploits team?
DALnet Exploit Prevention Team is a very efficient
group of operators who work on a daily basis to protect our users
from being exploited.
- Contacting the Internet Service providers on these users who create, spread, attacking IRC users
- Sending information to the appropriate law enforcement agencies
- Contacting webhosting companies and having the infected files removed
- Finding solutions for removing new trojans
- Sending new trojans/virus files to anti-virus software companies to be added to new dat files
- Analyzing files for the purpose of locating who is creating and spreading these files
- Banning users who are infecting other users with self sending files
- Removing abusers who are exploiting other users