Interview with Fruit^Loop, DALnet IRC Operator (IRCop)
1. Can you tell me a little bit about yourself? Background information etc.?

I'm a 32 yr old female from Florida with a successful business and a 10 year old son I adore. I'm an active IRC user and I normally can be found on DALnet, where I have "resided" for my 5 yrs using IRC (Internet Relay Chat). I am now an IRCop on vortex.hub.us.dal.net; as well as being an Oper I op and help in #Mirchelp and #No Hack as well as some other smaller help channels. I'm known as Fruit^Loop and have been called Ms. Idle because I don't say too much... I am one who looks, listens and learns silently in the background. I am also more of an observer than a chatter, you might say.
2. What made you get interested in studying IRC Bots and Trojans?

As for the Trojans in general... I downloaded a crack for some software and became infected with Sub7. Fortunately for me I saw this within 5 minutes or so and cleaned it after reading some info on the Trojan. I then became intrigued and could relate to the panic that others feel when they realize they are infected, hence my campaign to help... so I wandered into #No Hack one day and stayed, and a few months later I became a "sop".

As for how I became interested in GTBots... #No Hack things seemed to quiet down; NetBus and Back Orifice seemed to be declining and were replaced with worms such as Love Letter and Life Stages and of course more serious problems such as Hybris wreaking havoc on people's "InBox". But in general it almost seemed like things were quiet. However, when I least expected it a user came in complaining about his connection speed being very slow, even being on @Home, which for him was normally quick. After checking his netstat report, I found something I'd heard of but never seen for myself until that moment. His netstat showed another active IRC connection which he claimed he was not on; being as nosey as I am I decided to hop on the server and see for myself. I saw a server with hundreds of users and like 4 channels, but none of these hundreds of users were IN a channel. At this point I concluded that this man was being used as a "bot", so I went to work and with his cooperation found the infecting files, so I could now find out what channel he was in on. I found the secret network as well as the key that they had used to keep it safe from us "do-gooders" and "bot thieves". All of those users were now seen in that channel with 2 ops that were "masters". I then sat and hid, logged on while at work and slept for about 24 hrs, and my patience finally paid off. I was able to see the master "log in" and have these 300+ bots packet one IP they had assigned... That was the start of my intrigue, soon to become an addiction to find these BotNets and help the innocent users who became infected. My searching remains, as do my questions about things I see and maybe don't understand; I seek information from any source that I deem reliable.
3. Can you tell me a little about your work in the #No Hack channel?

My work varies from simple things such as an infected script or a long detailed removal of things such as CIH and Pe_Spaces; in between there are the troublesome .vbs files and Trojans such as NetBus, Sub7, BO, and now I am overwhelmed with users having a "bot" hidden somewhere in their computers. Since I started in #No Hack this is the WORST problem I have seen. I'd guess an average of 2 out of 5 are infected and maybe 1 out of 50 KNOW they are.

Often I look around DALnet and join the channels with some problems; you can actually join a channel and get hit with 30+ DCC sends of infected files. Normally when it's a mass amount like that you can bet it'll be a version of a GTbot.
4. How do you foresee the future for these Bots? As in, do you think the problem will escalate or die out?

As of now it seems to be a new "toy" for the "hackers" or "want to be hackers", as most anyone can change a few things, distribute the files and now have 100+ Bots for themselves. It's a trend, an easy one as the work's been done for them... with a few keystrokes they now can have a set of victims ready to packet, flood and infect at their fingertips. Will it die out in the near future? Not from what I see, no... it's too easy to do.
5. How do you think the problems could be avoided and solved for both the users and the IRC Service?

Users need to be informed, and they can be if they wish to be. There is information available everywhere on the web about Trojans and viruses... bits and pieces here and there. I myself would love a fully updated site on every Trojan out there, with information on each listed... this is a lot of work and I really doubt we'll ever see it.

To be honest I see a lot of Trojans and GtBots being hidden in porn files and warez files... My advice is to buy the porn magazine at the store, or rent the video if you must view porn, and buy the software that's on the market, or take a large chance of becoming infected.

The simple fact is that many users are blind to the fact that there are many people on the net waiting for you to become their next victim, using YOUR IP to packet someone they don't like (or for whatever reason they packet).

I'll add one comment in here about something I hate with the mIRC client, and that's in the last few versions the new feature to "click" on the URL and you're there. I believe this is a feature that was added with good intention, however it can be deadly for some... they click, get an .exe and run it, bam, infected. Also they can click it and there is some ActiveX and again, they are infected.
6. How much have you learned about these Bots, how many Bots roughly have you learned about, and where did you learn about them?

By viewing the files I received from infected users. Hunting down BotNets and watching what they do gave me some insight... by this I saw there wasn't just one bot, there were many... some worked a bit different, some masters had different purposes.

I also talked to some of the bot owners and asked questions. Questions like "why infect these people", "how does this and that work", etc.; you name it, I pretty much asked it. Honestly most of these people were nice and gave me more insight... surprising, I know, after what they do as a hobby.

I ran some files as well using another computer I dedicated to Trojans and watched myself be used; this was the best way to see what happens when you're "owned". I knew what I was doing; I can only sympathize with those who have no clue...

I sought, I asked, I still seek, I still ask, and more than likely I won't stop seeking and asking in the near future as I don't see this going away anytime soon.

As for the number of Bots, I need to be brief here with an answer of "too many"; there are many more than one.
7. Are there any other comments you would like to add?

It's very easy to become infected... I really can't tolerate it when some people state "You're stupid to be infected". I have yet to see any antivirus/Trojan scan or firewall detect it ALL, so if you're relying on that only to protect you, think again. The AVs need to have it in their database to see the file; without that your Norton or AVP says it's clean, so you think it's OK and run it. Guess what, you're now a victim. Only once the AVP has the sigs in their software can they detect and remove it; with a new worm, Trojan, virus or backdoor made daily you can't expect them to see everything. I'm not saying don't use them, by any means, but I'm simply saying NO AV or firewall is perfect, nor can we expect them to be.

You as the computer's owner/user need to take care: use common sense when downloading a file and running it, know your source, and remember not everyone is so nice on the net, not just on IRC but anywhere... ICQ, AIM, MSN etc. Just because that email with that intriguingly named .exe file came from a friend doesn't mean it is a good file, as many people are infected and do not know it, and spread the virus to others. This is how things work, you see. The more it spreads the more people are infected.

If you run a file, use the "find" feature to see what was created the day you ran the file, which can be of help. Use your Task Manager to find out what's running there that you're not sure of. Check your startup, to see what's starting up that you didn't ask to be started up. Unhide file extensions; you never know what you may be hiding. Do not depend on online "port scanners" such as grc.com, because most Trojans don't use assigned ports anymore. Hence, something like Shields Up won't show it open; use netstat and look for connections. Use the basic tools Windows has and you'd be shocked at how much you can in fact find.
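The netstat check recommended in the last answer (and used in answer 2 to spot the hidden IRC connection) as an added example that is not part of the original interview: a small Python parser over constructed `netstat -an` output that flags any established connection to a classic IRC port when the user says they are not on IRC, and lists every other established connection to an unexpected port for manual review, since, as the interview notes, Trojans do not stay on assigned ports. The sample lines, the IRC port set and the "expected" port allowlist are assumptions for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Windows `netstat -an` output (not captured from a real machine).
# The 6667 line is the kind of "IRC connection the user isn't on" described in the interview.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1037       10.0.0.1:6667          ESTABLISHED
  TCP    192.168.1.5:1042       203.0.113.7:80         ESTABLISHED
  TCP    192.168.1.5:1050       198.51.100.9:5555      ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

IRC_PORTS = set(range(6660, 6670)) | {7000}   # classic IRC server ports; 6667 is the default
EXPECTED_PORTS = {25, 80, 110, 443}           # assumed allowlist: mail and web for a home user

# One netstat row: proto, local addr:port, remote addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text: str) -> List[Dict]:
    """Turn raw netstat text into a list of connection dicts; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append({
            "proto": proto, "local": laddr, "lport": int(lport),
            "remote": raddr, "rport": int(rport) if rport.isdigit() else None,
            "state": state,
        })
    return conns


def triage(conns: List[Dict], on_irc: bool = False) -> List[Tuple[str, Dict]]:
    """Flag established TCP connections: IRC ports when the user is not on IRC,
    and any other remote port outside the allowlist for manual review."""
    findings = []
    for c in conns:
        if c["proto"] != "TCP" or c["state"] != "ESTABLISHED":
            continue
        if c["rport"] in IRC_PORTS:
            if not on_irc:
                findings.append(("irc-connection-user-not-on-irc", c))
        elif c["rport"] not in EXPECTED_PORTS:
            findings.append(("review-unexpected-port", c))
    return findings
```

Remote ports alone decide nothing here; the review list exists precisely because a bot may sit on any port, so the practitioner still has to match each flagged connection against the running processes from Task Manager.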