March 5, 2004

A peek at script kiddie culture

Author: Robin 'Roblimo' Miller

The more things change, the more they stay the same. Andrew D. Kirch, security administrator for AHBL, infiltrated several script kiddie groups and shared some of his findings with us via IRC. From the (edited) interview transcript, you'll learn that one of the "new waves" in DDoS coordination is hijacking corporate conference call facilities, which is really an update of good old '60s-style phone phreaking, plus some insight into why some DDoSers do what they do -- and some tips on how they might be stopped.

Roblimo: How and why did you get started tracing DDoS perpetrators?

Andy: Part of it landed in my lap, and part of it was the attacks on the blacklists last summer. I met a [foreign] hacker a few years back on [major IRC network], and we founded an IRC network. Last March he contacted me, as I have some influence on [major IRC network]. An administrator was running illegal (against network policy) code, and they wanted someone from the outside that could independently log and prove it.

Roblimo: So this started on IRC?

Andy: Correct. Most things that these kiddies are doing are coordinated on IRC, or hijacked conference lines through carriers like AT&T or XO.

Roblimo: When you say "hijacked conference lines" do you mean phone conference lines?

Andy: Correct, business conference lines.

Roblimo: I've seen nothing in the press about this problem.

Andy: There is still an element of phone phreaking, it's simply upscaled in technology. Want to talk on one right now? :)

Roblimo: How does one go about hijacking a phone conference line?

Andy: That's one I haven't figured out yet. I'd have to assume it'd involve wardialing extensions into the system. Occasionally they're also liberated from work.

The policies on [major IRC network] allow quite a bit of freedom and privacy and make an excellent place to coordinate actions if they're to be taken off the network, or start "wars" with each other. Largely these actions have been ignored up to now. These kiddies band together into groups that have something between a street gang and Mafia personality. Friends of friends type stuff. When there's a major war, as there was a month or so ago, alliances get changed. The same occurred when the RPC.DCOM exploit came out last May. (And no, May isn't a typo.)

Editor's note: per the link above, the RPC.DOM exploit wasn't known to most of the world until September 2003.

The [hacker] group I've been monitoring just picked up a few people who are into that sort of thing, but I haven't seen them work much yet. A common theme is everyone switches sides about once every 6-7 months.

Roblimo: Switches sides?

Andy: Consider the people and the medium. You've got a lot of adolescents, and young adults with minimal if any social life. The interaction is not going to be on the same level as people with broader social experience. Considering that, and the ability to cripple a medium-sized ISP, there's going to be relationship issues, especially when you throw the sparse quantity of girls into the mix.

There was a girl in the channel, went by the nick ricki [name changed to maintain confidentiality]. Along with the phone conference aspect, there's also the prank calls. Friends even prank each other. Well, one of the guys pranked ricki. She took offense, and convinced two members of the channel to take it over. Both sides started firing packets, and my line was down for about 2 hours until the channel was sorted.

The war isn't really won on IRC. A win looks something like this: (if it's still up)
This guy hung up on a conf when it was decided to prank him. So the general course of a war is that words get exchanged over whatever the current "drama" is. Packets are fired, and shellhosts or IPv6 tunnels go down. Then there's a mad rush to "pull dox" on the other script kiddie -- expose who he really is hoping people will prank him and harass him until he gives up.

I've had my nick juped (taken by a bot) with my phone number and the away message "CALL ME FOR HOT ANAL SEX." No one called. I think perhaps I'm losing my sex appeal. Though I think the reason more likely is that I'm not packeting anyone or really involved except that I'm sitting in a channel watching all of this.

Roblimo: How do these "wars" affect the ISPs the kiddies use?

Andy: It varies. As the kiddies use shells from providers like the now defunct foonet, or pyroshells, or other DoS-hardened facilities, it's like letting them play in the sandbox. You say you haven't heard about it, it's because the kiddies are hitting things that either don't care, or if they're tricked (this is considered a real win) into hitting a government site, the FBI and Secret Service doesn't talk about their investigations.

I've seen ISPs crippled. A small Qwest acquisition was targeted by ADP [script kiddie nickname] as the user was an op in [a channel] on [major IRC network]. ADP knocked out the entire ISP (two T3s) for almost six hours. He was at one time affiliated with EMP [another nickname] who packeted the blacklists.

I have all of ADP's information, and a city and state on EMP. Unfortunately, until a few weeks ago the only authorities I could get to listen to me was Scotland Yard in England, and both ADP and EMP are Americans.

Most of these kiddies popped up after MyDoom. EMP's been around awhile, but ADP, SLiM (who recently attacked the NSA and NIPC websites, along with the White House mailserver), and izm purchased DoSnets (lists of "exploited" servers that can be used in DDoS attacks) with 10,000 hosts on them for the bargain value of $500. Since dcom was an NT exploit -- also for 2000 and XP -- all these machines can effectively spoof packets.

Roblimo: These are attacks we never hear about, right?

Andy: Yes. Unless you're watching.

The government on a whole is still very insecure. I've found several .gov machines in kiddies' DoSnets, some even from DoE fusion research labs, happily packeting away for them. Since you can spoof packets with Windows XP, most kiddies won't packet through proxies anymore. ISPs and major backbones don't effectively prevent bogon (unallocated and unannounced) IP space from traversing the wide Internet. Therefore a hacker with minimal sophistication can attack you from IP addresses that don't exist.

Roblimo: Wait -- you mentioned Win XP. You mean these aren't Linux advocates bent on destroying Windows?

Andy: Many of them use Linux. Having a compiler is a convenience. Using something like Wine to cross-compile is useful, but there are Windows users with minimal skill, and you have the eccentrics who swear no operating system has worked since Tru64.

Roblimo: But apparently we are *not* talking about Linux zealots attacking Windows out of moral conviction, right?

Andy: No.

To steal a phrase from the con artists, Windows users are pretty clueless. It makes them an easy mark.

Though to prove they are elite, there are kiddies who will specifically target another OS. Solaris and Irix are popular as they're usually fast or enterprise-scale on large pipes. 20-30 Solaris machines will do the same damage in general as 2-300 Windows users on DSL because they're on business connections.

Roblimo: One thing Microsoft spokespeople say is that if Linux were as popular as Windows, it would be attacked as much, and that as Linux starts getting used by more clueless people, those attacks will get easier.

Andy: With the sorry security history Microsoft has, and the low level of computing proficiency its customers have, not to mention the abundance of machines on cable and DSL IP ranges that aren't behind hardware routers, I agree to a good extent with Microsoft. People switching to Linux do not de facto get smarter. Pushing automated updates from a company like Red Hat will cause an outright revolt on sites like Slashdot, whereas with Microsoft we shrug and grumble a bit, then move on.

Though my equipment is DoS and intrusion hardened, I can guarantee you no end user who's just installed Mandrake or Red Hat for the first time will be able or willing to read through the GRSecurity manual pages and implement policies and overflow protection in a recompiled kernel.

They'll run on stock and run the updates, which is usually good enough when someone like eEYE discovers a vulnerability. But when "ryan1918" does or some of the more obscure 0day sites it can take days in the open source community or months for Microsoft to release a patch. 0day is the list of vulnerabilities and exploits which have not been publicly acknowledged (SecurityFocus) or patched (vendors). No one knows about them. Since they're not public knowledge, no one shares them.

I don't have access to 0day resources, but I generally know what's there -- and last fall I had my sshd safely out of harms reach when I knew there'd be at least three rapidfire remote overflows.

Roblimo: Who maintains this list? Where is it?

Andy: The list isn't coordinated or maintained except in discussion on IRC. Apparently when you're committing crimes, documenting it is a bad idea. :)

But I've seen security analyst types get fed up and drop exploits on IRC. DCOM, I think, was an example of that, though I was away when that started. It was discovered in February or perhaps earlier.

Roblimo: Doesn't this give the lie to a recent Microsoft statement that most exploits are done by reverse-engineering their security patches?

Andy: Absolutely. I quoted you May as when I found out about DCOM. Do you remember when they patched it?

Roblimo: No.

Andy: July. Consider I don't have access to these 0day exploits. That puts it around February or March that it was discovered.

Roblimo: Who *does* have 0Day access?

Andy: Friends of friends, anyone that someone who already has access trusts. Obviously trusting someone who would leak it would compromise you and cause you to be removed from the circle most actively developing exploits, and if you aren't involved in a 0day group, developing and releasing a new exploit to a group is usually a good ticket for admission. Like this:

You are now talking on #antirat0r
--- Topic for #antirat0r is Thank You for supporting the 
cause / rid (major IRC network) of the biggest f**k up 
in history. Let him know how u feel (phone # removed)
Topic for #antirat0r set by 
darkwave! at 
Fri Feb 27 08:48:37

Andy: It never ends. He posted nude pictures of one of the females after he found out she was playing a love triangle between her and another kiddie, jupes.

Roblimo: How wise do you think law enforcement is to any of this?

Andy: The general answer I've gotten is, "We don't have the time or resources to have our agents monitor IRC." They know, but they've adamantly got their fingers in their ears whistling loudly.

Roblimo: And yet, you're telling me attacks on DoD and other critical networks are often coordinated on IRC.

Andy: Of course, Department of Homeland Security is barely off the ground. They're starting to come around. Al Qaida, or whoever, with enough money could buy these kids, have them phonephreak 911 facilities, packet government mail and Web servers, attack Department of Energy facilities and local and state government for large cities and states. Even if nothing really serious happened the effect on our economy, since the FBI and DHS's answer has to be "Well, umm, we've been ignoring this entirely actually," wouldn't be fun to watch.

Roblimo: "These kids" are not necessarily in the U.S., are they?

Andy: There are a few in Canada and in Europe. As far as "evil countries" or our ever popular "axis of terror," no.

They buy and sell DoSnets. I'd have to guess they'd buy and sell their patriotism as well.

Roblimo: You're painting a picture of bored pimple-faced kids messing up the Internet as a hobby.

Andy: It's not a hobby, it's a social life. These kids don't have much outside of this. Most of them, if they were to go parties they would get beat up. This is their social life.

Roblimo: Do you think law enforcement could shut them down easily if they really tried?

Andy: Easily, no. But they could.

Roblimo: Why don't the FBI, Secret Service, etc., get on the case?

Andy: They're kids. You slap cuffs on them, confiscate the family computer, and they're in jail until they're 18? And then it's all wiped?

Roblimo: Why not with a whole bunch of them, not just a few?

Andy: The most effective method would be to actively police these DoSnets. They're easier to find, and without them, no one can be attacked. And if you can catch the guy running commands, toss him in jail.

Roblimo: But they're not all in the U.S., are they?

Andy: Most are. You need a grunty machine to handle 10,000 connections on IRC and a fast pipe with low latency. Most are hidden on machines from colocation services. I once found a DoSnet on Ice-T (the rapper's) Web server.

Roblimo: And on some government servers too, right?

Andy: Drones, you mean, not the DoSnets themselves.

DoSnets have three components. A binary, either a trojan or worm (if it's self-spreading) infects machines which are called drones. These drones then connect to a DDoS server, which is generally an IRC server which has been stripped down to make detecting and cleaning the drones more difficult.

There are operators on [major IRC network] who dedicate a large part of their time to finding and deleting these drones and drone servers, along with contacting providers whose machines are putting out the binaries. It should be noted however that this activity is ILLEGAL and viewed by the authorities as a violation of computer crimes laws. As a rule of thumb, unless you have paperwork from a judge saying you can touch a compromised machine, or you own the machine in question, don't touch it.

Picking up and putting your fingerprints on a gun found in the street is unwise. So vigilantism or "policing your network" or server is illegal. If you touch those compromised boxes, you go to jail; if you don't, the kiddie, seeing you, might very well turn around and packet you. It's not a good situation.

Roblimo: What about informing the compromised machines' owners? Do many of them listen or take action when alerted?

Andy: Nope, nor do the ISPs.

Roblimo: There are reportedly a *few* FBI people who will listen, but they're not easy to find. Or so I hear.

Andy: Generally, calling the FBI will yield you a transfer to the "Computer Crimes Unit," which has a heavily overused answering machine. $1,000 (in alleged loss due to a DDoS or other computer crime) gets you an agent who will take a report. $10,000 gets you an agent who will pretend to care and might even come out on site to take it. $100,000 is required to get action. Those aren't official numbers, of course, but just based on aggregrate data gathered on IRC from admins complaining about DDoS.

Roblimo: That's about right -- your numbers -- from what I've heard from FBI people.

You've obviously had plenty of contact with the underground "script kiddie" culture. What would *you* do to shut it down or at least make it less of a threat?

Andy: Part of it will take care of itself. FBI agents who have grown up with this are now starting to have a say in the Bureau. I've seen a huge difference in the FBI attitude in the last few months.

Part of it is on the press. Dig, publicize, rub their noses in this if you have to. If it prevents a war, or prevents our government and way of life from being crippled...

As far as a technical solution, Tier-1 providers and local ISPs need to filter traffic. If you are using and the IPs in the packet headers leaving your network are from something else, your configuration is broken. All the suddenly spoofed packets can be located to within a Class C.

Roblimo: That sounds simple!

Andy: It should be, but there are tens of thousands of routers, and not everyone's competent. ISPs and Tier-1s use bogon space internally on their networks. if this practice was stopped and IPs were allocated as necessary, things would also be easier.


The rest of the conversation was about specific ISP and Tier-1 provider policies. Our friend spoke highly of Paul Vixie and some of his ideas on how to prevent DDoS attacks and other Internet maliciousness.

In any case, after reading this interview, you probably do not want to pick up the novel Cyberterror, by R. J. Pineiro, who in his "day job" is a product engineering director for AMD, so he knows a little more about technology than your average thriller writer.

If thriller novels don't appeal to you but you want a nice cyberterrorism scare anyway, check this headline from The Washington Times: Senator urges confronting 'real threat' of cyberterror.

Or is this all just alarmism and conspiracy thinking run amok? That's the big question, and it looks like the only way to answer it is to wait and see if we do have any major cyberterrorism incidents, with or without help from the (American) script kiddies our informant claims form "groups that have something between a street gang and Mafia personality."


  • Software
Click Here!