Talkative botnet herder taunts security researchers

The botnet operator behind the virulent Nirbot Trojan is having a field day taunting anti-virus researchers.

While it is common to find messages and shout-outs buried in virus code, the person(s) behind Nirbot is rather talkative, leaving hostile threats directed at specific individuals, a strange apology for something involving "hospital computers" and even a mock CNN interview that discusses the bot's intent.

The messages are being added to updated versions of the code on a daily basis as the bot author reacts to news stories and blog entries about the attacks, which exploit an old -- and already patched -- buffer overflow in several versions of Symantec Client Security and Symantec AntiVirus Corporate Edition.

Here's a sampling of what's been found in the code so far, via Jose Nazario:

A message aimed at a member of the Symantec security research team:

Dear Symantec: For years I have longed for just one thing, to make malware with just the right sting, you detected my creation and got my domains killed, but I will not stop, I can rebuild. P.S. F@?k you assholes, especially Stephen Doherty who is the biggest f@??#t I know of.

This note was found embedded in the code: "Sorry about the hospital computers :(". Researchers believe this is linked to a Nirbot-related attack that infected the Quebec healthcare system.

Another note makes a rather pleasant request that the bot be referred to as Irnbot, which the author claims is the true name.


The Internet Storm Center's Johannes Ullrich is also targeted in the code with intimidatory, foul-mouthed threats.

Researchers at the Offensive Computing project noticed a mock CNN interview in the code:

Tonight on CNN: An interview with the author(s) of Rinbot. Who are you? Hacker(s). Are you actually disgruntled? No. Then why are you actively going after Symantec? The worm is designed for getting the highest yield of computers infected, not to aggravate Symantec; there is no hate. So why attack the Symantec anti-virus program? A lot of businesses and universities run the application, making it a prime target for exploitation. Are you aware that your worm is crippling computer networks? Yes that can happen on slow networks or networks with many computers; the worm also searches and removes other worms from the system, acting as a small anti-virus program if you will. If you wish not to have those problems keep your software updated. Why did you taunt Symantec and other security companies? They were the first to list the worm on their site and try and get servers shut down. What do you intent to use the infected computers for? Nothing very malicious; no fraud or anything like that. What is the real name of the worm and how did you come up with it? The real name is IrnBot, it is named after a popular soft drink called IrnBru. Thank you for your time author of Rinbot. You are very welcome CNN, thank you for the opportunity to explain.

Immediately after the text of the CNN interview was posted on the Offensive Computing blog, the IRC (Internet Relay Chat) channel controlling the zombies was changed to #OC and the leet-speak spelling of OffensiveComputing.


Talkback

  • This hacker is an idiot

    "So why attack the Symantec anti-virus program? A lot of businesses and universities run the application, making it a prime target for exploitation."

    Why on earth would he target something just because it had a lot of marketshare? Doesn't he know that the Mac zealots believe marketshare has nothing to do with how the "bad guys" write their malware? He should read Apple zealot posts on ZDNet to learn something about how to write malware because he is quite obviously clueless.
    NonZealot
    • Marketshare

      The most virus stuffed OS on the planet is Windows. Even if there were only 10 Windows users on the planet, the Windows OS itself would still be the MOST vulnerable, the MOST hacked, the MOST owned OS on the face of the planet. This hacker's attacking Symantec product because Symantec are one of the vast, wealthy businesses whose product lines are only possible because the most popular OS is the most vulnerable and insecure OS. For the past 15 years Windows has been completely unusable without the additional cost of anti Windows virus products. Now that Microsoft have purchased some of those companies they're going to integrate the antibiotic right into the middle of the septic sore, and sell them as a single unit. Now that's innovation ...
      whisperycat
      • Yawn.

        'nuff said.
        John Zern
    • No, you're the idiot

      If you can't understand why someone would attack a piece of software because it has a lot of market share, then you sir are the idiot. Since more people run anti-virus software from Symantec than from some other small company that means a higher number of possible infections which is the goal of the worm. That is the reason hardly anyone attacks Mac computers, not because they aren't vulnerable but because almost no one uses them. Low number of potential infects == Low amount of profit. Next time think before you post.
      DamnZealot
  • Idiots

    Idiots have their uses...this moron has none to speak of.
    edronex2@...