All articles licensed under a Creative Commons License.
 









Tuesday, April 19, 2005

Spazbox Reloaded

Remember in the Matrix Reloaded, when Neo stepped through the door of light, into the chamber of all (digital) creation? Well, I had an experience like that just recently. Except the door was more of a hole, the bright light was more muddy brown and the smell reminiscent of a morgue where they forgot to switch the air conditioning on. What could I possibly be talking about?

The Spazbox IRC Network, that's what.



I said I'd find my way in, and sure enough, with my best prying and jimmying suit on, I managed to (eventually) bluff my way past the bouncers with a fake ID and a whole lot of guns. And what did I find there? Thousands upon thousands of channels? Hundreds of angry Crackers? Zillions of malicious bots?

No. I found...nothing?

That's right - the Spazbox IRC admins obviously don't want their secrets blasting all over the internet, and it's locked down nice and tight. So much so, that regular IRC commands don't actually seem to work. Try pulling up a list of channels, and watch as not very much happens. Try getting a list of active users - second verse, same as the first.

Message of the day?

Yep, that's gone too. It looked as if the deck had been cleared, and all the fun stuff had been shipped off in crates to that warehouse in Indiana Jones. But fear not! With my best bullwhip in hand and a healthy fear of snakes to boot, I simply started to type in

/join (random channel name goes here over and over again)

And the results were, as they say in those detergent commercials, dazzling.

From the one scrap of evidence I had, I entered the only channel name I knew - and (lo and behold) I was in. And (like all good explorers) I made sure I took a few snaps:



As you can see from the below shot, the channel is "secret" - that is, it won't turn up in any "list channel" searches:



It's a fair bet that all the other channels on this network are the same, making the task of discovery so much harder. You're also not allowed to have more than one channel open at a time. So it's very much small needle, big haystack time. But what exactly does

.advscan lsass 200 5 0 -b -r

in the channel's Topic mean?

Well, before we get to that, the important thing to note is the rather random stream of letters at the top of the IRC box: CmMnstu. These are permissions set by the channel owner: you're not allowed to talk without permission, and the channel is moderated and hidden from view. Additionally, it looks like the IRCd (which sends the message of the day, channels etc.) has been altered - to hide the number of bots in the channels. That's right, invisible bots ahoy - not only can we not see any channel names, but the bots are hiding in the undergrowth too.

When you join the #Pawnz0z channel, the bot (or bots) in there accept the channel topic as a command and (in this case) perform the function below:

They scan the first 2 numbers of your IP range, then select random numbers after that. The command itself uses that information as a starting point and tells your PC to scan 200 "threads" a minute with a 5 second delay - for an infinite length of time (or at least until you bless your PC with holy water!)

Every time your machine finds a vulnerable IP it copies itself to the machine, which then repeats the whole process. Meanwhile, the Bot Controller receives a log containing the IP addresses of all the infected / scanning PCs vulnerable to the LSASS exploit.
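For defenders watching outbound IRC from their own network, the topic-as-command behaviour described above can be flagged from the raw protocol lines. The following is an added example, not part of the original post or of any tool it mentions; the sample lines, server name and nick are constructed, and the order of the .advscan fields is an assumption taken from the description above.

```python
import re

# Constructed sample of server-to-client IRC lines (not captured traffic).
# 332 = RPL_TOPIC, 324 = RPL_CHANNELMODEIS; server and nick are placeholders.
SAMPLE_LINES = [
    ":irc.example.invalid 332 guest1 #Pawnz0z :.advscan lsass 200 5 0 -b -r",
    ":irc.example.invalid 324 guest1 #Pawnz0z +CmMnstu",
    ":irc.example.invalid 332 guest1 #chat :Welcome, be nice",
    ":irc.example.invalid 324 guest1 #chat +nt",
]

NUMERIC = re.compile(r"^:\S+ (?P<num>332|324) \S+ (?P<chan>#\S+) :?(?P<rest>.*)$")
# Assumed field order, taken from the post: exploit, threads, delay, duration.
ADVSCAN = re.compile(r"^\.advscan\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)((?:\s+-\w+)*)\s*$")

def parse_advscan(topic):
    """Return the scan parameters if the topic is an .advscan command, else None."""
    m = ADVSCAN.match(topic)
    if not m:
        return None
    exploit, threads, delay, duration, flags = m.groups()
    return {"exploit": exploit, "threads": int(threads), "delay_s": int(delay),
            "duration": int(duration),  # 0 = no time limit, per the post
            "flags": flags.split()}     # meaning of -b / -r is not decoded here

def triage(lines):
    """Map channel -> finding for every channel whose topic is a scan command."""
    seen = {}
    for line in lines:
        m = NUMERIC.match(line.rstrip("\r\n"))
        if not m:
            continue
        entry = seen.setdefault(m["chan"], {"command": None, "modes": ""})
        if m["num"] == "332":
            entry["command"] = parse_advscan(m["rest"])
        else:
            entry["modes"] = m["rest"].split(" ")[0].lstrip("+")
    findings = {}
    for chan, entry in seen.items():
        if entry["command"]:
            # 's' (secret) and 'm' (moderated) are the standard mode letters
            hidden = "s" in entry["modes"] and "m" in entry["modes"]
            findings[chan] = dict(entry["command"], secret_moderated=hidden)
    return findings

if __name__ == "__main__":
    for chan, finding in triage(SAMPLE_LINES).items():
        print(chan, finding)
```

A client that receives a finding like this for a channel it joined without user action is worth isolating and examining before it starts scanning.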

Now, even with one or two Bots spewing out this kind of traffic, that's a lot of garbage filling the networks. But it's certain that they didn't go to this much trouble to have an entire network dedicated to just one Bot. The question is, how many other bots are there - how many channels are there - and what other vulnerabilities are being searched for from the Spazbox IRC network?

It's hard to say, especially as you're effectively reduced to typing in random channel names to see if they already exist. But one thing's for sure, there's a lot more exploring to do in IRC land...


All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.