Exploits Team Pages

DDoS Bots

DALnet has recently experienced an extended attack from various types of automated clients, resulting in a sustained Denial of Service attack. We have taken emergency measures to control this attack by detecting and banning any client which appears to be infected by one of these drones. As a result, users may be disconnected from DALnet with the following message:

[exp/os] Due to abuse from this host, you are no longer welcome on DALnet. See http://kline.dal.net/exploits/akills.htm#os for more information.

This page provides information on locating and removing some of the most common variations of these drones. As there are such a large number of possible variations, the information may not apply fully to every situation, and you will need to adapt it to suit your particular circumstances. These procedures require a reasonable degree of knowledge; if you do not feel confident enough to follow these instructions, we suggest you take your PC to a local repair facility for professional attention.

As with any other system compromise, removing the bot alone may not fully secure your system. Please see our security breach recovery guide for further information on how to fully secure your system.

Please note: DALnet can offer no further assistance with this problem. If you are unable to deal with the issue using the information on this page, please consult a computer professional or knowledgeable friend for help.

There is a more in-depth discussion on the history of these bots and what they can do available on the Lockdown website (link will open in a new window).


Anatomy of a DDoS Bot

These bots usually consist of a single executable and a collection of supporting files. In the majority of cases, the executable and supporting files are stored in one directory, usually a subdirectory of the system directory (c:\windows). They are typically around 550kb when compressed, expanding to around double that when installed. Mostly the files are compressed into a single executable for distribution using one of several proprietary file compressors (UPX or PaquetBuilder 32 being the favourites).

There is also a second type of bot which is much smaller. Often around 7-10kb, these are more limited in facilities and almost exclusively packaged using the UPX compressor.

Both types of bots use a technique which enables them to 'hide' from the normal task list under Windows 95/98/ME and to a lesser extent on Windows NT and 2000. Their behaviour under Windows XP is largely unknown at this time.

What to look for (and how to find it)

  • Disable the 'hide files' options within Windows. To do this, open Windows Explorer, choose Tools, Folder Options, View and instruct Windows to Show all files. Also disable the hiding of file extensions and the hiding of system files, as both of these can disguise the location of DDoS bot files.

  • Search all files and folders for a file called mirc.ini. If this file is found anywhere other than in your mIRC directory, it's probable that there's a bot installed in that directory. There should NEVER be a mirc.ini file in the system directory or any subdirectory of it - if you find one there it's almost certain there's a hidden bot installed on your machine.

  • Check for running processes that you don't recognise. To do this, you'll need to shut down all programs and disconnect from the internet. You should then run the Microsoft System Information utility (C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSinfo32.exe). Once open, select Running Tasks from the list of options under Software Environment. This will show you a list of tasks running on your machine. Compare this list to the one found under Startup Programs. Anything found in both lists is worth a closer look. Check for files you don't recognise, which seem to be in unusual places, or which you don't think should be running automatically when you restart your machine.

MSinfo Image

  • Check the registry for startup programs you don't recognise. Using the Startup Programs option of MSinfo, look for programs you don't recognise being started from the run, runonce or run services keys in the registry. Also check the startup folder.
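The mirc.ini search from the list above, written out as an added Python example (not DALnet's own tool): it walks a directory tree, flags every mirc.ini that sits outside the real mIRC directory, rates the hit the way the page does (under the system directory is almost certain, elsewhere is probable), and notes which filenames from the table further down are found beside it. The directory layout, the 'Fonts32' folder name and the file list are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Subset of the filenames from the page's table of commonly seen drone files,
# lower-cased so the comparison is case-insensitive like Windows filenames.
KNOWN_DRONE_FILES = {
    "whvlxd.exe", "accessdiver.exe", "pepsi.exe", "setup32.exe", "expl32.exe",
    "explorer2.exe", "win32.exe", "nohack.exe", "bot.exe", "hehe.mrc",
    "dccsend.mrc", "pepsi.vbs", "igmp.vbs", "win32x.dll", "winexp32.dll",
}

def _inside(path, parent):
    """True if path is parent itself or lies anywhere beneath it."""
    return path == parent or parent in path.parents

def scan_for_drone(root, mirc_dir, system_dir):
    """Walk root and report every directory holding a mirc.ini outside the
    real mIRC directory as (directory, rating, known companion files).
    Under the system directory the rating is 'almost certain', else 'probable'."""
    root, mirc_dir, system_dir = Path(root), Path(mirc_dir), Path(system_dir)
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        names = {f.lower() for f in files}
        here = Path(dirpath)
        if "mirc.ini" not in names or _inside(here, mirc_dir):
            continue
        rating = "almost certain" if _inside(here, system_dir) else "probable"
        findings.append((str(here), rating, sorted(names & KNOWN_DRONE_FILES)))
    return findings

def build_demo_tree():
    """Constructed sample layout: a clean mIRC install plus a drone hidden in a
    made-up subdirectory of the system directory. Returns the paths scan needs."""
    base = Path(tempfile.mkdtemp())
    mirc = base / "Program Files" / "mIRC"
    system_dir = base / "Windows" / "System"
    drone_dir = system_dir / "Fonts32"          # hypothetical hiding place
    for d in (mirc, drone_dir, base / "Windows" / "Temp"):
        d.mkdir(parents=True)
    for name in ("mirc.ini", "mirc32.exe", "aliases.ini"):
        (mirc / name).write_text("")            # legitimate mIRC files
    for name in ("mirc.ini", "WHVLXD.EXE", "hehe.mrc", "remote.ini"):
        (drone_dir / name).write_text("")       # drone executable plus scripts
    return base, mirc, system_dir

if __name__ == "__main__":
    for where, rating, known in scan_for_drone(*build_demo_tree()):
        print(f"{rating}: bot directory {where} (known files: {known})")
```

On a real machine you would point root at the drive, mirc_dir at your mIRC folder and system_dir at c:\windows; the clean mIRC copy of mirc.ini is deliberately not reported.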

Getting Rid of the Bot

Getting rid of these bots is usually as simple as finding the startup line (see above) and removing it, then rebooting the system and deleting the actual bot executable and associated files. The reboot is required because you won't be able to delete the bot while it's running (it's hidden from the Windows Task Manager, so you can't kill the process individually).

What files do the bots use?

The bots can use almost any filenames; some of the most common ones we've seen are shown below.

Executable files:
WHVLXD.EXE
temp.exe
temp2.exe
Accessdiver.exe
pepsi.exe
SETUP32.EXE
Anti_Net_Bus.exe
settings.exe
DskLoad.exe
vscan2001.exe
expl32.exe
explorer2.exe
BLuESpYdER.exe
Igmp.exe
mimic.exe
win32.exe
reg.exe
something.exe
speedup2_3b.exe
xxvideo.exe
sex.exe
winini32.exe
nohack.exe
bot.exe
temp.scr
Animal.scr
BRITNEYSPEAR.scr
BRITNEYSPEARS.SCR

Supporting files:
alias.ini
remote.ini
join.ini
mirc.ini
mirc2.ini
mirc3.ini
pr.ini
inf3.ini
stat4.ini
chezz.ini
control.ini
db.ini
stats4.ini
dos.ini
sub7.ini
hehe.mrc
dccsend.mrc
niks.txt
gates.txt
accessed.txt
files.txt
dalnet.txt
YoMoma.txt
mastercommands.txt
reklam.txt

Additional files:
pepsi.vbs
icmp.vbs
igni.pif
igmp.vbs
share.vbs
fonts.vbs
cons1.dll
deg326.dll
ins.dll
mir436.dll
moo.dll
mstg1.dll
scan31.dll
zzz.dl
updatex1.dll
win32x.dll
winexp32.dll
MSVBVM60.DLL
winvar32.dll
sys.hta
tray.ico
reg.obj
reg.asm
upyes.fnt
shut.lnk
restart.lnk

My virus or trojan scanner says I'm clean!

Sadly, many of these bots are still undetected by antivirus or antitrojan packages. Norton and McAfee detect some, Trend Micro detects most of the older ones, The Cleaner finds a select few, and Lockdown will find most of them, but only when they are executed. This is one instance where your anti-virus or anti-trojan package may not be totally effective.

Isn't there an easier way than this to get rid of these things?

You could try the semi-automated remover available for free from Lockdown at the following URL:

http://lockdowncorp.com/bots/downloadswatit.html (link will open in a new window)

Please be aware that this tool may not find all types of these bots and is not supported in any way by either DALnet or Lockdown Corp.


© DALnet IRC Network 2003.
DALnet treats copyright violation extremely seriously.
You are expressly forbidden to copy, mirror or otherwise duplicate the content, style or look and feel of these pages without express written permission from an authorized DALnet official. Copyright violators will be dealt with severely.