2024-06-03 23:00:13

Marcus Hutchins on Nostr: Got asked what the first supply chain attack I came across was, and it reminded me of ...

Got asked what the first supply chain attack I came across was, and it reminded me of a funny story from my previous career.

Some time around 2009/2010 someone snuck a backdoor into the source code of UnrealIRCd, which was a super popular IRC server software at the time. I have no idea who backdoored it or why, but we found out about the backdoor before the developers did.

Back then most cybercriminals used IRC as the control protocol for their botnets, so a lot of botnet infrastructure was built on top of UnrealIRCd. We wrote a script to basically crawl DNS blocklists and antivirus blogs for botnet command and control servers, then connect to them and check to see if they're running a backdoored version of UnrealIRCd. When we found botnets using backdoored versions, we'd connect to their server and sit in the control channel and wait for the operator to log on and start issuing commands.

Once we'd figured out what username/hostname the operator uses, as well as the command to download and run code on the infected systems, we'd use the backdoor to edit their IRCd config file and make ourselves admin, then issue a command to all their bots to run our own executable on the infected systems. The code would basically edit the hosts/routes file to redirect their control server domain/ip to our own server, where we'd just collect all the infected systems as trophies. Sometimes the original operator would figure out what happened then connect to our server and rage at us, or pay to have it DDoSed.
Author Public Key
npub1uu7gddsfwccptfz3wgqqgxz0wuwx302e07k3u475he6qzasfkz4q0hgs7t