How to deal with trojan channels
From Blitzed
Sometimes the hardest part of dealing with suspected trojan channels is actually finding them. There are often only subtle clues that a trojan channel has appeared on the network, such as an inflated user count.
Trojan channels often take advantage of the features of IRC which make it difficult to enter and find channels, such as the +k and +s channel modes. Therefore even finding them means using your elevated IRC operator or admin powers.
There is obviously the potential for abuse here. For example, if you see a user with a % next to a channel name in /whois, it's your responsibility not to discuss these channels with anyone who isn't a Blitzed staff member. Even then, it should be kept to only the people who need to know about the channel's existence.
There are also many legitimate reasons why a channel might be +s, and you should respect the privacy that users expect from such a channel mode if you can see no evidence of it being a trojan channel. There are many channels on Blitzed that do not want strangers coming in, and they use the +s mode for this reason.
Generally, once a trojan channel is found and confirmed to definitely be a trojan channel, it should be closed down as soon as possible. Although watching the channel (as in Steve Gibson's (in)famous report) seems like a good idea, the repercussions can be greater because the trojan's DDoS power is not contained.
Before deciding to try to learn about the trojans in the channel, make sure you have the time and expertise to get anywhere with this, and check whether it is likely you can actually do it without being spotted by the trojan owners. Usually there is no advantage to be gained from keeping the channel around, and in fact if the kiddies think they can bargain with you then the situation can escalate. If they don't know you and have had no contact with other Blitzed staff, there is less chance they will bother to attack us when their channel is closed.
Useful methods for finding trojan channels
You will need the server administrator mode set (umode +A) to be able to use most of the commands below.
One of the most useful commands for finding trojan channels is /who. Bahamut supports extended WHO syntax which lets you find all sorts of information.
The /who +C flag is also good for seeing +s channels in use.
One useful command is
/who +Cs yourserver.blitzed.org
(you have to put the full server name). It lets you see all the channels that a sample of the users are on (you could use /who +C * but that tends to be too many users).
Trojans often have patterns in their usernames, nicknames or realnames. You can use /who to search on these (with the +u, +n and +g /who flags), and if you are lucky enough to find a pattern then it can be used to get the clients off the network.
Unfortunately, carefully looking through all the users is sometimes the only way to identify trojans. Remember that the /who output is sorted by time, so if the trojans have recently connected they will be near the top.
Remember to ask on /chatops if anyone else is around; another opinion is often valuable.
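As an added illustration (not a tool from the Blitzed wiki), this script does the "look for patterns" step over /who output: it parses standard RPL_WHOREPLY (numeric 352) lines, normalises nick, ident and realname so that bots differing only by a number collapse to one signature, and reports clusters plus the opped nicks. The sample lines are constructed for the example; the server, nicks and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample of raw RPL_WHOREPLY (numeric 352) lines as a client receives
# them after "/who +c #channel": channel, ident, host, server, nick, status flags,
# then ":<hopcount> <realname>". All names and addresses here are made up.
SAMPLE_WHO = """\
:irc.example.org 352 opernick #suspect qwerty 10.0.0.5 irc.example.org Alice H :0 Alice Smith
:irc.example.org 352 opernick #suspect xkz 192.0.2.11 irc.example.org [bot]8821 H :0 x
:irc.example.org 352 opernick #suspect xkz 192.0.2.57 irc.example.org [bot]1193 H :0 x
:irc.example.org 352 opernick #suspect xkz 198.51.100.4 irc.example.org [bot]4402 H :0 x
:irc.example.org 352 opernick #suspect owner 203.0.113.9 irc.example.org Th3Kidd H@ :0 owner
"""

WHOREPLY = re.compile(
    r"^:\S+ 352 \S+ (?P<chan>\S+) (?P<user>\S+) (?P<host>\S+) \S+ "
    r"(?P<nick>\S+) (?P<flags>\S+) :\d+ (?P<real>.*)$"
)


def parse_who(raw):
    """Return one dict per RPL_WHOREPLY line; lines that do not match are skipped."""
    return [m.groupdict() for line in raw.splitlines() if (m := WHOREPLY.match(line))]


def _norm(s):
    """Lower-case and replace digit runs with '#', so [bot]8821 and [bot]1193 agree."""
    return re.sub(r"\d+", "#", s.lower())


def signature(entry):
    """Key on (ident, nick, realname) shape rather than exact values."""
    return (_norm(entry["user"]), _norm(entry["nick"]), _norm(entry["real"]))


def find_clusters(entries, min_size=3):
    """Group clients by signature and return groups of at least min_size, largest first."""
    groups = defaultdict(list)
    for e in entries:
        groups[signature(e)].append(e)
    return sorted((g for g in groups.values() if len(g) >= min_size), key=len, reverse=True)


def opped_nicks(entries):
    """Nicks carrying '@' in the WHO flags: the few opped users are often the owners."""
    return [e["nick"] for e in entries if "@" in e["flags"]]


if __name__ == "__main__":
    who = parse_who(SAMPLE_WHO)
    for group in find_clusters(who):
        print(len(group), "clients share", signature(group[0]))
    print("opped:", opped_nicks(who))
```

A real signature can be turned into a /who +u, +n or +g search across the whole network, not just the one channel.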
Confirming the channel is a trojan channel
See what the topic is.
/list #channelname
You can check for patterns in nicknames, etc., with this.
/who +c #channelname
If it is registered, check the services info and the founder's nickname.
/cs info #channelname
They are often one of the few people opped in the channel.
A CTCP VERSION (or maybe even USERINFO) request to some of the clients in the channel (bots and owners) can be informative, since the trojan owners also often use 'war' type scripts that can't help but shout about what they are. Many trojans now try to return real-looking replies to CTCP commands, so this can't totally confirm it.
Closing trojan channels down
All of this will usually need a Services admin.
Channel names can be "quarantined". This means that a QLINE will be distributed to all Blitzed servers which prevents matching channels from existing on those servers. It effectively stops any client from getting into the channel, which also stops the channel from ever being created.
Many types of trojan are unusable if their IRC bot is not in the same channel as the trojan owner, so this is the next best thing to getting the bots off the network. It's often the best and only thing you can do.
/os quarantine add ^#channelname$
Remember to escape any special characters in the channel name otherwise chaos can result!
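Added example (not from the Blitzed wiki) showing why the escaping matters: the helper builds the anchored pattern for the quarantine command and the test shows that an unescaped "." in a channel name silently matches other channels. It assumes the quarantine pattern is an ordinary regular expression where the usual metacharacters need a backslash; the exact dialect OperServ accepts is not stated on this page.

```python
import re

# Characters that carry meaning in a regular expression and must be backslash-escaped
# for the channel name to match literally (assumed dialect, see lead-in).
_META = set(".*+?^$[](){}|\\")


def escape_channel(name):
    """Backslash-escape regex metacharacters in a channel name."""
    return "".join("\\" + c if c in _META else c for c in name)


def quarantine_pattern(channel):
    """The anchored pattern that goes after '/os quarantine add'."""
    return "^" + escape_channel(channel) + "$"


def quarantine_command(channel):
    """Full command line to paste into the client."""
    return "/os quarantine add " + quarantine_pattern(channel)


def pattern_matches(pattern, channel):
    """Does this quarantine pattern catch this channel name?"""
    return re.search(pattern, channel) is not None


if __name__ == "__main__":
    # Constructed channel names for the demonstration.
    print(quarantine_command("#warez.1"))
    print("unescaped ^#warez.1$ also hits #warezX1:", pattern_matches("^#warez.1$", "#warezX1"))
```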
By quarantining first you ensure only operators or admins will be able to join the channel.
The next step is to join the channel. The way that will work in almost all cases is to get OperServ to invite you with:
/os raw :operserv invite your-nickname #channel
This gets you past keys and any other modes.
Now that you are actually in the channel, it's often easier to make any last checks that the channel is actually a trojan channel (although you should be pretty sure by this stage).