[ISN] The Internet's Wilder Side

InfoSec News isn at c4i.org
Thu May 6 06:09:41 EDT 2004


Published: May 6, 2004

IT was just another Wednesday on the sprawling Internet chat-room
network known as I.R.C. In a room called Prime-Tyme-Movies, users
offered free pirated downloads of "The Passion of the Christ" and
"Kill Bill Vol. 2." In the DDO-Matrix channel, illegal copies of
Microsoft's Windows software and "Prince of Persia: The Sands of
Time," an Xbox game, were ripe for downloading. In other chat rooms
yesterday, whole albums of free MP3's were hawked with blaring capital
letters. And in a far less obtrusive channel, a hacker may well have
been checking his progress of hacking into the computers of
unsuspecting Internet users.

Even as much of the Internet has come to resemble a pleasant,
well-policed suburb, a little-known neighborhood known as Internet
Relay Chat remains the Wild West. While copyright holders and law
enforcement agencies take aim at their adversaries on Web sites and
peer-to-peer file-sharing networks like Napster, I.R.C. remains the
place where people with something to hide go to do business.

Probably no more than 500,000 people are using I.R.C. worldwide at any
time, and many of them are engaged in legitimate activities, network
administrators say. Yet that pirated copy of Microsoft Office or
Norton Utilities that turns up on a home-burned CD-ROM may well have
originated on I.R.C. And the Internet viruses and "denial of service"
attacks that periodically make news generally get their start there,
too. This week, the network's chat rooms were abuzz with what seemed
like informed chatter about the Sasser worm, which infected hundreds
of thousands of computers over the weekend.

"I.R.C. is where you are going to find your 'elite' level pirates,"
said John R. Wolfe, director for enforcement at the Business Software
Alliance, a trade group that fights software piracy. "If they were
only associating with each other and inbreeding, maybe we could
coexist alongside them. But it doesn't work that way. What they're
doing on I.R.C. has a way of permeating into mainstream piracy."

Two weeks ago, the F.B.I., in conjunction with law enforcement
agencies in 10 foreign countries, announced an operation called
Fastlink, aimed at shutting down the activities of almost 100 people
suspected of helping operate illegal software vaults on the Internet.  
The pirated copies of music, films, games and other software were
generally distributed using a separate Internet file-transfer system,
said a Justice Department spokesman, but the actual pirates generally
used I.R.C. to communicate and coordinate with one another.

"The groups targeted as part of Fastlink are alleged to have used
I.R.C. to have committed their crimes, like almost all other warez
groups," the spokesman, Michael Kulstad, said in a telephone
interview. Warez, pronounced like wares, is techie slang for illegally
copied software.

When I.R.C. started in the 1980's, it was best known as a way for
serious computer professionals worldwide to communicate in real time.  
It is still possible - though sometimes a bit difficult - to find
mature technical discussions among the tens of thousands of I.R.C.  
chat rooms, known as channels, operating at any one time. There are
also respectable I.R.C. systems and channels - some operated by
universities or Internet service providers - for gamers seeking
opponents or those who want to talk about sports or hobbies.

Still, I.R.C. perhaps most closely resembles the cantina scene in
"Star Wars": a louche hangout of digital smugglers, pirates,
curiosity seekers and the people who love them (or hunt them). There
seem to be I.R.C. channels dedicated to every sexual fetish, and
I.R.C. users speculate that terrorists also use the networks to
communicate in relative obscurity. Yet I.R.C. has its advocates, who
point to its legitimate uses.

"I.R.C. is where all of the kids come on and go nuts," William A.
Bierman, a college student in Hawaii who helps develop I.R.C. server
software and who is known online as billy-jon, said in a telephone
interview. "All of the attention I.R.C. has gotten over the years has
been because it's a haven for criminals, which is a very one-sided

"The whole idea behind I.R.C. is freedom of speech. There is really no
structure on the Internet for policing I.R.C., and there are
intentionally no rules. Obviously you're not allowed to hack the
Pentagon, but there are no rules like 'You can't say this' or 'You
can't do that.' "

It is almost impossible to determine exactly how many people use
I.R.C. and what they use it for, because it takes only some basic
technical know-how to run an I.R.C. server. Because it is generally a
text-only medium, it does not require high-capacity Internet
connections, making it relatively easy to run a private I.R.C. server
from home.

Some Internet experts believe that child pornography rings sometimes
use their own private, password-protected I.R.C. servers. Particularly
wary users can try to hide their identity by logging in to I.R.C.  
servers only through intermediary computers. There are, however,
scores of public I.R.C. networks, like DALnet, EFNet and Undernet.  
Each typically ties together dozens of individual chat servers that
may handle thousands of individual users each.

"We're seeing progressively more and more people coming onto the
network every year,'' said Rob Mosher, known online as nyt (for
knight), who runs a server in the EFNet network. "As more and more
people get broadband, they are moving away from AOL and they still
want to have chat."

For end users, using I.R.C. is relatively simple. First, the user
downloads an I.R.C. client program (in the same way that Internet
Explorer is a Web client program and Eudora is an e-mail client
program). There are a number of I.R.C. clients available, but perhaps
the most popular is a Windows shareware program known as mIRC

When users run the I.R.C. program, they can choose among dozens of
public networks. Within a given network, it does not really matter
which individual server one uses. Alternately, if users know the
Internet address of a private server, they can type in that address.  
Once logged in to a public server, the user can generate a list of
thousands of available channels. On an unmoderated network, the most
popular channels are often dedicated to trading music, films and

That is because in addition to supporting text-only chat rooms, I.R.C.  
allows a user to send a file directly to another user without clogging
the main server.

That capability has a lot of legitimate uses for transferring big
files that would be rejected by an e-mail system. Want to send your
brother across the country a digital copy of your home movie without
burning a disc and putting it in the mailbox? The file-transfer
capability in I.R.C. may be the most convenient way.

Naturally, that file-transfer capability also has a lot of less
legitimate uses. Advanced I.R.C. pirates automate the distribution of
illegally copied material so that when a user sends a private message,
the requested file is sent automatically. It is fairly common on
I.R.C. for such a system to send out hundreds or even thousands of
copies of the same file (like a music album or a pirated copy of
Windows) over a few weeks.

An official from the Recording Industry Association of America said
that some hackers even obtain albums that have been recorded but not
yet released. "Quite often, once they get their hands on a prerelease,
they will use I.R.C. as the first distribution before it goes out into
the wider Internet," Brad A. Buckles, the association's executive
vice president for antipiracy efforts, said in a telephone interview.

But perhaps the most disruptive use of I.R.C. is as a haven and
communications medium for those who release viruses or try to disable
Web sites and other Internet servers.

In some ways, the biggest problem is Microsoft Windows itself. Windows
has holes that can allow a hacker to install almost anything on a
computer that lacks a protective program or device called a firewall.  
Users' vulnerability can be compounded if they have not installed the
latest patches from Microsoft.

Hackers scan through millions of possible Internet addresses looking
for those unprotected computers and then use them to initiate
coordinated "denial of service" attacks, which flood the target
machine (say, a Web site) with thousands or millions of spurious
requests. In all of the noise, legitimate users find the target site

How can a hacker direct his army of compromised drones to the target
of the day? Through I.R.C.

"Each time it breaks into a new computer and turns it into a drone,
the program copies itself and proceeds to keep scanning, and so very
quickly you can have a very large number of drones," Mr. Bierman
said, adding that a worm may well include a small custom-made I.R.C.  
client. "Then all of the drones connect to I.R.C. and go into one
channel made especially for them. Then the runner can give commands to
all of those drones."

Chris Behrens, an I.R.C. software developer in Arizona known online as
Comstud, said: "It's amazing how many machines at home are hacked or
have been exploited in some way. We have seen 10,000 hacked machines
connect to I.R.C. at one time, and they all go park themselves in a
channel somewhere so someone can come along and tell them who to

Mr. Bierman and other I.R.C. developers and administrators said that
they were contacted by federal law enforcement officials fairly often.  
Mr. Bierman said that he sometimes cooperated in helping the
government track down specific people using I.R.C. to wage major
attacks. He added, however, that he had refused government officials'
requests to build a back door into his I.R.C. software that would
allow agents to monitor I.R.C. more easily.

"Basically the F.B.I. is interested in the best way to monitor the
traffic,'' Mr. Bierman said.

Mr. Kulstad of the Justice Department declined to comment on its
specific contacts with the I.R.C. community.

Mr. Bierman and other I.R.C. administrators said that in addition to
their free-speech concerns, they were also reluctant to confront
hackers, because angry hackers often turn their drones against I.R.C.  
servers themselves.

Mr. Mosher echoed other I.R.C. administrators in saying that attempts
to regulate the shady dealings online were doomed to failure.

"Look, if we find one channel and close it, they move to another," he
said. "It's been like this for years. You can't really stop it."
