Thursday, March 17, 2011

AT&T Equates IRC to Bot-Nets, suggests WEP

One of the more interesting things that happens in the tech world, is when companies do something unusual, and on a topic which they should know better. Sometimes, it helps them sell an agenda, or cut a cost, but all too often, it's the result of a misunderstanding by a non-technical person. Such is the case here with AT&T and IRC.


I'm a massive IRC user, as my long-time readers will know. I have been since around 1997, and I have a core of 25 channels (that's 'chat rooms' if you prefer the term) that I stay in pretty much constantly. Some are Pirate Party channels (channels for the US and UK parties, as well as Pirate Party International), some are general technology channels (the Freeside Atlanta channel springs to mind, along with Students for Free Culture) or news (wikinews), but the majority of them are related to bittorrent: from the support channel for the µTorrent client and the general bittorrent protocol discussion channel, to ones for sites like the Pirate Bay, Demonoid, and eztv (as well as the TorrentFreak channel, of course).

They are an invaluable source for research when it comes to bittorrent, and bittorrent related news; handy when you are a researcher for TorrentFreak. It's also, in many ways, my social network. They are to me, what Facebook is to many other people (not that I don't use Facebook as well). During 9/11, it was a major help in keeping track of just 'what went on', and it also helps me keep track of news in general, including the news piece that started this chain.

Image caption: My connection, the fastest AT&T offer in my area (supposed to be 6/0.5)
Earlier this week, a news story came out about AT&T imposing caps. 150GB isn't much really – 5Gb/day – especially when it's split amongst multiple computers (I'll come back to this another time), and I've got no choice of ISP (not even a cable company). I thus check my AT&T email account (which, to cut on costs, they've 'sold' to yahoo – not cool) and while there's no notice about any caps (yet) there was this one from almost a month ago (I don't check it often) about IRC usage.

From: AT&T Internet Services Security Center ([email protected])
Subject: WARNING NOTICE from AT&T Internet Services Security Center
To: **MY ISP email Address**
Date: Friday, February 18, 2011, 4:33 PM

IMPORTANT COMPUTER SAFETY NOTICE from AT&T Internet Services Security Center - "IRC Traffic Detected"

We have evidence which indicates a computer accessing the Internet via your Internet connection may be infected with malicious software such as a virus or worm.

Our investigation shows the following IP was assigned to your log-on session at the indicated time and was using IRC connections to a computer network, sometimes known as a Botnet.


Date: (UTC) => Your IP:
2011-02-18 00:04:26 => 98.88.115.xxx
2011-02-17 16:23:08 => 72.152.16.xxx
2011-02-17 16:23:08 => 72.152.16.xxx
2011-02-18 00:04:26 => 98.88.115.xxx



IRC bot infected systems commonly send or receive commands that can SPAM email, spread malicious software, and perpetrate identity theft.

IRC traffic on ports other than those normally used by IRC can be an indication of backdoor trojans or bots on a host or an attempt to subvert security restrictions for a network.

We realize in some cases this may be normal activity if you are running an IRC server, but as always, to protect yourself and others, we recommend you scan all computers utilizing the internet connection with an up-to-date Anti-virus program. Verify your anti-virus software is up to date before scanning as some malware is known to tamper with or disable anti-virus software on the infected system. Also ensure your operating system has all necessary updates from the manufacturer.

If your computer meets the minimum requirements you can install the AT&T Internet Security Suite - Powered by McAfee. If your computer does not meet the minimum requirements you will need to obtain comparable software through an alternate means. Instructions on downloading and installing the AT&T Internet Security Suite - Powered by McAfee can be found here:
http://helpme.att.net/article.php?item=12149

Below are some additional sites you can visit for tools or information:

AT&T PC Health Check - Online virus, malware and spyware scan.
https://pccheck.att.com/index.aspx?RID=AG

Microsoft Systems Anti-virus:
http://www.microsoft.com/security_essentials/

Microsoft Malicious Software Removal Tool:
http://www.microsoft.com/security/malwareremove/default.aspx

Apple Systems Anti-virus:
http://www.apple.com/downloads/macosx/networking_security/avastantivirusmacedition.html

We also recommend you run an anti-spyware application, like Malwarebytes or Spybot:
http://malwarebytes.org/mbam.php
http://www.safer-networking.org/en/index.html

Customers with a wireless modem/router should check to make sure WEP is enabled. WEP (Wired Equivalent Privacy) is the underlying security technology for wireless devices. Enabling WEP is very important as it provides the basic level of security for your wireless network and prevents unwanted access to your home network.

If you need help with virus, malware or spyware removal, please contact your current Anti-virus provider or call your current security PC specialist.


We welcome feedback on what removal tool or method was used to clean or secure your system(s).

AT&T Internet Services Security Center
[email protected]


SAFETY NOTE: We have included links in this email as a convenience. Please note that it is always safer to copy and paste URLs included in email directly into your browser to reach the referenced site.

Yep, IRC, that stalwart of net communication, which has been around since 1988, may not be the harmless tool of communication I believe it to be, but a weapon of mass spammage. It's not bad enough to have the protocol demonised by countless TV shows and governments world-wide as a system used to groom children for sexual abuse (UK cop show The Bill was pretty bad about this), but because I used IRC, I clearly had been infected.

Why they picked those four instances, I don't know. On any given day, I'll do at least one, more typically 10+ connections to IRC, as existing connections drop, servers drop offline, get congested etc. So, there's a greater question of 'why'.
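A practical way to check a notice like this, as an added example that is not part of the original post: parse the notice's own "Date => IP" table, collapse the duplicated rows, and look for a connection your own IRC client logged around each flagged time, recording whether it used a conventional IRC port (the notice's own heuristic). The notice rows are the four quoted above; the client log format, the unmasked last octets and the extra 03:15:00 row are constructed here.

```python
import re
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"
# Notice table format as quoted in the email above; AT&T masks the last octet as "xxx".
NOTICE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) => (\d+\.\d+\.\d+)\.(?:\d+|xxx)$")
# Client log format is constructed for this example (the post only says the logs record the IP).
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) CONNECT (\S+):(\d+) from (\d+\.\d+\.\d+)\.\d+$")
# Ports conventionally used for IRC (plaintext range plus the usual TLS port).
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed sample input: the four rows from the quoted notice plus one made-up 03:15:00 row.
NOTICE = """Date: (UTC) => Your IP:
2011-02-18 00:04:26 => 98.88.115.xxx
2011-02-17 16:23:08 => 72.152.16.xxx
2011-02-17 16:23:08 => 72.152.16.xxx
2011-02-18 00:04:26 => 98.88.115.xxx
2011-02-18 03:15:00 => 98.88.115.xxx"""
CLIENT_LOG = """2011-02-17 16:22:51 CONNECT irc.example.net:6667 from 72.152.16.42
2011-02-18 00:04:30 CONNECT irc.example.net:6697 from 98.88.115.17"""

def parse_notice(text):
    """Deduplicated, sorted (timestamp, ip_prefix) events; the quoted notice lists each one twice."""
    events = set()
    for line in text.splitlines():
        m = NOTICE_RE.match(line.strip())
        if m:
            events.add((datetime.strptime(m.group(1), TS), m.group(2)))
    return sorted(events)

def parse_client_log(text):
    """(timestamp, server, port, ip_prefix) for every connection the client itself recorded."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), TS), m.group(2), int(m.group(3)), m.group(4)))
    return out

def explain(events, connects, window=timedelta(minutes=2)):
    """Map each flagged event to the user's own connect (same /24, within window) or None.
    Also records whether that connect used a standard IRC port, the notice's own heuristic."""
    result = {}
    for ts, prefix in events:
        hit = next((c for c in connects if c[3] == prefix and abs(c[0] - ts) <= window), None)
        result[(ts, prefix)] = None if hit is None else {
            "server": hit[1], "port": hit[2], "standard_port": hit[2] in STANDARD_IRC_PORTS}
    return result
```

Calling `explain(parse_notice(NOTICE), parse_client_log(CLIENT_LOG))` accounts for both real rows with the user's own connections and leaves the made-up 03:15:00 row unexplained, which is the one worth investigating.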

Did the person that wrote this filter and notification system recently watch an episode of numb3rs, and pick up the following explanation from it?


Or is it a bit simpler? IRC is persistent. You can stay logged on for hours, days, weeks at a time, using 'connections' and a trickle of data. It takes up connections that could be spread to more people. That was also one of the major reasons that AT&T were so quick to capitulate to NY Attorney General Andrew Cuomo when he claimed Usenet was full of child-porn: it meant they had an excuse to shut down servers which cost them in hardware and bandwidth. Could this be a start for IRC?

We know it's not actually to do with bot-nets. They (or at least the IRC-requiring variety) have been on the decline, and are now less common than ever, even less common now than web-based ones. So, if an alert was to be sent out, surely 3 years ago, when I first got this account with AT&T (and thus connected to IRC), would have been when I got the notice. Or maybe it's more to do with Anonymous. I did spend a fair bit of time in their IRC channels, during Operation Payback, and again during their wikileaks 'support' efforts, but none of that was in February. So their motive is confusing.

Image caption: Anything with this logo can do WPA2
So, there was only one thing to do. Set them straight. And you can bet I've mentioned that their suggestion to enable WEP is utterly ridiculous. WEP was superseded in 2003 by WPA (and officially deprecated in 2004 because it failed to meet security standards) and can be cracked in a matter of minutes. WPA2 came out in 2004 (prompting the deprecation) and since 2006, all hardware carrying the WiFi logo has to support WPA2. To suggest WEP is lunacy.

It's almost as if the people running the filters don't know what they're talking about.

I'll let you know what they respond with, if at all.

6 comments:

  1. And just in case you think I was infected, I made VERY sure my system was clean before I posted this.

  2. I just got the same email. I don't know what I find more annoying, the fact that they're ignorant, or the fact that they're basically invading my privacy.

  3. Upon further investigation I found similar emails like this to be a phishing scam email. So I wouldn't trust jack from it.

  4. Don't you just love phishing scams? They look so legit.

  5. There is a reason I believe it to be legitimate.

    First, AT&T are the only people who legitimately have that address. It's used for nothing BUT emails from them. The IP addresses were also mine at the times mentioned (my irc logs keep track of my IP address) and there's no way to guess the email from my online presence.

  6. Customers with wireless a wireless modem/router should check to make sure WEP is enabled. WEP (Wired Equivalent Privacy) is the underlying security technology for wireless devices.

    that's pretty lol.
