Symantec said Wednesday it plans to tweak the behavior of its Norton Internet Security and Norton Personal Firewall products so that they are no longer vulnerable to an annoying but otherwise harmless prank that “script kiddie” hackers have been using for the past week or so to knock users off online chat channels.
Last week, a hacker known as HM2K posted a note on his blog about a Norton security feature that could be abused on Internet relay chat (IRC) networks, simple, text-based communities that predate modern instant messaging systems. (Most IRC networks are used for the same purpose as regular instant-message networks like AOL Instant Messenger or MSN Messenger — to facilitate real-time online communication between two or more people at once. But virus and worm writers also use IRC to update and control their networks of infected computers.)
Turns out that if someone types “startkeylogger” or “stopkeylogger” in an IRC channel, anyone on the channel using the affected Norton products will be immediately kicked off without warning. These are commands typically issued by the Spybot worm, which spreads over IRC and peer-to-peer file-swapping networks, installing a program that records and transmits everything the victim types (known as a keylogger).
Though the author said he didn’t post the information so that people would abuse it, abuse it they did. It wasn’t long after his posting that you could see users dropping like flies from IRC channels in some of the larger communities like Efnet and Dalnet as pranksters began typing the command all over the place, in some cases repeatedly on the same channel. According to several posters on his blog, a number of IRC channels are now filtering out those phrases.
The funny thing is, it DOES work… I just nailed two people on #mortalkombat with that. And yes, I did warn people I was going to do so first… :-)