Botnets multiplying over IRC

Discussion in 'other security issues & news' started by spy1, Mar 16, 2005.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC

    A newly published report by the Honeynet Project and Research Alliance has shown that internet relay chat (IRC) is crucial to hackers running so-called botnets of virus-infected PCs.

    The team, which uses test machines to analyse hacker behaviour, found many IRC bots which were being used to control infected PCs in distributed networks.

    Home users with broadband are increasingly being targeted for infection since their PCs generally have poor security and can be used remotely without the user knowing.

    "We have identified many different versions of IRC-based bots with varying degrees of sophistication and implemented commands, but all have something in common," the report stated.

    "The bot joins a specific IRC channel on an IRC server and waits there for further commands. This allows an attacker to remotely control this bot and use it for fun and for profit."

    Such networks are powerful; 1,000 compromised machines would have more bandwidth than most corporate IT systems. The bots spread by trying to propagate via open ports, with over 80 per cent using ports 445, 139, 137 and 135 - which are all used by Windows software.

    "A lot of these people like IRC because it's old school," said Olaf Linder, director of Symantec's security services.

    "It is a text-based system and has been around since the dawn of the internet. It's also anonymous, which is another big advantage."

    The team tracked more than 1,000 botnets in the past four months, and observed 226 distributed denial of service attacks, in some cases using botnets of more than 50,000 computers. Hackers running the botnets were found to openly discuss progress with each other over IRC.

    The report suggested that the chief culprits running botnets are "young males with surprisingly limited coding skills" who have regular nicknames and chatter a lot via IRC.

    The Honeynet Project report can be found here: ."

    (So much for those under the mis-apprehension that DDoS attacks aren't much of an issue anymore). Pete
Thread Status:
Not open for further replies.