[Dshield] IRC BotNet Connection Question

Joel Esler eslerj at gmail.com
Fri Aug 26 19:20:12 GMT 2005


Yes, usually in a packet dump you can see the password.  If you  
provide a pcap, or an ascii dump of the traffic, it's easy to point  
out the password.

J


On Aug 26, 2005, at 2:27 PM, McAndrews, Michael wrote:

> I am a security professional at a global corporation and each month we
> get hit with 2 or 3 new viruses.  Often times we can identify an
> infected machine by the anomalous behavior and quite often we are able
> to locate the infection, place a copy in a test environment and  
> dissect
> it.  This is usually when we submit it to our virus protection vendor.
> So far this year we've been the first to submit 37 new pieces of  
> malware
> to our vendor.  That's the good news...
>
> The bad news is a lot of these viruses use IRC and try to join  
> botnets.
> Of course, all the warning bells sound and we try to stop them at the
> firewall but sometimes we let a control machine go through just to see
> what happens.
>
> Here's my question:  Once we identify a target IRC server and a  
> channel
> (if we're lucky) we'll usually try to connect and see what's happening
> out there.  Many times we connect without a problem but sometimes  
> we get
> a password mismatch error.  I'll modify my nick to fit their  
> conventions
> (recently USA|######) but it still doesn't work.  Does anyone know how
> these servers are identifying the clients and denying others?  Are  
> they
> somehow passing a password in the connection string?  If so, is a
> capture the best way to see it?
>
> Thanks in advance!
>
> BTW - Here' an example:  A client connected to an IRC server at
> 66.45.255.198  on port 8899 this morning.  The channel was #mktr  
> and the
> nick was ESP|######.  When I connect I am denied due to password
> mismatch.
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http:// 
> www.dshield.org/mailman/listinfo/list
>



More information about the list mailing list