[Dshield] IRC BotNet Connection Question

jayjwa jayjwa at atr2.ath.cx
Sat Aug 27 14:30:42 GMT 2005

On Fri, 26 Aug 2005, Joel Esler wrote:

-> Yes, usually in a packet dump you can see the password.  If you provide a
-> pcap, or an ascii dump of the traffic, it's easy to point out the password.

-> > Here's my question:  Once we identify a target IRC server and a channel
-> > (if we're lucky) we'll usually try to connect and see what's happening
-> > out there.  Many times we connect without a problem but sometimes we get
-> > a password mismatch error.  I'll modify my nick to fit their conventions
-> > (recently USA|######) but it still doesn't work.  Does anyone know how
-> > these servers are identifying the clients and denying others?

Unless it's an SSL'ed connection. The bot the OP asked about was an rBot 
variant (guessing by the country nick) and it doesn't use SSL-enabled 
server connections, but some of the other bots do have this functionality. 
I'm waiting for a Silc-bot, myself.

Sometimes the channels are set secret, private, and/or key as well, in 
addition to the server pass that Joel noted.

I've followed captured bots back "home" to their channels, and even 
managed to sit in some for a while. Once I was in one in Romania, and 
these Optix servers were being replaced. I never saw anything like 
it: thousands and thousands of machines. The botnet master spotted me and 
said something probably not too nice in Romanian before he kick-banned me.
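
An added example, not part of the original post or thread: a small parser that reads a plaintext ASCII dump of a captured bot's IRC session and pulls out the server pass, the channel key, and the secret/private/key channel modes mentioned above. The dump, host name, nick digits, and all values are constructed; the function names are hypothetical.

```python
# Constructed sample of a plaintext IRC session as seen in an ASCII dump.
# Every value here is made up for illustration.
SAMPLE_DUMP = """\
PASS s3rverpass
NICK USA|483920
USER xkqz 0 * :xkqz
:irc.example.invalid 001 USA|483920 :Welcome
JOIN #example-chan chankey
:irc.example.invalid 324 USA|483920 #example-chan +smntk chankey
"""

def parse_line(line):
    """Split one IRC message into (prefix, command, params) per RFC 1459."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if sep:  # the trailing parameter may contain spaces
        parts.append(trailing)
    if not parts:
        return prefix, "", []
    return prefix, parts[0].upper(), parts[1:]

def summarize(dump):
    """Collect what a client needs to register and join, as seen on the wire."""
    info = {"server_pass": None, "nick": None, "channels": {}}
    for raw in dump.splitlines():
        _, cmd, params = parse_line(raw)
        if cmd == "PASS" and params:
            info["server_pass"] = params[0]
        elif cmd == "NICK" and params:
            info["nick"] = params[0]
        elif cmd == "JOIN" and params:
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):
                entry = info["channels"].setdefault(chan, {"key": None, "modes": set()})
                if i < len(keys):
                    entry["key"] = keys[i]
        elif cmd == "324" and len(params) >= 3:  # RPL_CHANNELMODEIS
            entry = info["channels"].setdefault(params[1], {"key": None, "modes": set()})
            # keep only secret (s), private (p) and key (k) flags
            entry["modes"] |= set(params[2].lstrip("+")) & set("spk")
    return info

if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP))
```

None of these fields are visible when the bot uses an SSL-enabled server connection, since the capture then contains only ciphertext.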
