[Dshield] IRC BotNet Connection Question

Kelly Hamlin k.hamlin at t3com.com
Fri Aug 26 19:16:20 GMT 2005

A packet capture might reveal the key. Usually these IRC channels are
protected by a "Key", and its used in the /join string. Search your packet
capture for a /join command, should look something like the following:
/join #channel channelkey

Hope this helps.


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of McAndrews, Michael
Sent: Friday, August 26, 2005 2:28 PM
To: list at lists.dshield.org
Subject: [Dshield] IRC BotNet Connection Question

I am a security professional at a global corporation and each month we
get hit with 2 or 3 new viruses.  Often times we can identify an
infected machine by the anomalous behavior and quite often we are able
to locate the infection, place a copy in a test environment and dissect
it.  This is usually when we submit it to our virus protection vendor.
So far this year we've been the first to submit 37 new pieces of malware
to our vendor.  That's the good news...

The bad news is a lot of these viruses use IRC and try to join botnets.
Of course, all the warning bells sound and we try to stop them at the
firewall but sometimes we let a control machine go through just to see
what happens.  

Here's my question:  Once we identify a target IRC server and a channel
(if we're lucky) we'll usually try to connect and see what's happening
out there.  Many times we connect without a problem but sometimes we get
a password mismatch error.  I'll modify my nick to fit their conventions
(recently USA|######) but it still doesn't work.  Does anyone know how
these servers are identifying the clients and denying others?  Are they
somehow passing a password in the connection string?  If so, is a
capture the best way to see it?  

Thanks in advance!

BTW - Here' an example:  A client connected to an IRC server at  on port 8899 this morning.  The channel was #mktr and the
nick was ESP|######.  When I connect I am denied due to password

send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list