[Dshield] IRC BotNet Connection Question

Mike LeBlanc mlinfosec at comcast.net
Sat Aug 27 13:21:14 GMT 2005


Michael,
Two things:
1/ Channels on irc can be password protected and as Joel
mentioned you should be able to capture that in a sniffer
(or other) trace.  The traditional join is like /join #channelname password
if memory serves.

2/ You might consider fooling the malware by creating your
own IRC server and having the malware loaded machine with a host
file with the hostname it is looking for.  Ex: instead of using
66.45.255.198
if it is looking for a dns record, using a private address you have assigned
to your test IRC server.  If it is hardcoded, create your own test lab with
the hardcoded address (maybe even with VMware?) I would assume it
would announce its presence on channel or something, maybe even give
its command list? (If you are lucky)  Otherwise I would guess you would
just have to let it sit on channel and capture all the commands from there.
Most bots have a command character (like ! $ . etc) that prepends the
command, which might make it a little tougher to brute force.

Of course this assumes you only want to see what the client does and not
what the bot commands are.  If that is the case I would make sure your
test machine is in its own little dmz or something.

Just my 2 cents.  Please excuse me if I have said anything obvious to
(any of) you.

----- Original Message ----- 
[ quoted part removed as requested by author of quoted message ]
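The "create your own IRC server" idea from the post above, as an added example that is not part of the original message: a minimal lab sinkhole that speaks just enough IRC (NICK, USER, JOIN with an optional channel key, PING, PRIVMSG) to let a sample finish its registration handshake, then logs which channel and key it joined with and any command-style messages it sends. The server name `lab-irc.local`, the listening address and the `!$.` prefix set are assumptions for the lab; everything else is plain RFC 1459 message framing. The sample is pointed at this box with a hosts-file entry, and the box sits on an isolated segment with no route out.

```python
import socket
import threading
from dataclasses import dataclass, field
from typing import Optional

SERVER_NAME = "lab-irc.local"   # hypothetical name for the sinkhole


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: list


def parse_irc_line(line: str) -> IrcMessage:
    """Split one RFC 1459 line into prefix, command and params (trailing param kept whole)."""
    rest = line.strip("\r\n")
    prefix = None
    if rest.startswith(":"):
        prefix, _, rest = rest[1:].partition(" ")
    trailing = None
    if " :" in rest:
        rest, _, trailing = rest.partition(" :")
    parts = rest.split()
    if not parts:
        raise ValueError("empty IRC message")
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


def bot_command(text: str, prefixes: str = "!$.") -> Optional[tuple]:
    """Recognise a command-character-prefixed message; returns (prefix, command, args) or None."""
    if len(text) < 2 or text[0] not in prefixes:
        return None
    cmd, _, args = text[1:].partition(" ")
    return (text[0], cmd.lower(), args)


@dataclass
class ClientState:
    nick: Optional[str] = None
    user: Optional[str] = None
    channels: dict = field(default_factory=dict)   # channel -> key (or None)
    log: list = field(default_factory=list)        # what the client did, in order


def handle_line(state: ClientState, raw_line: str) -> list:
    """Update state from one client line and return the server lines to send back."""
    msg = parse_irc_line(raw_line)
    out = []
    if msg.command == "NICK" and msg.params:
        state.nick = msg.params[0]
    elif msg.command == "USER" and msg.params:
        state.user = msg.params[0]
        if state.nick:  # registration complete: send the welcome numeric so the bot proceeds
            out.append(f":{SERVER_NAME} 001 {state.nick} :Welcome to the lab sinkhole")
    elif msg.command == "JOIN" and msg.params:
        chans = msg.params[0].split(",")
        keys = msg.params[1].split(",") if len(msg.params) > 1 else []
        for i, chan in enumerate(chans):
            key = keys[i] if i < len(keys) else None
            state.channels[chan] = key
            state.log.append(f"JOIN {chan} key={key!r}")
            out.append(f":{state.nick}!{state.user}@sandbox JOIN {chan}")
    elif msg.command == "PING":
        out.append(f"PONG :{msg.params[0] if msg.params else SERVER_NAME}")
    elif msg.command == "PRIVMSG" and len(msg.params) >= 2:
        entry = f"PRIVMSG {msg.params[0]} {msg.params[1]!r}"
        cmd = bot_command(msg.params[1])
        if cmd:
            entry += f"  <-- command-style: {cmd}"
        state.log.append(entry)
    return out


def serve_client(conn: socket.socket, addr) -> None:
    state, buf = ClientState(), b""
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            buf += data
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                text = line.decode("utf-8", "replace").rstrip("\r")
                if text.strip():
                    for resp in handle_line(state, text):
                        conn.sendall((resp + "\r\n").encode())
    for entry in state.log:
        print(addr, entry)


def serve(bind: str = "127.0.0.1", port: int = 6667) -> None:
    """Accept connections on the isolated lab interface and log each client's activity."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=serve_client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The join key shows up in `state.channels` as soon as the sample sends `JOIN #channel key`, which is the same thing the post says a sniffer would show, just already parsed. Messages beginning with the configured command characters are flagged in the log so an analyst can separate chatter from command traffic without brute-forcing anything.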


