[Dshield] IRC BotNet Connection Question
mlinfosec at comcast.net
Sat Aug 27 13:21:14 GMT 2005
1/ Channels on IRC can be password protected and, as Joel
mentioned, you should be able to capture that in a sniffer
(or other) trace. The traditional join is like /join #channelname password
if memory serves.

2/ You might consider fooling the malware by creating your
own IRC server and giving the malware-loaded machine a hosts
file with the hostname it is looking for. Ex: if it is looking for a DNS
record, instead of using it, use a private address you have assigned
to your test IRC server. If it is hardcoded, create your own test lab with
the hardcoded address (maybe even with VMware?). I would assume it
would announce its presence on channel or something, maybe even give
its command list? (If you are lucky.) Otherwise I would guess you would
just have to let it sit on channel and capture all the commands from there.
Most bots have a command character (like ! $ . etc.) that prepends the
command, which might make it a little tougher to brute force.

Of course this assumes you only want to see what the client does and not
what the bot commands are. If that is the case I would make sure your
test machine is in its own little DMZ or something.

Just my 2 cents. Please excuse me if I have said anything obvious to
(any of) you.
----- Original Message -----
[ quoted part removed as requested by author of quoted message ]
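The "fake IRC server" approach from point 2/ above, as an added example that is not part of the original post: a minimal IRC sinkhole that accepts the bot's connection in an isolated lab, answers just enough of the protocol (NICK/USER registration, PING, JOIN) for the bot to proceed, and records the channel it joins, the channel key it supplies on JOIN, and every PRIVMSG it sends. The server name `sinkhole.lab` and the port are constructed assumptions; the lab machine's hosts file is assumed to point the bot's C&C hostname at the host running this script, as the post suggests.

```python
"""Minimal IRC sinkhole for observing an IRC bot in an isolated lab.

Added example, not code from the original post. Assumes the bot's
hostname resolves (via hosts file) to the machine running this script.
"""
import socket
import threading
from dataclasses import dataclass, field
from typing import Optional

SERVER_NAME = "sinkhole.lab"  # constructed server name


def parse_irc_line(line):
    """Split a raw IRC line into (prefix, COMMAND, params) per RFC 1459 framing."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return prefix, "", []
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


@dataclass
class BotSession:
    """State observed for one connecting bot."""
    nick: Optional[str] = None
    channels: dict = field(default_factory=dict)   # channel -> key given on JOIN (or None)
    messages: list = field(default_factory=list)   # (target, text) for each PRIVMSG
    log: list = field(default_factory=list)        # every raw line received

    def handle(self, raw):
        """Process one line from the bot; return the reply lines the server should send."""
        self.log.append(raw.rstrip("\r\n"))
        _, cmd, params = parse_irc_line(raw)
        me = self.nick or "*"
        out = []
        if cmd == "NICK" and params:
            self.nick = params[0]
        elif cmd == "USER":
            # Registration done: a bare 001 welcome is enough for most clients to continue
            out.append(f":{SERVER_NAME} 001 {me} :Welcome")
        elif cmd == "PING":
            out.append(f":{SERVER_NAME} PONG {SERVER_NAME} :{params[0] if params else ''}")
        elif cmd == "JOIN" and params:
            # "JOIN #chan key" is where the channel password from point 1/ shows up
            chans = params[0].split(",")
            keys = params[1].split(",") if len(params) > 1 else []
            for i, chan in enumerate(chans):
                self.channels[chan] = keys[i] if i < len(keys) else None
                out.append(f":{me}!bot@lab JOIN :{chan}")
                out.append(f":{SERVER_NAME} 366 {me} {chan} :End of NAMES list")
        elif cmd == "PRIVMSG" and len(params) >= 2:
            self.messages.append((params[0], params[1]))
        return out


def _handle_conn(conn, addr):
    """Feed each received line through a BotSession and write its replies back."""
    session = BotSession()
    buf = b""
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            buf += data
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                raw = line.decode("utf-8", errors="replace")
                print(f"[{addr[0]}] <- {raw.rstrip()}")
                for reply in session.handle(raw):
                    conn.sendall((reply + "\r\n").encode())
    print(f"[{addr[0]}] channels/keys observed: {session.channels}")
    print(f"[{addr[0]}] messages observed: {session.messages}")


def serve(host="0.0.0.0", port=6667):
    """Listen on the IRC port inside the lab network; one thread per bot connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_handle_conn, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it on the lab IRC host and watch the console: the JOIN line gives you the channel and any key without needing to dig it out of a packet capture, and the PRIVMSG log shows whatever the bot announces on arrival. Keeping the protocol handling in `BotSession.handle` (no sockets) means the parsing can be exercised against captured lines offline as well.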