[Dshield] IRC BotNet Connection Question

Jon R. Kibler Jon.Kibler at aset.com
Sun Aug 28 17:38:47 GMT 2005


jayjwa wrote:
> On Fri, 26 Aug 2005, Joel Esler wrote:
> 
> -> Yes, usually in a packet dump you can see the password.  If you provide a
> -> pcap, or an ascii dump of the traffic, it's easy to point out the password.
<SNIP!>
> Unless it's an SSL'ed connection. The bot the OP asked about was an rBot 
> variant (guessing by the country nick) and it doesn't use SSL-enabled
> server connections, but some of the other bots do have this functionality. 
> I'm waiting for a Silc-bot, myself.
<SNIP!>

Even if it is an SSL connection, it may be possible to capture the plain text password. On any *nix box, you can truss/strace the read/write system calls on the bot process and see everything in the clear before it goes through the SSL tunnel. (Don't believe it? Try truss-ing your ssh daemon sometime.)

I don't do Windozes, but I have to believe that there are equivalent debugging tools available from M$.

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
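The strace approach Jon describes leaves you with raw syscall output, not protocol lines: strings are C-escaped and one IRC line may be split over several write() calls. Below is an added example, not from the thread or any of its authors, that parses a constructed strace-style sample (pid, fd, nick, channel and password are all made up), decodes the escapes, rejoins per-fd streams into CRLF-terminated lines, and lists the IRC commands the traced process sent, which is where the PASS/NICK/JOIN details show up in the clear.

```python
import re
# Constructed sample (not a real capture) shaped like the output of
# `strace -f -e trace=read,write -s 256 -p <pid>` on an IRC bot: write()
# shows the data as handed to the socket, i.e. before any TLS layer sees it.
SAMPLE = """\
[pid 12345] write(3, "PASS hunter2\\r\\n", 14) = 14
[pid 12345] write(3, "NICK [US|00]a1b2\\r\\nUSER x 0 0 :x\\r\\n", 33) = 33
[pid 12345] read(3, ":irc.example.test 001 [US|00]a1b2 :Welcome\\r\\n", 256) = 44
[pid 12345] write(3, "JOIN #chan", 10) = 10
[pid 12345] write(3, " key123\\r\\n", 9) = 9
"""

_LINE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(read|write)\((\d+),\s*'
                   r'"((?:[^"\\]|\\.)*)"(\.\.\.)?,\s*\d+\)\s*=\s*(-?\d+)')

def unescape(s):
    """Decode strace's C-style string escapes (\\n, \\r, quotes, octal \\ooo)."""
    out, i = [], 0
    while i < len(s):
        if s[i] != '\\':
            out.append(s[i]); i += 1; continue
        j = i + 1
        while j < min(i + 4, len(s)) and s[j] in '01234567': j += 1
        if j > i + 1:                                  # octal escape, 1-3 digits
            out.append(chr(int(s[i + 1:j], 8))); i = j
        else:
            out.append({'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'f': '\f'}.get(s[i + 1], s[i + 1])); i += 2
    return ''.join(out)

def parse_strace(text):
    """Reassemble per-(pid, direction, fd) streams; returns [(direction, fd, line), ...]."""
    bufs, lines = {}, []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m or int(m.group(6)) <= 0:              # not read/write, or the call failed
            continue
        if m.group(5):                                 # "..." means -s was too small
            raise ValueError('truncated string; rerun strace with a larger -s')
        key = (m.group(1), m.group(2), int(m.group(3)))
        buf = bufs.get(key, '') + unescape(m.group(4))
        while '\n' in buf:                             # IRC lines end in CRLF
            line, buf = buf.split('\n', 1)
            lines.append((key[1], key[2], line.rstrip('\r')))
        bufs[key] = buf
    return lines

def sent_commands(lines):
    """IRC commands the traced process itself sent, as (COMMAND, args) tuples."""
    return [(l.partition(' ')[0].upper(), l.partition(' ')[2])
            for d, _fd, l in lines if d == 'write' and l]
```

Run strace with `-s` large enough that no string is cut short; the parser refuses truncated output rather than silently dropping the tail of a line.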

