[Dshield] IRC BotNet Connection Question

stu secmail at patchsupplier.dyndns.org
Sun Aug 28 17:48:42 GMT 2005

Have never used truss/strace on nix, however I found:

Similar to that?

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Jon R. Kibler
Sent: 28 August 2005 18:39
To: General DShield Discussion List
Subject: Re: [Dshield] IRC BotNet Connection Question

jayjwa wrote:
> On Fri, 26 Aug 2005, Joel Esler wrote:
> -> Yes, usually in a packet dump you can see the password.  If you
provide a
> -> pcap, or an ascii dump of the traffic, it's easy to point out the
> Unless it's an SSL'ed connection. The bot the OP asked about was an
> varient (guessing by the country nick) and it doesn't use SSL-enabled 
> server connections, but some of the other bots do have this
> I'm waiting for a Silc-bot, myself.

Even if it is an SSL connection, it may be possible to capture the plain
text password. On any *nix box, you can truss/strace the read/write
system calls on the bot process and see everything in the clear before
it goes through the SSL tunnel. (Don't believe it? Try truss-ing your
ssh daemon sometime.)

I don't do Windozes, but I have to believe that there are equivalent
debugging tools available from M$.

Jon Kibler
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:

More information about the list mailing list