Infected windows boxes with IRC controlled trojans on them

Dave Dittrich dittrich at
Wed Apr 10 18:55:01 GMT 2002

> BTW if anyone has any good advice on how to sniff IRC channels and
> passwords from IRC bound traffic please let me know. Ideally when I
> spot one of these I'd like to be able to watch more carefully before
> turning a system off.  Any tools for snarfing just IRC commands sort
> of like Dug Songs urlsnarf?

We were hit with the same thing.  In several cases, it was related to
DDoS attacks.  In others, distributed warez via bots using DCC.

Short answer is look at "ngrep".  I have examples of its use in the
Trinoo, Stacheldraht, and "Power" bot, DDoS analyses on my DDoS page:

Also useful are "tcpdstat" and "tcptrace".  I am also working on a
talk to be given at CanSecWest about taking down IRC based DDoS
networks.  (Look for a link to the talk notes on my web page in early

Dave Dittrich                           Computing & Communications
dittrich at             University Computing Services    University of Washington

PGP key
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

More information about the unisog mailing list