
IRC Botnets Are Not Quite Dead Yet

The handful that still operate are more sophisticated and resilient than before, Zscaler says.

Far from going the way of the dodo as many had surmised, Internet Relay Chat (IRC) botnets are alive and thriving.

A new study by security vendor Zscaler shows that IRC botnets, while not growing at a particularly rapid rate, continue to be active and have incorporated several new features over the years that make them as potent a threat as ever.

The focus of Zscaler’s analysis was on four new IRC botnet families that hit the company’s cloud sandboxes worldwide in 2015. The company identified the four botnets as DorkBot, IRCBot.HI, RageBot and Phorpiex. Of these, the most prevalent IRC botnet is DorkBot, according to the company.

Though the payloads from such botnets represented only a very small proportion of the new payloads for all known botnet families, they still represented a threat, said Zscaler research director Deepen Desai. The top five locations currently being hit by IRC botnet payloads include the USA, Germany and India.

“In this era of sophisticated botnets with multiple C&C communication channels, custom protocols, and encrypted communication, we continue to see a steady number of new IRC based botnet payloads being pushed out into the wild [regularly],” he said in an emailed comment to Dark Reading.

IRC botnets were especially prevalent in the 1990s and early to mid-2000s but have been gradually dwindling in number since then. Such botnets are basically a collection of infected systems that are controlled remotely via a preconfigured IRC server and channel. While such botnets can be effective, they are also susceptible to a single point of failure if someone were to take down the IRC server or channel, or block IRC communications, he said.

Back in 2007, when there were still thousands of IRC botnets operating in the world, researchers found that most had a life span of just two months because of how easy they were to take down. That’s the reason why cybercriminals have moved to different web-based C&C communication channels over the years, he said. But what Zscaler’s analysis showed is that IRC botnets have evolved as well, Desai said.

While the core C&C communication protocol that is used remains IRC, several new features have been added that make them comparable to some of the more sophisticated web-based botnets out there, he said. For example, IRC botnet operators these days use multiple servers and channels for command and control purposes, so they no longer have a single point of failure like before.

Many use encryption to protect all IRC communication between an infected host and the C&C server. New payloads, including new C&C information, are downloaded periodically from preconfigured URLs to infected systems, and many use anti-analysis techniques to deter automated sandboxing, Desai said.
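The C&C pattern described above (many infected hosts registering on a preconfigured server, joining the same channel, and receiving a command that points at a payload URL) is what a network defender can look for. The following is an added example, not Zscaler’s or the article’s own tooling: it parses constructed IRC session lines and flags channels that several hosts join with at least two bot-like indicators. The log format, the bot-style nick pattern and the ".dl" command token are all assumptions chosen for the sample.

```python
import re
from collections import defaultdict

# Constructed sample: IRC lines as a sensor might log them ("<ip> <C>|S>> <raw message>").
SAMPLE_LOG = """\
10.0.0.5 C> NICK [USA|XP|8821]
10.0.0.5 C> JOIN #upd s3cret
10.0.0.5 S> :op!op@host PRIVMSG #upd :.dl http://example.invalid/p.exe
10.0.0.6 C> NICK [DEU|W7|0042]
10.0.0.6 C> JOIN #upd s3cret
10.0.0.6 S> :op!op@host PRIVMSG #upd :.dl http://example.invalid/p.exe
10.0.0.9 C> NICK alice
10.0.0.9 C> JOIN #openvms
"""

# Optional ":sender " prefix is dropped so only the command and its arguments remain.
LINE_RE = re.compile(r"^(?P<ip>\S+) (?:C>|S>) (?::\S+ )?(?P<msg>.*)$")
# Assumed (constructed) bot nick style: country|OS|counter tags; tune to what you observe.
BOT_NICK_RE = re.compile(r"^\[?[A-Z]{2,3}\|[A-Za-z0-9]+\|\d+")
CMD_WITH_URL_RE = re.compile(r"^[.!$][a-z]+\s.*https?://", re.I)


def parse_irc_line(line):
    """Return (client_ip, COMMAND, [args...]) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m or not m.group("msg").strip():
        return None
    head, _, trailing = m.group("msg").partition(" :")   # trailing arg may contain spaces
    args = head.split() + ([trailing] if trailing else [])
    return m.group("ip"), args[0].upper(), args[1:]


def detect_irc_c2(log_text, min_hosts=2):
    """Flag channels that several hosts join and that show at least two bot-like indicators."""
    nicks = {}
    chans = defaultdict(lambda: {"hosts": set(), "reasons": set()})
    for ip, cmd, args in filter(None, map(parse_irc_line, log_text.splitlines())):
        if cmd == "NICK" and args:
            nicks[ip] = args[0]
        elif cmd == "JOIN" and args:
            c = chans[args[0]]
            c["hosts"].add(ip)
            if BOT_NICK_RE.match(nicks.get(ip, "")):
                c["reasons"].add("bot-style nick")
            if len(args) > 1:
                c["reasons"].add("join with channel key")
        elif cmd == "PRIVMSG" and len(args) > 1 and CMD_WITH_URL_RE.match(args[1]):
            chans[args[0]]["reasons"].add("command with download URL")
    return {name: {"hosts": sorted(c["hosts"]), "reasons": sorted(c["reasons"])}
            for name, c in chans.items()
            if len(c["hosts"]) >= min_hosts and len(c["reasons"]) >= 2}
```

On the sample, "#upd" is flagged on all three indicators while the single-user "#openvms" channel is not; on encrypted IRC traffic this line-level parsing cannot see the commands, so the host-count and destination-based signals are what remain.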

The enhancements don’t stop there. IRC botnets use the same kinds of propagation methods that other botnets do, including file injection, P2P applications, instant messaging, and compromised removable drives. IRC botnets are also used for many of the same purposes, including launching denial-of-service attacks, installing or uninstalling other malware payloads for a fee, and stealing user credentials and other sensitive information.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Ninja
4/30/2015 | 5:33:13 PM
IRC Bot or Clever Geek?
The most dangerous of the IRC bots are those that have been in place for years and as far as anyone knows are some clever geek (or jerk) haunting the IRC channels.

I recall being on an OpenVMS channel for a long time and exchanging some words with a guy who I thought just had bad English. I should talk since I use Google Translate constantly to talk to people who must cringe when they see my messages fly by :-)

Long story short, turns out the geek was a bot; I was less careful back then and could basically have been owned by whoever placed the IRC bot there since I was completely convinced it was a person.

While I tend to stick to Freenode these days, I used to connect to dozens of servers, hundreds of channels. IRC is alive and well, but as noted by Joe here, lots of people don't really think about IRC anymore (like BBS) and in a way, neither do we - the regular users - since it's about as comfortable as a desk phone and the feeling of picking up the receiver after hearing a ring.

Yeah, we need to get less comfortable and more alert, for both our sake and that of our fellow IRCers.

Joe Stanganelli
User Rank: Ninja
4/29/2015 | 11:53:40 PM
Of course, not a lot of people think about IRC anymore...except the techies, hackers, and people active in certain communities (like reddit and 4chan). Thanks for this important reminder that, as IRC still proliferates, so too do IRC vulnerabilities.