Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:01 PM
Connect Directly

IRC Botnets Are Not Quite Dead Yet

The handful that still operate are more sophisticated and resilient than before, Zscaler says.

Far from going the way of the dodo as many had surmised, Internet Relay Chat (IRC) botnets are alive and thriving.

A new study by security vendor Zscaler shows that IRC botnets, while not growing at a particularly rapid rate, continue to be active and have incorporated several new features over the years that make them as a potent a threat as ever.

The focus of Zscaler’s analysis was on four new IRC botnet families that hit the company’s cloud sandboxes worldwide in 2015. The company identified the four botnets as DorkBot, IRCBot.HI, RageBot and Phorpiex. Of this, the most prevalent IRC botnet is DorkBot, according to the company.

Though the payloads from such botnets represented only a very small proportion of the new payloads for all known botnet families, they still represented a threat, said Zscaler researcher director Deepen Desai. The top five locations currently getting hit by IRC botnet payloads include the USA, Germany and India.

“In this era of sophisticated botnets with multiple C&C communication channels, custom protocols, and encrypted communication, we continue to see a steady number of new IRC based botnet payloads being pushed out into the wild [regularly],” he said in an emailed comment to Dark Reading.

IRC botnets were especially prevalent in the 1990s and early to mid 2000’s but have been gradually dwindling in numbers since then. Such botnets basically are comprised of a collection of infected systems that are controlled remotely via a preconfigured IRC server and channel. While such botnets can be effective, they are also susceptible to a single point of failure if someone were to take down the IRC server or channel of block IRC communications, he said.

Back in 2007, when there were still thousands of IRC botnets operating in the world, researchers found that most had a life span of just two months because of how easy they were to take down. That’s the reason why cybercriminals have moved to different web-based C&C communication channels over the years, he said. But what Zscaler’s analysis showed is that IRC botnets have evolved as well, Desai said.

While the core C&C communication protocol that is used remains IRC, several new features have been added that make them comparable to some of the more sophisticated web-based botnets out there, he said. For example, IRC botnet operators these days use multiple servers and channels for command and control purposes, so they no longer have a single point of failure like before.

Many use encryption to protect all IRC communication between an infected host and C&C server. New payloads, including new C&C information, are downloaded periodically from preconfigured URLS to infected systems and many use anti-analysis techniques to deter automated sandboxing, Desai said.

The enhancements don’t stop there. IRC botnets use the same kind of propagation methods that other botnets do including file injection, P2P applications, instant messaging, and via compromised removable drives. IRC botnets are also used for many of the same applications including for launching denial of service attacks, for installing or uninstalling other malware payloads for a fee and for stealing user credentials and other sensitive information.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/30/2015 | 5:33:13 PM
IRC Bot or Clever Geek?
The most dangerous of the IRC bots are those that have been in place for years and as far as anyone knows are some clever geek (or jerk) haunting the IRC channels.

I recall being on an OpenVMS channel for a long time and exchanging some words with a guy who I thought just had bad English. I should talk since I use Google Translate constantly to talk to people who must cringe when they seem my messages fly by :-)

Long story short, turns out the geek was a bot; I was less careful back then and could basically have been owned by whomever placed the IRC bot there since I was completely convinced it was a person.

While I tend to stick to Freenode these days, I used to connect to dozens of servers, hundreds of channels. IRC is alive and well, but as noted by Joe here, lots of people don't really think about IRC anymore (like BBS) and in a way, neither do we - the regular users - since it's about as comfortable as a desk phone and the feeling of picking up the receiver after hearing a ring.

Yeah, we need to get less comfortable and more alert, for both our sake and that of our fellow IRCers.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
4/29/2015 | 11:53:40 PM
Of course, not a lot of people think about IRC anymore...except the techies, hackers, and people active in certain communities (like reddit and 4chan).  Thanks for this important reminder that, as IRC still proliferates, so too do IRC vulnerabilities.
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.