
Vulnerabilities / Threats
4/29/2015 05:01 PM

IRC Botnets Are Not Quite Dead Yet

The handful that still operate are more sophisticated and resilient than before, Zscaler says.

Far from going the way of the dodo as many had surmised, Internet Relay Chat (IRC) botnets are alive and thriving.

A new study by security vendor Zscaler shows that IRC botnets, while not growing at a particularly rapid rate, continue to be active and have incorporated several new features over the years that make them as potent a threat as ever.

The focus of Zscaler’s analysis was on four new IRC botnet families that hit the company’s cloud sandboxes worldwide in 2015. The company identified the four botnets as DorkBot, IRCBot.HI, RageBot and Phorpiex. Of these, the most prevalent is DorkBot, according to the company.

Though the payloads from such botnets represented only a very small proportion of the new payloads for all known botnet families, they still represented a threat, said Zscaler research director Deepen Desai. The top five locations currently getting hit by IRC botnet payloads include the USA, Germany and India.

“In this era of sophisticated botnets with multiple C&C communication channels, custom protocols, and encrypted communication, we continue to see a steady number of new IRC based botnet payloads being pushed out into the wild [regularly],” he said in an emailed comment to Dark Reading.

IRC botnets were especially prevalent in the 1990s and early to mid 2000s but have been gradually dwindling in numbers since then. Such botnets consist of a collection of infected systems that are controlled remotely via a preconfigured IRC server and channel. While such botnets can be effective, they are also susceptible to a single point of failure if someone were to take down the IRC server or channel or block IRC communications, he said.

Back in 2007, when there were still thousands of IRC botnets operating in the world, researchers found that most had a life span of just two months because of how easy they were to take down. That’s the reason why cybercriminals have moved to different web-based C&C communication channels over the years, he said. But what Zscaler’s analysis showed is that IRC botnets have evolved as well, Desai said.

While the core C&C communication protocol that is used remains IRC, several new features have been added that make them comparable to some of the more sophisticated web-based botnets out there, he said. For example, IRC botnet operators these days use multiple servers and channels for command and control purposes, so they no longer have a single point of failure like before.

Many use encryption to protect all IRC communication between an infected host and C&C server. New payloads, including new C&C information, are downloaded periodically from preconfigured URLs to infected systems, and many use anti-analysis techniques to deter automated sandboxing, Desai said.

The enhancements don’t stop there. IRC botnets use the same kind of propagation methods that other botnets do, including file injection, P2P applications, instant messaging, and compromised removable drives. IRC botnets are also used for many of the same purposes, including launching denial-of-service attacks, installing or uninstalling other malware payloads for a fee, and stealing user credentials and other sensitive information.
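A defender-side illustration of the points above (IRC as the C&C protocol, with blocking or identifying IRC communications as the classic countermeasure): this is an added example, not Zscaler's or Dark Reading's code. It parses RFC 1459-style IRC lines from constructed connection records and flags hosts that complete an IRC login and channel join either on a non-standard port or followed by a URL delivered through the channel topic, a simplified stand-in for the URL-based payload updates the article describes. The record format, port list, sample addresses and messages are all assumptions.

```python
import re
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}  # conventional IRC ports (assumption)
HANDSHAKE = {"NICK", "USER", "JOIN"}                     # client login + channel join
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def parse_irc(line):
    """Split one RFC 1459 message into (prefix, COMMAND, params)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:                            # trailing param may contain spaces
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, (params[0].upper() if params else ""), params[1:]

def analyse_flows(records):
    """records: (src, dst, dport, 'out'|'in', raw_line). Returns suspicious flows."""
    flows = {}
    for src, dst, dport, direction, raw in records:
        _, cmd, params = parse_irc(raw)
        flow = flows.setdefault((src, dst, dport), {"cmds": set(), "urls": []})
        if direction == "out":
            flow["cmds"].add(cmd)
        elif cmd in {"PRIVMSG", "TOPIC", "332"} and params:   # 332 = RPL_TOPIC
            flow["urls"] += URL_RE.findall(params[-1])
    findings = []
    for (src, dst, dport), flow in flows.items():
        if not HANDSHAKE <= flow["cmds"]:
            continue                            # no complete IRC login from this host
        reasons = []
        if dport not in IRC_PORTS:
            reasons.append("IRC handshake on non-standard port %d" % dport)
        if flow["urls"]:
            reasons.append("URL delivered via channel after join: " + flow["urls"][0])
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport, "reasons": reasons})
    return findings

SAMPLE = [  # constructed: a bot-like session on port 8080 and an ordinary user on 6697
    ("10.0.0.5", "203.0.113.9", 8080, "out", "NICK h7f3k2"),
    ("10.0.0.5", "203.0.113.9", 8080, "out", "USER h7f3k2 0 * :h7f3k2"),
    ("10.0.0.5", "203.0.113.9", 8080, "out", "JOIN #ch1 key"),
    ("10.0.0.5", "203.0.113.9", 8080, "in", ":srv 332 h7f3k2 #ch1 :update http://203.0.113.9/p.bin"),
    ("10.0.0.7", "198.51.100.4", 6697, "out", "NICK alice"),
    ("10.0.0.7", "198.51.100.4", 6697, "out", "USER alice 0 * :Alice"),
    ("10.0.0.7", "198.51.100.4", 6697, "out", "JOIN #openvms"),
]
```

Running `analyse_flows(SAMPLE)` reports only the 10.0.0.5 session, with both reasons; the 6697 session completes a normal IRC login and is left alone.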

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
RetiredUser, User Rank: Ninja, 4/30/2015 | 5:33:13 PM
IRC Bot or Clever Geek?
The most dangerous of the IRC bots are those that have been in place for years and as far as anyone knows are some clever geek (or jerk) haunting the IRC channels.

I recall being on an OpenVMS channel for a long time and exchanging some words with a guy who I thought just had bad English. I should talk since I use Google Translate constantly to talk to people who must cringe when they see my messages fly by :-)

Long story short, turns out the geek was a bot; I was less careful back then and could basically have been owned by whomever placed the IRC bot there since I was completely convinced it was a person.

While I tend to stick to Freenode these days, I used to connect to dozens of servers, hundreds of channels. IRC is alive and well, but as noted by Joe here, lots of people don't really think about IRC anymore (like BBS) and in a way, neither do we - the regular users - since it's about as comfortable as a desk phone and the feeling of picking up the receiver after hearing a ring.

Yeah, we need to get less comfortable and more alert, for both our sake and that of our fellow IRCers.
Joe Stanganelli, User Rank: Ninja, 4/29/2015 | 11:53:40 PM
IRC
Of course, not a lot of people think about IRC anymore...except the techies, hackers, and people active in certain communities (like reddit and 4chan).  Thanks for this important reminder that, as IRC still proliferates, so too do IRC vulnerabilities.