Security Incidents mailing list archives
Re: IRC-bots: what are they for ?
From: sinster () BALLTECH NET (Jon Paul, Nollmann)
Date: Wed, 12 Jan 2000 12:50:09 -0800
Sprach Jens Hektor <hektor () RZ RWTH-AACHEN DE>:
> Is anybody out there who could explain to me why on nearly every cracked machine I get in touch with the crackers have installed IRC-bots, most of the time "eggdrop"?
I'm not speaking directly about eggdrop here, but more about the general case of IRC-bots. In my experience, the most common use for a cracked machine is as a staging area for cracking further machines. As all of us who have dealt with the law enforcement side of this issue can attest, the chances of anything happening to an attacker (whether or not he was successful) are very slim unless we can point to their dialup account. The attackers know this, and by launching new attacks from 3rd party machines, they insulate themselves from a lot of risk.

That aside, there are a lot of exploits against IRC clients (see BUGTRAQ and NT BUGTRAQ for a smattering), and a number of these exploits are implemented in bots that listen for properly formatted messages in particular IRC channels on particular IRC servers. So someone who wants to "safely" attack someone's IRC client merely has to send the right message into the correct IRC channel in order to trigger an effectively anonymous attack.

Sometimes attackers do it to install BO2K on a victim's windoze box, and sometimes it's just to knock someone off of IRC temporarily because of some petty offense or slight. Whatever the reasons, IRC apparently occupies a very central role in the world-view and status gathering of script kiddies.

--
Jon Paul Nollmann ne' Darren Senn    sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
You can go a long way with a smile. You can go a lot further with a smile and a gun.
    Al Capone