Sunday, July 17, 2011

The Artificial Lurkers of IRC



I guess most of you are familiar with IRC, or Internet Relay Chat. According to Wiki, IRC is a form of real-time Internet text messaging (chat) or synchronous conferencing. It is mainly designed for group communication in discussion forums, called channels, but also allows one-to-one communication via private message as well as chat and data transfer, including file sharing.

But is IRC still alive these days? Yes it is. In fact, it is the home of underground hackers and crackers: defacers, rooters, carders, script kiddies, hardcore Linux users, etc., to name a few. IRC is often referred to as a primitive way of chatting because of its style and because of the new generation of voice and video chat services like Tinychat and Facebook. And because of Facebook, some teenagers don't even know how to use IRC clients.

But of course, we will not go into how to use it or where to find a good chat mate. Instead we will talk about some of the hidden agendas of IRC users and the dark side of IRC. Forgive me for referring to it as the dark side thingy, but that's what other IRC users usually call it.

In IRC, some users have botnets or bots in their channel which can do UDP flooding, checks for vulnerable websites, port scanning, nmap, SQLi, RFI, LFI, checks for good credit cards and many more. These botnets are coded in languages like Perl, PHP and Python.

In fact, some of these bots are hosted on hacked or rooted boxes, or even on websites that have backdoor shells. Users with bad intentions, like doing a DDoS attack, would not run their scripts on their own machine in order to avoid getting traced or caught.

The images below are screenshots I took and uploaded so that people may be aware that these kinds of lurkers exist in the cyber world and could also be a threat or an advantage.



Thus it would be easier to say that an IRC bot is an independent program or script that connects to IRC as one of the clients but differs from other clients because it performs automated functions.


Nowadays, these bots are often scattered in public channels and, who knows, you may encounter one. Now don't panic, they won't infect you; they are just waiting for their handlers to command them. Like I said, they are different from infecting botnets like the Zeus Bot.
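A client that sits silent in a channel until its handler issues a command leaves a recognizable pattern in channel traffic, and a channel operator or network defender can look for it. The Python below is an added example, not code from the original post or its screenshots: it parses raw IRC lines and reports nicks that only ever speak right after a command-looking message from one particular other nick. The trigger characters, window size, nicknames and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# RFC 1459 line: [":" prefix " "] command {" " param} [" :" trailing]
MSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)"
    r"(?P<params>(?: [^: ]\S*)*)(?: :(?P<trail>.*))?$")

def parse(line):
    """Split one raw IRC line into (nick, command, params, trailing text)."""
    m = MSG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    nick = (m["prefix"] or "").split("!", 1)[0]
    return nick, m["cmd"].upper(), m["params"].split(), m["trail"] or ""

def find_command_driven_nicks(lines, triggers="!.@", window=3, min_replies=2):
    """Return {nick: handler} for nicks that only ever speak right after a
    trigger-prefixed message from one and the same other nick."""
    recent = defaultdict(lambda: deque(maxlen=window))  # channel -> (nick, is_cmd)
    seen = defaultdict(list)  # nick -> handler (or None) for each message sent
    for line in lines:
        p = parse(line)
        if not p or p[1] != "PRIVMSG" or not p[2] or not p[2][0].startswith("#"):
            continue  # only channel messages matter here
        nick, _, params, text = p
        chan = params[0].lower()
        # Most recent command-looking message from someone else, if any.
        handler = next((n for n, is_cmd in reversed(recent[chan])
                        if is_cmd and n != nick), None)
        seen[nick].append(handler)
        recent[chan].append((nick, len(text) > 1 and text[0] in triggers))
    return {n: h[0] for n, h in seen.items()
            if len(h) >= min_replies and h[0] and all(x == h[0] for x in h)}

# Constructed sample channel traffic (not taken from the original post).
SAMPLE = [
    ":alice!a@host1 PRIVMSG #lounge :anyone around?",
    ":op!o@host2 PRIVMSG #lounge :!status",
    ":node17!n@host3 PRIVMSG #lounge :[status] idle",
    ":node22!n@host4 PRIVMSG #lounge :[status] idle",
    ":alice!a@host1 PRIVMSG #lounge :what was that?",
    ":op!o@host2 PRIVMSG #lounge :!version",
    ":node17!n@host3 PRIVMSG #lounge :[version] 1.0",
    ":node22!n@host4 PRIVMSG #lounge :[version] 1.0",
]

if __name__ == "__main__":
    for nick, handler in find_command_driven_nicks(SAMPLE).items():
        print(f"{nick}: speaks only when commanded by {handler}")
```

A human who happens to talk right after a command is not flagged, because at least one of their other messages has no command before it; legitimate service bots will match the same pattern, so the output is a list to review, not a verdict.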

The bots shown here are for educational purposes only; no live accounts and servers were tested and rooted in order to run these scripts.



About the Contributor:

Shipcode is an InfoSec enthusiast from Cebu. During his high school days he was just an ordinary script kiddie. He loves to search for web exploits and other issues concerning network / wireless security.



ROOTCON is managed by like-minded InfoSec professionals across the Philippines. All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.