IRC Trojans
Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: IRC Trojans

  1. #1
    Senior Member
    Join Date
    Aug 2002
    Posts
    651

    IRC Trojans

    Hey good people. I recently fell victim to an irc trojan at home. This has sparked my interest in irc and irc trojans. I found a couple pieces of info here, and I have a couple items from a google, but I wanted to see if someone was holding onto a "golden" resource, a gem... I would appreciate resources of information on IRC and/or IRC-based trojans and attacks. I can't figure out how he/she infected me. The way I found out was by noticing some strange traffic on my personal firewall (Outpost) going out to some weird site. I tracked down the application, and after some effort, I got it removed. Come to find out, the attacker had me setup for a DDOS attack against Qwest Comm.! Obviously, this has peaked my interest. I mean, just the thought of someone being able to manipulate your machine by issuing irc commands is amazing, and scary might I add... Has anyone else out there seen these things in action or have some resources that I could tap to learn more. Again, I would greatly appreciate it.


    t2k2
    Opinions are like holes - everybody\'s got\'em.

    Smile

  2. #2
    Senior Member
    Join Date
    Nov 2002
    Posts
    103
    well, i cant really help you with the info but i do think you should notify quest, all we need is another TV reporter saying "hackers kill server" or somethin lol. i hope you find what you are looking for though.

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Thanks TheFiend. I just had a thought. When I first started using IRC, I had auto-get enabled for files for which I was queued. After reading one of the articles I found, it was decided that this was not a good idea. Of course, I have disabled that feature now. I'm thinking that the attacker could have somehow initiated a file transfer, which I automatically accepted without knowing. It's just an idea...I'm still new to this. It's just so fascinating. Well anyway, the post is still open to any takers. Again, I appreciate it. I have copies of the files if anyone is interested, but I don't think that I will be able to get them to you if your ISP's email server has an active and up-to-date virus wall scanning emails you recieve. I wish I could understand the coding. Maybe I will post some of it so that you guys can take a look. Let me know if you guys are interested. Thanks again.

    t2k2
    Opinions are like holes - everybody\'s got\'em.

    Smile

  4. #4
    Junior Member
    Join Date
    Nov 2002
    Posts
    10
    hey man, i was just thinking, if u don't know _how_ you were infected, how do u know it was related to IRC? there's a lot of ways to recieve malware these days as i'm sure u are aware - e.g. maybe the file was bundled with some less-than-reputable package off the web or P2P or something?

  5. #5
    Senior Member
    Join Date
    Dec 2002
    Posts
    107
    hey t2k2...how'd you get into your firewall tracker to see the commands that were going through...the reason i mention this is because it might be related to something different, something worse, but you just don't know it yet...

  6. #6
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    I apologize for not giving more details; I thought that I had given enough info, but I probably didn't. Ok, here's the deal. I check my firewall logs on a regular basis, and last week, I saw some peculiar traffic that I was pretty sure I didn't generate. At the time, I didn't have the time to really investigate, so I kind of dismissed it since it could have been my wife or my son... The next day, I checked again, and I saw many many hits to this strange site, which appeared to be a mail server (mail.mtvxxx.com), and that's the exact site. I tried pinging this site, but got no response. I began to focus on the origin of the activity, which was apparently coming from an application called arial.com. Now, after some searching, I found that this application was sitting in c:\windows\fonts\fonts along with about 10-12 other freaky looking files. Note: They were actually mostly disguised to look like files that had something to do with real fonts. I knew better since many of them were executables. I even found a vb script file with the "ping of death" pointed towards Qwest. You ask, how I know it had something to do with irc commands: I opened the executables in an editor and found irc commands, channels, and the such... I even saw what looked like a makeshift portscanner so they could scan from my machine. I was very impressed. Too bad I don't know how to code as well as know irc very well. This made me want to learn both, definitely. There was also a mIRC.ini file in the folder. First, I tried to delete the folder, but I was unable to delete the arial.com file; it came back with an "Access Denied" message. The mirc.ini file would come right back every time I deleted it, so I had to figure out what kept writing that damned file back to my machine. I went to the sysinternals website and downloaded filemon to see what was writing the file, and I found that there was a process called arial.com running, which kept writing mirc.ini. I checked my Task Manager, and sure enough, it was there (it seemed to be appearing and disappearing from the list, but this may have been my eyes crossing from sleep deprivation). I ended it, and deleted the rest of the fake directory. Since then, I have not had any issues. JagFire, you're right, it could be something worse, and that's why I am watching my computer even closer lately. I also made sure that my machine had an AV package installed with up-to-date signatures. When I took copies of the files to work, a couple of them were moved/cleaned and identified as a trojan called trojan_gtbot.a or irc_gtbot.a. I saw two different names after I looked up information on the trojan. The AV vendor's site didn't give too much information about it, so this made me want to understand this even more. It makes since that this would have made it past my firewall since it was allowing all activity for the mirc application. I hope this clears it up a bit. I am in the process of trying to figure out the source (IP of the attacker), although I may never find that out with the way this may have been designed and implemented. I don't know if the attacker wrote all of these scripts, or if it's just one of the many skiddies being a busy body.


    t2k2
    Opinions are like holes - everybody\'s got\'em.

    Smile

  7. #7
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    347
    t2k2 ,

    What you have to remember is the fact that some E-mail born viruses effect your IRC client.A buddy of mine got infected with a virus through the internet , and it compromised his IRC client in just hours.So i doubt that you may have encountered the trojan on the IRC client itself , but probably encountered it by someone that doesnt like you on the internet or something of that matter.But until then , update your virus scanners , download trojan remover from www.simplysup.com , and Good Luck !
    -N
    "Serenity is not the absence of conflict, but the ability to cope with it."

  8. #8
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Point taken. I would think that the virus wouldn't make it past my ISP's virus wall, however. It apparently is a trojan that's been around for several months. It's possible though. Thanks for the idea. I have not yet scanned with a trojan scanner in particular, only a thorough scan with an updated Norton package. I will do that also. It's a good idea, and you can never be too safe.


    Thanks.
    Opinions are like holes - everybody\'s got\'em.

    Smile

  9. #9
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    the best site for IRC trojans would be www.nohack.net (I think) and #Nohack on irc.dal.net
    They deal specificaly with IRC trojans and worms.
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  10. #10
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Thanks Noia. Excellent site! I really appreciate it. And now for the reading... If anyone has any other suggestions for IRC/mIRC or IRC trojans, feel free to PM me or just post to this thread. I will be checking it, of course. Once again, AO has come through for me in the form of Noia!

    t2k2
    Opinions are like holes - everybody\'s got\'em.

    Smile

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides