IRC Trojans

[t2k2]

Hey good people. I recently fell victim to an irc trojan at home. This has sparked my interest in irc and irc trojans. I found a couple pieces of info here, and I have a couple items from a google, but I wanted to see if someone was holding onto a "golden" resource, a gem... I would appreciate resources of information on IRC and/or IRC-based trojans and attacks. I can't figure out how he/she infected me. The way I found out was by noticing some strange traffic on my personal firewall (Outpost) going out to some weird site. I tracked down the application, and after some effort, I got it removed. Come to find out, the attacker had me setup for a DDOS attack against Qwest Comm.! Obviously, this has peaked my interest. I mean, just the thought of someone being able to manipulate your machine by issuing irc commands is amazing, and scary might I add... Has anyone else out there seen these things in action or have some resources that I could tap to learn more. Again, I would greatly appreciate it.


t2k2

[TheFiend]

well, i cant really help you with the info but i do think you should notify quest, all we need is another TV reporter saying "hackers kill server" or somethin lol. i hope you find what you are looking for though.

[t2k2]

Thanks TheFiend. I just had a thought. When I first started using IRC, I had auto-get enabled for files for which I was queued. After reading one of the articles I found, it was decided that this was not a good idea. Of course, I have disabled that feature now. I'm thinking that the attacker could have somehow initiated a file transfer, which I automatically accepted without knowing. It's just an idea...I'm still new to this. It's just so fascinating. Well anyway, the post is still open to any takers. Again, I appreciate it. I have copies of the files if anyone is interested, but I don't think that I will be able to get them to you if your ISP's email server has an active and up-to-date virus wall scanning emails you recieve. I wish I could understand the coding. Maybe I will post some of it so that you guys can take a look. Let me know if you guys are interested. Thanks again.

t2k2

[halfdoghalfman]

hey man, i was just thinking, if u don't know _how_ you were infected, how do u know it was related to IRC? there's a lot of ways to recieve malware these days as i'm sure u are aware - e.g. maybe the file was bundled with some less-than-reputable package off the web or P2P or something?

[JagFire19]

hey t2k2...how'd you get into your firewall tracker to see the commands that were going through...the reason i mention this is because it might be related to something different, something worse, but you just don't know it yet...

[t2k2]

I apologize for not giving more details; I thought that I had given enough info, but I probably didn't. Ok, here's the deal. I check my firewall logs on a regular basis, and last week, I saw some peculiar traffic that I was pretty sure I didn't generate. At the time, I didn't have the time to really investigate, so I kind of dismissed it since it could have been my wife or my son... The next day, I checked again, and I saw many many hits to this strange site, which appeared to be a mail server (mail.mtvxxx.com), and that's the exact site. I tried pinging this site, but got no response. I began to focus on the origin of the activity, which was apparently coming from an application called arial.com. Now, after some searching, I found that this application was sitting in c:\windows\fonts\fonts along with about 10-12 other freaky looking files. Note: They were actually mostly disguised to look like files that had something to do with real fonts. I knew better since many of them were executables. I even found a vb script file with the "ping of death" pointed towards Qwest. You ask, how I know it had something to do with irc commands: I opened the executables in an editor and found irc commands, channels, and the such... I even saw what looked like a makeshift portscanner so they could scan from my machine. I was very impressed. Too bad I don't know how to code as well as know irc very well. This made me want to learn both, definitely. There was also a mIRC.ini file in the folder. First, I tried to delete the folder, but I was unable to delete the arial.com file; it came back with an "Access Denied" message. The mirc.ini file would come right back every time I deleted it, so I had to figure out what kept writing that damned file back to my machine. I went to the sysinternals website and downloaded filemon to see what was writing the file, and I found that there was a process called arial.com running, which kept writing mirc.ini. I checked my Task Manager, and sure enough, it was there (it seemed to be appearing and disappearing from the list, but this may have been my eyes crossing from sleep deprivation). I ended it, and deleted the rest of the fake directory. Since then, I have not had any issues. JagFire, you're right, it could be something worse, and that's why I am watching my computer even closer lately. I also made sure that my machine had an AV package installed with up-to-date signatures. When I took copies of the files to work, a couple of them were moved/cleaned and identified as a trojan called trojan_gtbot.a or irc_gtbot.a. I saw two different names after I looked up information on the trojan. The AV vendor's site didn't give too much information about it, so this made me want to understand this even more. It makes since that this would have made it past my firewall since it was allowing all activity for the mirc application. I hope this clears it up a bit. I am in the process of trying to figure out the source (IP of the attacker), although I may never find that out with the way this may have been designed and implemented. I don't know if the attacker wrote all of these scripts, or if it's just one of the many skiddies being a busy body.


t2k2

[n01100110]

t2k2 ,

What you have to remember is the fact that some E-mail born viruses effect your IRC client.A buddy of mine got infected with a virus through the internet , and it compromised his IRC client in just hours.So i doubt that you may have encountered the trojan on the IRC client itself , but probably encountered it by someone that doesnt like you on the internet or something of that matter.But until then , update your virus scanners , download trojan remover from www.simplysup.com , and Good Luck !
-N

[t2k2]

Point taken. I would think that the virus wouldn't make it past my ISP's virus wall, however. It apparently is a trojan that's been around for several months. It's possible though. Thanks for the idea. I have not yet scanned with a trojan scanner in particular, only a thorough scan with an updated Norton package. I will do that also. It's a good idea, and you can never be too safe.


Thanks.

[Noia]

the best site for IRC trojans would be www.nohack.net (I think) and #Nohack on irc.dal.net
They deal specificaly with IRC trojans and worms.

[t2k2]

Thanks Noia. Excellent site! I really appreciate it. And now for the reading... If anyone has any other suggestions for IRC/mIRC or IRC trojans, feel free to PM me or just post to this thread. I will be checking it, of course. Once again, AO has come through for me in the form of Noia!

t2k2