The evolution of IRC bots

John Canavan Symantec Security Response

Over the last year, we have seen an explosive growth of IRC bots. New variants are emerging at the rate of over 600 a month making IRC bots the most prevalent Win32 threat. Their modular design and open source nature has allowed them to thrive, outwitting many signature based anti-virus products simply due to the vast numbers of variants being produced.

This paper will examine the core features of popular IRC bots and track their evolution from a single code base. This analysis will demonstrate how many of the common IRC bots such as Agobot, Randex, Spybot, and Phatbot actually share common source code. In addition, interesting techniques utilized by specific variants will also be presented.

Finally, the paper will discuss the reasons for the recent proliferation of IRC bots and the motivation behind distributing one including revenue generation, spam relays, adware installation, DoS attacks, and distributed computing.

VB Conferences

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘The VB conference is must-see event undoubtedly. A reference event in the field, definitely.’

Poll

Who in your company is responsible for installing software patches?

Leave a comment

Virus Bulletin

In this month's magazine:

Welcome to 2009
Anti-unpacker tricks – part two
A day in the life of an average user
Advancing malware techniques 2008
VB2009 Geneva: call for papers
MicroWorld eScan Internet Security Suite 10
Introducing VB anti-spam testing

Subscribe now!

Virus Bulletin currently has 148,281 registered users.

Fighting malware and spam