The evolution of IRC bots

John Canavan Symantec Security Response

Over the last year, we have seen an explosive growth of IRC bots. New variants are emerging at the rate of over 600 a month making IRC bots the most prevalent Win32 threat. Their modular design and open source nature has allowed them to thrive, outwitting many signature based anti-virus products simply due to the vast numbers of variants being produced.

This paper will examine the core features of popular IRC bots and track their evolution from a single code base. This analysis will demonstrate how many of the common IRC bots such as Agobot, Randex, Spybot, and Phatbot actually share common source code. In addition, interesting techniques utilized by specific variants will also be presented.

Finally, the paper will discuss the reasons for the recent proliferation of IRC bots and the motivation behind distributing one including revenue generation, spam relays, adware installation, DoS attacks, and distributed computing.

VB Conferences

VB2011 (Barcelona)

VB2010 (Vancouver)

VB2009 (Geneva)

VB2008 (Ottawa)

VB2007 (Vienna)

VB2006 (Montréal)

VB2005 (Dublin)

VB2004 (Chicago)

VB2003 (Toronto)

VB2002 (New Orleans)

VB2001 (Prague)

VB2000 (Orlando)

VB99 (Vancouver)

VB98 (Munich)

VB97 (San Francisco)

VB96 (Brighton)

VB95 (Boston)

VB94 (Jersey)

VB93 (Amsterdam)

VB92 (Edinburgh)

VB91 (Jersey)

‘An excellent conference. The schedule ran very precisely and the flow of the conference was very good.’

Poll

Do you use the same password(s) across multiple websites?

Leave a comment
View 4 comments

Virus Bulletin

In this month's magazine:

Social networking meets social engineering
Flying solo
Geneva convention
7th German Anti Spam Summit 2009
Anti-phishing landing page: turning a 404 into a teachable moment
An update on spamming botnets: are we losing the war?
Windows Server 2008 Standard Edition SP2 x86

Subscribe now!

Virus Bulletin currently has 190,781 registered users.

Fighting malware and spam