The evolution of IRC bots

John Canavan Symantec Security Response

Over the last year, we have seen an explosive growth of IRC bots. New variants are emerging at the rate of over 600 a month making IRC bots the most prevalent Win32 threat. Their modular design and open source nature has allowed them to thrive, outwitting many signature based anti-virus products simply due to the vast numbers of variants being produced.

This paper will examine the core features of popular IRC bots and track their evolution from a single code base. This analysis will demonstrate how many of the common IRC bots such as Agobot, Randex, Spybot, and Phatbot actually share common source code. In addition, interesting techniques utilized by specific variants will also be presented.

Finally, the paper will discuss the reasons for the recent proliferation of IRC bots and the motivation behind distributing one including revenue generation, spam relays, adware installation, DoS attacks, and distributed computing.

 del.icio.us  digg this! digg this

Quick Links

Poll
The Japanese government is reported to have commissioned a 'defensive virus'. Is 'defensive' malware ever a good idea?
Yes
No
I don't know
Leave a comment
View 11 comments

99 Subscription Promo

Virus Bulletin
In this month's magazine:
  • Living the meme
  • If Svar is the answer...
  • Static analysis of mobile malware
  • And the devil is six: the security consequences of the switch to IPv6
  • Behind enemy lines: reporting from the CCC 28C3 Congress
Virus Bulletin 02 2012
Subscribe now!

Virus Bulletin currently has 224,243 registered users.