Cleaning Over 10 Million IRC Bots


No one could have anticipated all the ways that Internet Relay Chat (IRC) would eventually be used when it was ‘created’ in Finland during the late 1980s. People really started picking up on IRC in the early 1990s, and as with virtually all popular technologies, it started to get abused.


IRC enables a single user to communicate with many other users in the same “chat room” (known as a channel). Miscreants quickly realized that this architecture is very well suited to controlling many compromised machines at once: instead of having to send instructions to each host individually (as was the case with traditional trojans), they can simply send one instruction to the channel, and every bot that has joined it receives it. The fact that many underground channels exist where people discuss the intricacies of these malicious applications has made IRC-related threats increasingly prevalent.
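The one-to-many property described above is also what makes this kind of command and control visible to a defender: a group of internal hosts that all join the same channel, never say anything themselves, and all receive an identical line from a single nick. The following is an added example, not code from the original post or from MSRT; the sensor records, host addresses, nicks, channel names and the `!task` command text are all constructed, and the format of the records (internal host, direction, raw IRC line) is an assumption about what a network sensor might log.

```python
import re
from collections import defaultdict

# Constructed sensor records: (internal host, direction, raw IRC protocol line).
# "out" = line the host sent to the IRC server, "in" = line the server delivered to it.
SAMPLE_EVENTS = [
    ("10.0.0.11", "out", "NICK [USA|XP]-4471"),
    ("10.0.0.11", "out", "JOIN #ctrl"),
    ("10.0.0.12", "out", "NICK [DEU|XP]-9032"),
    ("10.0.0.12", "out", "JOIN #ctrl"),
    ("10.0.0.13", "out", "JOIN #ctrl"),
    ("10.0.0.11", "in",  ":herder!h@c2.example PRIVMSG #ctrl :!task 7a3f"),
    ("10.0.0.12", "in",  ":herder!h@c2.example PRIVMSG #ctrl :!task 7a3f"),
    ("10.0.0.13", "in",  ":herder!h@c2.example PRIVMSG #ctrl :!task 7a3f"),
    # Ordinary chat: members talk back, messages differ.
    ("10.0.0.21", "out", "JOIN #linux"),
    ("10.0.0.21", "in",  ":alice!a@home.example PRIVMSG #linux :anyone tried the new kernel?"),
    ("10.0.0.21", "out", "PRIVMSG #linux :yes, works fine here"),
    ("10.0.0.22", "out", "JOIN #linux"),
    ("10.0.0.22", "in",  ":alice!a@home.example PRIVMSG #linux :anyone tried the new kernel?"),
]

# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")


def parse_irc_line(line):
    """Split one IRC line into (sender nick or None, COMMAND, first target, trailing text)."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    prefix, command = m.group("prefix"), m.group("command").upper()
    params = m.group("params") or ""
    nick = prefix.split("!", 1)[0] if prefix else None
    # The trailing parameter (after " :") carries the message text for PRIVMSG.
    if params.startswith(":"):
        middle, trailing = "", params[1:]
    elif " :" in params:
        middle, trailing = params.split(" :", 1)
    else:
        middle, trailing = params, ""
    target = middle.split()[0] if middle else None
    return nick, command, target, trailing


def find_fanout_channels(events, min_hosts=3):
    """Flag channels where >= min_hosts silent internal hosts all received the same line from one nick."""
    members = defaultdict(set)                          # channel -> internal hosts that joined
    talkers = defaultdict(set)                          # channel -> internal hosts that spoke
    delivered = defaultdict(lambda: defaultdict(set))   # channel -> (nick, text) -> receiving hosts
    for host, direction, line in events:
        parsed = parse_irc_line(line)
        if not parsed:
            continue
        nick, command, target, text = parsed
        if not target or not target.startswith("#"):
            continue                                    # NICK, private messages, etc. are not channel traffic
        if direction == "out" and command == "JOIN":
            members[target].add(host)
        elif direction == "out" and command == "PRIVMSG":
            talkers[target].add(host)
        elif direction == "in" and command == "PRIVMSG" and nick:
            delivered[target][(nick, text)].add(host)

    findings = {}
    for channel, hosts in members.items():
        if len(hosts) < min_hosts or talkers[channel]:
            continue                                    # too few hosts, or our hosts converse: looks like chat
        for (nick, text), receivers in delivered[channel].items():
            if receivers >= hosts:                      # every joined host got the identical line from one nick
                findings[channel] = {"hosts": len(hosts), "commander": nick, "message": text}
                break
    return findings


if __name__ == "__main__":
    for channel, info in find_fanout_channels(SAMPLE_EVENTS).items():
        print(f"{channel}: {info['hosts']} silent hosts commanded by {info['commander']!r}: {info['message']!r}")
```

The heuristic keys on behaviour rather than on a signature for any one family: bots join, stay silent and act on what one nick tells the channel, whereas people in a real channel reply. The `min_hosts` threshold and the "no internal host spoke" rule are the knobs to tune against false positives such as announcement-only channels.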


These IRC-based threats grew enormously in popularity until around 2005-2006, when they started to peak. These threats are still with us today, but their numbers are not increasing as rapidly as they once did—so although they’re not exactly going away, they’re definitely slowing down. Unfortunately there are a variety of new methods to command and control compromised hosts that don’t involve IRC, but we’ll leave those for another day.


People often ask what miscreants do with compromised computers. Below is a short list, but we will be describing threats and their exact behavior in more detail in the weeks and months ahead…



  • Saved passwords may be stolen

  • Keystrokes may be recorded

  • Credit card data may be stolen

  • Software licenses and serial numbers may be stolen and pirated

  • Identity may be stolen

  • Email accounts may be compromised

  • Spam messages may be transmitted

  • Denial of service attacks may be initiated against other servers on the internet

  • Pirated software, music, and pornography may be hosted and distributed

Those are some of the worst-case scenarios that we’ve seen happen to people who got infected with these malware families.


For all these reasons, it should come as no surprise that we’ve included IRC bot families in MSRT since our very first release. Here’s a list of just some of the IRC-related threats that we’ve covered:



MSRT has cleaned 9.1 million distinct machines since 2005, 1.4 million distinct machines in 1H08. You can find a full list of malware families cleaned by MSRT here.


 


MSRT Telemetry – all time

Family            Distinct machines cleaned
Win32/Rbot        5,974,075
Win32/Sdbot       2,035,420
Win32/IRCbot      1,162,927
Win32/Gaobot        370,456
Win32/Spybot        309,662
Win32/Wootbot       193,239
Win32/Codbot        108,640
Win32/Esbot          68,667
Win32/Spyboter       47,888


 


MSRT Telemetry – 1H08

Family            Distinct machines cleaned
Win32/Rbot          950,013
Win32/Sdbot         270,153
Win32/IRCbot        234,704
Win32/Spybot         21,723
Win32/Wootbot        21,541
Win32/Gaobot         11,923
Win32/Codbot          1,746
Win32/Spyboter          564
Win32/Esbot             221


That’s over 10 million distinct removals of these malware families alone! Perhaps this graph will put things into a little more context:


[Graph: MSRT IRC Bot Graph]


Win32/Rbot, Win32/Sdbot, and Win32/IRCbot remain among the top threats over the past 12 months. The trend is generally downward, but it’s clear that these threats aren’t going away. For more telemetry, please take a look at our Security Intelligence Report.


We plan on continuing our assault on IRC-based threats, so keep your eyes on this space for more information.


-Scott Wu & Tareq Saade
