Redemption

Strange Article - P2P and IRC, what is the connection? by Slage Hammer

Let me start with a little bit of history. The first P2P (peer to peer) network was Napster,
and after its legal problems almost everyone in the world, even people not into PC stuff, knew
what P2P software is and what it is for. Nowadays the number of P2P networks is over 30, bigger
or smaller, well known or not, and it seems this is one of the families of software that will
not die any time soon.

About IRC (Internet Relay Chat), to be honest I don't know the history of IRC clients
(it is not my area of work), but for sure mIRC is one of the most common (maybe the most common)
in the IRC world, though there are other clients like Trillian. IRC consists of virtual rooms
organized through IRC servers and channels where ppl discuss common interests in real time.

Now to the topic of this article: what is the connection between IRC and P2P networks, in what
way are they related? For now there is no virus able to spread using the P2P protocols themselves,
but a large number of worms exist (identified in AV databases as Worm.P2P.XXXXXX or similar)
that are able to spread through one or more P2P clients.

The first P2P worms could spread only through the Kazaa client; nowadays it's common to see a
P2P worm that "supports" 8 or 10 different P2P clients. IRC worms (identified in AV databases
as Irc-Worm, Irc.Worm and similar) are worms that spread mainly using mIRC, Pirc and other
IRC clients.

You, poor reader of this article, are probably getting pissed off because you still don't see
where or what the connection between IRC and P2P is. Don't worry, you are not stupid, I am
getting to this point, pls wait....

P2P networks started out for sharing MP3 audio files, but after some time they were used more
and more to share what is called in slang "warez": pirated software and every kind of crack,
key-gen, and what is supposed to be porn or other illegal stuff. At this point P2P worm coders
only have to write a smart list of file names built from this kind of words for the copies of
their P2P worm, and the normal user will download and execute a "crack" that in reality has
nothing to do with a crack except the name.

IRC worms spread through DCC, that is, by file transfer from one user to another. As P2P worms
were getting very common, IRC worm coders discovered how to make an IRC worm / backdoor that is
also able to spread through one or more P2P clients, which makes fast spreading an easy job,
because whoever doesn't have an IRC client installed is for sure a music or porn lover, or at
least downloads something from some P2P network. So making an IRC worm compatible with a P2P
network is an excellent way to get it spread very fast: just leave one pc connected to the
internet and put some infected files with "interesting names" into the shared folder.

Nowadays there are several IRC.Backdoor or P2P.Worm families (as always, the name differs from
one AV company to another) and several versions of many backdoor / P2P worms. For sure one of
the bigger families in this kind of malware is Spybot.Worm. To give you an idea how common
Spybot worms are: counting the generic detections (McAfee and KAV, for example, have generic
detection), there are about 1200 / 1500 variants, maybe some 100 more.

Right now, what is called IRC.Worm is "pure" code that spreads through IRC, and what is made to
spread using both IRC and P2P is usually called IRC.Backdoor, but this is the AV world and, as
you know, names in the AV world are like pussy when you don't have a woman: something where it
is very hard to understand the why / when and so on.

Among the first IRC backdoors are what NAV calls W32.Kwbot.Worm and Backdoor.Sdbot. Just to give
you an idea how fast some versions of both spread, AV companies discovered IRC channels
containing more than 20K infected users within one week.

If you are interested in reading good descriptions of them, you will find some links to AV
descriptions at the end of this article.

In other words, the "pure IRC worms" evolved into IRC backdoors with the ability to spread
through P2P clients, to make it faster and easier.

What is an IRC backdoor? Before that, we need to know what a backdoor is, of course.
A backdoor is a malicious program that has an automatic payload to spread plus additional
abilities that are not automatic but are performed only on request of its Master (the coder).

Here is an example of how a typical IRC backdoor infects. Some files are put into the shared
folder of a common P2P client; one or more ppl download one of those files, thinking it is
exactly the crack, key-generator or porn movie / porn download they are looking for, and
execute it immediately (or later). When executed, the IRC backdoor tries to locate one or more
P2P clients and copies itself under different file names (the hard-coded list sometimes counts
100 or more file names) into the shared folder, registers itself in the registry, modifies the
ini (configuration files or otherwise) of the existing IRC client, and establishes a TCP
connection to a specific port of an IRC server and channel where the master is waiting for
the connection (the infected user). When the infection is successfully done, it's Master time.
Now, using his interface software, the master is able to perform a long list of operations on
every infected user, like upload a new version of his code, download, execute, steal
information and so on.
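As an added illustration of the defender's side of the behaviour just described (this is not code from the article), here is a small Python check over a P2P shared folder listing that looks for the tell-tale pattern: one identical executable copied under many lure-style names. The lure word list, the extension list and the sample listing are constructed for this example.

```python
import hashlib
import re
from collections import defaultdict

# Lure words the article says P2P worms use to name their copies; constructed list.
LURE_WORDS = ("crack", "keygen", "key-gen", "serial", "warez", "xxx", "porn")
# Executable-type extensions a worm copy would carry (assumption, not from the article).
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat)$", re.IGNORECASE)

def shared_folder_suspects(files, min_copies=3):
    """Group a shared folder's files by content hash and report groups that
    look like one worm body copied under many lure names.

    files: iterable of (filename, bytes). Returns a list of dicts with
    'sha256', 'names' and 'reason'."""
    by_hash = defaultdict(list)
    for name, data in files:
        by_hash[hashlib.sha256(data).hexdigest()].append(name)

    suspects = []
    for digest, names in by_hash.items():
        execs = [n for n in names if EXEC_EXT.search(n)]
        lures = [n for n in execs if any(w in n.lower() for w in LURE_WORDS)]
        # Identical bytes under several lure-style executable names is the
        # pattern described for P2P-spreading IRC backdoors.
        if len(execs) >= min_copies and lures:
            suspects.append({"sha256": digest, "names": sorted(names),
                             "reason": f"{len(execs)} identical executables, "
                                       f"{len(lures)} with lure names"})
    return suspects

# Constructed sample listing: one fake "worm body" under several lure names,
# plus unrelated benign files that must not be flagged.
WORM_BODY = b"MZ" + b"\x90" * 64 + b"constructed fake pe body"
SAMPLE_FOLDER = [
    ("Photoshop_CS_crack.exe", WORM_BODY),
    ("WinZip keygen.exe", WORM_BODY),
    ("movie_xxx.mpg.exe", WORM_BODY),
    ("Office_XP_serial.scr", WORM_BODY),
    ("holiday_photo.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes"),
    ("song.mp3", b"ID3 constructed audio"),
    ("readme_crack.txt", b"not an executable"),
]

if __name__ == "__main__":
    for s in shared_folder_suspects(SAMPLE_FOLDER):
        print(s["reason"], s["names"])
```

The hash grouping is what separates this from a plain name filter: a legitimate shared folder rarely contains several byte-identical executables, while a worm dropping its body under a hard-coded name list always does.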

Some links about the malware I talked about in this article:

Spybot:
http://www.viruslist.com/eng/viruslist.html?id=60639
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
W32.Kwbot:
http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.c.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.p.worm.html
Backdoor.Sdbot:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.p.html
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.n.html
http://www.viruslist.com/eng/viruslist.html?id=51544

Some thankx go to:

- The guys who permitted me to publish this article.
- Everyone who reads it (I think I will be the only one).
- Pamela Anderson: thankx for existing, I like blond girls with big tits !!
- Blaster Author: Hey bro, I need some money, so if you decide to disclose your real
  name, pls share with me, we can make 50% and 50% of the 250k bucks offered by MS.
  (hehehe don't be offended, it's just a joke)

Any comments, suggestions and stuff, send me a mail.

Thank you!