Vulnerability Development mailing list archives
Re: mIRC backdoors - an advanced overview
From: "Alex Lambert" <alambert () webmaster com>
Date: Fri, 22 Feb 2002 17:45:14 -0600
These attacks are in no way new. However, recently, several mIRC worms using $decode have been spreading. One of the more popular ones uses the promise of "giving the user op status" if he or she types the command. It also writes its own script to the user's remote file, further propagating the message, usually either named "Ä" or "god.dll". These can be easily removed by /unload-ing the script and removing the affected file.

The allowed size of an IRC message can put certain restrictions as to how much "payload" a $encoded string can have. Although I have not seen such, it would be trivially easy to create a more powerful worm that persuades a user to install a backdoor with one command, and then exploits such to propagate itself via additional script lines sent via the now installed backdoor.

Common sense is your best weapon in dealing with these types of things. Server-side filtering of $decode is also a feasible option on some IRC server software.

apl

----- Original Message -----
From: "ReDeeMeR" <g0tr00t () usa net>
To: <bugtraq () securityfocus com>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, February 22, 2002 10:21 AM
Subject: mIRC backdoors - an advanced overview

Find below a paper written on the topic of mIRC backdoors. Alternatively, find a real world URL at http://packetstormsecurity.nl/irc/mIRC.txt or http://shells.cyberarmy.com/~johnr/docs/misc/backdoormircupdated.txt

Thanks,
-ReDeeMeR-
redeemer () g0tr00t net
http://www.g0tr00t.net
-----------------------------------------------------------------------
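The server-side filtering of $decode that the reply suggests, as an added example that is not part of either post (the thread itself carries no code): a small Python filter that pulls $decode(...,m) payloads out of raw IRC PRIVMSG lines, base64-decodes them and flags the ones whose decoded text writes or loads a script. It assumes that mIRC's "m" flag selects MIME/base64 and that write/load/run/timer are the commands a self-propagating payload would need; the IRC lines and the god.dll lure are constructed here, not captured traffic.

```python
import base64
import re

# A mIRC $decode() call with the "m" flag. That "m" selects MIME/base64 is
# an assumption about mIRC's $encode/$decode, not something the post states.
DECODE_RE = re.compile(r"\$decode\(\s*([A-Za-z0-9+/=]+)\s*,\s*m\s*\)", re.IGNORECASE)

# mIRC commands a decoded payload needs in order to persist (write a script,
# load it) or to act beyond the one-liner (run, timer). The list is an
# assumption chosen for this example, not a complete inventory.
SUSPICIOUS_CMDS = re.compile(r"(?<![A-Za-z])/?(write|load|run|timer)\b", re.IGNORECASE)

# RFC 1459: a raw IRC line is at most 512 bytes including the trailing CRLF.
IRC_MAX_LINE = 512


def extract_payloads(text):
    """Return the decoded plaintext of every $decode(...,m) found in text."""
    found = []
    for m in DECODE_RE.finditer(text):
        b64 = m.group(1)
        b64 += "=" * (-len(b64) % 4)  # tolerate stripped '=' padding
        try:
            found.append(base64.b64decode(b64, validate=True).decode("latin-1"))
        except ValueError:  # binascii.Error (bad length/chars) is a ValueError
            continue
    return found


def classify_message(line):
    """Classify one raw PRIVMSG line.

    Returns (verdict, payloads): 'clean' (no $decode at all), 'decode'
    ($decode present but the decoded text carries no persistence command)
    or 'worm' (decoded text writes or loads a script, or runs something).
    """
    # ":prefix PRIVMSG target :text" - only the trailing text is inspected.
    _, sep, text = line.partition(" :")
    if not sep:
        text = line
    payloads = extract_payloads(text)
    if not payloads:
        return "clean", payloads
    if any(SUSPICIOUS_CMDS.search(p) for p in payloads):
        return "worm", payloads
    return "decode", payloads


def filter_lines(lines, drop=("worm",)):
    """Return the lines a server-side filter would let through."""
    return [l for l in lines if classify_message(l)[0] not in drop]


def fits_irc_line(line):
    """True if line plus CRLF fits the 512-byte limit that caps how much
    payload a single $decode one-liner can carry."""
    return len(line.encode("utf-8")) + 2 <= IRC_MAX_LINE


# Constructed sample traffic (not captured). The lure mirrors the one the
# reply describes: promise ops, make the victim write and load god.dll.
WORM_SCRIPT = ("//write -c god.dll on 1:TEXT:*:#:{ msg $chan type this for ops } "
               "| //load -rs god.dll")
WORM_B64 = base64.b64encode(WORM_SCRIPT.encode()).decode()

SAMPLE_LINES = [
    ":bob!b@host PRIVMSG #chan :hi everyone",
    ":eve!e@host PRIVMSG #chan :type //$decode(" + WORM_B64 + ",m) to get op status!",
    ":al!a@host PRIVMSG #chan :$decode(aGVsbG8gd29ybGQ=,m) is just hello world",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        verdict, payloads = classify_message(line)
        print(verdict, fits_irc_line(line), payloads)
```

The filter decodes rather than just pattern-matching on the literal "$decode", so a harmless use of the function (the third sample line) passes while the op-status lure is dropped; a real deployment would also want to rate-limit or log the "decode" verdicts, since a worm that installs a backdoor in one step and ships the rest later, as the reply anticipates, keeps each individual message small.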
Current thread:
- mIRC backdoors - an advanced overview ReDeeMeR (Feb 22)
- Re: mIRC backdoors - an advanced overview Alex Lambert (Feb 23)