Security Incidents mailing list archives

IRC bot floods...


From: "PARKIN, MICHAEL M (PBI)" <mparkin () PBI NET>
Date: Thu, 10 Aug 2000 16:13:59 -0500

Morning, folks,

I administer a server on a small IRC network (11 servers, US, Australia,
Europe) that is currently undergoing a flood of connections from what appear
to be compromised Windows boxes.  At the moment, they are not doing anything
destructive, but I wonder if anyone else has encountered this recently.

The hosts are all Windows based, either NT or 9x.  Cursory scans show open
shares on a few (very few) and the open ports, when we find open ports,
don't match any of the Trojans our admins or opers are familiar with.  i.e.
Sub7, BO, Hack'A'Tack, Netbus, etc.

The connections all appear to be coming from legitimate hosts, none found so
far are proxies.  At least as far as we can tell.  The userid is always
random, containing alphabetic characters only.  All lower case, no numerics
or non-alpha characters.  IRC Nick = userid in all cases.  They do not
appear to be altering their userid and reconnecting when we punt them off,
and they're not connecting rapidly enough to cause any real threat to our
Net.

If anyone knows of a new Trojan with this capability, I'd appreciate some
input.  There are literally hundreds of these things connecting, and the
'paranoid' in me says they're the first stage of a DDoS against our net.

Thanks,

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108
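
The connection pattern described in the post above (nick identical to userid, lowercase letters only, many distinct hosts), as an added detection sketch that is not part of the original message. The log line format, the window and threshold values, and all sample lines are constructed assumptions; because ordinary users can also match the pattern, the alert keys on the number of distinct matching hosts in a time window.

```python
import re
from collections import deque

# Assumed notice format (constructed, modelled on common ircd connect notices):
#   <epoch> Client connecting: <nick> (<ident>@<host>)
LINE_RE = re.compile(r"^(\d+) Client connecting: (\S+) \(([^@\s]+)@(\S+)\)$")
ALPHA_LOWER = re.compile(r"^[a-z]+$")

def matches_pattern(nick, ident):
    """Pattern from the post: nick == userid, lowercase letters only."""
    ident = ident.lstrip("~")  # ircd prefixes "~" when the ident lookup fails
    return nick == ident and ALPHA_LOWER.fullmatch(nick) is not None

def scan(lines, window=600, threshold=3):
    """Return (suspects, alerts): matching (ts, nick, host) tuples, and the
    timestamps where >= threshold distinct hosts matched within `window` s."""
    suspects, alerts, recent = [], [], deque()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, nick, ident, host = int(m[1]), m[2], m[3], m[4]
        if not matches_pattern(nick, ident):
            continue
        suspects.append((ts, nick, host))
        recent.append((ts, host))
        while recent and recent[0][0] < ts - window:  # drop entries outside window
            recent.popleft()
        if len({h for _, h in recent}) >= threshold:
            alerts.append(ts)
    return suspects, alerts

# Constructed sample input, not taken from any real server log.
SAMPLE = """\
965942000 Client connecting: Oper (admin@staff.example.net)
965942030 Client connecting: qwzrtkp (~qwzrtkp@host1.example.com)
965942090 Client connecting: bxvnmlw (bxvnmlw@host2.example.org)
965942100 Client connecting: guest42 (~guest42@host3.example.com)
965942150 Client connecting: hjdkfls (~hjdkfls@host4.example.net)
965943500 Client connecting: zzptqra (~zzptqra@host5.example.com)
""".splitlines()

if __name__ == "__main__":
    suspects, alerts = scan(SAMPLE)
    for ts, nick, host in suspects:
        print(ts, nick, host)
    print("alerts at:", alerts)
```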

