Security Incidents mailing list archives

Re: IRC-bots: what are they for ?


From: sinster () BALLTECH NET (Jon Paul, Nollmann)
Date: Wed, 12 Jan 2000 12:50:09 -0800


Sprach Jens Hektor <hektor () RZ RWTH-AACHEN DE>:
> is anybody out there who could explain to me why on nearly
> every cracked machine I get in touch with the crackers
> have installed IRC-bots, most of the time "eggdrop"?

I'm not speaking directly about eggdrop here, but more about the
general case of IRC-bots.

In my experience, the most common use for a cracked machine is as a
staging area for cracking further machines.  As all of us who have
dealt with the law enforcement side of this issue can attest, the
chances of anything happening to an attacker (whether or not he was
successful) are very slim unless we can point to their dialup account.
The attackers know this, and by launching new attacks from 3rd party
machines, they insulate themselves from a lot of risk.

That aside, there are a lot of exploits against IRC clients (see
BUGTRAQ and NT BUGTRAQ for a smattering), and a number of these
exploits are implemented in bots that listen for properly formatted
messages in particular IRC channels on particular IRC servers.  So
someone who wants to "safely" attack someone's IRC client merely has
to send the right message into the correct IRC channel in order to
trigger an effectively anonymous attack.  Sometimes attackers do it
to install BO2K on a victim's windoze box, and sometimes it's just to
knock someone off of IRC temporarily because of some petty offense or
slight.

Whatever the reasons, IRC apparently occupies a very central role in
the world-view and status gathering of script kiddies.

--
Jon Paul Nollmann ne' Darren Senn                      sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
You can go a long way with a smile.  You can go a lot further with a smile
and a gun.                                                        Al Capone
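
A defender-side check for the bots described in the message above, as an added example that is not part of the original post: it flags client-to-server TCP payloads from listed server hosts that contain IRC registration (NICK and USER) on any port, and reports the channels joined. The addresses, payloads and function names are constructed for illustration.

```python
import re

# A client must send both NICK and USER before it can join a channel (RFC 1459).
REGISTRATION = {"NICK", "USER"}
LINE_RE = re.compile(r"^(?::\S+ )?([A-Za-z]+)(?: (.*))?$")

def parse_client_lines(payload: bytes):
    """Yield (command, params) for each line the client sent."""
    for raw in payload.split(b"\n"):
        m = LINE_RE.match(raw.rstrip(b"\r").decode("latin-1"))
        if m:
            yield m.group(1).upper(), (m.group(2) or "")

def irc_session(payload: bytes):
    """Return the channels joined if payload is an IRC client session, else None."""
    seen, channels = set(), []
    for cmd, params in parse_client_lines(payload):
        if cmd in REGISTRATION:
            seen.add(cmd)
        elif cmd == "JOIN" and seen >= REGISTRATION:
            first = params.split(" ")[0]          # "JOIN #a,#b key" -> "#a,#b"
            channels += [c for c in first.split(",") if c.startswith(("#", "&"))]
    # FTP also sends USER, so require both registration commands.
    return channels if seen >= REGISTRATION else None

def flag_streams(streams, servers):
    """streams: iterable of (src_ip, dst_ip, dst_port, client_payload)."""
    hits = []
    for src, dst, port, payload in streams:
        if src in servers:                        # servers should not be IRC clients
            channels = irc_session(payload)
            if channels is not None:
                hits.append((src, dst, port, channels))
    return hits

# Constructed sample data (documentation address ranges, made-up payloads).
SERVERS = {"192.0.2.10", "192.0.2.11"}
STREAMS = [
    ("192.0.2.10", "198.51.100.7", 6667,
     b"NICK bot123\r\nUSER bot 0 * :x\r\nJOIN #chan1,#chan2 key\r\n"),
    ("192.0.2.11", "198.51.100.9", 8080,          # IRC on a non-standard port
     b"USER a b c :d\r\nNICK z\r\nJOIN &local\r\n"),
    ("192.0.2.10", "203.0.113.5", 80, b"GET / HTTP/1.0\r\nUser-Agent: t\r\n\r\n"),
    ("192.0.2.11", "203.0.113.6", 21, b"USER anonymous\r\nPASS guest\r\n"),
    ("192.0.2.99", "198.51.100.7", 6667,          # not in the server inventory
     b"NICK u\r\nUSER u 0 * :u\r\nJOIN #x\r\n"),
]

if __name__ == "__main__":
    for hit in flag_streams(STREAMS, SERVERS):
        print(hit)
```
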


