DDoS IRC bots are becoming a popular Distributed Denial of Service attack method. A *nix machine is no longer required to run a DDoS packet attack (you may remember TFN, Trin00 and similar tools, which a 15-year-old used to packet several big domains down). The system requirements of those programs filtered out would-be "packeters" fairly well (I don't mean hardware requirements; they simply cannot be run under Win9x). Now there is a solution for every packeter: easy-to-use IRC bots that run fine on Windows boxes and are more than easy to operate.

Attacks are controlled from an IRC channel that the bots are configured to join. Once in the channel they sit and wait for further commands. Usually those channels are secret and key-protected, so only the person who distributed the bots can join the channel and control the attacks. This IRC bot DDoS method has one fairly big disadvantage, though: someone who discovers your bot may be able to figure out the IRC server, channel and channel key, and with those he can steal your whole "bot army". There is a partial solution for that: setting your bots to join many different servers makes tracing all of them extremely hard (imagine someone discovers a bot that is set to join irc.icq.net channel #bawts with key a1253b; if you configured only 10 bots to use that server/channel, all your other bots are still hiding on other servers/channels and you can go on using them as normal).

How do those bots attack the victim? The difference between a classic DoS and a DDoS is huge: a classic single-source DoS attack typically exploits a known vulnerability on the target system, whereas a DDoS attack coming from multiple hosts floods the target with meaningless packets and saturates its capacity to receive data, so normal traffic can't get through. The DDoS IRC bots running on Win9x hosts send UDP and ICMP (ping) packets as fast as the host's maximum outbound bandwidth allows.
I have heard there are already bots able to generate MORE dangerous TCP SYN (half-open TCP connection, which I assume is some sort of TCP protocol vulnerability) / ACK packet attacks, but this is not possible from Win9x hosts. Instead those bots are targeted at Win2k/XP hosts, where raw sockets are available, so spoofed TCP packet attacks can be made. The ability to send TCP SYN/ACK packets makes a packet attack against a web server VERY powerful: UDP and possibly ICMP packets can be filtered at the ISP's end without a tragic loss of the normal services the server offers, but TCP packets can't be blocked without affecting normal traffic. If TCP is blocked, the server can't offer normal services such as Web and FTP at all.

There are (at least) two IRC DDoS bots for Win9x hosts in public distribution, more are surely coming, and many private DDoS bot projects are going on. Individuals are creating bots for their own needs, and when Windows XP officially comes out, more bots will be made to take advantage of its raw socket support. Evilbot is one of the publicly distributed bots (Slackbot 1.0 is the other one), and I will say a couple of more detailed words about it (Evilbot happens to be the bot that was used to packet down grc.com, as you may know). It is a 16k executable (compressible to under 10k). Let's take a closer look at it.

When a victim executes the bot file, it copies itself to the Windows directory under a configured name (for example \Windows\WinRun2.exe). That WinRun2.exe must then be run every time the computer is rebooted, so the bot adds itself to the registry's autostart under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (for example as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinRun), with that WinRun value pointing to the WinRun2.exe copied to the Windows directory.
If there is already a file named WinRun2.exe in the Windows directory, Evilbot won't overwrite it; instead it adds the same kind of registry value as above but points it at the file in the directory where the bot was saved and run from. Next the bot tries to connect to a configured IRC server (a personal firewall such as ZoneAlarm would detect this outbound connection attempt and notify you about it). Once in the channel it sits and waits for commands. At the same time as the bot connects to the IRC server, I believe the following string in Evilbot's code stands for a URL from which the bot downloads a trojan server (or whatever is behind the URL) and executes it once downloaded: "update.ur.address./thepath.exe" (NOTE: the dots surrounding "ur" are real dots, but the dot between "address" and "/" stands for a null). If Evilbot is the first to join a non-registered channel, it sets the following channel modes by default: +nstk.

Evilbot accepts commands from anyone who is in the same channel as it (whereas Slackbot 1.0 requires a password before it listens to anyone's commands). The following command, typed into the channel Evilbot sits in, would start a UDP packet flood against a host: "!udp 101.105.201.212 1000 0". Here 1000 is the number of packets to send and the trailing 0 is the delay between packets. Evilbot can also attack by pinging a target host; it supports four kinds of ping attack:

  !p4 <ip>   sends 10000 64 kbyte ping packets to the specified IP
  !p3 <ip>   sends 1000 64 kbyte ping packets to the specified IP
  !p2 <ip>   sends 100 64 kbyte ping packets to the specified IP
  !p1 <ip>   sends 10 64 kbyte ping packets to the specified IP

The number of pings and the ping size are configurable by whoever builds the bot (for example, !p4 could have been set to send 15000 32-byte ICMP packets to the specified host), but by default it uses the values above. Evilbot understands other commands too, such as parting/joining a channel.
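As an added example (not code from the original post, and not Evilbot's own code), here is a small Python scanner that recognises the command grammar above in an IRC channel log and estimates how much traffic one bot would emit per command. The grammar and default counts come from the post ("!udp <ip> <count> <delay>", and !p1..!p4 sending 10/100/1000/10000 pings of 64 kbyte). The log line layout "<nick> message" and the sample lines are constructed; the post gives no UDP payload size, so UDP commands are reported as packet counts only.

```python
"""Scan an IRC channel log for Evilbot flood commands and estimate traffic.

Added example, not from the original post or from Evilbot.  Grammar and
default values are taken from the post; the log format ("<nick> message")
and SAMPLE_LOG are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Default ping counts per command and the 64 kbyte ping size, as in the post.
PING_DEFAULT_COUNT = {"!p1": 10, "!p2": 100, "!p3": 1000, "!p4": 10000}
PING_SIZE_BYTES = 64 * 1024

LOG_LINE_RE = re.compile(r"^<([^>]+)>\s+(.*)$")        # assumed log layout
UDP_RE = re.compile(r"^!udp\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
PING_RE = re.compile(r"^(!p[1-4])\s+(\S+)\s*$")


@dataclass
class BotCommand:
    nick: str                 # issuer; relevant because Evilbot obeys anyone in channel
    kind: str                 # "udp" or "icmp"
    target: str
    packets: int
    delay_ms: Optional[int]   # only the !udp form carries a delay
    valid_ip: bool            # the post shows IP targets; flag anything else

    def icmp_bytes(self) -> Optional[int]:
        """Bytes one bot sends for a ping command; None for UDP (size not given)."""
        return self.packets * PING_SIZE_BYTES if self.kind == "icmp" else None


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_command(nick: str, message: str) -> Optional[BotCommand]:
    """Return a BotCommand if the message matches Evilbot's flood syntax."""
    m = UDP_RE.match(message)
    if m:
        target, count, delay = m.groups()
        return BotCommand(nick, "udp", target, int(count), int(delay), _is_ip(target))
    m = PING_RE.match(message)
    if m:
        cmd, target = m.groups()
        return BotCommand(nick, "icmp", target, PING_DEFAULT_COUNT[cmd], None, _is_ip(target))
    return None


def scan_log(log_text: str) -> List[BotCommand]:
    """Pick the flood commands out of a channel log, in order."""
    found = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        cmd = parse_command(m.group(1), m.group(2))
        if cmd is not None:
            found.append(cmd)
    return found


def total_icmp_bytes(commands: List[BotCommand], bots: int = 1) -> int:
    """ICMP volume if `bots` identical bots each obey every ping command seen."""
    return sum(c.icmp_bytes() or 0 for c in commands) * bots


# Constructed channel log: chatter, one UDP command, two ping commands, and a
# line that merely mentions a command and must not match.
SAMPLE_LOG = """\
<op> !join #other
<op> !udp 101.105.201.212 1000 0
<someone> lol !p4 is not a command here
<op> !p4 101.105.201.212
<op> !p1 example.org
"""

if __name__ == "__main__":
    cmds = scan_log(SAMPLE_LOG)
    for c in cmds:
        print(c, "icmp_bytes=", c.icmp_bytes())
    print("ICMP bytes for 10 bots:", total_icmp_bytes(cmds, bots=10))
```

The point of the volume estimate is the scale: a single "!p4" makes one bot emit about 640 MB of ICMP, so the same command in a channel with a few hundred bots is what takes a site down, and the "nick" field reminds you that, unlike Slackbot, Evilbot will take that command from anyone who can join.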
How do I know if my computer is part of a DDoS bot army? My antivirus scanner didn't pick up the Evilbot, but you can manually check whether there is an active IRC connection on your computer. While online, make sure you are not running any IRC client, open your MS-DOS prompt and type the following command:

  netstat -an | find ":6667"

If it shows an active connection to port 6667, it's very possible that you are infected (you should check the other default ports an IRC server can listen on too, since the bot may have been configured for a different one). Next, look for suspicious registry entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the entry may be under RunServices as well). If you find an entry pointing to a bot, remove it, reboot your computer and then delete the bot file.

Regards,
hypnosis@mbnet.fi
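As an added example (not code from the original post), here is a Python triage script for the two checks described above: an unexpected established connection to an IRC port, and Run/RunServices autostart entries pointing at unfamiliar executables. It works on the text of "netstat -an" and of a registry export (regedit /e, REGEDIT4 format) rather than calling any Windows API, so it runs anywhere; the two sample outputs and the baseline of known autostart names are constructed. The port set is an assumption: the post names only 6667, and 6660-6669 plus 7000 is the conventional IRC server range.

```python
"""Host-side triage for IRC DDoS bot symptoms: IRC connections and autostart entries.

Added example, not from the original post.  Parses "netstat -an" output and a
REGEDIT4 export as text; SAMPLE_NETSTAT, SAMPLE_REG and KNOWN_AUTOSTART are
constructed for this example.
"""
import ntpath
import re
from typing import Dict, List, Tuple

IRC_PORTS = set(range(6660, 6670)) | {7000}   # assumption; the post names 6667
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Constructed "netstat -an" output in the Win9x layout: one established
# connection to an IRC port next to ordinary listeners and a web connection.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:137        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       205.188.149.1:6667     ESTABLISHED
  TCP    192.168.1.5:1040       64.4.11.30:80          ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

# Constructed registry export of the two autostart keys.  Backslashes in
# values are doubled, as regedit writes them.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinRun"="C:\\WINDOWS\\WinRun2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"""

# Autostart executables the operator has already vetted (constructed baseline;
# anything not listed here is what the post tells you to inspect by hand).
KNOWN_AUTOSTART = frozenset({"systray.exe", "mstask.exe"})

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def irc_connections(netstat_text: str) -> List[Tuple[str, int]]:
    """(remote_host, port) for every ESTABLISHED TCP connection to an IRC port."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        host, _, port = parts[2].rpartition(":")
        if port.isdigit() and int(port) in IRC_PORTS:
            hits.append((host, int(port)))
    return hits


def run_entries(reg_text: str) -> List[Dict[str, object]]:
    """Values under Run/RunServices with a 'known' flag from the baseline.

    The whole value is treated as a path (arguments are not split off), which
    is enough for the plain "name"="path" entries a bot like this writes.
    """
    entries = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current_key = key if key.lower() in RUN_KEYS else None
            continue
        if current_key is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")
        exe = ntpath.basename(value.strip())
        entries.append({
            "key": current_key.rsplit("\\", 1)[-1],   # "Run" or "RunServices"
            "name": name,
            "path": value,
            "known": exe.lower() in KNOWN_AUTOSTART,
        })
    return entries


def triage(netstat_text: str, reg_text: str) -> Dict[str, object]:
    """The two lists a responder acts on: IRC connections and unvetted autostarts."""
    return {
        "irc_connections": irc_connections(netstat_text),
        "unknown_autostart": [e for e in run_entries(reg_text) if not e["known"]],
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_NETSTAT, SAMPLE_REG).items():
        print(f"{name}: {result}")
```

On a real Win9x box you would feed it the output of "netstat -an" and of "regedit /e run.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" (and the same for RunServices); an established connection to an IRC port with no IRC client open, paired with an autostart entry whose executable you do not recognise, is exactly the picture the post describes, and the order of cleanup is the same: remove the value, reboot so the bot is no longer running, then delete the file.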