No one could have anticipated all the ways that Internet Relay Chat (IRC) would eventually be used when it was 'created' in Finland during the late 1980s. People really started picking up on IRC in the early 1990s, and as with virtually all popular technologies, it started to get abused.

IRC enables a single user to communicate with many other users in the same "chat room" (known as a channel). Miscreants quickly realized that this architecture is very well suited for controlling multiple compromised machines at once, as instead of having to send instructions to each host (as was the case with traditional trojans)- they could simply send instructions to the channel. The fact that many underground channels exist where people discuss the various intricacies of these malicious applications caused IRC-related threats to become increasingly prevalent.

These IRC based threats grew enormously in popularity until around 2005-2006, where they started to peak out. These threats are still with us today, but their numbers are not increasing as rapidly as they once did—so although they're not exactly going away, they're definitely slowing down. Unfortunately there are a variety of new methods to command and control compromised hosts which don't involve IRC, but we'll leave those for another day.

People often ask what miscreants do with compromised computers. Below is a short list, but we will be describing threats and their exact behavior in more detail in the weeks and months ahead…

  • Saved passwords may be stolen
  • Keystrokes may be recorded
  • Credit card data may be stolen
  • Software licenses and serial numbers may be stolen and pirated
  • Identity may be stolen
  • Email accounts may be compromised
  • Spam messages may be transmitted
  • Denial of service attacks may be initiated against other servers on the internet
  • Pirated software, music, and pornography may be hosted and distributed

Those are some of the worst-case scenarios that we've seen happen to people who got infected with these malware families.

For all these reasons, it should come as no surprise that we've included IRC bot families in MSRT since our very first release. Here's a list of just some of the IRC-related threats that we've covered:

MSRT has cleaned 9.1 million distinct machines since 2005, 1.4 million distinct machines in 1H08. You can find a full list of malware families cleaned by MSRT here.

 

MSRT Telemetry – all time

Family

Distinct Machines Cleaned

Win32/Rbot

5,974,075

Win32/Sdbot

2,035,420

Win32/IRCbot

1,162,927

Win32/Gaobot

370,456

Win32/Spybot

309,662

Win32/Wootbot

193,239

Win32/Codbot

108,640

Win32/Esbot

68,667

Win32/Spyboter

47,888

 

MSRT Telemetry – 1H08

Family

Distinct machines cleaned

Win32/Rbot

950,013

Win32/Sdbot

270,153

Win32/IRCbot

234,704

Win32/Spybot

21,723

Win32/Wootbot

21,541

Win32/Gaobot

11,923

Win32/Codbot

1,746

Win32/Spyboter

564

Win32/Esbot

221

That's over 10 million distinct removals of these malware families alone! Perhaps this graph will put things into a little more context:

MSRT IRC Bot Graph

Win32/Rbot, Win32/Sdbot, and Win32/IRCbot remain to be amongst the top threats over the past 12 months. The trend is generally downward, but it's clear that these threats aren't going away. For more telemetry, please take a look at our Security Intelligence Report.

We plan on continuing our assault on IRC-based threats, so keep your eyes on this space for more information.

-Scott Wu & Tareq Saade