Monday, September 08, 2008 5:00 PM
by
mmpc
Cleaning Over 10 Million IRC Bots
No one could have anticipated all the ways that Internet Relay Chat (IRC) would eventually be used when it was 'created' in Finland during the late 1980s. People really started picking up on IRC in the early 1990s, and as with virtually all popular technologies, it started to get abused.
IRC enables a single user to communicate with many other users in the same "chat room" (known as a channel). Miscreants quickly realized that this architecture is very well suited for controlling multiple compromised machines at once, as instead of having to send instructions to each host (as was the case with traditional trojans)- they could simply send instructions to the channel. The fact that many underground channels exist where people discuss the various intricacies of these malicious applications caused IRC-related threats to become increasingly prevalent.
These IRC based threats grew enormously in popularity until around 2005-2006, where they started to peak out. These threats are still with us today, but their numbers are not increasing as rapidly as they once did—so although they're not exactly going away, they're definitely slowing down. Unfortunately there are a variety of new methods to command and control compromised hosts which don't involve IRC, but we'll leave those for another day.
People often ask what miscreants do with compromised computers. Below is a short list, but we will be describing threats and their exact behavior in more detail in the weeks and months ahead…
- Saved passwords may be stolen
- Keystrokes may be recorded
- Credit card data may be stolen
- Software licenses and serial numbers may be stolen and pirated
- Identity may be stolen
- Email accounts may be compromised
- Spam messages may be transmitted
- Denial of service attacks may be initiated against other servers on the internet
- Pirated software, music, and pornography may be hosted and distributed
Those are some of the worst-case scenarios that we've seen happen to people who got infected with these malware families.
For all these reasons, it should come as no surprise that we've included IRC bot families in MSRT since our very first release. Here's a list of just some of the IRC-related threats that we've covered:
MSRT has cleaned 9.1 million distinct machines since 2005, 1.4 million distinct machines in 1H08. You can find a full list of malware families cleaned by MSRT here.
MSRT Telemetry – all time
|
Family |
Distinct Machines Cleaned |
|
Win32/Rbot |
5,974,075 |
|
Win32/Sdbot |
2,035,420 |
|
Win32/IRCbot |
1,162,927 |
|
Win32/Gaobot |
370,456 |
|
Win32/Spybot |
309,662 |
|
Win32/Wootbot |
193,239 |
|
Win32/Codbot |
108,640 |
|
Win32/Esbot |
68,667 |
|
Win32/Spyboter |
47,888 |
MSRT Telemetry – 1H08
|
Family |
Distinct machines cleaned |
|
Win32/Rbot |
950,013 |
|
Win32/Sdbot |
270,153 |
|
Win32/IRCbot |
234,704 |
|
Win32/Spybot |
21,723 |
|
Win32/Wootbot |
21,541 |
|
Win32/Gaobot |
11,923 |
|
Win32/Codbot |
1,746 |
|
Win32/Spyboter |
564 |
|
Win32/Esbot |
221 |
That's over 10 million distinct removals of these malware families alone! Perhaps this graph will put things into a little more context:
Win32/Rbot, Win32/Sdbot, and Win32/IRCbot remain to be amongst the top threats over the past 12 months. The trend is generally downward, but it's clear that these threats aren't going away. For more telemetry, please take a look at our Security Intelligence Report.
We plan on continuing our assault on IRC-based threats, so keep your eyes on this space for more information.
-Scott Wu & Tareq Saade
