Rootkits Connect to IRC Directly

Rootkits for Windows are the ‘hot’ thing among certain groups of people who like to keep their practices hidden on the computers of unknowing others.

Rootkits work in such a way that they can hide their processes from the user, making it hard to detect the rootkit, let alone remove it from the system. Although a rootkit in itself can be hidden from the user, often a rootkit alone is not enough to perform the tasks the malicious user wants accomplished. Providing an FTP server, connecting to IRC to receive commands and similar features are still provided by separate software, which can be detected and so reveal that a rootkit may be installed.

A European student has now written a proof of concept that shows that a rootkit can include functionality to join an IRC channel. IRC channels are often used to control botnets. Commands usually include ways to update the bot software, perform DDoS attacks, infect new machines and send email spam.

One of the effects of including this type of functionality at the level a rootkit runs at is its stealth. Not only is the process itself hard to detect, certain types of firewalls will also be unable to detect the traffic. One popular firewall which can be bypassed this way is, for example, Norton’s firewall.
