|Last article||Table of contents||Next article|
Strange Article - P2P and IRC, what is the connection ? by Slage Hammer
Let me do a little bit of history, the first P2P (peer to peer) network was Napster, and after some legal problems, almost everyone in the world, knew, even if not related to PC stuff, what P2P software and its purpose is. Nowadays the number of P2P networks is > 30 bigger or smaller, known, or not very known, it seems this is one of the families of software that will never die for now. About IRC (Internet Relay Chat), to he honest I don't know the history of IRC clients (is not my area of working) but for sure Mirc is one (maybe the one) more common in the IRC world of users but there are other clients like Trillian and others. IRC are virtual rooms organized trough IRC servers and channels were ppl discuss in real time about common interests. Now getting to the topic of this article, what is the connection (in what way are related) IRC and P2P networks ? For now does not exist any virus that is able to spread using P2P protocols but a large number of worms exist (they are identified in AV bases as Worm.P2P.XXXXXX or similar) that are able to spread through one or more P2P clients. The first P2P worms were able to spread only using Kazaa client, nowaday it's common to see one P2P worm that "supports" 8 or 10 different P2P clients. About Irc-Worms (they are identified in AV bases as Irc-Worm; Irc.Worm and similar ways) are worms that spread mainly using Mirc , Pirc, IRC clients. You, poor reader of this article, you will be pissed off because for now you don't see yet where or what the connection between IRC and P2P is, don't worry you are not stupid, I am getting to this point, pls wait.... P2P networks were to share MP3 audio files but after some times, were used more and more to share what is called in slang "Warez" that means Pirate software and every kind of crack, key-gen, and what is supposed to be porn and or illegal stuff. At this point P2P worm coders have only to write a smart names list with this kind of words as the file name of their P2P worms and the normal user will download, and execute a crack that in real has nothing to with a crack except the name. IRC worms spread through DCC, that means by file transfer from one user to another. As P2P worms were getting very common, irc worm coders discovered how to make an IRC worm / backdoor that is able to spread through one or more P2P clients, which makes an easy job spreading fast even because who doesn't have installed an IRC client for sure is a music or porn lover or at least downloads something from some P2P network, so makeing an IRC worm compatible with a P2P network is an excellent way to get it spread very fast. Just leaving connected one pc with the internet and put some infected files into the shared folder with "interesting names". Nowadays there are several of IRC.Backdoor or P2P.Worm (as always the name differs from one Av company to another AV company) and several versions of many backdoor / P2P worms. For sure one of the bigger families in this kind of malware is Spybot.Worm. To give you an idea how much Spybot worms are common: Counting the generic detection (McAfee and KAV for example have the generic detection), it's about 1200 / 1500 variants, maybe some 100 more. It's right the moment that what is called IRC.Worm is a "pure" code that spreads through IRC and what is made compatible to spread using both IRC and P2P is called IRC.Backdoor usually, but this is AV world and as you know, names in AV world are like pussy when you don't have a woman, something that is very hard to understand why / when and so on. One of the first IRC backdoors is what NAV calls W32.Kwbot.Worm and Backdoor.Sdbot. Just to give you an idea how fast the spreading of some versions of both was, AV companies discovered some IRC channels containing more than 20K infected users in one week. If you are interested in reading good descriptions of them, at the end of this article you will find some links to AV descriptions. In other words the "pure irc worms" evolved to IRC-backdoors with the abilities to spread through P2P clients to make it faster and easier. What is an IRC-Backdoor? Before to know this, we need to know what a backdoor is, of course. Backdoor is a malicious program that has an automatic payload to spread plus additional abilities that are not automatic but are performed only by request of its Master (coder). Here is an example of the way of infecting of a normal IRC-Backdoor. Some files are put into a shared folder of a common P2P client, one or more ppl download one of those files, thinking it is exactly the crack, key-generator or the porn movie or porn-download they are looking for and they execute it immediately (or later). When executed the IRC-backdoor tries to locate one or more p2p clients and copies itself with different file names (the hard coded list some times counts 100 or more file names) into the shared folder, registers itself in the registry and modifies the ini (configuration files or not) of the existing IRC client, establishes a TCP connection to a specific port of an IRC-Server and channel where the master is waiting for connection (infected user). When the infection is succefully done, it's Master time. Now, using his interface software, the master is able to do a long list of operations to every infected user like upload a new version of his code, download, execute, steal information and so on. Some links about the malwares I talked in this article: Spybot: http://www.viruslist.com/eng/viruslist.html?id=60639 http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html W32.Kwbot: http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.worm.html http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.c.worm.html http://securityresponse.symantec.com/avcenter/venc/data/w32.kwbot.p.worm.html Backdoor.Sdbot: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.html http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.p.html http://securityresponse.symantec.com/avcenter/venc/data/backdoor.sdbot.n.html http://www.viruslist.com/eng/viruslist.html?id=51544 Some Thankx goes to: - They guys who permitted me to publish this article. - Everyone who reads it (I think I will be the only one). - Pamela Anderson: thankx to exist, I like blond girls with big tits !! - Blaster Author: Hey bro, I need some money so if you decide to disclose your real name, pls share to me, we can make 50% and 50% of the 250k bucks offered by MS. (hehehe don't be offended it's just a joke) Any comment, suggestion and stuff, send me a mail. Thank you!