IRC Botnets Are Not Quite Dead Yet

Far from going the way of the dodo as many had surmised, Internet Relay Chat (IRC) botnets are alive and thriving.

A new study by security vendor Zscaler shows that IRC botnets, while not growing at a particularly rapid rate, continue to be active and have incorporated several new features over the years that make them as a potent a threat as ever.

The focus of Zscaler’s analysis was on four new IRC botnet families that hit the company’s cloud sandboxes worldwide in 2015. The company identified the four botnets as DorkBot, IRCBot.HI, RageBot and Phorpiex. Of this, the most prevalent IRC botnet is DorkBot, according to the company.

Though the payloads from such botnets represented only a very small proportion of the new payloads for all known botnet families, they still represented a threat, said Zscaler researcher director Deepen Desai. The top five locations currently getting hit by IRC botnet payloads include the USA, Germany and India.

“In this era of sophisticated botnets with multiple C&C communication channels, custom protocols, and encrypted communication, we continue to see a steady number of new IRC based botnet payloads being pushed out into the wild [regularly],” he said in an emailed comment to Dark Reading.

IRC botnets were especially prevalent in the 1990s and early to mid 2000’s but have been gradually dwindling in numbers since then. Such botnets basically are comprised of a collection of infected systems that are controlled remotely via a preconfigured IRC server and channel. While such botnets can be effective, they are also susceptible to a single point of failure if someone were to take down the IRC server or channel of block IRC communications, he said.

Back in 2007, when there were still thousands of IRC botnets operating in the world, researchers found that most had a life span of just two months because of how easy they were to take down. That’s the reason why cybercriminals have moved to different web-based C&C communication channels over the years, he said. But what Zscaler’s analysis showed is that IRC botnets have evolved as well, Desai said.

While the core C&C communication protocol that is used remains IRC, several new features have been added that make them comparable to some of the more sophisticated web-based botnets out there, he said. For example, IRC botnet operators these days use multiple servers and channels for command and control purposes, so they no longer have a single point of failure like before.

Many use encryption to protect all IRC communication between an infected host and C&C server. New payloads, including new C&C information, are downloaded periodically from preconfigured URLS to infected systems and many use anti-analysis techniques to deter automated sandboxing, Desai said.

The enhancements don’t stop there. IRC botnets use the same kind of propagation methods that other botnets do including file injection, P2P applications, instant messaging, and via compromised removable drives. IRC botnets are also used for many of the same applications including for launching denial of service attacks, for installing or uninstalling other malware payloads for a fee and for stealing user credentials and other sensitive information.