These attacks are in no way new. However, recently, several mIRC worms using
$decode have been spreading. One of the more popular ones uses the promise
of "giving the user op status" if he or she types the command. It also
writes its own script to the user's remote file further propagating the
message, usually either named "Ä" or "god.dll". These can be easily removed
by /unload-ing the script and removing the affected file.

The allowed size of an IRC message can put certain restrictions as to how
much "payload" a $encoded string can have. Although I have not seen such, it
would be trivially easy to create a more powerful worm that persuades a user
to install a backdoor with one command, and then exploits such to propagate
itself via additional script lines sent via the now intsalled backdoor.

Common sense is your best weapon in dealing with these type of things.
Server-side filtering of $decode is also a feasible option on some IRC
server software.

apl
----- Original Message -----
From: "ReDeeMeR" <g0tr00tusa.net>
To: <bugtraqsecurityfocus.com>
Cc: <vuln-devsecurityfocus.com>
Sent: Friday, February 22, 2002 10:21 AM
Subject: mIRC backdoors - an advanced overview

Find below a paper written on the topic of mIRC backdoors.

Alternatively, find a real world URL at

http://packetstormsecurity.nl/irc/mIRC.txt

or

http://shells.cyberarmy.com/~johnr/docs/misc/backdoormircupdated.txt

Thanks,
-ReDeeMeR-

redeemerg0tr00t.net
http://www.g0tr00t.net

-----------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]