Am I the only one that thinks this kind of thing would be cool to see? I've seen logs of attacks, but I've never watched a botnet IRC live. That would be crazy for me. Not really moving the conversation forward, but is this so commonplace that I'm the odd man for marveling?
I read that shortly after it was originally published. And I thought to myself: COOL!
I was seventeen. I had a spare Windows 95c (or was it 98se?) box lying around, and some experience with inctrl5, a Linux box which could operate as a router, and some basic knowledge of tcpdump(1). Importantly, I could also script the behavior of an IRC client.
At the time I was a channel operator in a relatively popular IRC channel on EFnet... "Don't ask to ask!" :) Users would come in and request assistance with malware all the time, so I was already roughly familiar with the mechanisms of infection and CnC.
This is a long story that I must cut short: I ended up in the same CnC room as Gibson did. Not the same type--the same one. I met some of the people in the story. :D
I used to do that for fun. It was a lot easier back when SDBot and AgoBot were the shit.
The trick I used was to go on some xdcc network, change nickname to one similar to the bots and just wait. Sooner or later one of the botnet owners tried to authenticate and soon after I would exit with a ping-timeout.
Then you could just log into one of them, get a list of processes and download the one with a random name. It was pretty easy and you could get your hands on a few thousand bots in a weekend.
Oh the joy of running "!uninstall" while the owners were in the chatroom...
You might find this paper about stealing a botnet interesting [0]. Even though it's five years old, the crazy stuff these researchers found is still amazing.
To be honest, it's not that interesting. If it's a well-configured IRC host then you will not be seeing any of the other bots, and all you will occasionally see is a command coming by from a generically named operator. Some botnet IRCs are lazily configured, and will let you see all of the other bots as part of the channel, but generally will not let you speak. The bots usually have nicknames built from the host's computer name, username, country, etc.
It's interesting, but in itself is not that exciting in my opinion.
It was interesting the first few times watching them. Sometimes the commands are not even authenticated so you could do fun things like write a text file saying their computer was infected and then open it with notepad... or other things.[0] You aren't going to find many large scale botnets that still use IRC though. It is really amateur hour CnC.
[0] It probably is not really advisable to do even 'helpful' actions such as that, but when you are young you do careless things.
Expose a vulnerable Linux VM to the raw internet. Wait for it to get infected. Find the process that's connected to the CnC server using lsof. Use gcore to dump its memory to a file. Cat that into strings and look for the IRC channel and server. Or just watch it all in Wireshark but that's kinda boring. Have fun and stay safe.
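The "strings, then look for the IRC channel and server" step from the last comment, as an added example that is not part of the thread: it pulls printable runs out of a memory dump and collects server, channel and nickname indicators for triage. The sample bytes, the `.invalid` host name and the port list are constructed assumptions.

```python
import re
import sys

# Runs of 4+ printable ASCII bytes, the same default cut-off strings(1) uses.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Client-side IRC commands (RFC 1459) that carry the nickname or channel.
IRC_CMD = re.compile(r"\b(NICK|JOIN|PRIVMSG)\s+:?(\S+)")
# host:port pairs; the port list is an assumption (common IRC ports).
HOSTPORT = re.compile(
    r"\b([A-Za-z0-9.-]+\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})"
    r":(6660|6667|6697|7000)\b"
)

def extract_strings(blob: bytes) -> list[str]:
    """Equivalent of `strings <file>` for an in-memory dump."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]

def irc_indicators(blob: bytes) -> dict[str, list[str]]:
    """Collect IRC C2 indicators found in a process memory dump."""
    found = {"servers": set(), "channels": set(), "nicks": set()}
    for s in extract_strings(blob):
        for cmd, arg in IRC_CMD.findall(s):
            if cmd == "NICK":
                found["nicks"].add(arg)  # noisy: review hits by hand
            elif arg[0] in "#&":  # JOIN/PRIVMSG aimed at a channel
                found["channels"].add(arg.split(",")[0])
        for host, port in HOSTPORT.findall(s):
            found["servers"].add(f"{host}:{port}")
    return {k: sorted(v) for k, v in found.items()}

# Constructed sample standing in for a gcore dump: binary noise with
# IRC protocol fragments left behind in the process heap.
SAMPLE = (
    b"\x7fELF\x02\x01\x00\x00" + b"\x00" * 16
    + b"irc.example.invalid:6667\x00"
    + b"\x01\x02NICK lab|USA|48213\r\n\x00\x00"
    + b"JOIN #lab-chan s3cret\r\n\x00"
    + b"PRIVMSG #lab-chan :ready\r\n\xff\xfe"
)

if __name__ == "__main__":
    # Pass a core file path (e.g. the file gcore wrote) or use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for kind, values in irc_indicators(data).items():
        print(kind, values)
```

Nickname hits are the least reliable of the three, since any string containing `NICK` followed by a word will match, so treat them as leads to confirm against the captured traffic.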