Re: mIRC backdoors - an advanced overview

From: Alex Lambert (alambertat_private)
Date: Fri Feb 22 2002 - 15:45:14 PST


    These attacks are in no way new. However, recently, several mIRC worms using
    $decode have been spreading.  One of the more popular ones uses the promise
    of "giving the user op status" if he or she types the command. It also
    writes its own script to the user's remote file, further propagating the
    message, usually either named "Ä" or "god.dll". These can be easily removed
    by /unload-ing the script and removing the affected file.
    
    The allowed size of an IRC message can put certain restrictions as to how
    much "payload" a $encoded string can have. Although I have not seen such, it
    would be trivially easy to create a more powerful worm that persuades a user
    to install a backdoor with one command, and then exploits such to propagate
    itself via additional script lines sent via the now installed backdoor.
    
    Common sense is your best weapon in dealing with these types of things.
    Server-side filtering of $decode is also a feasible option on some IRC
    server software.
    
    
    
    apl
    ----- Original Message -----
    From: "ReDeeMeR" <g0tr00tat_private>
    To: <bugtraqat_private>
    Cc: <vuln-devat_private>
    Sent: Friday, February 22, 2002 10:21 AM
    Subject: mIRC backdoors - an advanced overview
    
    
    Find below a paper written on the topic of mIRC backdoors.
    
    Alternatively, find a real-world URL at
    
    http://packetstormsecurity.nl/irc/mIRC.txt
    
    or
    
    http://shells.cyberarmy.com/~johnr/docs/misc/backdoormircupdated.txt
    
    Thanks,
    -ReDeeMeR-
    
    redeemerat_private
    http://www.g0tr00t.net
    
    
    -----------------------------------------------------------------------
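As an added illustration of the server-side $decode filtering mentioned in the reply above (example code, not from either poster): a small Python scanner that flags PRIVMSG/NOTICE lines carrying a $decode() argument and decodes that argument for triage without ever executing it. The IRC line format, the constructed sample messages and the function names are my own assumptions.

```python
import base64
import binascii
import re

# Inbound IRC lines look like ":nick!user@host PRIVMSG #chan :text" (or NOTICE).
IRC_MSG_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>PRIVMSG|NOTICE) (?P<target>\S+) :(?P<text>.*)$"
)
# mIRC's $decode(data, m) is MIME/base64, $decode(data, u) is uuencode.
DECODE_RE = re.compile(
    r"\$decode\(\s*(?P<data>[^,()]+?)\s*,\s*(?P<mode>[mu])", re.IGNORECASE
)


def _decode_preview(data, mode):
    """Best-effort decode of the $decode() argument so an operator can read
    what the victim would have been tricked into running. Never executed."""
    try:
        if mode.lower() == "m":
            raw = base64.b64decode(data, validate=True)
        else:
            raw = binascii.a2b_uu(data)  # single uuencoded body line
        return raw.decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def inspect_irc_line(line):
    """Return a finding dict if the message carries a $decode lure, else None."""
    m = IRC_MSG_RE.match(line)
    if not m:
        return None
    d = DECODE_RE.search(m.group("text"))
    if not d:
        return None
    return {
        "sender": (m.group("prefix") or "?").split("!")[0],
        "target": m.group("target"),
        "mode": d.group("mode").lower(),
        "preview": _decode_preview(d.group("data"), d.group("mode")),
    }


def scan(lines):
    """Filter a batch of raw IRC lines down to the ones worth blocking/reviewing."""
    return [f for f in map(inspect_irc_line, lines) if f]


# Constructed sample traffic: one lure of the "type this to get ops" kind
# (with a harmless encoded payload) and one ordinary chat message.
PAYLOAD_B64 = base64.b64encode(b"/echo -a constructed sample payload").decode()
SAMPLE_LOG = [
    ":lure!u@host PRIVMSG #chan :type //$decode(%s,m) to get ops!" % PAYLOAD_B64,
    ":alice!u@host PRIVMSG #chan :hey, anyone seen the new release?",
]
```

Running scan(SAMPLE_LOG) reports only the first line, with the decoded command shown in "preview"; on a real server the same check would sit in the message path and drop or quarantine the line.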
    



    This archive was generated by hypermail 2b30 : Sat Feb 23 2002 - 05:50:51 PST