John Canavan Symantec Security Response
Over the last year, we have seen an explosive growth of IRC bots. New variants are emerging at the rate of over 600 a month making IRC bots the most prevalent Win32 threat. Their modular design and open source nature has allowed them to thrive, outwitting many signature based anti-virus products simply due to the vast numbers of variants being produced.
This paper will examine the core features of popular IRC bots and track their evolution from a single code base. This analysis will demonstrate how many of the common IRC bots such as Agobot, Randex, Spybot, and Phatbot actually share common source code. In addition, interesting techniques utilized by specific variants will also be presented.
Finally, the paper will discuss the reasons for the recent proliferation of IRC bots and the motivation behind distributing one including revenue generation, spam relays, adware installation, DoS attacks, and distributed computing.
