#10817 13/02/03 01:04 AM
Joined: Jan 2003
Posts: 31
T
Ameglian cow
OP Offline
I have observed that a relatively growing number of connections that look like infected IRC zombie drones reply to CTCP VERSION with:
mIRC 6.03 Khlade
mIRC v6.04 Khaled Mardam-Bey
mIRC v6.05 Khaled Mardam-Bey
mIRC v6.09 Khaled Mardam-Bey

These are not custom CTCP replies, just a clever ploy to masquerade as mIRC.

Khaled, if you read this, it may pay to skip .04 and .05 and go straight to 6.1 or something distinctly different.

Last edited by theAncinetOne; 13/02/03 01:30 AM.
Joined: Dec 2002
Posts: 212
V
Fjord artisan
Offline
this won't make them stop :)
although I believe .1 will be the next version (if we live long enough to see it! :( )


And all I need now is intellectual intercourse, a soul to dig the hole much deeper
Joined: Dec 2002
Posts: 2,985
Hoopy frood
Offline
I reckon the next version will be out in the next 7 days.

Joined: Dec 2002
Posts: 2,962
S
Hoopy frood
Offline
The trouble with that is if Khaled just goes to 6.1 what's to stop the CTCP replies changing to 'mIRC v6.1 Khaled Mardam-Bey'?


Spelling mistakes, grammatical errors, and stupid comments are intentional.
Joined: Dec 2002
Posts: 2,985
Hoopy frood
Offline
Not a thing. However, it allows people to, for a while, differentiate between a fair dinkum copy of mIRC and a modified copy or falsified version for a trojan.

Joined: Dec 2002
Posts: 2,962
S
Hoopy frood
Offline
For about 10 seconds. Or if the trojaner chooses they could return a reply of an already existing version. In other words, adjusting mIRC (albeit only in a tiny way) is somehow *wrong* and ultimately pointless. theAncinetOne has pointed out that some IRC bots return these replies, but there are 1000x more bots that return replies the same as mIRC - using CTCP version as any kind of trojan detector will be ineffective.


Spelling mistakes, grammatical errors, and stupid comments are intentional.
Joined: Dec 2002
Posts: 2,985
Hoopy frood
Offline
Just because someone decides, "Okay, I see this discussion on mIRC forum so I will release a new bot with a different version reply or no version reply" doesn't mean that someone will not use the older botnets to maximise the potential for a heavy attack. As per the example given, half of the people who make warbots can't even spell 'Khaled' let alone think for themselves on the version reply issue overall.

I think we can all agree that DDoS will remain a part of IRC life. Though it's not in anyone's interest to say "Ahhh well, they are going to think of something else so why bother". There has to be a continual, energetic and systematic approach to nailing 'em. This of course means that there will be more than one way of doing it.

Take one look at Dalnet. They fought against massive odds to remain in existence and have changed their policies, obviously to respond to what seems to some like a deal between Dalnet and certain influential parties to end the attacks. Yes it says on their AUP that the decision was made by Dalnet with no influence from other parties - they would have to say this in order to protect the integrity of their commercial-in-confidence arrangements. Of course the reason Dalnet was attacked might not apply to any other network but that is beside the point. The point is they covered just about every angle possible to avoid extinction. Having dealt with DDoS attacks myself I know for a fact that one simple change to one thing that lasts for 24 hours is a big step and buys opers a lot of time.
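The check debated in this thread, written out as an added example (not code from any poster or from mIRC): it parses CTCP VERSION replies from raw IRC lines and labels the ones quoted in the first post. The genuine reply layout, the set of released versions, and all nicks and hosts are assumptions made for the example.

```python
import re

# Assumption: 6.03 is the only release treated as genuine, since the thread
# implies it was current; extend this set for real use.
RELEASED = {"6.03"}
# Assumption: genuine layout, inferred from the strings the bots imitate.
GENUINE = re.compile(r"^mIRC v(\d+\.\d+) Khaled Mardam-Bey$")
CTCP = re.compile(r"^:([^!\s]+)\S* NOTICE \S+ :\x01VERSION (.*?)\x01?\s*$")

def classify(reply, released=RELEASED):
    """Label the text of one CTCP VERSION reply."""
    if not reply.lower().startswith("mirc"):
        return "other-client"
    m = GENUINE.match(reply)
    if m is None:
        return "malformed-mirc"      # claims mIRC, wrong layout or spelling
    if m.group(1) not in released:
        return "unreleased-version"  # right layout, version never shipped
    return "consistent"              # cannot be told apart from a real client

def triage(lines):
    """Map nick -> label for each CTCP VERSION reply found in raw IRC lines."""
    out = {}
    for line in lines:
        m = CTCP.match(line)
        if m:
            out[m.group(1)] = classify(m.group(2))
    return out

# Constructed sample: nicks and hosts are made up; the first four reply texts
# are those quoted in the first post, the fifth copies the genuine layout.
SAMPLE = [
    ":d1!a@h1.example NOTICE me :\x01VERSION mIRC 6.03 Khlade\x01",
    ":d2!a@h2.example NOTICE me :\x01VERSION mIRC v6.04 Khaled Mardam-Bey\x01",
    ":d3!a@h3.example NOTICE me :\x01VERSION mIRC v6.05 Khaled Mardam-Bey\x01",
    ":d4!a@h4.example NOTICE me :\x01VERSION mIRC v6.09 Khaled Mardam-Bey\x01",
    ":d5!a@h5.example NOTICE me :\x01VERSION mIRC v6.03 Khaled Mardam-Bey\x01",
    ":u6!a@h6.example PRIVMSG me :hello",
]

if __name__ == "__main__":
    for nick, label in triage(SAMPLE).items():
        print(nick, label)
```

The `consistent` label on the fifth line is the limit raised in the replies: a bot that returns an already existing version string passes this check.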

