Home > Articles

  • Print
  • + Share This
From the author of

THR34T Krew: Day 2, Night

After a nice evening with my wife and daughter, I was ready to attack the dump file. Using Ethereal, I loaded up the file using a filter to show only the traffic going to and from the hacked server's IP address. Once the file was loaded, which took a few minutes, I quickly spotted the IRC traffic. Sure enough, just as I had guessed, there was a session open between the hacked server and an IRC server. As illustrated in Figure 3, it was easy to spot the room name and the general type of activity the Trojan IRC daemon seemed to be passing back and forth.

Figure 3Figure 3 Captured IRC packets.

While I was hoping for some more information, such as the username/password used to access the back doors on the server, my dump provided nothing else of value. So, I downloaded mIRC and configured it to connect to the IRC server in question. Once I was connected, it became apparent that this was no typical mainstream chat server. In fact, my first thought was that this was an IRC warez server, which is typically used as Internet-based software swap rooms. Using the /list command, I pulled up the public channels. The room listing confirmed my idea. But as with many things in life, you can't judge a book by its cover.

Thanks to my data capture, I knew what room I was looking for (#tkworld). So, I typed /join #tkworld and was told I needed a password. Stumped! I tried a few obvious passwords, but to no avail. Next I tried to connect to #tkworld1, which also showed up in the dump file. This worked. I was in! As I excitedly chortled to myself while the member list loaded, my laugh quickly turned to a sharp breath of air as I discovered there were hundreds and hundreds of other "people" in the room with me.

It slowly dawned on me that my client's server was only one of hundreds, if not thousands, of infected computers that connected to this chat room. I was in shock! Page after page after page of usernames scrolled by, each with a name starting with "TK" but ending in a systematically increasing number/character combination. It slowly dawned on me that my client's hacked server was probably one of the first victims of a new worm.

While I was in the room, I started looking at user information to see if it would tell me anything new. As you can see in Figure 4, the user information basically confirmed that everyone was infected with the same IRC Trojan going by the name of Tkbot (or THR34T Krew's bot, depending on how you looked at it).

Figure 4Figure 4 IRC client information.

  • + Share This
  • 🔖 Save To Your Account