[Snort-users] mirkforce IRC attack

Brian Caswell bmc at ...312...
Fri Mar 9 08:41:13 EST 2001


Max Vision wrote:
> 
> If anyone has a copy of the source code for this please let me know or
> forward a copy.  All I have is an ELF binary called "mIRKfORCE-2"  and
> stripped version called "mIRKfORCE-glibc-hardcorde-rel-2" that was
> apparently compiled from "mIRKfORCE.c" which I don't have.  I obtained the
> binaries October 2000, but they seem to have been compiled March 2000
> (old!)
> 
> I didn't look at them until now because I thought they were Just Another
> Bot.  Thanks for the heads up Andrew!

I took a look at the binary when it hit SANS GIAC in October.  It is
Just Another Bot that has IRC attacks built into it.  I built snort
signatures for it in our attack lab, but after running them for 2 months
on 2 /16s all I got was false positives for normal IRC traffic.
(Usually MY IRC traffic :P)

None of the attacks are new.  Just easier for script idjits to break
things with.  If you have IRC signatures, then this thing will set them
off.


