Eggheads: RE: Strange questions from a N00B
Jima
jima at beer.tclug.org
Mon Aug 28 08:58:28 CDT 2006
On Mon, 28 Aug 2006, Jeeves Moss wrote:
> I was wondering how well Eggdrop worked with Norton and routers. I can see
> that Norton and other AV scanners would LOVE to sink their teeth into this
> piece of software.
While at first glance most people would think AV software and routers
wouldn't be particularly bothered by a simple IRC bot, there are a couple
of odd bugs to consider.
1. Norton and "startkeylogger." Norton's firewall software (by default)
used to look for the phrases "startkeylogger" and "stopkeylogger" on port
6667. This was because of trojans using IRC-based "command and control"
networks to get orders from the botnets' "owners." Norton figured
whenever these phrases were used, it'd be a really good time to kill off
the TCP stream, to prevent the trojan from receiving the command. The
downside is, once this "feature" was discovered, anyone saying
"startkeylogger" in a crowded IRC channel could kill off anyone running
the affected software. (This behavior could be disabled, I believe, and
has since been fixed.) Google for Norton and startkeylogger for more
details.
2. Linksys/Netgear routers and 'DCC SEND "string" 0 0 0'. Same response.
I suspect it's some sort of parsing code to attempt to direct DCC
connections to the right host behind the router (I could be wrong). Also
apparently triggers if "string" is 15+ characters long. Googling "linksys
irc dcc 0" found some of the details I'd forgotten.
Not directly related to Eggdrop, of course, but they're worth noting for
academic purposes.
Jima
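
The failure mode in item 1, as an added example (not part of the original post and not Norton's code): a filter that resets on a bare substring match, beside an assumed alternative that parses each IRC line and reports who sent the phrase instead of dropping the connection. The function names, the alert-only policy and the sample traffic are constructed for illustration.

```python
import re

KEYWORDS = ("startkeylogger", "stopkeylogger")  # phrases named in the post
IRC_PORT = 6667

def naive_filter(port, data):
    """Rule as the post describes it: a phrase anywhere in the stream kills it."""
    text = data.decode("latin-1").lower()
    return "reset" if port == IRC_PORT and any(k in text for k in KEYWORDS) else "pass"

# RFC 1459 line: [":" prefix " "] command [" " params]
LINE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")

def parse_irc(line):
    """Split one IRC line into (sender nick, command, middle params, trailing)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = m.group("params") or ""
    if params.startswith(":"):
        middle, trailing = [], params[1:]
    else:
        head, _, trailing = params.partition(" :")
        middle = head.split()
    sender = (m.group("prefix") or "").split("!")[0]
    return sender, m.group("cmd").upper(), middle, trailing

def context_filter(port, data):
    """Assumed alternative policy: never reset on content a third party controls;
    report who sent the phrase and where, and let the traffic through."""
    findings = []
    if port != IRC_PORT:
        return "pass", findings
    for line in data.decode("latin-1").split("\r\n"):
        msg = parse_irc(line)
        if not msg:
            continue
        sender, cmd, middle, trailing = msg
        hit = any(k in trailing.lower() for k in KEYWORDS)
        if cmd in ("PRIVMSG", "NOTICE") and middle and hit:
            scope = "channel" if middle[0][0] in "#&" else "direct"
            findings.append((scope, sender, middle[0]))
    return ("alert" if findings else "pass"), findings

# Constructed sample: what a client in #chat receives when another user types the phrase.
SAMPLE = (b":alice!a@example.net PRIVMSG #chat :hello all\r\n"
          b":mallory!m@example.org PRIVMSG #chat :startkeylogger\r\n")
```

On the sample, `naive_filter` returns `reset` for every client in the channel, while `context_filter` returns an alert naming the sender and the channel and leaves the connection up.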