An IRC backdoor is usually a standalone file that copies its file
to Windows or Windows System folder and creates a Registry key to
start that file during every Windows session. Also some IRC
backdoors modify WIN.INI and SYSTEM.INI files or copy themselves
to startup folders for different users. Some IRC backdoors
replace INI scripts of an IRC client (mostly mIRC).
When an IRC backdoor is run, it established connection to an IRC
server or waits until a user connects to IRC (mIRC script-based
backdoor). A backdoor then creates a bot in a specific channel on
a specific IRC server. An IRC bot acts as a backdoor server
interface. An IRC client in this case acts as a backdoor client.
A hacker can give commands to an IRC bot using IRC interface.
Most of advanced IRC backdoors allow to get a limited access to
an infected system and to modify, upload, download and run files.
Some IRC backdoors have additional functionalities that allow a
hacker to perform malicious actions in IRC channels and in some
cases can allow an attacker to completely take over an IRC
channel.
Most famous IRC backdoors: SDBot, Roron, Nymph.
Writeup:
Alexey Podrezov, July 14th, 2003;
Description Updated:
Alexey Podrezov, May 24th, 2004;