IRC Bot/Script Wars

Introduction

Well, this is my contribution to reverser's bots reversing section. Until now I haven't contributed at all to reverser's excellent site, thinking that it would simply be a waste of time. That is, until I came across the Reality Cracking section. Reading through this, I discovered that there was not much there that I had not already "reversed". The discovery that I might actually have something to contribute that you +masters don't already know came as a bit of a wake-up call. Shortly afterwards I landed at the entrance to the bot wars section and then decided to have a go at "earning" access to the bot wars section. Perhaps you know everything I will discuss here, but what the hell, at least I tried :-). I plan to contribute an essay to the "Reality Cracking" section if this essay doesn't qualify me as worthy of entrance to the "Bot Wars" pages. (Hell, I'll probably send it in even if I do :-) )

Overview

Ok, basically this essay will be a compilation of the type of Bots/Scripts I have encountered on IRC, and methods of tricking, nuking, and combatting them. (BTW, Reality Cracking skills can be quite useful on IRC, as with a bit of psychology you can get your average clueless "w4r3z k1dd1e" to unknowingly give you the information you seek.) Some of these tricks will probably be old hat for some of you, but I hope most of you will find something new or interesting in here. Some of the methods I will teach in this essay will wander slightly off the topic of "Bot Wars", but with good reason. Anyway, you want to learn about IRC Bots, not read my blabbering, so onward to the battlefield! :-)

Advertisement Bots

The first type of bot that I will explain is the simple, annoying, and widespread "advertisement bot". This type of bot will be encountered on joining any large chat or warez channel on any of the large IRC networks (ie. EFNet, Undernet, DALNet, etc.) This bot works by sending a private message to every person joining the channel it is active on, thus (depending on your IRC client) flooding your screen, popping up numerous windows, or causing annoying beeps. Mostly these are worthless and dumb, eg. "f0r 4ll y0ur w4r3z/pr0n/cr4ck1ng n33ds cum 2 http://lamer.site.org/lamer/page.htm". Once in a while you will find something actually interesting in one of these messages or on one of these "k-k3wl w4r3z s1t3z" but on the whole you are wasting your time reading these messages and going to the sites.

The Passive Defences

The simplest way to combat the annoying effects of these bots is to setup your IRC client to ignore all private messages/notices for about 5 seconds after joining a channel. While being quite easy to implement, this has the nasty side effect of filtering out all of your genuine messages during that time. You can avoid that by setting your client not to ignore message from people with whom you have a chat window open to. However this is not possible in some IRC clients. Another approach is to have everyone ignored by default, and then to un-ignore anyone you send a message to. This also filters the "1 n33D h3Lp w1Th mY W4r3Z" message you get from time to time, but once again is not possible in some IRC clients. Finally, you can simply ignore all private messages/notices completely, and when you find it necessary to start a private chat, use DCC or start a new channel and make it +i (invite only).

The Active Defences

Ok, so you don't want to just ignore the bots, you want to get rid of them completely? Then this is where you need to look. The easiest way to get rid of one of these bots is to set up some clonebots yourself (see the tools section near the end of this essay) and set them to rapidly join and re-join the channel. The advertisment bot will attempt to advertise to each bot every time they join, and this will cause the IRC server to disconnect them for flooding. The more bots you use for this technique, the easier it is to disconnect the advert bot. However the problem with this technique is that it causes extreme annoyance for anyone else in the channel, and may get you banned. So do a /whois <bot name> to find out what channels the bot is in, then pick one of the worthless ones to perform this trick in. Please note, however, that using clonebots may get you banned from some IRC networks.

Another way of doing it is to create your own channel, then do a /invite <bot name> #channel to invite the bot to that channel. Depending on the bot's setup, it may automatically join the channel, or simply pop up a message to the owner of the bot. If the bot joins the channel, simply use the technique described above to kill the bot. Depending on how the bot is setup, you may have gotten rid of the bot until its owner notices. However, some bots are programmed to automatically reconnect and rejoin the channels they were in. If this is the case, then some more advanced techniques must be used. Typing /dns <bot name> will get you their IP address, which may then be used with a variety of "nuking" tools (see the tools section) to disconnect and/or crash the computer the bot is running on.

On some IRC networks/servers this kind of bot is banned, so getting rid of it will be as simple as reporting it to a Server Operater or IRCOp (the people responsible for administering the IRC network) who will usually kill them (force the server to disconnect them) with a warning, and then k-line them (ban them from the server) if they continue advertising. In fact, on many IRC networks/servers bots of any kind are totally banned.

Protection / Administration Bots

The purpose of these bots is to control an IRC network/channel(s) eg. automatically opping people, banning abusers, keeping the channel topic, keeping the channel open, passing on messages, etc. There are basically two kinds of these bots: the IRC server/network-run bots, and the privately run bots. The IRC server/network-run bots are the ones like W, X, and Y on Undernet, and the Nickserv, Chanserv, and Memoserv bots on DALNet and many other networks. Nickserv bots are the ones that allow you to register your nickname with a password that must be entered within a certain period of time after connecting otherwise you are killed. This stops people from taking over channels ie. deopping all the legitimate users by pretending to be a channel "reg" (regular, someone who has been in the channel for some time, and thus usually gets ops). Chanserv is also to prevent takeovers, by allowing one to de-op, kick, and ban people with the use of a channel password. Memoserv allows you to send a message to someone with a registered nickname even if they are not currently connected to the IRC network. The W, X, and Y bots on Undernet are basically Chanserv-type bots. Depending on the IRC network, these bots may actually be programs, or a part of the IRC server software.

The Passive Defences

Well, the purpose of these bots is usually to control a channel, and there's not much you can do to stop the owner of the bot setting it to ban you whenever you join. Just be nice to the people who run the channel/bots and you won't have too many troubles, unless they are assholes, which they unfortunately often are. (Hint: employ some "reality cracking" techniques)

The Active Defences

Now why on earth would you want to "nuke" one of these bots? To kick all the clueless warez kiddies from their warez channels and piss them off? You evil person! :-) Actually, these kind of bots are often used by the aforementioned warez kiddies to keep you out of your own channels after they have taken them over. You careless person you, how could you let them take your channels over? Serves you right. Well, I'm not going to help you. :-) Oh, ok, if you insist. Maybe I will teach you a trick or two after all. But only if you promise never to use them on someone else's channel. Of course, that thought would never cross your mind would it? Especially when you join one of the many "k1dd13 pr0n" channels on IRC and disgust yourselves at the content being exchanged, now would it? :-)

The simplest method is to change your nickname, and flatter the "k-k3wl d00d" with statements like "boy, are you 313373/3l33t/l33t or what!" or whatever other nonsense seems to be appropriate. Since you are probably the first, and last person to say things like that to him, he'll op you on the condition that "iF y3w d0 4nYtH1nG b4d 3y3 w1lL h4x0r y3w". Being the clueless lamer he is, he probably won't be able to do anything about it, especially if you are running some form of firewall eg. Conseal PC Firewall, NukeNabber (not so good tho), or something else. (You do know how to search the web, don't you?) Now that you have ops, de-op and kick the loser and his bot, and you are done. Make sure you de-op them simultaneously, and before you kick them otherwise the bot will protect the loser, and vice-versa. However, if he is slightly more clever he will have more bots than you can simultaneously de-op and then you are screwed. Bummer. (On some IRC networks the limit is 4 de-ops at a time, on others it is 6)

Well, not really. If these bots are advert bots as well, for example, you can use the techniques described in my advert bots section above. Or you can use the bogus ban technique. But what the hell is a bogus ban, you ask. There are two types of bogus ban. The first is when you set a ban with weird characters that the bot can't handle, and so it crashes. The other technique is to ban a whole bunch of people and then unban them, and then ban them, and then unban them, etc. Some bots will not be able to handle this, and will run out of memory and crash. Now that you have eleminated at least some of the bots, you can proceed to de-op and kick the remaining bots. For best results, of course, these steps should be performed in rapid succession.

Clone / Flood / War Bots

The Clone/Flood/War bot has the potential to be the most powerful, and the most annoying, and the most stupid kind of bot you'll ever meet. These bots range from the clone bots, which simply join and re-join the channel, flooding everyone with join and part messages, to the kind that spam you with thousands of messages, to the kind that spam you with CTCP PINGs, VERSIONs or other messages that are replied to by your IRC client, and thus cause you to be ejected from your server due to flood protection.

Passive / Active Defenses

The join/part bots are easy to protect against, simply program your client/script to ban anyone who joins a channel more than say 4 times in 10 seconds. If the bot is changing nicks, and also joning and rejoining continuously, then simply examine the hostname/IP address insted of the nickname. Also set your client to kick/ban anyone changing nicks more than say 5 times in 10 seconds. This will prevent annoying nick change floods. For text/CTCP flooding, most clients can also be set to ignore anyone who sends you multiple messages in a short period of time. Finally, annoying bots like these are banned on most IRC servers/networks, so report the bots to one of the Server Ops, or IRCOps and they will be killed and/or banned from the IRC network/server.

Tools

Ok, so you don't know how to program your IRC client to do the tricks described above, or you can't find programs to do it for you, so you want me to tell you how to do it? You lazy bastard! Go program it yourself :-). But I will give you some starting points and hints.

Firstly, a good IRC client is imperative. On the whole, I would say that mIRC (http://www.mirc.com/) is the most powerful, but pIRCh is also a popular favorite. One feature it has over mIRC is the ability to connect to multiple IRC servers at the same time. Both of these clients are available from TUCOWS, (http://www.tucows.com/), a valuable source of Internet Tools.

Next you should look for a good script. A little searching never hurt, but one of the best places to go for mIRC scripts is http://www.mircx.com/. One of the best mIRC scripts is 7thSphere v3.0, although you should ameliorate and change it to suit your own needs. It also comes with some useful utilities.

For nuking utilities, look for the following:

Do some research on TCP/IP and all of the numerous exploits available, and then write your own utilities. Linux source-code is available for almost all of these exploits. And get a good virus scanner (I recommend ThunderByte Antivirus), as many people think embedding viruses/trojans in nukers etc. is smart and "3l33t".

Taking it further

With the use of the /dns <nick> command you can find out the IP address of the bots/losers, obviously useful for stalkign purposes. Another command some people will not know of is /whois <nick> <nick>. This will give you not only the usual whois info, but also the length of time they have been idle, useful for establishing their time zone etc. You should also log every IRC session, to leave a record of what you have done/found out. Also, searching large archives of IRC logs may find you some interesting info :-). Use your imagination! Be creative! And most importantly, keep on learning and researching.

Well, that's it folks!

If you want to comment on this essay, you can e-mail me at sorceror_ts(at)hotmail(dot)com. English is my native language, but while I tried to keep spelling and grammar errors to a minimum in this essay, please don't e-mail me complaining about the few that I didn't find.

To reverser+: Well, what do you think? Am I just a clueless newbie rambling on about junk, or was this essay of a high enough quality to go on your bot wars page? <flattery-mode>Your site is one of the best sites dedicated to Reverse Engineering, and it is of the highest quality.</flattery-mode> (Hey you can't blame me for trying :-) )

Sorceror (And yes, I know that's the wrong spelling of "sorcerer")