Zscaler security labs shares an informative analysis of IRC-based attacks, which have diminished since their peak back in 2007. However, these attacks are still present and have grown in sophistication, even though attacks today are more likely to use other vectors.


Far from going the way of the dodo as many had surmised, Internet Relay Chat (IRC) botnets are alive and thriving. A new study by security vendor Zscaler shows that IRC botnets, while not growing at a particularly rapid rate, continue to be active and have incorporated several new features over the years that make them as potent a threat as ever.

While the core C&C communication protocol that is used remains IRC, several new features have been added that make them comparable to some of the more sophisticated web-based botnets out there, he said. For example, IRC botnet operators these days use multiple servers and channels for command and control purposes, so they no longer have a single point of failure like before.

The link to Zscaler security labs' more in-depth report is as follows:


An IRC Botnet is a collection of machines infected with malware that can be controlled remotely via an IRC channel. It usually involves a Botnet operator controlling the IRC bots through a previously configured IRC server & channel. The Botnet operator, after appropriate checks, periodically moves the IRC bot to a new IRC channel to thwart researchers & automated sandboxes from monitoring the commands. In this blog, we will look at one of the most prevalent IRC-based malware families – DorkBot, followed by three additional IRC Botnet families – RageBot, Phorpiex, and IRCBot.HI.
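The multi-server, channel-moving behaviour described above leaves a trace in network captures that a defender can look for. The following is an added example, not code from Zscaler or the original post: it flags internal hosts whose IRC traffic spans several servers or several channels. The log format, the sample lines, the function names and both thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of client-to-server lines recovered from a network capture:
# timestamp, internal host, remote endpoint, raw IRC line. Addresses are
# documentation ranges, not indicators from the Zscaler report.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 198.51.100.7:6667 NICK n-4821
2024-05-01T09:00:02 10.0.0.5 198.51.100.7:6667 JOIN #alpha secretkey
2024-05-01T09:30:10 10.0.0.5 198.51.100.7:6667 JOIN #beta secretkey
2024-05-01T10:02:44 10.0.0.5 203.0.113.9:8080 NICK n-4821
2024-05-01T10:02:45 10.0.0.5 203.0.113.9:8080 JOIN #gamma,#delta k1,k2
2024-05-01T09:15:00 10.0.0.8 198.51.100.20:6667 NICK alice
2024-05-01T09:15:01 10.0.0.8 198.51.100.20:6667 JOIN #python
2024-05-01T09:20:00 10.0.0.9 192.0.2.80:80 GET /index.html HTTP/1.1
"""

# Match on IRC protocol verbs rather than on port 6667, so IRC on any port is seen.
IRC_LINE = re.compile(r"^(\S+) (\S+) (\S+) (NICK|USER|JOIN) (\S+)", re.IGNORECASE)

def profile_hosts(log_text):
    """Return {host: {"servers": set, "channels": list in first-seen order}}."""
    hosts = defaultdict(lambda: {"servers": set(), "channels": []})
    for line in log_text.splitlines():
        m = IRC_LINE.match(line.strip())
        if not m:
            continue  # not an IRC registration or join line (e.g. plain HTTP)
        _ts, host, server, verb, arg = m.groups()
        hosts[host]["servers"].add(server)
        if verb.upper() == "JOIN":
            # JOIN may carry a comma-separated channel list (RFC 1459)
            for chan in arg.lower().split(","):
                if chan and chan not in hosts[host]["channels"]:
                    hosts[host]["channels"].append(chan)
    return dict(hosts)

def flag_hosts(log_text, min_servers=2, min_channels=3):
    """Hosts meeting either threshold; both thresholds are assumptions to tune."""
    flagged = {}
    for host, p in profile_hosts(log_text).items():
        reasons = []
        if len(p["servers"]) >= min_servers:
            reasons.append(f"{len(p['servers'])} IRC servers")
        if len(p["channels"]) >= min_channels:
            reasons.append(f"{len(p['channels'])} channels joined")
        if reasons:
            flagged[host] = reasons
    return flagged
```

Calling `flag_hosts(SAMPLE_LOG)` reports only 10.0.0.5. A legitimate IRC user can also trip these thresholds, so treat a hit as a lead for triage rather than a verdict.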