Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Wetware Hacking :: Others :: in200203.htm

Social Engineering Attacks via IRC and IM IMC:
CERT Incident Note IN-2002-03: Social Engineering Attacks via IRC and Instant Messaging
CERT Coordination Center
HomeSite IndexSearchContactFrequently Asked Questions
Vulnerabilities, Incidents, and FixesSecurity Practices 
and EvaluationsSurvivability Research and AnalysisTraining and Education


Vulnerability Notes Database

Incident Notes

Current Activity


Tech Tips


Employment Opportunities

 more links
CERT Statistics

Vulnerability Disclosure Policy

CERT Knowledgebase

System Administrator courses

CSIRT courses

Other Sources of Security Information


Welcome to the new Incidents, Quick Fixes, and Vulnerabilities area of the CERT/CC web site.

Related Sites
Internet Security Alliance

CERT® Incident Note IN-2002-03

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Social Engineering Attacks via IRC and Instant Messaging

Release Date: March 19, 2002

A complete revision history can be found at the end of this file.

Systems Affected

Systems running Internet Relay Chat (IRC) or Instant Messaging (IM) clients


The CERT/CC has received reports of social engineering attacks on users of Internet Relay Chat (IRC) and Instant Messaging (IM) services. Intruders trick unsuspecting users into downloading and executing malicious software, which allows the intruders to use the systems as attack platforms for launching distributed denial-of-service (DDoS) attacks. The reports to the CERT/CC indicate that tens of thousands of systems have recently been compromised in this manner.

I. Description

Reports received by the CERT/CC indicate that intruders are using automated tools to post messages to unsuspecting users of IRC or IM services. These messages typically offer the opportunity to download software of some value to the user, including improved music downloads, anti-virus protection, or pornography. Once the user downloads and executes the software, though, their system is co-opted by the attacker for use as an agent in a distributed denial-of-service (DDoS) network. Other reports indicate that Trojan horse and backdoor programs are being propagated via similar techniques.

Here is an example of one such message:
You are infected with a virus that lets hackers get into your machine and read ur files, etc. I suggest you to download [malicious url] and clean ur infected machine. Otherwise you will be banned from [IRC network].

This is purely a social engineering attack since the user's decision to download and run the software is the deciding factor in whether or not the attack is successful. Although this activity is not novel, the technique is still effective, as evidenced by reports of tens of thousands of systems being compromised in this manner. See IN-2000-08: Chat Clients and Network Security for additional information.

II. Impact

As with any DDoS tool installation, the impact is twofold. First, on systems that are compromised by users running untrusted software, intruders may

  • exercise remote control
  • expose confidential data
  • install other malicious software
  • change files
  • delete files
These risks are not limited to the installation of DDoS agents. In fact, any time a user runs untrusted software these same dangers are present.

The secondary impact is to the sites targeted by the DDoS agents. Sites undergoing a DDoS attack may experience unusually heavy traffic volumes or high packet rates, resulting in degradation of services or loss of connectivity altogether.

III. Solutions

Home users

Run and maintain an anti-virus product

The malicious code being distributed in these attacks is under continuous development by intruders, but most anti-virus software vendors release frequently updated information, tools, or virus databases to help detect and recover from the malicious code involved in this activity. Therefore, it is important that users keep their their anti-virus software up to date. The CERT/CC maintains a partial list of anti-virus vendors at

Many anti-virus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.

Do not run programs of unknown origin

Never download, install, or run a program unless you know it to be authored by a person or company that you trust. Users of IRC and IM services should be particularly wary of following links or running software sent to them by other users, as this is a commonly used method among intruders attempting to build networks of DDoS agents.

Understand the risks

Users are encouraged to review our "Home Network Security" tech tip, which provides an overview of risks and mitigation strategies for home users.


Site administrators are encouraged to review our report on denial of service attack technology trends, as well as our recommendations for managing the threat of denial-of-service attacks.

Trends in Denial of Service Attack Technology

Managing the Threat of Denial-of-Service Attacks

Author(s): Allen D. Householder

This document is available from:

CERT/CC Contact Information

Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

To subscribe to the CERT mailing list for advisories and bulletins, send email to Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2002 Carnegie Mellon University.

Revision History

March 19, 2002: Initial release

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH