
SANS ISC: h00d IRC bot, localhost port 80 traffic - SANS Internet Storm Center SANS ISC InfoSec Forums

h00d IRC bot, localhost port 80 traffic
mIRC-based IRC bot "h00d.exe"

A user reported an mIRC-based IRC bot. McAfee identified the trojan as 'IRC/'. The filename of the listener was 'h00d.exe', and the trojan was found in C:\winnt\system32\have\h00d.exe .

A number of other files were found in the same directory.

As is typical for this class of malware, the trojan connected to an IRC channel for remote control. The IRC server involved no longer appears to be active.

'localhost' Port 80 Traffic

Brian Coyle suggested on our 'Intrusions' list that the port 80 traffic from 'localhost' is a side effect of the Blaster worm and countermeasures.

Some ISPs still resolve '' to ''. Blaster-infected systems will attempt to participate in the DDoS against this site. This DDoS uses spoofed packets. The host will send a spoofed packet to (=itself). This packet will generate a RST/ACK packet to the spoofed address.

The host whose address was spoofed will receive this packet if it is not dropped by egress/ingress filters.

It is recommended to remove the domain. In addition, the respective egress/ingress filters should be applied to prevent traffic from 'localhost' from leaving or entering your network.
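The filter logic described above, as an added example that is not part of the original diary: a Python classifier over raw IPv4 packets that flags any loopback address (127.0.0.0/8) seen on a non-loopback interface and singles out the RST/ACK-from-port-80 pattern. The interface names `lo` and `eth0`, the function names, and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
RST, ACK, SYN = 0x04, 0x10, 0x02
LOOPBACK_IFACE = "lo"  # assumed name of the loopback interface on the sensor

def build_packet(src, dst, sport, dport, flags):
    """Constructed sample: minimal IPv4 + TCP headers (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp

def classify(packet, iface):
    """Return a verdict for one raw IPv4 packet seen on interface `iface`."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if iface == LOOPBACK_IFACE or not (src in LOOPBACK or dst in LOOPBACK):
        return "ok"
    # A loopback address on a real interface must never be forwarded.
    if packet[9] == 6 and len(packet) >= ihl + 14:   # protocol 6 = TCP
        sport, = struct.unpack("!H", packet[ihl:ihl + 2])
        flags = packet[ihl + 13]
        if src in LOOPBACK and sport == 80 and (flags & (RST | ACK)) == (RST | ACK):
            return "drop: loopback-source RST/ACK from port 80"
    return "drop: loopback address on non-loopback interface"

SAMPLES = [  # constructed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges
    ("eth0", build_packet("127.0.0.1", "192.0.2.10", 80, 1042, RST | ACK)),
    ("eth0", build_packet("198.51.100.7", "192.0.2.10", 80, 1043, RST | ACK)),
    ("lo", build_packet("127.0.0.1", "127.0.0.1", 80, 1044, RST | ACK)),
    ("eth0", build_packet("192.0.2.10", "127.0.0.1", 1045, 80, SYN)),
]

def verdicts():
    return [classify(pkt, iface) for iface, pkt in SAMPLES]

if __name__ == "__main__":
    for (iface, _), verdict in zip(SAMPLES, verdicts()):
        print(iface, verdict)
```

The same two conditions (loopback source or destination on a non-loopback interface) are what an egress/ingress ACL on a border router or host firewall would match.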


Dec 18th 2003
