25

What is so special about IRC that hackers use it to do online meetings, ignoring every other option, like messengers or social media?

It seems to be so secure that it gets used to send commands to victims' computers instead of just sending them directly (called a "botnet", right?)

schroeder

Ulkoma

5 Answers

31

In addition to Rory's points...


Internet Relay Chat is actually incredibly insecure

I don't think IRC is in any way secure by default. Almost all servers utilize communication through plaintext. Your ISP can snoop on the contents easily. All of your messages, in general, are unencrypted. You have to install addons to enable encrypted communications, if they're even done right.

Even if the server itself encrypts the messages/uses SSL, it's a moot point: everyone can connect and read what you're saying unless you encrypted it on your end. IRC admins can read your private messages as well.

The vast majority of servers I've visited also expose your IP address to everyone unless you're behind a proxy or VPN, so there's no real anonymity. Even the ones that partially mask your IP will show part of where you are. For example: Random432342.hsd1.ca.comcast.net. While other servers will block everything, all IRCops/admins know the real IP you're connecting from. What's to stop them from cooperating with law enforcement?

Your IRC client could also be vulnerable to buffer overflow attacks / string formatting vulnerabilities / etc. Or maybe you'll just click on a drive-by-download link...


Does true anonymity exist on IRC?

Some people have a different definition of anonymity than me. Rory's definition is correct in the context of being anonymous to most people, but that's not the definition I subscribe to. For me, anonymity is being anonymous to everyone, no matter what.

How do you think people keep getting busted even though they're "behind 7 proxies"? If you're behind a proxy/vpn, you're still communicating with the IRC server. Your proxy/VPN is connected to that IRC server, and you are connected to that proxy/vpn server at a specific time.

Once you send text, whether it's encrypted or not, all law enforcement really needs to do is line up timestamps, even if it's encrypted. Lag delay? Yeah, that's very easy to account for. Soon, a very clear pattern will emerge, and your entire proxy/VPN chain will be quickly unraveled to the source.

How can they do that? XKeyscore, Prism.

Right now, true anonymity doesn't really exist on IRC.


But Mark Buffalo, I've never been caught!

They either don't care about you because you're a small fry who doesn't matter, or they're slowly building up a case to get you on maximum charges. Or you're simply out of their jurisdiction, but they're still ready to pounce.


Maybe this "security" is actually a jurisdiction issue?

I think part of the confusion here is jurisdiction. Jurisdiction can offer tremendous security if there's a refusal to co-operate. This is why many criminals may still be around after "getting caught."

If you're in another country which refuses to cooperate with the law enforcement of another country, you might be safe from prosecution, but you'll probably still be indicted on charges. So as long as you never enter that country...

Mark Buffalo
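The "line up timestamps" step in the answer above, as an added example that is not part of the original answer: it correlates a VPN gateway's connect log with an IRC server's accept log and counts which inside client recurs alongside each nick. Both logs and the 3-second lag window are constructed assumptions for the example.

```python
"""Added example (not from any of the answers on this page): time-based
correlation between a VPN gateway's connection log and an IRC server's
connection log. Both logs are constructed; the lag window is an assumed value."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log of the inside leg: clients connecting to the VPN gateway.
VPN_LOG = """\
2016-02-13 21:58:03 connect client=198.51.100.7 session=a1
2016-02-13 22:00:11 connect client=203.0.113.42 session=b2
2016-02-13 22:00:14 connect client=198.51.100.9 session=c3
2016-02-13 22:41:50 connect client=203.0.113.42 session=d4
2016-02-13 22:41:52 connect client=198.51.100.7 session=e5
"""

# Constructed log of the outside leg: the IRC server accepting connections
# from the VPN's egress address 192.0.2.10.
IRC_LOG = """\
2016-02-13 21:58:04 accept src=192.0.2.10:40122 nick=alpha
2016-02-13 22:00:12 accept src=192.0.2.10:40187 nick=bravo
2016-02-13 22:41:51 accept src=192.0.2.10:41003 nick=bravo
"""

# Assumed tolerance for proxy/VPN lag between the two legs.
WINDOW = timedelta(seconds=3)


def parse_log(text):
    """Yield (timestamp, {key: value}) for each 'YYYY-MM-DD HH:MM:SS word k=v ...' line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        yield ts, fields


def correlate(vpn_text, irc_text, window=WINDOW):
    """For every IRC connect, count which VPN clients connected within the window.

    Returns (hits, seen): hits[nick] is a Counter of candidate client IPs,
    seen[nick] is how many IRC connects for that nick were examined."""
    vpn_events = list(parse_log(vpn_text))
    hits = defaultdict(Counter)
    seen = Counter()
    for ts, fields in parse_log(irc_text):
        nick = fields["nick"]
        seen[nick] += 1
        for vts, vfields in vpn_events:
            if abs(vts - ts) <= window:
                hits[nick][vfields["client"]] += 1
    return hits, seen


def best_candidate(hits, seen, nick):
    """Return (client_ip, matching_connects, total_connects) for the most
    consistent candidate. One event is ambiguous (several clients fall in
    the window); the ratio only tightens as more connects accumulate."""
    ip, matches = hits[nick].most_common(1)[0]
    return ip, matches, seen[nick]


if __name__ == "__main__":
    hits, seen = correlate(VPN_LOG, IRC_LOG)
    for nick in seen:
        print(nick, best_candidate(hits, seen, nick), dict(hits[nick]))
```

On this sample "bravo" is ambiguous after one event (two inside clients fall in the window) and resolves to 203.0.113.42 after two. The block shows only the mechanics on a handful of events; whether it works against a busy gateway carrying thousands of concurrent flows is exactly what a later answer on this page disputes.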
13

Anonymity is the main one:

  • you can use IRC servers anywhere, or set up your own, rather than be tied in to centralised messengers
  • you don't need any personal data tied to your IRC account, so tracing you is next to impossible
  • any time you send commands directly, you are much more directly discoverable, whereas a botnet using IRC is next to impossible to trace back

And for ease of use, it is entirely text based - so commands can be easily sent and received.

Additionally - it has been around longer than most of the other messenger tools, so it is well understood, there are free clients for every platform, and there are millions of IRC instances on the Internet.

Rory Alsop
  • You make some good points. However, while anonymity in the context of being anonymous to most users is correct, a criminal should not expect to be completely anonymous to law enforcement while on IRC. OP is specifically talking about hackers and pirates, both of which frequently engage in illegal activity. XKeyscore and PRISM are logging the bulk of connections and communications worldwide, and using those tools, it's very easy to unravel most proxy/VPN chains. – Mark Buffalo Feb 14 '16 at 03:06
8

Rory did a good job of answering the IRC part, but to answer the second part about botnets, it's not that IRC is or isn't secure.

What's a botnet?

A botnet is a collection of devices, usually computers (but can also be cellphones and pretty much any other internet-connected device, like a refrigerator), that are connected to a C&C server to receive commands. Botnets can actually be used for good, but what makes the news of course is the botnets that aren't used for good.

C&C?

C&C, sometimes seen as CnC, CNC, or CC, is Command and Control. As Rory mentioned, IRC has been around for a very long time, is text-based so it is easy to write clients for it, and is easy to set up. C&C services exist on Twitter, GitHub, SMS, and other technologies; IRC is a go-to because of its simplicity. It also allows for an enormous number of bots to be controlled with relative ease.

So what about commands?

Commands are executed by the bots on behalf of the bot owner. Using the C&C service, the owner sends commands to one or more bots at a time. These commands can be sending spam, denial of service attacks, updating the client, looking for new devices to infect, and more.

h4ckNinja
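Two claims made on this page, that IRC is plain text simple enough to write a client for and that the prefix on every relayed line carries each sender's hostname or IP, as one added example that is not part of any answer here: a minimal parser for the IRC wire format (`[':' prefix] command params [':' trailing]`) run over a constructed capture. The nicks, the 203.0.113.5 address and the chat text are constructed; the comcast hostname is the illustration used in the first answer.

```python
"""Added example (not from the answers on this page): a minimal parser for
the IRC wire format applied to a constructed plaintext capture. Everything
in CAPTURE is constructed for the example."""
import re

# Constructed capture of lines a server relays to members of #chan.
CAPTURE = """\
:alice!~alice@Random432342.hsd1.ca.comcast.net JOIN :#chan
:bob!bob@203.0.113.5 PRIVMSG #chan :anyone around?
:alice!~alice@Random432342.hsd1.ca.comcast.net PRIVMSG #chan :yes, reading
:bob!bob@203.0.113.5 PRIVMSG alice :the server relays this private message too
PING :irc.example.net
"""

# nick!user@host; user and host are optional (server prefixes have neither).
PREFIX_RE = re.compile(r"([^!@]+)(?:!([^@]+))?(?:@(.+))?")


def parse_message(line):
    """Split one IRC line into (prefix, command, params); the trailing
    parameter (everything after the first ' :') is the last element of params."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    if " :" in line:
        head, trailing = line.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0], params[1:]


def split_prefix(prefix):
    """Break 'nick!user@host' into (nick, user, host); user/host may be None."""
    return PREFIX_RE.fullmatch(prefix).groups()


def exposed_hosts(capture):
    """Map each nick seen in a prefix to the host the server shows for it."""
    hosts = {}
    for line in capture.splitlines():
        prefix, _, _ = parse_message(line)
        if prefix:
            nick, _, host = split_prefix(prefix)
            if host:
                hosts[nick] = host
    return hosts


def messages(capture):
    """Return (sender, target, text) for every PRIVMSG in the capture,
    channel messages and private messages alike."""
    out = []
    for line in capture.splitlines():
        prefix, command, params = parse_message(line)
        if command == "PRIVMSG" and prefix:
            nick, _, _ = split_prefix(prefix)
            out.append((nick, params[0], params[1]))
    return out


if __name__ == "__main__":
    print(exposed_hosts(CAPTURE))
    for sender, target, text in messages(CAPTURE):
        print(f"{sender} -> {target}: {text}")
```

Nothing in the parser is specific to chat: a bot that receives orders over IRC reads exactly these lines and acts on the trailing parameter of PRIVMSG, which is why the protocol is so easy to build a client for, and why anyone in the channel (or on the path, when the link is not TLS) sees the same text and the same hostmasks.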
2

IRC is not centralized like Twitter, Facebook, Discord, Slack, ICQ, which makes it harder to track, especially if a closed group runs their own IRC server. A server can be set up in 5 minutes from open source projects.

On the other hand, as the other comments say, it is an insecure protocol. A lot of chatters turn logging on and keep old chat logs forever. You can never know how many or who is logging. The logs can be used for legal action years later. A huge number of Anon/LulzSec prosecutions back in 2011 were able to use IRC chat logs as evidence against hackers and DoS participants.

As for using IRC to control a botnet, that's not because IRC is secure, it's because IRC is the simplest way to assemble thousands of bots/drones in one place and send them commands. Also, there are hundreds of IRC servers open to the public. The botnet operators set up a channel on some medium-size IRC server and try not to get noticed by the IRC server operators, but their own connections are stored in the server logs, so if they connect to IRC using their own IP addresses, they're easy for law enforcement to track, even years later.

"Very easy to unravel most proxy/VPN chains"? Not really. Mark Buffalo has no clue what XKeyscore and PRISM really are. XKeyscore is nothing more than a search tool for various data collections, which do not have the capacity to trace network hops. PRISM is a limited data collection which doesn't record any network links except source IP addresses. Also, these are NSA tools, for USA espionage, not for law enforcement against botnets and similar.

Yes, the NSA does bulk data collection, but "very easy to unravel most proxy/VPN chains" is not enabled by this. Some time-based link correlation is possible, but in a general sense, a VPN gateway looks like a mess of TCP connections coming in and going out again, with no correlation between in links and out links, and no plaintext data.

Anyway, for most of the activity discussed here, the perpetrators expose their home IP addresses to the IRC server's connection log (or in the chat channel, logged by other users) at least once. See Parmy Olson's book We Are Anonymous for how the IRC servers leaked the perpetrators' details. Those guys could have escaped detection by renting a cheap VPS anonymously, installing an IRC server for their own use, disabling the server logs, only connecting to IRC with a VPN, and not using a snitching VPN service: HideMyAss exposed their arses.

2

I connected two IRC clients to a server over SSL and then tried to send a plain text file using DCC. I captured packets and looked into them and definitely no plaintext was sent. The text file could not be extracted from the packets. (Revolution IRC)

Jan
  • I do not know the DCC details, but what if it was only a simple compression or some very weak encryption (like XOR-ing with a repeated pattern)? – peterh May 22 '20 at 00:17
  • Could be. I think that clients cannot set up TLS link directly between them. – Jan May 23 '20 at 12:40
  • Maybe they could negotiate a pre-shared key on the server. – peterh May 23 '20 at 15:43
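The DCC handshake the answer and comments above are discussing, as an added example that is not part of the original answer: a DCC SEND offer is a CTCP payload (delimited by `\x01`) inside an ordinary PRIVMSG that passes through the server, carrying the sender's IPv4 address as a decimal 32-bit integer plus a port; the file itself then travels over a direct TCP connection between the two clients, which standard DCC leaves unencrypted unless both clients implement an encrypted variant. The sample line, nicks and addresses are constructed, and the filename is assumed to contain no spaces (quoted filenames are not handled).

```python
"""Added example (not from the answer or comments on this page): decoding and
building the CTCP handshake that DCC SEND passes through the server. The
sample offer is constructed; quoted filenames are not handled."""
import ipaddress
import re

# ':nick!user@host PRIVMSG target :\x01DCC SEND file ip port [size]\x01'
DCC_SEND_RE = re.compile(
    r":([^!\s]+)\S* PRIVMSG (\S+) :\x01DCC SEND (\S+) (\d+) (\d+)(?: (\d+))?\x01$"
)


def parse_dcc_send(line):
    """Return {from, to, file, ip, port, size} for a DCC SEND offer, else None.

    The ip field on the wire is the sender's IPv4 address as a decimal
    32-bit integer; the receiver connects directly to ip:port for the data."""
    m = DCC_SEND_RE.match(line)
    if not m:
        return None
    nick, target, name, ip, port, size = m.groups()
    return {
        "from": nick,
        "to": target,
        "file": name,
        "ip": str(ipaddress.IPv4Address(int(ip))),
        "port": int(port),
        "size": int(size) if size else None,
    }


def offer_line(target, name, ip, port, size):
    """Build the same offer from the sender's side: what the sending client
    writes to the server, which relays it to the target with a prefix added."""
    return f"PRIVMSG {target} :\x01DCC SEND {name} {int(ipaddress.IPv4Address(ip))} {port} {size}\x01"


if __name__ == "__main__":
    # Constructed offer as relayed by the server to the recipient.
    sample = ":jan!~jan@198.51.100.7 PRIVMSG peter :\x01DCC SEND notes.txt 3221225994 5000 1234\x01"
    print(parse_dcc_send(sample))
    print(repr(offer_line("peter", "notes.txt", "192.0.2.10", 5000, 1234)))
```

With a TLS link to the server, this handshake is invisible to anyone between client and server; what a capture on the direct leg shows depends entirely on how the two clients chose to carry the file.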