Full Version: Bot Sniffing
extreme
OK, I've set up a honeypot, and the first thing that went in was one SDbot...

So, I tried sniffing it to see if I can enter his botnet and remove all bots, but I failed..
With sniffing, I got information on which server and channel it went to..
I went there, and it said something like 50 users invisible, so I assumed that those 50 users were bots, since only me and the OP were visible on the channel..
I thought I should have gotten a Login command or something through the sniffer but I didn't get anything.. What exactly should I be looking for now, and with what program..
I tried 30 different sniffers, and none of them was very good.. The famous Iris for ex. doesn't even see my VMware network adapter...
FiNaLBeTa
QUOTE(extreme @ Dec 11 2004, 09:05 PM)
OK, I've set up a honeypot, and the first thing that went in was one SDbot...

So, I tried sniffing it to see if I can enter his botnet and remove all bots, but I failed..
With sniffing, I got information on which server and channel it went to..
I went there, and it said something like 50 users invisible, so I assumed that those 50 users were bots, since only me and the OP were visible on the channel..
I thought I should have gotten a Login command or something through the sniffer but I didn't get anything.. What exactly should I be looking for now, and with what program..
I tried 30 different sniffers, and none of them was very good.. The famous Iris for ex. doesn't even see my VMware network adapter...

Iris does work on VMware, tested it on several versions.
It seems pretty obvious what you have to look for. And Iris can even highlight it.
Removing the bots usually doesn't work, because you need admin privileges on the IRC server so you can adjust your hostname.

Do know that what you are doing is illegal too. Most likely that IRC server is located on a compromised host. And you are trespassing.

To take out the net:
Try contacting the owner/ISP of the irc server.
Usually the bot connects to an IRCD through a DNS name (DynDNS, no-ip etc.). Contact the service provider. Taking out the DNS will take out the net (the part that the admin does not save in time).
withdraw
Idle in the chan and wait for someone to login, they will enter something like "login <password>" in the chan or via private msg. Then log into all the bots with the same command and liberate (uninstall) all the bots. That will show that kiddie. You really don't need a sniffer, you can just use any irc client, just be sure to change your nick to something that looks like a bot name and change your ver reply to whatever the bots respond as.

***EDIT
The default sdbot command to login is ".login <password>", and to uninstall the bot it's ".remove"
x1`
well he still needs to set the auth on the irc server
/sethost, and whatever the host was in the bot config, which i think he doesn't know
so no, you can't login unless you have oper on the network to set the host auth, which you don't have as well
withdraw
Correct me if I'm wrong, but can't he just sniff that and then use that info to log into the irc server through any irc client?
AgentOrange
Some irc bots (ago/for/phat) have sniffers built in and they grep out needed irc bot net traffic.

Peace
extreme
From what I peeked, it seems to me that Ago and sim. bots are effective only if installed on the OP's machine..
Many SDbots I came across don't need /sethost to control them.. You just have to know the Login pass..
And now back to the most important question... I couldn't get Iris to recognise the VMware network adapter.. Ethereal did recognise it for ex. but not Iris.. I have a WinXP Pro default installation on VMware with the NAT option.. Who knows where the error is?
simply-me
hmmm, getting the password depends on how frequently the owner uses it. The more bots this guy has, the more difficult it is to get the password and liberate the bots. You can make a program which connects to the server just as if it were another sdbot, but if someone logs in then it sends the password to your email. Ask your friends to help by running the prog on their PC, but also include a system by which you could uninstall it easily from their PCs. If at a time there are 20 bots logged in to the server, of which 5 of them are your friends, and the owner logs in, you have a 25% chance you get the password. So this is the method one would be using if one wants to hijack the botnet. If you simply want to liberate the bots, do what finalbeta says.
whi7er
well what you could do is get carnivore from any phat/rxbot. and i don't know if it's possible for you, but then redo it a little to write into the command line instead of the irc sock. that should work since psniff (carnivore) is used by bot runners to sniff other botnets so they can steal them. i'll try to do this actually myself since most packet monitors suck at the moment. OR the problem could be he hasn't logged in or doesn't require a login (host authentication). so what you could try is to get as close to his host as possible by using a proxy... i don't know, bot running has evolved beyond packet sniffers' abilities.
dannypearmain
If you wanna sniff VMware traffic using Iris....

Set up your VM box to use "bridged networking" and have it connect to your LAN adapter (you will have to change the TCP/IP settings in Windows to a static IP & DNS server).

Then just fire up Iris to sniff the LAN; you may use filters to just sniff traffic from the VM box. Hope this helps, I do it all the time lol..
Zonko
From what I have seen before, IRC bot sniffers are normally of a very poor and buggy quality. As other people said, you'd be better off setting up a script that looks for someone typing "login" into the channel, rather than sitting there reading every line of text in the channel.
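One way to do what Zonko describes, as an added example that is not from the thread: a script that takes raw IRC lines (as a honeypot sniffer or IRC client log would hand them over), parses them, and records bot control commands on the channel. The login argument is redacted on purpose, since the useful output for a honeypot operator is the fact and source of C&C activity, not the credential. The nicks, hostnames and sample lines are constructed.

```python
import re

# SDbot defaults named in the thread; owners often rename them, so extend as needed.
BOT_VERBS = {"login", "remove"}

# Raw IRC line: optional ":prefix", command word or numeric, params, ":trailing".
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<middle>(?: [^: ]\S*)*)(?: :(?P<trailing>.*))?$"
)
BOT_CMD = re.compile(r"^\.(?P<verb>[A-Za-z]+)(?:\s+(?P<args>.*))?$")

def parse_irc(line):
    """Split one raw IRC line into prefix, command, params and trailing text."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {"prefix": m.group("prefix"), "cmd": m.group("cmd").upper(),
            "params": m.group("middle").split(), "trailing": m.group("trailing")}

def find_bot_commands(lines):
    """Return one event per PRIVMSG whose text is a known bot control verb.
    The 'login' argument (the password) is redacted: the aim is to record
    C&C activity on the channel, not to collect the credential."""
    events = []
    for line in lines:
        msg = parse_irc(line)
        if not msg or msg["cmd"] != "PRIVMSG" or msg["trailing"] is None:
            continue
        cmd = BOT_CMD.match(msg["trailing"].strip())
        if not cmd or cmd.group("verb").lower() not in BOT_VERBS:
            continue
        verb, args = cmd.group("verb").lower(), cmd.group("args") or ""
        events.append({
            "sender": (msg["prefix"] or "?").split("!", 1)[0],  # nick only
            "target": msg["params"][0] if msg["params"] else "?",
            "verb": verb,
            "args": "<redacted>" if verb == "login" and args else args,
        })
    return events

# Constructed sample capture (not real traffic), including a chat line that
# is not a command so it should produce no event.
SAMPLE = [
    "PING :irc.example.test",
    ":irc.example.test 353 sdb0t = #c0ntrol :@0wner sdb0t",
    ":0wner!kid@evil.example.test PRIVMSG #c0ntrol :.login hunter2",
    ":0wner!kid@evil.example.test PRIVMSG sdb0t :.remove",
    ":0wner!kid@evil.example.test PRIVMSG #c0ntrol :hello",
]
```

Running `find_bot_commands(SAMPLE)` yields two events: the channel login from nick 0wner with the password replaced by `<redacted>`, and the `.remove` sent by private message to the bot.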
ash^
A lot of people will rename the remove command, so unless you can unpack/decrypt their .exe and look at the .exe in a hex editor, you won't be able to remove the bots, and you will need the same hostname as the bot owner to login to the bots. Once he/she sees a bot with the same hostname (you faking to be a bot) you will more than likely be banned.