Best Sniffer For Botnet Overtaking
Which sniffer would you recommend if I, for example, wish to analyse a botnet executable file in order to get login passes etc.?
Hey extreme
I think you have to crack the exe, but it's difficult. But you can try different methods like... running the exe with a firewall etc. and typing netstat; now you see the IRC server. Connect and type /list; now, when you are lucky, you see the chan. But everything is useless when it's a private server and auth host is on... But good luck. /greetz KuerbY
But what if it is Spybot, public, detectable, and I know the server and channel + key?
Hm, sit in the chan and wait for the botnet owners typing commands.
Remember the prefix and then type (prefix)uninstall. But when he changed the commands -> no success; when auth host is set on -> no success.
The best sniffer for such a thing must be Iris (eEye Digital Security), but it's not free.
Just download Ethereal for Windows and watch the outgoing traffic. It will show you the hex and ASCII values of the traffic going out. hxxp://www.ethereal.com. IRC is typically 6667, but anything around that range is going to be what you are looking for.
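As an added example, not posted by anyone in this thread, here is a small Python script that applies the "watch the outgoing traffic" approach from the defender's side. It recognises IRC protocol lines in outbound TCP payloads by their commands (NICK, USER, JOIN, PONG, ...) rather than by trusting port 6667, so a bot that talks IRC on port 7000 is still flagged, and it records which channels the host joined as detection context. The flows below are constructed sample data, not captured traffic; encrypted sessions would not match, which is the point the later post about IRCd without SSL makes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of outbound TCP payloads, in the form a sniffer such as
# Ethereal would show them: (dst_ip, dst_port, payload). Not real traffic.
SAMPLE_FLOWS = [
    ("203.0.113.10", 6667, b"NICK [DE]x7f3a9\r\nUSER x7f3a9 0 0 :x7f3a9\r\n"),
    ("203.0.113.10", 6667, b"JOIN #example-chan examplekey\r\n"),
    ("203.0.113.10", 6667, b"PONG :203.0.113.10\r\n"),
    # IRC on a non-standard port: a port-based filter would miss this one.
    ("203.0.113.22", 7000, b"NICK bot-0042\r\nUSER a b c :d\r\nJOIN #c2\r\n"),
    # TLS client hello and plain HTTP, which must not be reported as IRC.
    ("198.51.100.5", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("198.51.100.9", 80, b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

# Client-to-server IRC commands at the start of a line (RFC 1459 grammar).
IRC_LINE = re.compile(rb"^(?:NICK|USER|JOIN|PRIVMSG|PONG|PING|MODE)\b", re.I)
# JOIN <channel> [<key>]; the key, if any, is deliberately not recorded.
JOIN_LINE = re.compile(rb"^JOIN\s+(\S+)(?:\s+(\S+))?", re.I)
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697}


@dataclass
class IrcSighting:
    dst: str
    port: int
    on_standard_port: bool
    channels: list = field(default_factory=list)


def detect_irc(flows):
    """Return one IrcSighting per (dst, port) whose payloads contain IRC lines."""
    sightings = {}
    for dst, port, payload in flows:
        irc_lines = [ln for ln in payload.split(b"\r\n") if IRC_LINE.match(ln)]
        if not irc_lines:
            continue  # binary (TLS) or another text protocol (HTTP)
        key = (dst, port)
        s = sightings.setdefault(
            key, IrcSighting(dst, port, port in STANDARD_IRC_PORTS))
        for ln in irc_lines:
            m = JOIN_LINE.match(ln)
            if m:
                s.channels.append(m.group(1).decode("utf-8", errors="replace"))
    return list(sightings.values())


if __name__ == "__main__":
    for s in detect_irc(SAMPLE_FLOWS):
        where = "standard IRC port" if s.on_standard_port else "NON-STANDARD port"
        print(f"IRC to {s.dst}:{s.port} ({where}), channels joined: {s.channels}")
```

In a real capture the payloads would come from a pcap reader rather than a list, and the interesting alert is the second kind: plaintext IRC towards a port that no legitimate client on the host should be using.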
Use a combination of honeypot / sniffer.
If you let the program connect itself and watch it authenticate, you have everything you need to mimic it, then uninstall it. Unless there is actually a botnet owner with half a brain who uses hostname-specific authentication or even encryption of queries.
I've recently caught one and traced him to this IRC server, but there aren't any clear clues of what channel it is.
Most stupid asses compile the bot in debug and didn't disable C:\debug.txt. Look there.
Yeah, stupid kids.
No seriously, usually WinPcap/Ethereal does the trick with a simple botnet w/o advanced auth. Don't understand why so many idiots still run their botnets on a regular IRCd w/o SSL.
How about Snort (http://www.snort.org/)?