
What is "DCC SEND startkeylogger"?

Sometimes, when idling on IRC, you may receive a DCC (file transfer) request that looks like this, with no address or port:

-!- DCC SEND from jrandom [ port 0]: startkeylogger [0 bytes] requested in channel #freenode

Or, occasionally, a half-assed attempt at one:


Sometimes bots spam these requests across entire channels to affect as many people as possible. They do so because this request triggers two bugs, both of which can temporarily disconnect you from IRC:

The “startkeylogger” bug

This attempts to abuse an overzealous firewall in Norton Internet Security.

Back in 2003, the Spybot worm used startkeylogger as the command to start the keylogger on the victim's machine. If you were using Norton Internet Security, and you received this word over IRC, Norton's firewall would helpfully terminate the IRC connection, even if you weren't actually infected with Spybot.

This misfeature has been fixed in newer releases of Norton Internet Security. If you are still affected, upgrade your firewall – or better yet, upgrade to a non-Norton product.

Linksys/Netgear NAT bug

Some old Netgear and Linksys routers (Netgear 614/624, Linksys WRT54G) would crash when receiving a malformed DCC request. (The router firmware is trying to set up automatic port forwarding, to allow the DCC connection to happen.)

There appear to be two versions of this bug:

  1. a DCC request with a single long argument (no source address/port):
    DCC SEND this-is-a-very-long-name
  2. a DCC request with its source address and port (and size) set to zero:
    DCC SEND foo 0 0 0
    Some say this is just a form of the above version.

Both bugs were reported in 2006, so the best workaround would be to upgrade your router to something from the current decade. Another 'fix' is to use an SSL connection when connecting to IRC (typically on port 6697), so the router never sees the DCC request in plaintext. Some networks have alternate ports for plain connections as well.
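As an added illustration (not code from the original page), the following Python filter shows how a client or bouncer could recognise the three shapes described above before they reach a fragile firewall or router: the bare "startkeylogger" token, a DCC SEND with no source address/port, and one with address/port/size all zero. The sample IRC lines, nicknames and hostnames are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines (not from the page) in raw IRC wire format; the
# CTCP payload is delimited by \x01 bytes.
SAMPLE_LINES = [
    ":jrandom!~j@example.invalid PRIVMSG #freenode :\x01DCC SEND startkeylogger\x01",
    ":jrandom!~j@example.invalid PRIVMSG #freenode :\x01DCC SEND foo 0 0 0\x01",
    ":jrandom!~j@example.invalid PRIVMSG #freenode :\x01DCC SEND this-is-a-very-long-name\x01",
    ":alice!~a@example.invalid PRIVMSG bob :\x01DCC SEND notes.txt 3232235777 6000 1234\x01",
    ":alice!~a@example.invalid PRIVMSG #freenode :hello there",
]

DCC_SEND_RE = re.compile(r"PRIVMSG \S+ :\x01DCC SEND ([^\x01]*)\x01")


@dataclass
class DccVerdict:
    is_dcc_send: bool
    reasons: list = field(default_factory=list)

    @property
    def should_drop(self) -> bool:
        return bool(self.reasons)


def classify_dcc_send(line: str) -> DccVerdict:
    """Flag DCC SEND requests that match the two malformed shapes from the page
    (missing address/port, or address/port/size all zero) and the
    'startkeylogger' token that trips the old Norton firewall rule."""
    m = DCC_SEND_RE.search(line)
    if not m:
        return DccVerdict(False)
    # Assumes an unquoted filename; a quoted name containing spaces would need
    # extra parsing before these positional checks apply.
    args = m.group(1).split()
    verdict = DccVerdict(True)
    if any(a.lower() == "startkeylogger" for a in args):
        verdict.reasons.append("startkeylogger token")
    if len(args) < 3:
        verdict.reasons.append("missing source address/port")
    elif all(a == "0" for a in args[1:]):
        verdict.reasons.append("zero address/port/size")
    return verdict


def filter_lines(lines):
    """Return only the lines a client would be allowed to see unchanged."""
    return [l for l in lines if not classify_dcc_send(l).should_drop]


if __name__ == "__main__":
    for l in SAMPLE_LINES:
        print(classify_dcc_send(l).reasons or "pass", "|", l)
```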