
Thr34t Security Krew and the TK Worm ◾ 27
member, but then DiSice would connect from random IP addresses when connecting
to victim machines that were infected with the TK IRC bot.
Looking at the registration information for the IP address that DiSice had used
to connect on several occasions, I observed the IP address was in the 12.xxx.xxx.xxx
netblock and belonged to AT&T DSL services. I tried to connect to the IP address
via FTP and was greeted with the FTP log-in prompt shown in Figure 2.19.
A WHOIS lookup of the domain name that was presented in the FTP greeting
banner showed it was registered to an individual in Chicago, Illinois. I found ...