Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Brian Eckman <eckman () UMN EDU>
Date: Fri, 3 Sep 2004 09:30:09 -0500

H. Morrow Long wrote:

> Note that we believe that we have also recently seen
> another expected evolutionary trend in IRC DDoS "bots"
> -- not just a use of ports outside the range 6666-7000 --
> but the use of encrypted IRC traffic, possibly IRC over SSL
> (which was going to TCP port 7000 in these cases btw),
> so as to escape detection by IDSes and human analysis.

Phatbot (aka Polybot) versions were seen using stunnel to encrypt
traffic this past spring (March and April). The servers I found were
apparently running stunnel on port 1331/tcp, which is what the bots
talked to. stunnel then presumably decrypted the traffic and passed it
up to port 6667/tcp on the same host, which was the C&C IRCd. Detection
was possible when the bots tried to spread to other hosts (then looking
for 1331/tcp traffic to the controller once it was discovered).

I regularly see the IRCd on a non-standard port. I'm currently tracking
botnets using 5555/tcp, 61637/tcp, 19899/tcp, 18067/tcp, 4356/tcp,
13001/tcp, and 65535/tcp. And these are only the non-standard ones I've
seen used in the past 4 days; I've seen many, many more ports used in
the past. Put simply, if you are solely counting on your port filtering
to prevent these worm-bots, you are failing already.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
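The practical consequence of Brian's point is that a detector has to look at what the traffic is, not which port it rides on. The following is an added example, not code from Brian Eckman, H. Morrow Long, or anyone else in this thread: it classifies constructed flow records by payload, flagging IRC protocol lines on any destination port and a TLS ClientHello going to a port where TLS is not normally expected (the stunnel-on-1331 pattern described above). The flow records, addresses and the set of "expected TLS ports" are assumptions made up for the example; real deployments would feed it the first payload bytes from a sensor such as a packet capture or flow exporter.

```python
"""Port-agnostic IRC C&C detection over constructed flow samples (added example)."""
import re
from dataclasses import dataclass

# The "standard" IRC range named in the thread. It is used only to label a
# verdict, never to decide whether a flow is IRC; that decision is content-based.
IRC_STANDARD_PORTS = set(range(6666, 7001))

# Ports where a TLS handshake is unremarkable (assumption for the example;
# tune to your environment). TLS to anything else gets flagged for follow-up.
EXPECTED_TLS_PORTS = {443, 465, 993, 995}

# IRC commands as they appear on the wire (RFC 1459 / RFC 2812). Server lines
# may carry a ":prefix " before the command, and server replies are 3-digit
# numerics such as "001" (welcome) or "366" (end of NAMES).
IRC_LINE = re.compile(
    rb"^(?::[^ \r\n]+ )?(NICK|USER|JOIN|PART|PRIVMSG|NOTICE|PING|PONG|MODE|TOPIC|\d{3})\b"
)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes exchanged on the connection (either direction)


def is_tls_client_hello(payload: bytes) -> bool:
    """SSLv3/TLS record header: content type 0x16 (handshake), major version 0x03,
    2-byte length, then handshake type 0x01 (ClientHello). SSLv2-style hellos use a
    different framing and are not matched here; that is a deliberate gap."""
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)


def irc_line_count(payload: bytes) -> int:
    """Count lines that parse as IRC protocol messages."""
    return sum(1 for line in payload.split(b"\r\n") if IRC_LINE.match(line))


def classify(flow: Flow, min_lines: int = 2) -> str:
    """Return a verdict for one flow. A single IRC-looking line is not enough,
    because words like "MODE" or "PING" show up in other text protocols;
    requiring min_lines keeps false positives down on short samples."""
    if is_tls_client_hello(flow.payload):
        return "tls" if flow.dport in EXPECTED_TLS_PORTS else "tls-nonstandard"
    if irc_line_count(flow.payload) >= min_lines:
        return ("irc-standard-port" if flow.dport in IRC_STANDARD_PORTS
                else "irc-nonstandard-port")
    return "other"


def scan(flows):
    """Classify every flow; returns (dst, dport, verdict) tuples."""
    return [(f.dst, f.dport, classify(f)) for f in flows]


def suspicious(flows):
    """Flows a port filter would not have caught: IRC off the usual range,
    or TLS to a port where nobody expects it."""
    return [t for t in scan(flows) if t[2] in ("irc-nonstandard-port", "tls-nonstandard")]


# Constructed sample flows (not real captures). Addresses are RFC 5737 test ranges.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 6667,
         b"NICK bot1\r\nUSER bot1 0 * :bot1\r\nJOIN #cc\r\n"),
    Flow("192.0.2.11", "198.51.100.6", 61637,
         b":irc.example 001 bot2 :Welcome\r\nPING :irc.example\r\n"),
    # ClientHello to 1331/tcp, the stunnel pattern described in the post.
    Flow("192.0.2.12", "198.51.100.7", 1331,
         b"\x16\x03\x01\x00\x41\x01\x00\x00\x3d\x03\x01"),
    Flow("192.0.2.13", "198.51.100.8", 80,
         b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("192.0.2.14", "198.51.100.9", 443,
         b"\x16\x03\x01\x00\x41\x01\x00\x00\x3d\x03\x01"),
]

if __name__ == "__main__":
    for dst, dport, verdict in scan(SAMPLE_FLOWS):
        print(f"{dst}:{dport:<5} {verdict}")
    print("follow-up:", suspicious(SAMPLE_FLOWS))
```

The TLS case only tells you that something is encrypted to an odd port; as the post describes, the confirmation came from the bots' own spreading behaviour and then watching for traffic to the controller. Treat the "tls-nonstandard" verdict as a lead to pivot on (which hosts talk to it, and what else they do), not as proof of IRC inside.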
