Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Brian Eckman <eckman () UMN EDU>
Date: Fri, 3 Sep 2004 09:30:09 -0500
H. Morrow Long wrote:
> Note that we believe that we have also recently seen another expected evolutionary trend in IRC DDoS "bots" -- not just a use of ports outside the range 6666-7000 -- but the use of encrypted IRC traffic, possibly IRC over SSL (which was going to TCP port 7000 in these cases btw), so as to escape detection by IDSes and human analysis.
Phatbot (aka Polybot) versions were seen using stunnel to encrypt traffic this past spring (March and April). The servers I found were apparently running stunnel on port 1331/tcp, which is what the bots talked to. stunnel then presumably decrypted the traffic and passed it up to port 6667/tcp on the same host, which was the C&C IRCd. Detection was possible when the bots tried to spread to other hosts (then looking for 1331/tcp traffic to the controller once it was discovered).

I regularly see the IRCd on a non-standard port. I'm currently tracking botnets using 5555/tcp, 61637/tcp, 19899/tcp, 18067/tcp, 4356/tcp, 13001/tcp, and 65535/tcp. And these are only the non-standard ones I've seen used in the past 4 days; I've seen many, many more ports used in the past.

Put simply, if you are solely counting on your port filtering to prevent these worm-bots, you are failing already.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
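The detection approach Brian describes (spot the bot when it scans to spread, then pivot to the long-lived connection it keeps to the controller on whatever port that happens to be, and finally find every other internal host talking to the same endpoint) can be implemented over flow records without caring about port numbers or payload. The following is an added example written for this thread, not code from the original post or from the University of Minnesota. The flow records are constructed, the field names (src, dst, dport, duration) and thresholds are assumptions, and 1331/tcp is used only because it is the stunnel port mentioned in the post.

```python
"""Pivot from a bot's spreading behaviour to its C&C endpoint using flow records.

Added example for the list thread above; not from the original post. The flow
records are constructed; in practice they would come from NetFlow/Argus/Bro logs.
Field names and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str       # internal source host
    dst: str       # destination host
    dport: int     # destination TCP port
    duration: int  # seconds the connection stayed open


Endpoint = Tuple[str, int]


def scan_flows(src: str, port: int, n: int) -> List[Flow]:
    """n one-shot connections from src to distinct hosts on one port (a propagation sweep)."""
    return [Flow(src, f"192.0.2.{i}", port, 0) for i in range(1, n + 1)]


# Constructed sample. 10.0.0.5 and 10.0.0.17 are bots: each sweeps 445/tcp and
# holds a long session to a controller on a non-standard port (1331/tcp, the
# stunnel front end from the post). 10.0.0.42 is a bot that has not scanned
# yet. 10.0.0.8 is a clean host with a long HTTPS session and a short, unrelated
# flow to the controller's IP on a different port.
SAMPLE_FLOWS: List[Flow] = (
    scan_flows("10.0.0.5", 445, 40)
    + scan_flows("10.0.0.17", 445, 25)
    + [
        Flow("10.0.0.5", "203.0.113.9", 1331, 3600),
        Flow("10.0.0.17", "203.0.113.9", 1331, 2900),
        Flow("10.0.0.42", "203.0.113.9", 1331, 1800),
        Flow("10.0.0.5", "198.51.100.7", 443, 900),   # bot host also browsing a web site
        Flow("10.0.0.8", "198.51.100.7", 443, 1200),  # clean host, same web site
        Flow("10.0.0.8", "203.0.113.9", 80, 5),       # same IP as controller, different port
    ]
)


def find_scanners(flows: Iterable[Flow], min_targets: int = 20) -> Dict[str, int]:
    """Hosts that contacted >= min_targets distinct destinations on a single port.

    Returns {src: scanned_port}. This is the 'bot tries to spread' signal.
    """
    seen: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        seen[f.src][f.dport].add(f.dst)
    return {src: port
            for src, by_port in seen.items()
            for port, dsts in by_port.items()
            if len(dsts) >= min_targets}


def controller_candidates(flows: Iterable[Flow], scanners: Dict[str, int],
                          min_duration: int = 600) -> List[Tuple[Endpoint, int]]:
    """Long-lived endpoints used by scanning hosts, ranked by how many scanners share them.

    The scanned port itself is excluded so the sweep does not pollute the result.
    A shared long-lived endpoint is a far stronger C&C indicator than one a
    single host keeps open (which may just be a web site or mail server).
    """
    shared: Dict[Endpoint, Set[str]] = defaultdict(set)
    for f in flows:
        if f.src in scanners and f.duration >= min_duration and f.dport != scanners[f.src]:
            shared[(f.dst, f.dport)].add(f.src)
    return sorted(((ep, len(hosts)) for ep, hosts in shared.items()),
                  key=lambda item: (-item[1], item[0]))


def peers_of(flows: Iterable[Flow], endpoint: Endpoint) -> List[str]:
    """Every internal host talking to the (ip, port) endpoint: the rest of the botnet."""
    return sorted({f.src for f in flows if (f.dst, f.dport) == endpoint})


def hunt(flows: List[Flow]) -> dict:
    """Full pivot: scanners -> ranked controller candidates -> members per candidate."""
    scanners = find_scanners(flows)
    ranked = controller_candidates(flows, scanners)
    return {
        "scanners": scanners,
        "candidates": ranked,
        "members": {ep: peers_of(flows, ep) for ep, _ in ranked},
    }


if __name__ == "__main__":
    report = hunt(SAMPLE_FLOWS)
    print("scanning hosts:", report["scanners"])
    for (ip, port), shared_by in report["candidates"]:
        print(f"{ip}:{port} held open by {shared_by} scanner(s); "
              f"all hosts using it: {report['members'][(ip, port)]}")
```

Note that the quiet bot 10.0.0.42 is found only through the pivot, not through its own behaviour, and that the clean host's short flow to the controller's IP on 80/tcp is not counted because the match is on the (ip, port) pair. The single-host candidate 198.51.100.7:443 is reported too, ranked below the shared one; in practice you would compare such candidates against known-good destinations before acting on them.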
Current thread:
- Re: IRC, IM Proxy Implementations, (continued)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 02)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 03)
- Re: IRC, IM Proxy Implementations Brian Eckman (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Iglesias (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Porter (Sep 05)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
(Thread continues...)