Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Richard Gadsden <gadsden () MUSC EDU>
Date: Fri, 3 Sep 2004 10:48:42 -0400
On Fri, 3 Sep 2004, Dave Monnier, IT Security Office, Indiana University wrote:
> Richard Gadsden wrote:
> > Granted, that is true. But what about the "stealthier" bot species that have since, in order to evade the port block countermeasure, moved their IRC traffic flows to non-standard ports? Are you able to detect those IRC traffic flows?
>
> Obviously it's not possible to identify bots by their encrypted IRCD traffic. They're undetectable regardless of what blocks are in place though. In our experience, detection of these hosts is generally done when they misbehave (scanning the rest of the subnet, brute-forcing accounts, or DDoS'ing other hosts) rather than by just communicating. Unfortunately this means that the host has to cause other trouble on the network before they can be identified as malicious.
Same experience here. In fact, what clued us in to the fact that bots were starting to use non-standard IRC channels was retrospective analysis of the flow data logged at the network border for specific hosts that were observed to be misbehaving. We started seeing "IRC-like" traffic patterns that matched up with the pattern of communication seen from a traditional bot-compromised host to a remote IRC server, only using different ports. This kind of retrospective analysis is useful enough for forensic/recovery purposes to make it a routine part of incident response, and it can even be used to reveal other compromised machines before they start overtly misbehaving (if they are found to be engaging in "IRC-like" communication with the same remote "IRC-like" server that a known-compromised host was observed to communicate with shortly before it began misbehaving).

-Richard

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
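The retrospective pivot described in the reply above, as an added example that is not part of the thread or of any list member's tooling: given border flow records for a host known to have started misbehaving at a given time, find the remote servers it held small, repeated, long-lived conversations with beforehand, then look for other internal hosts holding the same kind of conversation with the same server and port. The flow record layout, the thresholds and all addresses are assumptions; the records are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records (not real data): (start_time, src, dst, dport, bytes).
# 10.1.1.5 is the known bot; it began scanning port 445 at t=3000.
# The controller listens on 4441 instead of 6667 to evade the port block.
FLOWS = [
    (100,  "10.1.1.5",  "203.0.113.9",  4441, 3200),
    (700,  "10.1.1.5",  "203.0.113.9",  4441, 3000),
    (1300, "10.1.1.5",  "203.0.113.9",  4441, 3300),
    (1900, "10.1.1.5",  "203.0.113.9",  4441, 3100),
    (150,  "10.1.1.5",  "198.51.100.7", 443,  50000),   # one large web fetch
    (3000, "10.1.1.5",  "10.1.2.10",    445,  200),     # misbehaviour begins
    (120,  "10.1.1.77", "203.0.113.9",  4441, 3400),    # quiet second bot
    (720,  "10.1.1.77", "203.0.113.9",  4441, 3200),
    (1320, "10.1.1.77", "203.0.113.9",  4441, 3100),
    (400,  "10.1.1.90", "203.0.113.9",  4441, 900),     # a single contact only
    (500,  "10.1.1.90", "198.51.100.7", 443,  40000),
]

def irc_like_peers(flows, host, before, min_flows=3, max_bytes=10000, min_span=1200):
    """Remote (ip, port) pairs that `host` contacted repeatedly with small flows
    spread over a long period before time `before` (when it began misbehaving).
    Thresholds are assumed tuning knobs, not values from the thread."""
    seen = defaultdict(list)
    for start, src, dst, dport, nbytes in flows:
        if src == host and start < before and nbytes <= max_bytes:
            seen[(dst, dport)].append(start)
    return {peer for peer, ts in seen.items()
            if len(ts) >= min_flows and max(ts) - min(ts) >= min_span}

def pivot_to_other_hosts(flows, peers, known_host, min_flows=3):
    """Other internal hosts talking repeatedly to the same remote server and
    port: candidates to examine before they start overtly misbehaving."""
    counts = defaultdict(int)
    for _, src, dst, dport, _ in flows:
        if src != known_host and (dst, dport) in peers:
            counts[src] += 1
    return {src for src, n in counts.items() if n >= min_flows}

if __name__ == "__main__":
    peers = irc_like_peers(FLOWS, "10.1.1.5", before=3000)
    print("IRC-like peers of the known bot:", peers)
    print("other hosts talking to them:", pivot_to_other_hosts(FLOWS, peers, "10.1.1.5"))
```

A host that contacted the server once (10.1.1.90 above) is deliberately left out; a single connection to the same address is a reason to look, not evidence of the same pattern.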