Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: John Kristoff <jtk () NORTHWESTERN EDU>
Date: Fri, 3 Sep 2004 13:58:10 -0500
On Fri, 3 Sep 2004 12:22:17 +0000 Justin Azoff <JAzoff () UAMAIL ALBANY EDU> wrote:
> I've found the easiest way to find them is to scan for 113: the virus is dumb enough to start an ident server on the hacked machine.
Many bots do not install an ident process. While you may find a high ratio of bots to non-bots by looking for open TCP 113 ports (and UNIX-looking responses from Windows hosts on an IDENT port), you should expect to miss a large class of potential bots.

Finding bots by associating them with TCP ports is unreliable, as others have already mentioned. While you can potentially find a number of them looking for well known ports (e.g. TCP 6667), it is not a very effective mitigation technique in the long run.

I'd echo and expand on what Dave Monnier and others have said in finding them. You look for other anomalies such as large flow count to a set number of ports indicating scanning, use IDS boxes like Snort for content matches (e.g. IRC bots often have very common content if in plain text, or at least flow behavior patterns) and examine historical data based on reports you get from others about your hosts.

In addition to network traffic probing, capture or flow analysis, bots often use some type of common control signal, such as a DNS name that the miscreant can point bots at. Knowing the control channel or how to watch for them is very useful in mitigation efforts.

Finally, if you find a controller, please help get it shut down.

John

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
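The flow-anomaly approach John describes (many distinct destinations on one port from a single source, plus connections to well known IRC ports) as an added Python example, not code from the message or the list. The flow records, the 20-destination scan threshold and the IRC port set are constructed assumptions; it shows how the two signals combine to rank hosts and to surface the server a suspected bot is talking to.

```python
"""Flow-based bot triage: flag hosts that fan out to many distinct
destinations on one port (scanning) and/or hold connections to
well-known IRC ports. All records below are constructed, not captured."""
from collections import defaultdict

IRC_PORTS = {6667, 6668, 6669, 7000}   # assumed default IRC server ports
SCAN_THRESHOLD = 20                   # distinct dsts on one port per source

# Constructed flow records: (src, dst, dport).
FLOWS = [("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 31)]  # fan-out
FLOWS += [("10.0.0.5", "192.0.2.10", 6667)] * 3                    # plus IRC
FLOWS += [("10.0.0.7", f"198.51.100.{i}", 80) for i in range(1, 6)]  # web
FLOWS += [("10.0.0.9", "192.0.2.10", 6667)]                        # IRC only

def fanout(flows):
    """Map (src, dport) -> set of distinct destinations contacted."""
    table = defaultdict(set)
    for src, dst, dport in flows:
        table[(src, dport)].add(dst)
    return table

def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Sources touching >= threshold distinct dsts on a single port."""
    return {src: (dport, len(dsts))
            for (src, dport), dsts in fanout(flows).items()
            if len(dsts) >= threshold}

def find_irc_talkers(flows, ports=IRC_PORTS):
    """Sources with any flow to an IRC port, mapped to the servers reached."""
    servers = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports:
            servers[src].add(dst)
    return dict(servers)

def triage(flows):
    """Scanning plus IRC -> likely bot; one signal alone -> manual review."""
    scanners, irc = find_scanners(flows), find_irc_talkers(flows)
    return {src: "likely-bot" if src in scanners and src in irc else "review"
            for src in set(scanners) | set(irc)}

def suspected_controllers(flows):
    """IRC servers contacted by hosts ranked likely-bot: the control channel."""
    irc = find_irc_talkers(flows)
    return {srv for src, v in triage(flows).items()
            if v == "likely-bot" for srv in irc[src]}

if __name__ == "__main__":
    print(triage(FLOWS), suspected_controllers(FLOWS))
```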