Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Richard Gadsden <gadsden () MUSC EDU>
Date: Fri, 3 Sep 2004 10:48:42 -0400

On Fri, 3 Sep 2004, Dave Monnier, IT Security Office, Indiana University wrote:

> Richard Gadsden wrote:
>
> > Granted, that is true. But what about the "stealthier" bot species that
> > have since, in order to evade the port block countermeasure, moved their
> > IRC traffic flows to non-standard ports? Are you able to detect those IRC
> > traffic flows?
>
> Obviously it's not possible to identify bots by their encrypted IRCD
> traffic. They're undetectable regardless of what blocks are in place
> though. In our experience, detection of these hosts is generally done
> when they misbehave (scanning the rest of the subnet, bruteforcing
> accounts, or DDoS'ing other hosts) rather than by just communicating.
> Unfortunately this means that the host has to cause other trouble on the
> network before they can be identified as malicious.

Same experience here. In fact, what clued us into the fact that bots were
starting to use non-standard IRC channels was retrospective analysis of
the flow data logged at the network border for specific hosts that were
observed to be misbehaving. We started seeing "IRC-like" traffic patterns
that matched up with the pattern of communication seen from a traditional
bot-compromised host to a remote IRC server, only using different ports.

This kind of retrospective analysis is useful enough for forensic/recovery
purposes to make it a routine part of incident response, and it can even
be used to reveal other compromised machines before they start overtly
misbehaving (if they are found to be engaging in "IRC-like" communication
with the same remote "IRC-like" server that a known-compromised host was
observed to communicate with shortly before it began misbehaving).

-Richard
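The retrospective flow-data pivot described in the message above, as an added illustration that is not part of the original thread or of any listed institution's tooling: it takes constructed border flow records, flags long-lived, low-rate sessions to a single remote host on any port as "IRC-like", and then lists the other internal hosts holding such sessions with the same remote endpoint as a known-compromised host. The record layout and the duration/rate thresholds are assumptions chosen for the sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str          # internal host (assumed field layout for a border flow export)
    dst: str          # remote endpoint
    dport: int        # remote port; deliberately not used for matching
    duration_s: int   # session length in seconds
    bytes_out: int    # bytes sent by the internal host

# Constructed sample flow records, not real data.
FLOWS = [
    Flow("10.1.1.5",  "198.51.100.7", 6667, 7200, 12000),   # known bot, standard IRC port
    Flow("10.1.1.9",  "198.51.100.7", 8443, 5400, 9000),    # same server, non-standard port
    Flow("10.1.1.12", "203.0.113.4",  443,  120,  500000),  # short, bulky HTTPS transfer
    Flow("10.1.1.20", "198.51.100.7", 80,   30,   2000),    # brief contact, not a session
    Flow("10.1.1.30", "192.0.2.9",    6667, 5000, 8000),    # IRC-like, but a different server
]

def is_irc_like(flow, min_duration_s=3600, max_bytes_per_s=200.0):
    """A long-lived, low-rate session to one remote host, on any port.
    The thresholds are assumptions chosen for the sample data."""
    if flow.duration_s < min_duration_s:
        return False
    return flow.bytes_out / flow.duration_s <= max_bytes_per_s

def irc_like_flows(flows):
    """All flows matching the IRC-like pattern, regardless of destination port."""
    return [f for f in flows if is_irc_like(f)]

def pivot_on_servers(flows, known_compromised):
    """Return (remote endpoints that known-compromised hosts held IRC-like
    sessions with, other internal hosts holding IRC-like sessions with
    those same endpoints). Matching is on the remote address only, so a
    bot that moved to a different port is still caught."""
    candidates = irc_like_flows(flows)
    servers = {f.dst for f in candidates if f.src in known_compromised}
    suspects = {f.src for f in candidates
                if f.dst in servers and f.src not in known_compromised}
    return servers, suspects

if __name__ == "__main__":
    servers, suspects = pivot_on_servers(FLOWS, {"10.1.1.5"})
    print("suspected C2 endpoints:", sorted(servers))
    print("hosts to investigate:", sorted(suspects))
```

Hosts that only show an IRC-like session to some other remote endpoint (10.1.1.30 in the sample) are not returned by the pivot; they are a separate lead from the pattern match itself.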
