Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Fri, 3 Sep 2004 12:22:17 +0000

Brian Eckman wrote:

Phatbot (aka Polybot) versions were seen using stunnel to encrypt
traffic this past spring (March and April). The servers I found were
apparently running stunnel on port 1331/tcp which is what the bots
talked to. stunnel then presumably decrypted the traffic and passed it
up to port 6667/tcp on the same host, which was the C&C IRCd. Detection
was possible when the bots tried to spread to other hosts (then looking
for 1331/tcp traffic to the controller once it was discovered).


I've found the easiest way to find them is to scan for 113: the virus is
dumb enough to start an ident server on the hacked machine.
a:
# nmap -p 113 --min_parallelism 100 --max_rtt_timeout 25 xx.xx.1.1/16

runs extremely fast and finds every irc "user".  Then all you have to do
is verify that that user has no idea what irc is.

I did a scan for 1331, and nothing is currently running on that port
here.  I wouldn't be surprised if that is an easily configurable port in
a script.


--
-- Justin Azoff
-- Network Performance Analyst
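As an added example (not part of the thread or its author's tooling), a small parser for nmap's grepable output (-oG) that lists the hosts answering on 113/tcp, as the scan above looks for, and flags those that also have the 1331/tcp stunnel port open; the sample scan lines and addresses are constructed.

```python
import re

# Constructed sample of nmap -oG output for a scan of ports 113 and 1331.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -p 113,1331 -oG - 192.0.2.0/28
Host: 192.0.2.5 ()\tPorts: 113/open/tcp//ident///, 1331/closed/tcp/////\tIgnored State: filtered (0)
Host: 192.0.2.7 ()\tPorts: 113/open/tcp//ident///, 1331/open/tcp/////
Host: 192.0.2.9 ()\tPorts: 113/closed/tcp//ident///, 1331/closed/tcp/////
Host: 192.0.2.11 ()\tStatus: Down
# Nmap done
"""

# "Host: <ip> (<hostname>)<tab>Ports: <port>/<state>/<proto>//<svc>///, ..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Return {ip: {port: state}} for every host line that carries a Ports: field."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and down hosts carry no Ports: field
        ip, _hostname, ports_field = m.groups()
        ports_field = ports_field.split("\t")[0]  # drop trailing "Ignored State:" field
        ports = {}
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            ports[int(fields[0])] = fields[1]  # e.g. 113 -> "open"
        hosts[ip] = ports
    return hosts


def suspect_hosts(hosts, ident_port=113, tunnel_port=1331):
    """Hosts with ident open, each paired with whether the stunnel port is open too."""
    out = []
    for ip, ports in sorted(hosts.items()):
        if ports.get(ident_port) == "open":
            out.append((ip, ports.get(tunnel_port) == "open"))
    return out


if __name__ == "__main__":
    for ip, has_tunnel in suspect_hosts(parse_grepable(SAMPLE_OG)):
        print(ip, "ident open", "+ 1331 open" if has_tunnel else "")
```

Hosts it reports still need the manual check the mail describes, namely asking whether the machine's user actually runs an IRC client.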

