Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Fri, 3 Sep 2004 15:31:36 +0000
John Kristoff wrote:
> On Fri, 3 Sep 2004 12:22:17 +0000 Justin Azoff <JAzoff () UAMAIL ALBANY EDU> wrote:
>> I've found the easiest way to find them is to scan for 113: the virus is dumb enough to start an ident server on the hacked machine.
>
> Many bots do not install an ident process. While you may find a high ratio of bots to non-bots by looking for open TCP 113 ports (and UNIX-looking responses from Windows hosts on an IDENT port), you should expect to miss a large class of potential bots.

Ah well, I guess you're right... of the 410 with *bot viruses, 106 of them also had port 113 open, and from the total 727, 225 had 113 open.

> Finding bots by associating them with TCP ports is unreliable, as others have already mentioned. While you can potentially find a number of them looking for well-known ports (e.g. TCP 6667), it is not a very effective mitigation technique in the long run. I'd echo and expand on what Dave Monnier and others have said in finding them. You look for other anomalies such as a large flow count to a set number of ports indicating scanning, use IDS boxes like Snort for content matches (e.g. IRC bots often have very common content if in plain text, or at least flow behavior patterns) and examine historical data based on reports you get from others about your hosts.

Indeed, I have a number of scripts that mine data from a packetshaper into a database to pick out problem hosts, and a scanner to verify if a machine is compromised or not.

> In addition to network traffic probing, capture or flow analysis, bots often use some type of common control signal, such as a DNS name that the miscreant can point bots at. Knowing the control channel or how to watch for them is very useful in mitigation efforts. Finally, if you find a controller, please help get it shut down.

Has anyone ever had much luck getting non-US countries to respond to complaints? I tend to only send complaints to other universities, and only rarely is the machine taken offline and I get a response back.

> John
--
-- Justin Azoff
-- Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
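The three indicators John Kristoff lists in the quoted message (a large flow count from one host to a fixed port, plain-text IRC commands on the wire, and lookups of the control DNS name the operator can re-point) can be combined into a single triage pass. The script below is an added illustration of that combination and is not code from the thread, from Justin Azoff's packetshaper scripts or from any named tool. Every record in it is constructed: the flow tuples, the payload snippets, the DNS query log, the threshold of 20 distinct targets per port and the control name `irc.constructed-control.example` are all assumptions chosen for the example.

```python
"""Triage of constructed flow, payload and DNS records for IRC-bot indicators.

Added example; all data below is made up and none of the names are real hosts.
"""
import re
from collections import defaultdict

# Constructed flow records as (src, dst, dst_port), one per connection attempt.
FLOWS = (
    # 10.1.0.7 sweeps 25 hosts on TCP 445 and 25 more on TCP 139: scan pattern.
    [("10.1.0.7", f"10.1.0.{i + 1}", 445) for i in range(25)]
    + [("10.1.0.7", f"10.1.9.{i + 1}", 139) for i in range(25)]
    # ...and keeps one connection to a plain-text IRC port.
    + [("10.1.0.7", "203.0.113.9", 6667)]
    # 10.1.0.20 is an ordinary web client: a few destinations on 80/443.
    + [("10.1.0.20", "198.51.100.1", 80), ("10.1.0.20", "198.51.100.2", 443),
       ("10.1.0.20", "198.51.100.3", 443), ("10.1.0.20", "198.51.100.4", 80)]
)

# Constructed payload excerpts as (src, bytes), the kind of thing a Snort
# content rule would look at. The NICK string mimics a typical bot nick format.
PAYLOADS = [
    ("10.1.0.7", b"NICK [USA|XP|7713]\r\nUSER xp 0 0 :xp\r\n"),
    ("10.1.0.7", b"JOIN #constructed-channel\r\n"),
    ("10.1.0.20", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
]

# Constructed DNS query log as (client, qname). The control name is assumed.
DNS_QUERIES = [
    ("10.1.0.7", "irc.constructed-control.example"),
    ("10.1.0.20", "www.example.com"),
    ("10.1.0.33", "irc.constructed-control.example"),
]
CONTROL_NAMES = {"irc.constructed-control.example"}

# IRC client commands at line start; plain-text bots emit these verbatim.
IRC_COMMAND = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG) ", re.M)


def scan_suspects(flows, min_targets=20):
    """Return {src: {dport: distinct_dst_count}} for every (src, dport) pair
    that touched at least min_targets distinct destinations: many flows to a
    fixed port is the scanning anomaly, regardless of which port it is."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        targets[(src, dport)].add(dst)
    out = defaultdict(dict)
    for (src, dport), dsts in targets.items():
        if len(dsts) >= min_targets:
            out[src][dport] = len(dsts)
    return dict(out)


def irc_content_hits(payloads):
    """Return {src: set_of_irc_commands} for hosts whose payload contains
    IRC client commands; a content match, not a port match, so it also
    catches IRC running on a non-standard port."""
    hits = defaultdict(set)
    for src, data in payloads:
        for m in IRC_COMMAND.finditer(data):
            hits[src].add(m.group(1).decode())
    return dict(hits)


def control_channel_clients(queries, control_names):
    """Return the set of clients that resolved a known control name. Watching
    the name rather than an IP survives the operator re-pointing the record."""
    return {client for client, qname in queries if qname.lower() in control_names}


def triage(flows, payloads, queries, control_names):
    """Merge the three indicators into {host: sorted list of reason strings}.
    Hosts with no indicator are omitted."""
    reasons = defaultdict(list)
    for src, ports in scan_suspects(flows).items():
        reasons[src].append(
            "scan:" + ",".join(f"{p}x{n}" for p, n in sorted(ports.items())))
    for src, cmds in irc_content_hits(payloads).items():
        reasons[src].append("irc-content:" + ",".join(sorted(cmds)))
    for src in control_channel_clients(queries, control_names):
        reasons[src].append("control-dns")
    return {host: sorted(r) for host, r in reasons.items()}


if __name__ == "__main__":
    for host, why in sorted(triage(FLOWS, PAYLOADS, DNS_QUERIES, CONTROL_NAMES).items()):
        print(host, why)
```

Run as-is, the script reports `10.1.0.7` on all three indicators, `10.1.0.33` on the DNS lookup alone (a host that has not started scanning yet, which port-based hunting would miss) and nothing for `10.1.0.20`. The DNS indicator is the one to feed back to whoever can get the controller shut down, as the quoted message asks.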
Current thread:
- Re: IRC, IM Proxy Implementations, (continued)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 02)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 02)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 02)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 03)
- Re: IRC, IM Proxy Implementations Brian Eckman (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Iglesias (Sep 03)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 03)
- Re: IRC, IM Proxy Implementations Dave Monnier, IT Security Office, Indiana University (Sep 03)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Porter (Sep 05)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 08)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
- Re: IRC, IM Proxy Implementations Hearn, David L. (Sep 08)
(Thread continues...)