Snort mailing list archives
IRC - BOT networks: RULES ?
From: Brian Ertel <bsertel () amherst edu>
Date: Tue, 7 May 2002 08:52:46 -0400
Hi,

Has anyone come up with effective rules for detecting rogue file swapping traffic over IRC? Read below for a full description. If you have any rules for such detection I would love to see them.

Thanks,
Brian

Internet Security Systems Security Alert
May 3, 2002

Increased Hacking Activity Associated with Underground File-Sharing Networks

Synopsis:

ISS X-Force has been tracking several large file-sharing networks that are being used to trade terabytes of pirated software and movies. These networks consist of hundreds of compromised machines which are remotely controlled by software and movie pirates to distribute files. These pirates are actively attempting to compromise high-bandwidth servers at universities and web-hosting providers in order to expand the reach and distribution capabilities of their existing file-sharing networks.

Impact:

Computers infected with the rogue file-sharing software may be unknowingly participating in a massive underground file-sharing network. These large "bot" networks are extremely popular and may be responsible for enormous bandwidth utilization. This bot software may also install Trojan horse software that allows a remote attacker to gain access to the system. The remote attacker does not need further access to the infected target in order to utilize its resources.

Description:

IRC, or Internet Relay Chat, is perhaps the oldest worldwide Internet chat network in existence. The original IRC was brought online in 1988. Historically, IRC has been favored by the computer underground over other chat networks. Hackers continue to use IRC to congregate, discuss tactics and techniques, and trade hacking tools. Recently, IRC has been used to control large numbers of IRC-aware distributed denial of service (DDoS) zombie programs and "warez" distribution bots.
These tools are typically modified backdoor or Trojan horse programs that are designed to connect to IRC where they can be controlled from IRC channels. IRC bots have become much more sophisticated in recent years as their authors find new applications for their use. The first IRC bots were simple scripts designed to maintain IRC channel rules and to distribute information to IRC users. They have evolved into remote controlled backdoor programs, DDoS zombies, and warez distribution programs. There is increasing overlap between the hacking and warez communities as software pirates are now borrowing techniques and tools from the hacking community.

Backdoors are installed on computers in order to connect them to IRC-based file-sharing networks. These attackers attempt to compromise low risk/high reward systems, such as servers in .edu domains, home broadband users, web hosting companies, and Internet Service Providers. All of these targets are similar because they are not heavily protected and have a large amount of available bandwidth. Pirates needed to increase their storage and bandwidth capabilities due to the size of modern software packages and the popularity of downloading pirated movie files. These files are several hundred megabytes in size, so it is cost-prohibitive for warez pirates to use their own servers to distribute this material.

The largest file-sharing IRC bot networks have 300-400 bots, all logged into the same IRC network and listening on the same IRC channel. The larger channels can have several hundred to thousands of individuals downloading files from these bots. Some bot networks are restricted so that normal IRC users cannot download files. However, most of these networks are public, allowing normal IRC users to download pirated files without restrictions. IRC bots like "iroffer" are especially user friendly and provide instructions to novice pirates on how to download files.
Iroffer is a standalone executable written specifically for file-sharing over IRC. This bot is a fileserver/file-sharing server. It allows users to forward requests to the server through IRC channel commands and initiate downloads via DCC (Direct Client Connection). Iroffer is updated frequently to enhance network performance and to optimize download times. Iroffer's features include the ability to limit the amount of bandwidth used in general and by time and date, remote administration via DCC chat, virtual host support, high performance CPU/memory and network code, logging features, and DCC resume support. Iroffer is available for a variety of Unix platforms as well as Windows binary format. Currently, iroffer is very popular in IRC channels which deal with pirated movies, video game console software, computer software, mp3 music, and pornography.

Typical iroffer bot advertisement:

    <generic_bot> ** 1 pack ** 0 of 5 slots open, Queue: 15/20, Record: 1670.9KB/s
    <generic_bot> ** Bandwidth Usage ** Current: 138.6KB/s, Record: 2298.5KB/s
    <generic_bot> ** To request a file type: "/msg generic_bot xdcc send #x" **
    <generic_bot> #1 811x [927M] DVDmoviefile.iso.TS-FTF
    <generic_bot> ** Brought to you by #IRC_CHAN, Why BuY When We Supply !! **
    <generic_bot> Total Offered: 1926.8 MB Total Transferred: 96.34 GB

Iroffer IRC bots periodically broadcast to an IRC channel which files are available, instructions on how to download them, and statistics to help software pirates determine how fast the bot's network connection is. Pirates install rogue FTP servers on bot servers to facilitate uploading and downloading as well as for transferring pirated files to other bot networks. Some of these back-end file distribution functions are automated while others are executed manually by the bot owners. These rogue FTP servers are frequently hard to detect and are typically run on high ports.
Common FTP servers used for this purpose are "raidenftpd" and "bulletproof FTP server" (formerly Gene6) available for Windows, and "glftpd" available for Unix. These FTP servers are used more often because they are easier to control remotely, have advanced administration capabilities, and allow for some automation of their functionality through third party plug-in scripts.

Recommendations:

RealSecure Network Sensor with X-Press Update version 4.2 has a signature to detect IRC file transfers. To detect this type of activity, enable IRC_DCC_Request in your policy. IRC_DCC_Request can be configured in your policy to kill DCC requests upon detection of this event. To enable RSKill events for IRC_DCC_Request:

1. Ensure that the IRC_DCC_Request is enabled by opening the policy you wish to apply to the network sensor under the Policy Editor.
2. Select the X-Press updates tab and expand the X-Press Updates tree, followed by Micro-Update 4.2.
3. Expand the IRC subsection and check the IRC_DCC_Request decode to enable it.
4. To enable RSKill when this decode is triggered, select RSKill under the Response options on the right side of the editor.

BlackICE Server Protection and BlackICE PC Protection version 3.5 features Application Protection, which is effective at blocking the execution of unauthorized programs, hostile executables, Trojan horse programs, and many mass-emailing worms. The upcoming Internet Scanner XPU 6.10 will contain assessment support for components of popular IRC bot software.

Additional Information:

X-Force would like to thank Dave Dittrich of the University of Washington for publishing his research on file-sharing IRC bots. Please refer to the Incidents mailing list for more information. Incidents is archived at http://www.neohapsis.com, and http://www.securityfocus.com.
About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email xforce () iss net for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force xforce () iss net of Internet Security Systems, Inc.

----------------------------------
Brian Ertel
Systems & Networking Network Administrator
Amherst College
Voice: 413-542-8320
Fax: 413-542-2626
bsertel () amherst edu
----------------------------------
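As an added example (not from Brian's post or the ISS advisory), a small Python detector for the iroffer traffic described above: it parses IRC PRIVMSG lines and flags the pack banner, the "xdcc send" request text and CTCP DCC SEND offers, decoding the DCC endpoint. The IRC lines, nicks, address and port below are constructed; the same content matches ("xdcc send", "DCC SEND") are what a Snort content rule on the IRC port would key on.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample of what a sensor on TCP/6667 would see: iroffer
# channel advertisement, a user's xdcc request, and the bot's DCC offer.
SAMPLE_IRC_LINES = [
    ':generic_bot!bot@host PRIVMSG #IRC_CHAN :** 1 pack ** 0 of 5 slots open, Queue: 15/20, Record: 1670.9KB/s',
    ':generic_bot!bot@host PRIVMSG #IRC_CHAN :** To request a file type: "/msg generic_bot xdcc send #x" **',
    ':generic_bot!bot@host PRIVMSG #IRC_CHAN :#1 811x [927M] DVDmoviefile.iso.TS-FTF',
    ':user!u@h PRIVMSG generic_bot :xdcc send #1',
    ':generic_bot!bot@host PRIVMSG user :\x01DCC SEND DVDmoviefile.iso.TS-FTF 3232235777 61234 972029952\x01',
    ':alice!a@h PRIVMSG #chat :anyone up for lunch?',
]

@dataclass
class Alert:
    kind: str    # which pattern fired
    nick: str    # sender nick from the IRC prefix
    detail: str  # extracted specifics (file name, DCC endpoint, request text)

# ":nick!user@host PRIVMSG target :text"
_PRIVMSG = re.compile(r'^:([^!\s]+)\S*\s+PRIVMSG\s+(\S+)\s+:(.*)$')
# CTCP DCC SEND offer: \x01DCC SEND <file> <ip-as-uint32> <port> [size]\x01
_DCC = re.compile(r'\x01DCC SEND (\S+) (\d+) (\d+)')
# iroffer pack listing line, e.g. "#1 811x [927M] DVDmoviefile.iso.TS-FTF"
_PACK = re.compile(r'^#\d+\s+\d+x\s+\[\d+(?:\.\d+)?[KMG]\]\s+(\S+)')
# iroffer status banner, e.g. "** 1 pack ** 0 of 5 slots open ..."
_BANNER = re.compile(r'^\*\* \d+ packs? \*\*')
# the request syntax the bot advertises and users send it
_XDCC = re.compile(r'\bxdcc\s+send\b', re.IGNORECASE)

def scan_irc_lines(lines):
    """Return one Alert per line that looks like iroffer/XDCC file trading."""
    alerts = []
    for line in lines:
        m = _PRIVMSG.match(line)
        if not m:
            continue
        nick, target, text = m.groups()
        if dcc := _DCC.search(text):
            fname, ip_int, port = dcc.groups()
            endpoint = f"{ipaddress.IPv4Address(int(ip_int))}:{port}"
            alerts.append(Alert("dcc-send", nick, f"{fname} from {endpoint}"))
        elif pack := _PACK.match(text):
            alerts.append(Alert("iroffer-pack-advert", nick, pack.group(1)))
        elif _BANNER.match(text):
            alerts.append(Alert("iroffer-banner", nick, text))
        elif _XDCC.search(text):
            alerts.append(Alert("xdcc-request", nick, f"to {target}: {text}"))
    return alerts
```

Run against SAMPLE_IRC_LINES the detector reports the banner, both "xdcc send" lines, the pack advertisement and the DCC offer decoded to 192.168.1.1:61234, and stays silent on the ordinary chat line.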