[Intrusions] IRC Bot traffic?
Earnhart, Benjamin J
benjamin-earnhart at uiowa.edu
Fri Mar 25 01:37:54 GMT 2005
Wipe anyway. Once owned, always owned until a wipe. I've known of
several others who saw a similar phenomenon (that removing MSN Messenger
from a compromised machine seemed to help), but a few weeks later, the
box was misbehaving again. And during that dormant period, who knows
what they're doing -- key-loggers would be one of the most likely (and
potentially deadly) things. Unless you can say to yourself for 100%
certain that you know when they got in, how they got in, and exactly
everything they did while they were in (which is pretty much never) --
wipe.
Any decent custom toolkit or bot is going to be invisible to
signature-based AV scanners (though AV with strong heuristics may have
*some* chance), and the same goes for spyware detection programs, so I'm
not surprised you didn't find anything. By the time a given toolkit or
bot becomes popular enough to show up in your signature-based file
scanners, it's already obsolete and they're using something else.
Careful forensics (both by observing it in action and by booting to a CD
and dissecting it dead) may be able to find much of what they put into
place, but you can never be sure. So wipe.
*==========================================;
*Ben Earnhart
*Computer Consultant and
*ICPSR Representative
*Department of Sociology and
*College of Liberal Arts
*University of Iowa
*(319) 335-2887
*benjamin-earnhart at uiowa.edu
*==========================================;
> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of eltra1n
> Sent: Thursday, March 24, 2005 10:47 AM
> To: Intrusions List (GCIA Practicals)
> Subject: Re: [Intrusions] IRC Bot traffic?
>
> This is interesting. We ran our AV and a few different
> spyware catchers against it and nothing was picked up. We
> stopped seeing the traffic once MSN Messenger was removed
> from the machine.
>
>
> On Wed, 23 Mar 2005 13:18:14 -0600, Scott Mcintyre
> <security at isnnetworks.net> wrote:
> > XDCC bots is what they are called.
> >
> > It's a program called IRoffer. What they do is the attacker uploads
> > files to serve to IRC users who just download using your bandwidth.
> > They are commonly used for warez, i.e. the latest movies, applications
> > etc. So check over your system.
> >
> > -Scott Mcintyre
> >
> > > I found some IRC traffic on port 4500 with my IDS. I grabbed some
> > > pcaps and it looks like an IRC bot...(?) Has anyone seen
> something
> > > like this before?
> > >
> > > Spoilare!Spoilare at 101Freedom-1737844C.cinci.rr.com JOIN :#101-
> > FREEDOMXDCC
> > >
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > :[CrooK]!killrbeats at 101Freedom-34DC74B3.sympatico.ca QUIT :Ping
> > > timeout - Oxygen.101-Freedom
> > >
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > :loek!pol at 324EC007.42B23495.1CF33FDF.IP JOIN :#101-FREEDOMXDCC
> > >
> > > :LastMetalWarrior!LastMetalWar at 101Freedom-
> > 3A40D27A.sunsh1.vic.optusnet.com.au
> > > JOIN :#101-FREEDOMXDCC
> > >
> > > :pipi!pipi at 101Freedom-2FCDBB21.adsl.highway.telekom.at QUIT
> > > :Connection reset by peer
> > >
> > > NICK [101]14667
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > >
> :Clone_Kicker!gulf-vet at 101Freedom-3C80D61C.dsl.mindspring.com QUIT
> > > :Ping timeout - Oxygen.101-Freedom
> > >
> > > :loek!pol at 324EC007.42B23495.1CF33FDF.IP QUIT :loek
> > >
> > >
> :chillbleezy!chillbleez at 101Freedom-15192390.client.comcast.net JOIN
> > > :#101-FREEDOMXDCC
> > >
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > :nojonesde!nojonesde at 101Freedom-30B85776.dip.t-dialin.net
> QUIT :Ping
> > > timeout - Switch.Bladez.101-Freedom
> > >
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > NICK [101]14667
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > :MR_G!MR_G at 101Freedom-34194265.ipt.aol.com QUIT :Ping timeout -
> > > Oxygen.101-Freedom
> > >
> > > :saalbr!kev at 101Freedom-237F4E58.dyn.optonline.net QUIT :Ping
> > timeout -
> > > Oxygen.101-Freedom
> > >
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-
> > FREEDOMXDCC
> > > :.**. ..15...14::: .8XDCC Bot Online .14:::.15.. .**.
> > >
> > > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-
> > FREEDOMXDCC
> > > :.**. 1 pack .**. 0 of 2 slots open, Queue: 6/30,
> Record: 81.9KB/s
> > >
> > > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-
> > FREEDOMXDCC
> > > :.**. Bandwidth Usage .**. Current: 77.4KB/s, Record: 89.0KB/s
> > >
> > > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-
> > FREEDOMXDCC
> > > :.**. To request a file, type "/msg [101]00111 xdcc send #x" .**.
> > >
> > > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-
> > FREEDOMXDCC
> > > :.**. To request details, type "/msg [101]00111 xdcc info #x" .**.
> > >
> > > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-
> > FREEDOMXDCC
> > > :.#1 . 7x [1.1G] ..4,8 MoViE .1,1 .12,11 Hostage.TS-LRC
> > >
> > > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-
> > FREEDOMXDCC
> > > :.**. ..15...14::: .4Rooted By The Best - Leeched By The Rest
> > > .14:::.15.. .**.
> > >
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > :[101]00111!XDCC at 115363F.214B3254.64201F1F.IP PRIVMSG #101-
> > FREEDOMXDCC
> > > :Total Offered: 1076.0 MB Total Transferred: 12.45 GB
> > >
> > > :Corleonne!rockwilder4e at 1BDEB49F.E95925FE.7B1EBDD6.IP JOIN :#101-
> > FREEDOMXDCC
> > >
> > > PING XDCC.101-Freedom
> > > :XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667
> > >
> > > :jackieee!jackie at 101Freedom-1403D636.danbry01.ct.comcast.net JOIN
> > > :#101-FREEDOMXDCC
> > >
> > > :u3!u3 at 101Freedom-1DC8D13C.dip.t-dialin.net QUIT :Ping timeout -
> > > Switch.Bladez.101-Freedom
> > >
> > > :Thirion!Thirion at 101Freedom-1595BE35.dip0.t-ipconnect.de
> JOIN :#101-
> > FREEDOMXDCC
> > >
> > > NICK [101]14667
> > > PING XDCC.101-Freedom
> > >
> > >
> > > --
> > > _______________________________________________
> > > Intrusions mailing list
> > > Intrusions at lists.sans.org
> > > http://www.dshield.org/mailman/listinfo/intrusions
> > >
> > >
>
>
> --
> Lawerence A. Wichman
> 2719 W Thomas Apt 2
> Chicago, Il 60622
> 773-807-7606
>
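The capture quoted at the bottom of this thread is what an IDS alert on an unexpected port typically turns up: a reconstructed TCP stream of IRC protocol lines. The following is an added example, not code from the list thread or any of its posters, showing how a responder could triage such a stream offline: parse each IRC line, strip mIRC colour/formatting control codes (which is what the ".15...14:::" debris in the quoted capture is), and count XDCC-specific indicators (a channel or server name containing "XDCC", the "XDCC Bot Online" banner, "xdcc send"/"xdcc info" request instructions, pack listings, slot/queue status). The sample stream is constructed, modelled on the quoted capture, and port 4500 is the port the original poster reported; the indicator list and scoring thresholds are my own assumptions, not anything from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ports where IRC is normally expected; anything else is worth a second look.
STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}
IRC_COMMANDS = {"PING", "PONG", "JOIN", "PART", "QUIT", "NICK", "USER",
                "PRIVMSG", "NOTICE", "MODE", "TOPIC", "KICK"}

# mIRC formatting: \x03 colour (optional fg[,bg]), bold, reset, reverse, italic, underline.
FORMAT_CODES = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x0f\x16\x1d\x1f]")
# RFC 1459 shape: ":prefix COMMAND middle-params :trailing"
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?:\s+[^:\s]\S*)*)(?:\s+:(?P<trailing>.*))?$"
)
PACK_LISTING = re.compile(r"^#\d+\s+\d+x\s+\[\d+(?:\.\d+)?[KMG]\]")   # "#1 7x [1.1G] ..."
REQUEST_HELP = re.compile(r"xdcc\s+(send|info|list|batch)", re.I)    # "/msg bot xdcc send #x"
SLOT_STATUS = re.compile(r"\d+ of \d+ slots open", re.I)


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]
    trailing: Optional[str]


def strip_formatting(raw: str) -> str:
    """Remove mIRC colour/bold/etc. control codes so text matching works."""
    return FORMAT_CODES.sub("", raw)


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Parse one IRC protocol line; returns None if it does not look like IRC."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    return IrcMessage(m.group("prefix"), m.group("command").upper(),
                      m.group("params").split(), m.group("trailing"))


def xdcc_indicators(msg: IrcMessage) -> List[str]:
    """Return the names of XDCC-bot indicators present in a single message."""
    hits: List[str] = []
    target = msg.params[0] if msg.params else ""
    text = msg.trailing or ""
    # JOIN carries the channel either as a parameter or as the trailing part.
    channel = text if msg.command == "JOIN" and text else target
    if channel.startswith(("#", "&")) and "XDCC" in channel.upper():
        hits.append("xdcc_channel")
    if msg.command in ("PING", "PONG") and "xdcc" in target.lower():
        hits.append("xdcc_server_name")
    if msg.command in ("PRIVMSG", "NOTICE"):
        if "xdcc bot online" in text.lower():
            hits.append("xdcc_banner")
        if REQUEST_HELP.search(text):
            hits.append("xdcc_request_help")
        if PACK_LISTING.match(text):
            hits.append("pack_listing")
        if SLOT_STATUS.search(text):
            hits.append("slot_status")
    return hits


def analyze_stream(lines: List[str], port: int) -> Dict:
    """Triage a reconstructed TCP stream: is it IRC, and does it look like an XDCC bot?"""
    findings = []
    irc_lines = 0
    for line_no, raw in enumerate(lines, 1):
        msg = parse_irc_line(strip_formatting(raw))
        if msg is None or msg.command not in IRC_COMMANDS:
            continue
        irc_lines += 1
        for name in xdcc_indicators(msg):
            findings.append({"line": line_no, "indicator": name,
                             "evidence": strip_formatting(raw)[:80]})
    kinds = sorted({f["indicator"] for f in findings})
    if irc_lines == 0:
        verdict = "no IRC traffic recognised"
    elif not kinds:
        verdict = "IRC traffic, no XDCC indicators"
    elif len(kinds) == 1:
        verdict = "IRC traffic, weak XDCC indicator"
    else:
        verdict = "likely XDCC bot"   # assumed threshold: two distinct indicator types
    return {"port": port, "nonstandard_port": port not in STANDARD_IRC_PORTS,
            "irc_lines": irc_lines, "indicators": kinds,
            "findings": findings, "verdict": verdict}


# Constructed sample stream, modelled on the capture quoted in the thread
# (colour codes re-inserted as the \x03 bytes a raw pcap would contain).
SAMPLE_STREAM = [
    "NICK [101]14667",
    "PING XDCC.101-Freedom",
    ":XDCC.101-Freedom PONG XDCC.101-Freedom :[101]14667",
    ":loek!pol@324EC007.42B23495.1CF33FDF.IP JOIN :#101-FREEDOMXDCC",
    ":[101]00111!XDCC@115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC "
    ":\x0315\x0314::: \x038XDCC Bot Online \x0314:::\x0315",
    ":[101]00111!XDCC@115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC "
    ":** 1 pack ** 0 of 2 slots open, Queue: 6/30, Record: 81.9KB/s",
    ":[101]00111!XDCC@115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC "
    ":** To request a file, type \"/msg [101]00111 xdcc send #x\" **",
    ":[101]00111!XDCC@115363F.214B3254.64201F1F.IP PRIVMSG #101-FREEDOMXDCC "
    ":\x034,8#1 \x03 7x [1.1G] MoViE Hostage.TS-LRC",
    ":pipi!pipi@101Freedom-2FCDBB21.adsl.highway.telekom.at QUIT :Connection reset by peer",
]

if __name__ == "__main__":
    report = analyze_stream(SAMPLE_STREAM, 4500)
    print(report["verdict"], report["indicators"], "nonstandard port:", report["nonstandard_port"])
```

The parser is deliberately permissive (it accepts any alphabetic or three-digit command) and the command allow-list does the filtering, so a stream of non-IRC text on the same port yields "no IRC traffic recognised" rather than a false positive. The findings list keeps the line number and the de-coloured evidence text so the analyst can go back to the pcap; nothing here identifies the specific malware, which, as the thread points out, is exactly what signature scanners also fail to do, so the verdict is a triage aid and not a substitute for the rebuild the thread recommends.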