[Dshield] IRC BOT opportunity
cef at optus.net
Thu Oct 13 05:02:36 GMT 2005
On Thursday 13 October 2005 05:48, Halsall, Mike wrote:
> Question of the day:
> Recently I've been playing with an IRC BOT virus (a Randex variant) that
> has come onto my college's campus. These viruses have become
> increasingly sophisticated in their capabilities and have the ability
> to, of course, receive a download command from their Op and go grab a
> file and run it silently - hence introducing (yet) another ingress path
> for more malware/viruses.
> Being curious, and taking the appropriate precautions (anonymous proxies
> through Tor), I hopped onto the IRC server these Bots were joining and
> made myself look like one of them. This server, in Hungary, controls
> ~17000 Bots.
Something that I have always wondered is whether anyone has written a
transparent proxy for these IRCBots, that intercepts the connections to
known bot networks, automatically takes the files that go past (it may be
DCC, but that's still set up via the IRC session, so you can intercept and
change that), and then does things like:
1. Locks the machine down after a set period of time and notifies people.
This way the bot client appears to have worked, and you determine how much
risk you want to put yourself at. Basically just spawning some external
process which would do it for you seems the best way (eg: fiddle with the
switch they are on and VLAN them away, revoke/change 802.1x privileges,
assign the machine a different IP on a locked-down subnet, etc).
2. Develops immediate signatures for things like snort, anti-virus, etc, if
it's not already known.
3. If the files aren't already detected by current anti-virus solutions,
submit them to something like virustotal for analysis.
To me, this makes sense. I know snort sort of does this, but it really
requires you to have detection rules that will catch it for you, whereas this
will effectively learn some of it as it goes.
Stuart Young - aka Cefiar - cef at optus.net
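The following is an added example, not code from the poster or from any existing proxy, sketching the three steps above in Python: a proxy that already sees the IRC session checks whether the server is on a list of known bot C2 hosts, pulls the DCC SEND offers out of the session (these carry the sender's IP as a 32-bit integer, the port and the file name, so the proxy can read or rewrite them), emits a Snort rule for each offered file name, hashes a captured file to decide whether it is already detected or should be submitted for analysis, and records that the client should be locked down after a delay so an external process can do the VLAN or 802.1x work. The C2 host name, the known-hash set and the sample session lines are constructed placeholders, not real indicators.

```python
import hashlib
import re
import socket
import struct

# Constructed placeholder: hosts the proxy treats as known bot C2 servers.
KNOWN_C2_HOSTS = {"irc-c2.example.invalid"}

# Constructed placeholder: SHA-256 hashes the local AV/IDS already detects.
KNOWN_HASHES = {hashlib.sha256(b"already-known-sample").hexdigest()}

PREFIX_RE = re.compile(r"^:(?P<nick>[^!\s]+)!")
DCC_SEND_RE = re.compile(
    r"\x01DCC SEND (?P<file>\S+) (?P<ip>\d+) (?P<port>\d+)(?: (?P<size>\d+))?\x01"
)


def parse_dcc_send(line):
    """Return the DCC SEND offer carried by one IRC line, or None.

    DCC SEND is a CTCP message inside PRIVMSG; the sender's IP is a 32-bit
    integer, which the proxy can decode (or rewrite to point at itself).
    """
    m = DCC_SEND_RE.search(line)
    if not m:
        return None
    prefix = PREFIX_RE.match(line)
    ip = socket.inet_ntoa(struct.pack("!I", int(m.group("ip"))))
    return {
        "nick": prefix.group("nick") if prefix else None,
        "file": m.group("file"),
        "ip": ip,
        "port": int(m.group("port")),
        "size": int(m.group("size")) if m.group("size") else None,
    }


def snort_rule(filename, sid):
    """Build a Snort rule that alerts on later DCC SEND offers of this file."""
    return (
        "alert tcp $EXTERNAL_NET any -> $HOME_NET any "
        f'(msg:"IRC DCC SEND offer for {filename}"; flow:to_client,established; '
        f'content:"DCC SEND {filename}"; nocase; classtype:trojan-activity; '
        f"sid:{sid}; rev:1;)"
    )


def file_disposition(data):
    """Hash a captured file; unknown hashes are flagged for submission."""
    digest = hashlib.sha256(data).hexdigest()
    known = digest in KNOWN_HASHES
    return {"sha256": digest, "known": known,
            "action": "none" if known else "submit-for-analysis"}


def analyze_session(client_ip, server_host, lines, lockdown_delay=300, sid_base=1000001):
    """Inspect one proxied IRC session and return the response plan.

    The lockdown itself is left to an external process (VLAN move, 802.1x
    revocation, re-addressing); this only records when it should fire.
    """
    report = {"client": client_ip, "server": server_host,
              "known_c2": server_host in KNOWN_C2_HOSTS,
              "dcc_offers": [], "rules": [], "quarantine_after": None}
    if not report["known_c2"]:
        return report
    for line in lines:
        offer = parse_dcc_send(line)
        if offer:
            report["dcc_offers"].append(offer)
            report["rules"].append(snort_rule(offer["file"], sid_base + len(report["rules"])))
    if report["dcc_offers"]:
        report["quarantine_after"] = lockdown_delay
    return report


# Constructed sample session as the proxy would see it (203.0.113.9 = 3405803785).
SAMPLE_SESSION = [
    ":irc-c2.example.invalid 001 bot-a1b2 :Welcome",
    ":bot-a1b2!x@10.0.5.23 JOIN :#herd",
    ":0per!op@203.0.113.9 PRIVMSG bot-a1b2 :\x01DCC SEND update.exe 3405803785 6667 40960\x01",
]

if __name__ == "__main__":
    plan = analyze_session("10.0.5.23", "irc-c2.example.invalid", SAMPLE_SESSION)
    for rule in plan["rules"]:
        print(rule)
    print(file_disposition(b"never-seen-before"))
```

The session lines here are fed in as a list; in a real proxy they would come from the intercepted TCP stream, and the generated rules would be pushed to Snort while the file hash decides whether anything goes to an external scanner.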