[Dshield] IRC BOT opportunity

Cefiar cef at optus.net
Thu Oct 13 05:02:36 GMT 2005


On Thursday 13 October 2005 05:48, Halsall, Mike wrote:
> Question of the day:
>
> Recently I've been playing with an IRC BOT virus (a Randex variant) that
> has come onto my college's campus.  These viruses have become
> increasingly sophisticated in their capabilities and have the ability
> to, of course, receive a download command from their Op and go grab a
> file and run it silently - hence introducing (yet) another ingress path
> for more malware/viruses.
>
> Being curious, and taking the appropriate precautions (anonymous proxies
> through Tor), I hopped onto the IRC server these Bots were joining and
> made myself look like one of them.  This server, in Hungary, controls
> ~17000 Bots.

Something that I have always wondered is whether anyone has written a 
transparent proxy for these IRCBots, that intercepts the connections to 
known bot networks, automatically takes the files that go past (it may be 
DCC, but that's still set up via the IRC session, so you can intercept and 
change that), and then does things like:
 1. Locks the machine down after a set period of time and notifies people. 
This way the bot client appears to have worked, and you determine how much 
risk you want to put yourself at. Basically just spawning some external 
process which would do it for you seems the best way (e.g. fiddle with the 
switch they are on and VLAN them away, revoke/change 802.1x privileges, 
assign the machine a different IP on a locked-down subnet, etc).
 2. Develops immediate signatures for things like snort, anti-virus, etc, if 
it's not already known.
 3. If the files aren't already detected by current anti-virus solutions, 
submit them to something like virustotal for analysis.

To me, this makes sense. I know snort sort of does this, but it really 
requires you to have detection rules that will catch it for you, whereas this 
will effectively learn some of it as it goes.

-- 
 Stuart Young - aka Cefiar - cef at optus.net
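A sketch of the proxy Stuart describes, written as an added example for this archive page (it is not code from the thread, from DShield, or from any existing tool): it parses the DCC SEND offer out of the IRC session, fingerprints the file that arrives, emits a Snort rule for the offer, and hands the host to an external lockdown action after a delay. The IRC line, the file bytes, the known-hash set, the sid value and the quarantine() callback are all constructed placeholders; the "submit to VirusTotal" step is represented only as a queued action.

```python
"""IRC-bot proxy skeleton: watch control traffic for DCC SEND offers, hash the
delivered file, generate a signature, and schedule a lockdown.
Added example for the DShield thread, not code from the original message; all
sample data and helper names are hypothetical."""
import hashlib
import re
import socket
import struct
import threading
from dataclasses import dataclass
from typing import Callable, Optional

# CTCP DCC SEND carried inside a PRIVMSG:
#   :nick!user@host PRIVMSG target :\x01DCC SEND <file> <ip> <port> [size]\x01
# The IPv4 address is sent as a decimal 32-bit integer in network byte order.
DCC_SEND_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)\S* PRIVMSG (?P<target>\S+) :\x01DCC SEND "
    r"(?P<file>\S+) (?P<ip>\d+) (?P<port>\d+)(?: (?P<size>\d+))?\x01\r?$"
)


@dataclass(frozen=True)
class DccOffer:
    nick: str
    filename: str
    ip: str
    port: int
    size: Optional[int]


def parse_dcc_send(line: str) -> Optional[DccOffer]:
    """Return a DccOffer if the IRC line is a DCC SEND offer, otherwise None."""
    m = DCC_SEND_RE.match(line)
    if not m:
        return None
    # Decode the integer-encoded IPv4 address back to dotted form.
    ip = socket.inet_ntoa(struct.pack("!I", int(m.group("ip"))))
    size = int(m.group("size")) if m.group("size") else None
    return DccOffer(m.group("nick"), m.group("file"), ip, int(m.group("port")), size)


def snort_rule(offer: DccOffer, sid: int) -> str:
    """Build a Snort rule that alerts on the same DCC offer seen again.
    The sid is a placeholder; pick one from your local range."""
    return (
        "alert tcp any any -> any any "
        f'(msg:"IRC bot DCC offer {offer.filename}"; '
        f'content:"DCC SEND {offer.filename}"; nocase; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def triage_download(blob: bytes, known_hashes: set) -> dict:
    """Hash the captured file and decide whether it still needs analysis.
    known_hashes stands in for whatever your AV / hash feed already covers."""
    digest = hashlib.sha256(blob).hexdigest()
    known = digest in known_hashes
    return {
        "sha256": digest,
        "already_known": known,
        "action": "none" if known else "queue_for_analysis",
    }


def schedule_lockdown(victim_ip: str, delay_s: float,
                      quarantine: Callable[[str], None]) -> threading.Timer:
    """Fire the external lockdown (VLAN move, 802.1x revoke, re-IP, notify)
    after delay_s seconds so the bot appears to have worked normally.
    quarantine() is the hypothetical external process doing the real work."""
    timer = threading.Timer(delay_s, quarantine, args=(victim_ip,))
    timer.daemon = True
    timer.start()
    return timer


def handle_line(line: str, sid: int) -> Optional[dict]:
    """Proxy hook for one IRC line: return the offer and its signature, or None."""
    offer = parse_dcc_send(line)
    if offer is None:
        return None
    return {"offer": offer, "rule": snort_rule(offer, sid)}


if __name__ == "__main__":
    # Constructed sample: 167838211 is 10.1.2.3 encoded as a 32-bit integer.
    sample = (":dropper!bot@10.1.2.3 PRIVMSG victim "
              ":\x01DCC SEND update.exe 167838211 5000 2048\x01")
    report = handle_line(sample, sid=9000001)
    print(report["offer"])
    print(report["rule"])
    print(triage_download(b"MZ constructed sample bytes", set()))
    schedule_lockdown("10.9.8.7", 0, lambda ip: print("quarantine", ip)).join(5)
```

The parser only handles the DCC SEND offer itself; the actual file would be pulled off the separate DCC TCP connection the offer points at, which is where the proxy would insert itself and capture the bytes before passing them to triage_download().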

