[Dshield] IRC BOT opportunity

Halsall, Mike mike at middlebury.edu
Thu Oct 13 12:03:12 GMT 2005

Ah, the remediation end of things.

Indeed.  Without going into too many details (yet), this past summer a colleague and I worked on a project to do exactly this: through a centralized parsing and reporting tool we wrote, we're able to take in data from multiple input vectors (say a snort box, firewall log, honeynet, darknet sensor) and corrolate it all into a response that we can make sense of.  By combining the efforts of our campus network registration system and an IPS (two completely disparate technologies) we can respond much more quickly to a threat, pinpoint it automatically, find out who the user is, all of their information, and shut it down before anyone (even us) could know it's a problem.  The thing is 100% automated.  The beauty is, we flip the user into a "penalty box" vlan and, when they open a browser, they're black-hole dns'd to the web server that looks at its arp table, finds them in the "actions" database via their MAC address (which we got from the network registration system) and tells them exactly why they're there...  the helpdesk has an interface into this database (for the actions that we want them to see) and, when the user calls, they can be patched up and sent back into the wild, by the helpdesk themselves, just by them clicking the radio button on the webpage next to their name.

And, when we find something nasty going on, the rules for this program can be modified in a few minutes.  The pattern we've seen: anyone talking on IRC over port 7500 is Botnet-ish behavior (I know others' mileage may vary) and at this time action is being taken on that kind of a trigger.  If we're turning up too many false positives (say, more than 2 people), we can easily tune that in a sec.  And then go get ready for work.


(I'm going to go have to register for that free IPod)

-----Original Message-----
From:	list-bounces at lists.dshield.org on behalf of Cefiar
Sent:	Thu 10/13/2005 1:02 AM
To:	list at lists.dshield.org
Subject:	Re: [Dshield] IRC BOT opportunity
On Thursday 13 October 2005 05:48, Halsall, Mike wrote:
> Question of the day:
> Recently I've been playing with an IRC BOT virus (a Randex variant) that
> has come onto my college's campus.  These viruses have become
> increasingly sophisticated in their capabilities and have the ability
> to, of course, receive a download command from their Op and go grab a
> file and run it silently - hence introducing (yet) another ingress path
> for more malware/viruses.
> Being curious, and taking the appropriate precautions (anonymous proxies
> through Tor), I hopped onto the IRC server these Bots were joining and
> made myself look like one of them.  This server, in Hungary, controls
> ~17000 Bots.

Something that I have always wondered is wether anyone has written a 
transparent proxy for these IRCBot's, that intercepts the connections to 
known bot networks, automatically takes the files that go past (it may be 
DCC, but that's still set up via the IRC session, so you can intercept and 
change that), and then does things like:
 1. Locks the machine down after a set period of time and notifies people. 
This way the bot client appears to have worked, and you determine how much 
risk you want to put yourself at. Basically just spawning some external 
process which would do it for you seems the best way (eg: fiddle with the 
switch they are on and VLAN them away, revoke/change 802.1x privileges, 
assign the machine a different IP to a locked down subnet, etc).
 2. Develops immediate signatures for things like snort, anti-virus, etc, if 
it's not already known.
 3. If the files aren't already detected by current anti-virus solutions, 
submit them to something like virustotal for analysis.

To me, this makes sense. I know snort sort of does this, but it really 
requires you to have detection rules that will catch it for you, whereas this 
will effectively learn some of it as it goes.

 Stuart Young - aka Cefiar - cef at optus.net
Using .Net? Need to know more about .Net Security?

send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

More information about the list mailing list