[unisog] IRC bot outbreaks

Gerry Sneeringer sneeri at umd.edu
Thu Jul 25 12:19:20 GMT 2002

On Wed, 24 Jul 2002, Anderson Johnston wrote:
> We're crawling with them.  I use the daily reports from the NIDS and
> Netflow to pick out the worst offenders bandwidth-wise, hunt them down (we
> have a lot of address pools), and verify the compromise.

We too see more than our fair share of these Bots.  All of the ones that
we have seen use XDCC to distribute files and broadcast instructions on
obtaining those files to the IRC channel on a regular basis.  So, we added
a rule to our Snort box to match on packets containing the string "xdcc
send \#x" destined for port 6667.  It isn't perfect, but now we usually
get alerted to the presence of a Bot before it sets off the excessive
bandwidth alarms.  Implementing a ban on inbound NetBIOS traffic before
the start of the Fall is a very high priority.


Gerry Sneeringer
IT Security Officer
University of Maryland, College Park

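A defender-side equivalent of the string match Gerry describes, added here as an example rather than anything from the thread: it runs the "xdcc send #" check over constructed sample flows and, going beyond the original rule, accepts any pack number and the whole 6660-6669 IRC port range instead of 6667 alone (both assumptions of this example, as is the Flow record shape).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The XDCC "send" instruction bots broadcast to their channel, e.g. "xdcc send #3".
# Case-insensitive; the pack number after '#' is captured for the alert text.
XDCC_SEND = re.compile(rb"xdcc\s+send\s+#(\d+)", re.IGNORECASE)

# The post's rule keyed on port 6667 only; covering the 6660-6669 IRC range is
# an assumption added here to catch bots on neighbouring server ports.
IRC_PORTS = frozenset(range(6660, 6670))

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes

def match_xdcc(flow: Flow) -> Optional[str]:
    """Return an alert line if the flow carries an XDCC advertisement to an IRC port."""
    if flow.dport not in IRC_PORTS:
        return None
    m = XDCC_SEND.search(flow.payload)
    if m is None:
        return None
    return f"{flow.src} -> {flow.dst}:{flow.dport} xdcc pack #{m.group(1).decode()}"

def scan(flows: List[Flow]) -> List[str]:
    """Run the check over a batch of flows and collect the alert lines."""
    return [a for a in (match_xdcc(f) for f in flows) if a is not None]

# Constructed sample traffic (not real captures); addresses are documentation ranges.
SAMPLE_FLOWS = [
    # bot advertising pack #3 on 6667: alerts
    Flow("10.0.5.23", "198.51.100.7", 6667,
         b'PRIVMSG #chan :** Type "/msg bot XDCC SEND #3" to get it **\r\n'),
    # ordinary chat that mentions xdcc without a send instruction: no alert
    Flow("10.0.5.24", "198.51.100.7", 6667, b"PRIVMSG #lab :anyone seen the xdcc docs?\r\n"),
    # the same string on port 80: outside the port gate, no alert
    Flow("10.0.5.25", "203.0.113.9", 80, b"xdcc send #1\r\n"),
    # advertisement on 6669: caught by the widened port range
    Flow("10.0.5.26", "198.51.100.7", 6669, b"PRIVMSG #chan :xdcc send #12\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

As Gerry notes, a string match like this is not perfect: bots on non-standard ports or with altered advertisement text slip past it, so it complements rather than replaces the bandwidth alarms.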