Summary of IRC/DCC Activity

Phil.Rodrigues at uconn.edu
Fri Sep 6 20:48:37 GMT 2002


6 weeks ago a student here, Aliza Bailey, started to keep track of all of 
the IRC/DCC bots we could find in all of the XDCC rooms that we ever had a 
computer here communicate with.  We targeted servers to monitor based on 
config files that we found on compromised computers, as well as network 
audit logs that had the IP of the server the bot started to communicate 
with.

In the last 4 weeks we have found about 2750 (mostly unique) total bots in 
those channels, 1200 of which were on an .edu network at the time.  We 
contacted their network admins whenever we found 3 or more bots from the 
same school on the same day, and sent 125 emails out about 450 bots.  We 
are trying to keep better track of these numbers for the next few weeks to 
see if we can spot some meaningful trends.

We are now to the point where there are more servers with large bot 
populations than we can regularly monitor, so we have to spend our time in 
only the biggest ones.  If anyone has a few hours per week of student 
labor they wish to throw at this problem let me know and I can give them 
something constructive to do. :-)

I have been keeping records of which .edu networks have had the worst 
problems with bot activity, but I wonder what to do with it.  There are 
well-known Universities that have had dozens of bots pop up over the last 
few weeks, and the problem seems pretty consistent.  We send polite emails 
to their ARIN registrant, and abuse at school.edu and security at school.edu, 
but there are some places that never reply back.

The fact that there are *thousands* of compromised University computers at 
the core of these warez distribution channels disturbs me.  I wonder how 
long it has been going on and how large the problem has to grow until we 
make a concerted effort to combat it.

I am interested in people's thoughts about what else I can do to help 
measure the scope of this problem, and how to effectively assist other 
large educational networks in fixing their bot problems (which are 
probably symptomatic of larger network security issues at those schools). 
Should I take the effort to call those that do not respond to us?  Are 
there other servers we can monitor to find more .edu bots in more 
channels?  Is knowing the scope and growth of this problem useful to the 
community?

Phil

PS - We have had great success in spotting these as they appear on our 
network with a combo of SNORT rules looking for ftp traffic over 
nonstandard ports and "xdcc" phrases over IRC, as well as network audit 
log reports that look for persistent connections to IRC servers and large 
spikes in traffic over odd ports (65535, etc.).  Blocking Windows 
Networking from the Internet to our ResNet has helped that problem there - 
with 0 complaints - as do periodic scans for blank administrator 
passwords.

PPS - Last week we got hit with scans from Brussels that were smart enough 
to enumerate the administrative accounts on the Windows boxes, then try a 
few standard passwords for each.  So they broke into non-"Administrator" 
accounts with passwords that weren't just blank.

=======================================
Philip A. Rodrigues
Network Analyst, UITS
University of Connecticut

email: phil.rodrigues at uconn.edu
phone: 860.486.3743
fax: 860.486.6580
web: http://www.security.uconn.edu
=======================================
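
The detection heuristics Phil sketches in his PS (persistent connections to IRC servers, traffic spikes on odd high ports such as 65535, and "xdcc" phrases inside IRC traffic) are easy to reproduce over an audit log. The Python below is an added example, not code from the post or from UConn's tooling: the flow-log format, the IRC port list, the thresholds (six distinct hours of IRC traffic, 50 MiB over an odd port) and the sample records are all assumptions made for the example, and the sample records are constructed rather than captured.

```python
"""Detection heuristics from the post, run over constructed flow-log lines.

Flags a source host when it (a) talks to IRC ports across many distinct clock
hours, (b) moves a large volume to an odd high port such as 65535, or (c) sends
an IRC message containing an "xdcc" phrase.  The record format, the port list,
the thresholds and the sample data are assumptions for this example.
"""
from collections import defaultdict

IRC_PORTS = set(range(6660, 6670)) | {7000}   # assumed list of common IRC server ports
ODD_PORTS = {65535}                            # the odd port the post calls out
PERSIST_MIN_HOURS = 6                          # assumed: distinct hours with IRC traffic
SPIKE_BYTES = 50 * 1024 * 1024                 # assumed: 50 MiB to an odd port

# Constructed sample records (not real data), one flow per line:
#   <timestamp> <src> <dst> <dst-port> <bytes> ["payload snippet"]
SAMPLE_LOG = """\
2002-09-05T01:02:11 137.99.1.10 203.0.113.5 6667 820 "PRIVMSG #xdccwarez :xdcc send #3"
2002-09-05T02:10:40 137.99.1.10 203.0.113.5 6667 310
2002-09-05T03:05:02 137.99.1.10 203.0.113.5 6667 290
2002-09-05T04:01:55 137.99.1.10 203.0.113.5 6667 305
2002-09-05T05:14:09 137.99.1.10 203.0.113.5 6667 298
2002-09-05T06:00:27 137.99.1.10 203.0.113.5 6667 301
2002-09-05T03:30:00 137.99.1.10 198.51.100.7 65535 62914560
2002-09-05T09:45:13 137.99.2.20 203.0.113.5 6667 540 "JOIN #linux"
2002-09-05T11:00:00 137.99.3.30 198.51.100.9 65535 104857600
2002-09-05T11:05:00 137.99.3.30 198.51.100.9 22 1500
"""


def parse_flow(line):
    """Parse one record into a dict; the payload field is optional and may be quoted."""
    fields = line.split(None, 5)
    if len(fields) < 5:
        raise ValueError("malformed record: %r" % line)
    ts, src, dst, dport, nbytes = fields[:5]
    payload = fields[5].strip().strip('"') if len(fields) == 6 else ""
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "bytes": int(nbytes), "payload": payload}


def load_flows(text):
    """Parse every non-blank line of a log."""
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def persistent_irc_hosts(flows, min_hours=PERSIST_MIN_HOURS):
    """Source hosts seen talking to IRC ports in at least min_hours distinct clock hours."""
    hours = defaultdict(set)
    for f in flows:
        if f["dport"] in IRC_PORTS:
            hours[f["src"]].add(f["ts"][:13])   # "YYYY-MM-DDTHH" bucket
    return {h for h, hs in hours.items() if len(hs) >= min_hours}


def odd_port_spikes(flows, threshold=SPIKE_BYTES):
    """Source hosts whose total bytes to odd ports reach the threshold; host -> bytes."""
    total = defaultdict(int)
    for f in flows:
        if f["dport"] in ODD_PORTS:
            total[f["src"]] += f["bytes"]
    return {h: b for h, b in total.items() if b >= threshold}


def xdcc_hosts(flows):
    """Source hosts that sent an IRC payload containing 'xdcc' (case-insensitive)."""
    return {f["src"] for f in flows
            if f["dport"] in IRC_PORTS and "xdcc" in f["payload"].lower()}


def report(text):
    """Run all three heuristics; returns host -> sorted list of reasons it was flagged."""
    flows = load_flows(text)
    reasons = defaultdict(list)
    for h in persistent_irc_hosts(flows):
        reasons[h].append("persistent_irc")
    for h in odd_port_spikes(flows):
        reasons[h].append("odd_port_spike")
    for h in xdcc_hosts(flows):
        reasons[h].append("xdcc_phrase")
    return {h: sorted(r) for h, r in reasons.items()}


if __name__ == "__main__":
    for host, why in sorted(report(SAMPLE_LOG).items()):
        print(host, ", ".join(why))
```

Hosts that trip more than one heuristic (here 137.99.1.10, which holds an IRC session across six hours, mentions "xdcc" and pushes 60 MiB over port 65535) are the ones worth looking at first; a single large transfer on an odd port, as with 137.99.3.30, is only a lead until the IRC side of it shows up.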