Botnets - The Killer Web Applications (Syngress, www.syngress.com), Chapter 8 • IRC and Botnets

Understanding the IRC Protocol
Assume that the local enterprise security officer has been informed that a
botnet client exists on the local IP address 192.168.2.3. How might that
happen? One way is that some other security engineer or network engineer
sends e-mail to the locally registered abuse address, saying something like:

    To: abuse@enormousstateuniversity.edu
    Subject: scanning client on your IP address

    Greetings. You have a host scanning from IP address 192.168.2.3 and it is
    scanning hosts on our campus on ports 445 and 139. Please fix this problem
    and advise us when the problem has been solved.

    Yours truly, Joe Network Person,
    Joe Network Inc.
So now you use a network monitoring device of some sort, possibly a sniffer
like tcpdump (www.tcpdump.org), which is free, or possibly a commercial tool.
In our case we might reach for a free, ASCII-oriented tool (chosen from previous
experience) called ngrep (network grep) and invoke it as follows:

    # ngrep -d em0 tcp and host 192.168.2.3

ngrep can take a pattern (a regular expression) and a Berkeley Packet Filter
(BPF) expression of the kind used with sniffers like tcpdump or Wireshark
(www.wireshark.org). The -d option selects the capture interface (ngrep's -i
option means "ignore case in the regular expression," so it is not the flag
to use here), and the incantation means "Run ngrep on the Ethernet interface
called em0" (the FreeBSD Intel driver). In this case we are not using a
regular expression, so the only remaining argument is the BPF expression
"tcp and host 192.168.2.3." That
means "Give me only TCP packets sent to or from host 192.168.2.3." After
waiting patiently for some period of time, we might see the following:

    T 10.1.2.3:8641 -> 192.168.2.3:3103 [AP]
    :notsocool!notsocool@just.smoke.it PRIVMSG #zz :.advscan asn445 330 5 0 65.78.174.x -r -s..
So what does this mean, and is it bad news? It means you have a botnet
with one or more hosts, and yes, it is bad news. ngrep has extracted a
message in IRC format sent from the bot server (10.1.2.3, listening on port
8641 rather than the traditional IRC port) to the bot client (192.168.2.3),
telling the latter to scan using a particular exploit (presumably for an
ASN.1 vulnerability on port 445, which matches the port 445 scanning reported
in the complaint). Later on you might see a message roughly like the
following one, which unfortunately means that a new host (192.168.2.4) has
been infected and has finished downloading something called "msutil64.exe."
We suspect that msutil64.exe carries some sort of malware payload. Both are
examples of the IRC protocol as botnets use it. (The ^B shown below is the
0x02 "bold" control byte that IRC clients use for text formatting.)

    T 192.168.2.4:2345 -> 10.1.2.3:8641 [AP]
    :notsocool!notsocool@just.smoke.it PRIVMSG #zz :^B.DOWN.^B File download: 19.0KB to: c:\msutil64.exe @ 19.0KB/sec.]
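
The two captured messages above, parsed and classified, as an added example that is not code from the book: a small RFC 1459 message parser and a classifier that recognises the scan command and the download report by their content rather than by the server port (the command-and-control server here listens on 8641, not 6667). The capture it runs on is constructed from the page's two messages plus a PONG and a benign chat line invented for the example; the regular-expression field names and the "first dotted token is the scan target" heuristic are assumptions, not definitions taken from the bot.

```python
"""Parse ngrep output of IRC traffic and flag botnet command-and-control messages."""
import re
from dataclasses import dataclass, field
from typing import Iterator, Optional, Tuple

# ngrep packet header, e.g. "T 10.1.2.3:8641 -> 192.168.2.3:3103 [AP]"
HEADER_RE = re.compile(
    r"^T (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) \[(?P<flags>[A-Z]*)\]$"
)
# C&C command from the chapter: ".advscan <exploit> <further arguments>". The numeric
# arguments are left uninterpreted because the chapter does not define them.
SCAN_RE = re.compile(r"^\.advscan\s+(?P<exploit>\S+)\s*(?P<args>.*)$")
# Heuristic (assumption): the scan target is the first dotted token such as "65.78.174.x".
TARGET_RE = re.compile(r"\b\d{1,3}(?:\.(?:\d{1,3}|x)){1,3}\b")
# Bot progress report from the chapter: "File download: 19.0KB to: c:\msutil64.exe @ ..."
DOWNLOAD_RE = re.compile(r"File download:\s*(?P<size>[\d.]+KB) to:\s*(?P<path>\S+)")

# Constructed capture: the chapter's two messages as the page prints them (ngrep renders the
# non-printable CRLF at the end of each payload as ".."), plus a PONG and a harmless chat
# line invented for this example.
SAMPLE_CAPTURE = r"""
T 10.1.2.3:8641 -> 192.168.2.3:3103 [AP]
:notsocool!notsocool@just.smoke.it PRIVMSG #zz :.advscan asn445 330 5 0 65.78.174.x -r -s..
T 192.168.2.3:3103 -> 10.1.2.3:8641 [AP]
PONG :just.smoke.it..
T 10.1.2.3:8641 -> 192.168.2.3:3103 [AP]
:someone!user@chat.example.test PRIVMSG #zz :anybody around?..
T 192.168.2.4:2345 -> 10.1.2.3:8641 [AP]
:notsocool!notsocool@just.smoke.it PRIVMSG #zz :^B.DOWN.^B File download: 19.0KB to: c:\msutil64.exe @ 19.0KB/sec.]
"""


@dataclass
class IrcMessage:
    prefix: Optional[str]                       # "nick!user@host" or a server name; None if absent
    command: str                                # "PRIVMSG", "JOIN", "001", ...
    params: list = field(default_factory=list)  # middle parameters, then the trailing one


def parse_irc_line(line: str) -> IrcMessage:
    """Split one IRC line into prefix, command and parameters (RFC 1459 section 2.3.1).

    The trailing parameter introduced by " :" may contain spaces and is kept whole;
    in a PRIVMSG that is where the bot command text lives.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    words = head.split()
    if not words:
        raise ValueError("IRC line without a command")
    params = words[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, words[0].upper(), params)


def parse_capture(text: str) -> Iterator[Tuple[dict, IrcMessage]]:
    """Yield (ngrep header, IrcMessage) pairs; payloads that are not IRC lines are skipped."""
    header = None
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = HEADER_RE.match(raw)
        if m:
            header = m.groupdict()
            continue
        if header is None:
            continue
        try:
            yield header, parse_irc_line(raw)
        except ValueError:
            continue


def classify(header: dict, msg: IrcMessage) -> Optional[dict]:
    """Flag PRIVMSGs that look like C&C commands or bot reports, whatever port carries them."""
    if msg.command != "PRIVMSG" or len(msg.params) < 2:
        return None
    channel, text = msg.params[0], msg.params[-1]
    m = SCAN_RE.match(text)
    if m:
        target = TARGET_RE.search(m["args"])
        return {"kind": "scan_command",
                "cnc": f"{header['src']}:{header['sport']}",  # server -> bot: the bot is the destination
                "bot": header["dst"], "channel": channel,
                "exploit": m["exploit"], "target": target.group(0) if target else None}
    m = DOWNLOAD_RE.search(text)
    if m:
        return {"kind": "download_report",
                "cnc": f"{header['dst']}:{header['dport']}",  # bot -> server: the bot is the source
                "bot": header["src"], "channel": channel,
                "path": m["path"], "size": m["size"]}
    return None


def find_bot_activity(capture: str) -> list:
    """Run the classifier over a whole ngrep capture and return the findings in order."""
    return [f for f in (classify(h, m) for h, m in parse_capture(capture)) if f]


if __name__ == "__main__":
    for finding in find_bot_activity(SAMPLE_CAPTURE):
        print(finding)
```

Because the classifier keys on message structure and content, it produces the same two findings whether the server sits on 6667 or, as here, on 8641; a rule that only watched the traditional port would have missed this botnet entirely.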
Internet Relay Chat (IRC) is an Internet Engineering Task Force (IETF)
specified protocol. Its original version was RFC 1459, written in 1993.
RFC 1459 was later updated (but not replaced) by RFCs 2810-2813. (See
www.irchelp.org/irchelp/rfc for more information.) Internet Relay Chat has a
strange history. It is not the only chat protocol (there are many such
protocols, and one might include instant messaging protocols as well), but it
is popular with botnet authors as well as with ordinary users who just want
to chat. It has been popular with hackers because there is no need to
register accounts or handles, and it is easy to set up your own channels and
servers. It has also been popular with hackers for discussing the distribution
of illegal files (warez) and attack methodologies.
The basic idea is that you have a network of one or more servers and a set
of IRC clients. A user connects to an IRC server with an IRC client on a
particular port (traditionally port 6667, although any port can be used, as
the 8641 in the capture above shows), selects a nickname (a nick or handle),
and joins one or more channels, each of which may optionally require a
password (a channel key). Joe Hacker might call himself l33tguy in the channel. The
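
The connect, nickname and join-with-key sequence just described, played out against a toy in-memory server, as an added example that is not code from the book or from any real IRC daemon. The server understands only NICK, USER, JOIN and PRIVMSG and answers with the RFC 2812 numerics; the server name irc.example.test, the client host bot.example.test, the channel key s3cret and the user names are assumptions made for the walkthrough, while #zz, notsocool, l33tguy and the .advscan text come from the chapter.

```python
"""Toy IRC server: registration, channel join with a key, and message relay."""

SERVER = "irc.example.test"   # assumed server name (not from the chapter)
HOST = "bot.example.test"     # assumed client hostname used in message prefixes


class ToyIrcServer:
    """Understands NICK, USER, JOIN (optional channel key) and PRIVMSG only.

    Numeric replies follow RFC 2812: 001 welcome, 404 cannot send to channel,
    421 unknown command, 431 no nickname, 433 nick in use, 451 not registered,
    461 not enough parameters, 475 bad channel key (+k).
    """

    def __init__(self, channel_keys=None):
        self.nicks = set()
        self.channel_keys = channel_keys or {}   # channel -> key required by mode +k
        self.members = {}                         # channel -> set of member nicks

    def new_session(self):
        return {"nick": None, "user": None, "registered": False}

    def handle(self, s, line):
        """Process one client line and return the lines the server sends back."""
        cmd, *args = line.rstrip("\r\n").split(" ")
        cmd = cmd.upper()
        if cmd == "NICK":
            if not args:
                return [f":{SERVER} 431 * :No nickname given"]
            if args[0] in self.nicks:
                return [f":{SERVER} 433 * {args[0]} :Nickname is already in use"]
            if s["nick"]:
                self.nicks.discard(s["nick"])
            s["nick"] = args[0]
            self.nicks.add(args[0])
        elif cmd == "USER":
            if len(args) < 4:
                return [f":{SERVER} 461 * USER :Not enough parameters"]
            s["user"] = args[0]
        elif not s["registered"]:
            # Everything else is refused until both NICK and USER have been seen.
            return [f":{SERVER} 451 * :You have not registered"]
        elif cmd == "JOIN":
            return self._join(s, args)
        elif cmd == "PRIVMSG":
            return self._privmsg(s, line)
        else:
            return [f":{SERVER} 421 {s['nick']} {cmd} :Unknown command"]
        # Registration completes once the server knows both the nick and the user.
        if not s["registered"] and s["nick"] and s["user"]:
            s["registered"] = True
            return [f":{SERVER} 001 {s['nick']} :Welcome to the toy network, {s['nick']}"]
        return []

    def _join(self, s, args):
        if not args:
            return [f":{SERVER} 461 {s['nick']} JOIN :Not enough parameters"]
        chan = args[0]
        key = args[1] if len(args) > 1 else None
        required = self.channel_keys.get(chan)
        if required is not None and key != required:
            return [f":{SERVER} 475 {s['nick']} {chan} :Cannot join channel (+k)"]
        self.members.setdefault(chan, set()).add(s["nick"])
        names = " ".join(sorted(self.members[chan]))
        return [f":{s['nick']}!{s['user']}@{HOST} JOIN {chan}",
                f":{SERVER} 353 {s['nick']} = {chan} :{names}",
                f":{SERVER} 366 {s['nick']} {chan} :End of NAMES list"]

    def _privmsg(self, s, line):
        parts = line.rstrip("\r\n").split(" ", 2)
        if len(parts) < 3:
            return [f":{SERVER} 461 {s['nick']} PRIVMSG :Not enough parameters"]
        target, text = parts[1], parts[2]
        text = text[1:] if text.startswith(":") else text
        if target.startswith("#") and s["nick"] not in self.members.get(target, set()):
            return [f":{SERVER} 404 {s['nick']} {target} :Cannot send to channel"]
        # The server relays the text to the other members with the sender's prefix
        # attached; this is the form the bots see and the form ngrep captured above.
        return [f":{s['nick']}!{s['user']}@{HOST} PRIVMSG {target} :{text}"]


def client_session(server, nick, user, channel, key=None, say=None):
    """Send what a freshly connected client sends; return [("C"|"S", line), ...]."""
    s = server.new_session()
    lines = [f"NICK {nick}", f"USER {user} 0 * :{user}",
             f"JOIN {channel} {key}" if key else f"JOIN {channel}"]
    if say:
        lines.append(f"PRIVMSG {channel} :{say}")
    transcript = []
    for line in lines:
        transcript.append(("C", line))
        transcript.extend(("S", reply) for reply in server.handle(s, line))
    return transcript


def server_replies(transcript):
    """The command or numeric of each server line, for quick inspection."""
    return [line.split(" ")[1] for who, line in transcript if who == "S"]


if __name__ == "__main__":
    srv = ToyIrcServer(channel_keys={"#zz": "s3cret"})
    for who, line in client_session(srv, "l33tguy", "bot", "#zz", key="wrong", say="hi"):
        print(who, line)
    for who, line in client_session(srv, "notsocool", "notsocool", "#zz", key="s3cret",
                                    say=".advscan asn445 330 5 0 65.78.174.x -r -s"):
        print(who, line)
```

A client that offers the wrong key never gets the JOIN echo and cannot speak in the channel (475, then 404); one that knows the key is welcomed, joined and has its PRIVMSG relayed with the `nick!user@host` prefix that the bots, and ngrep, see.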