Cyber Security Awareness Month - Day 7 - Port 6667/8/9/7000 - IRC: is it evil?
IRC. Internet Relay Chat, commonly found on ports 6667, 6668, 6669 and 7000, but really found on almost any port.
My question is: is it evil? I've worked at some places in the past where IRC was generally forbidden, on the view that it was pretty much an evil thing, that only "hackers" used it, and that it was a bad place to download "warez". (Yes, these words are in quotes because they were the actual words spoken to me when I asked "Uh, why?")
IRC is a very well documented "chat" protocol (RFC 1459) that lets any of hundreds upon hundreds of client programs talk to IRC servers (or networks of servers such as freenode, efnet, or dalnet) in order to join "rooms" or "channels" and talk with the other members of the channel. Most of you know this.
Several years ago, however, IRC picked up another use: Command and Control, or "C&C". Malware placed (or downloaded and run) on a machine on your local network connects outbound and "beacons" back to the C&C server, which is generally just an IRC channel with a password, so that the master of the malware can control the infected computers.
This became known as a botnet. You may have heard of them.
(I am sure the term "botnet" was in use long before IRC was being used for C&C; in fact, I know it was, but you get my point.)
Of course, over the years botnets have become more sophisticated, using things like SSL and HTTP instead of IRC, but there are still a lot of botnets out there that use IRC for C&C.
Where I used to work, and also in my present job (Sourcefire, makers of Snort), we found these botnets by using the IRC rules in the chat.rules file. The rules in chat.rules are bound to the standard IRC ports, however, and as I said above, IRC, especially the "covert" C&C channels, goes out over any port.
I've seen C&C on port 80, port 53, you name it, 23, 21... you get the point. So the easiest way I found to track these IRC connections is to remove the port restrictions on the IRC rules in chat.rules and replace the ports with "any" (I am referring to Snort syntax here), which allows the rules to trigger on IRC on any port.
Things to keep in mind about this very simple method of finding IRC on the network: if you allow IRC on your network, you are going to get tons and tons of alerts...
... however, if you do NOT allow IRC on your network and you find it, you have found either someone who is violating policy (generally something you'd want to do) or something worse. Hopefully not one of these simplistic C&C "covert" channels. They are usually easy to identify by reviewing the Snort logs: instead of a conversation, you see commands and passwords being issued. If you find them, start noting the IPs that appear in the alerts on your network, and start cleaning!
I generally don't feel that IRC is a bad thing if it is used responsibly. If IRC is allowed on the network, finding those botnets can be tricky (I would start by suppressing the freenode, dalnet, etc. servers in your threshold.conf file) and it might take more work, but the benefits will show themselves in the end.
UPDATE: Reading some of the comments, I think people believe that I am trying to say that IRC is evil. No, it's not. I use it all day, every day. I am saying that it is used for C&C. Sometimes. But so are HTTP and HTTPS, so...
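As an added example (this is not code from the diary, and not Snort's or Sourcefire's own tooling), here is a small Python script that performs the two edits described above: it strips the port binding from IRC rules so that they fire on any port, and it emits threshold.conf "suppress" lines for the IRC servers you sanction, so that a network where IRC is allowed does not drown in alerts. The three rules are constructed in the style of chat.rules; their sids (1000001 to 1000003) and the server address 192.0.2.10 are placeholders, not real chat.rules sids or a real server.

```python
"""Unbind Snort IRC rules from their port range and build threshold.conf
suppressions for sanctioned IRC servers.

Added example; not code from the ISC diary, Snort or Sourcefire.
"""
import re

# Constructed sample rules in chat.rules style (placeholder sids 1000001+).
# The 6666:7000 binding is what hides C&C that runs IRC over 80, 53, 21, ...
SAMPLE_RULES = """\
# IRC rules (constructed sample in chat.rules style)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; nocase; classtype:policy-violation; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN "; nocase; classtype:policy-violation; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC message"; flow:to_client,established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1000003; rev:1;)
"""

# Snort rule header: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+(?P<opts>\(.*\))\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def unbind_ports(rule: str) -> str:
    """Return the rule with both port fields replaced by 'any'.
    Comment lines and anything that is not a rule header come back unchanged."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return rule
    g = m.groupdict()
    return f"{g['action']} {g['proto']} {g['src']} any {g['dir']} {g['dst']} any {g['opts']}"


def unbind_ruleset(text: str) -> str:
    """Apply unbind_ports to every rule line of a rules file."""
    return "\n".join(unbind_ports(line) for line in text.splitlines())


def suppressions(ruleset: str, allowed_servers, gen_id: int = 1):
    """threshold.conf lines that silence each IRC sid for the sanctioned servers.

    Client-to-server rules ($HOME_NET as source) see the IRC server as the
    destination, so they are tracked by_dst; server-to-client rules by_src.
    """
    lines = []
    for line in ruleset.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        sid = SID_RE.search(m["opts"])
        if not sid:
            continue
        track = "by_dst" if m["src"] == "$HOME_NET" else "by_src"
        for ip in allowed_servers:
            lines.append(
                f"suppress gen_id {gen_id}, sig_id {sid.group(1)}, track {track}, ip {ip}"
            )
    return lines


if __name__ == "__main__":
    print("# chat.rules with IRC rules unbound from 6666:7000")
    print(unbind_ruleset(SAMPLE_RULES))
    print("\n# threshold.conf entries for a sanctioned server (placeholder IP)")
    print("\n".join(suppressions(SAMPLE_RULES, ["192.0.2.10"])))
```

A caveat a practitioner will hit straight away: with the ports set to "any", these content rules are evaluated against every established TCP stream in the matching direction, so expect more sensor load and some false positives where the literal strings happen to appear in other traffic (web pages quoting IRC commands, for instance). The flow options still restrict matches to established sessions in the right direction, and the suppressions above only hide alerts involving the servers you list, so IRC to an unknown server on an odd port still shows up.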
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
Comments
joeblow
Oct 7th 2009
1 decade ago
The technology is agnostic; it is the *users* who decide toward what purpose it is employed.
Jason
Oct 7th 2009
1 decade ago
It's all about the people using it; IRC has been given a very bad name and most ISPs can't even tell you why.
It's true that botnets have found homes on IRC networks and with a few creative means they could be eradicated. However nothing would stop the bad guys from having their own IRC servers.
If you really wanna get rid of all the bad, let's just get rid of computers and stop punishing law-abiding users of protocols.
James Woods
Oct 7th 2009
1 decade ago
Let's assume for a second that we follow this idea along a bit and also let's assume we are a bit technically impaired also. Let's say we 'forbid' IRC in the whole of the internet. (Let's also assume that this would be possible) How long until we will see that *insert_random_protocol_name_here* is being used to do C&C action? Hell, there have been botnets controlled via Twitter already.
kaner
Oct 7th 2009
1 decade ago
kaner
Oct 7th 2009
1 decade ago
Give a lockpick set to a good guy, and he'll get you into your car when you've locked your keys inside... give it to a bad guy, and he'll steal your car with it.
Anything can be abused; however, I feel that boards such as this ISC forum are a place for like minds to share concepts for dealing with malicious character.
GuenTech
Oct 7th 2009
1 decade ago
Joel
Oct 7th 2009
1 decade ago