Bot C&C Servers on Port 80

Published: 2006-11-16
Last Updated: 2006-11-16 16:22:48 UTC
by Johannes Ullrich (Version: 2)
0 comment(s)
We do see more and more bots that use port 80 for their C&C channel. This will make these bots harder to detect. However, these are IRC servers, so its not that hard to distinguish them from HTTP traffic.

Couple tricks that may help:

  • Implement a proxy server to filter outbound port 80 traffic. This is a good idea anyway as it may help you to implement additional filtering for web traffic as well.
  • If you suspect an IRC server on port 80 in your own network, a quick scan with nmap (version 4 and later) can help:

nmap -A -p 80 10.0.0.0/24 (The '-A' option will look for service banners)

Interesting ports on 10.0.0.a:
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped <--- expect this from devices
using web admin interfaces.

Interesting ports on 10.0.0.b:
PORT STATE SERVICE VERSION
80/tcp open http? <--- this server is running apache
with customized headers.

Interesting ports on 10.0.0.c:
PORT STATE SERVICE VERSION
80/tcp open irc ircu ircd <--- this server is running IRC!
Service Info: Host: megaserver



  • implement a snort rule to look for IRC traffic on port 80. Snorts 'chat.rules' has a number of rules to detect IRC, but they are limited to port 6666:7000 by default. Make sure you get the latest version. You need to use the "registration required but free" rules.

If you don't want to deal with the legal issues of Sourcefire's "VRT" rules, use the  Bleedingthreats rules: IRC Policy Rules, Trojan/Bot IRC rules.

Keywords:
0 comment(s)
Diary Archives