IRC traffic on non standard ports

Published: 2011-08-04
Last Updated: 2011-08-04 21:36:06 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

I am always quite fond of IDS signatures that look for results of compromise, versus attack attempts. This may sound a bit fatalistic, as these signatures are only triggered after the attack succeeded, but on the other hand, these alerts are actionable and can be tuned better then some of the attack attempts (most of which don't succeed and don't provide a lot of actionable information).

Today, a reader wrote in with a nice detect of "NICK traffic on a non standard port".

Lets explain IRC a bit: IRC is a simple, text based online chat protocol [1], and it is used frequently to control botnets. To prevent simple port based detection, many malicious IRC servers run on odd ports. But the IRC traffic payload can be quite characteristic and easy to spot.

As the user connects to an IRC server, it will set a nick name. This is done via a "NICK" command. In addition, the USER command is used to set a user name. a USER and a NICK command have to be sent to connect to a server, and they are usually sent one after the other.

NICK something
USER something else 

The reader's IDS captured a single packet due to this signature. The content (slightly obfuscated) was:

NICK {USA|XPa}abcdefg
USER abcdefg

These random strings with specific prefixes are typical for bot C&C, and finding a string like this would make me almost certainly look a lot closer at this particular system. 


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: bot irc
5 comment(s)
Diary Archives