IRC traffic on non standard ports

Published: 2011-08-04
Last Updated: 2011-08-04 21:36:06 UTC
by Johannes Ullrich (Version: 1)
5 comment(s)

I am always quite fond of IDS signatures that look for results of compromise, versus attack attempts. This may sound a bit fatalistic, as these signatures are only triggered after the attack succeeded, but on the other hand, these alerts are actionable and can be tuned better then some of the attack attempts (most of which don't succeed and don't provide a lot of actionable information).

Today, a reader wrote in with a nice detect of "NICK traffic on a non standard port".

Lets explain IRC a bit: IRC is a simple, text based online chat protocol [1], and it is used frequently to control botnets. To prevent simple port based detection, many malicious IRC servers run on odd ports. But the IRC traffic payload can be quite characteristic and easy to spot.

As the user connects to an IRC server, it will set a nick name. This is done via a "NICK" command. In addition, the USER command is used to set a user name. a USER and a NICK command have to be sent to connect to a server, and they are usually sent one after the other.

NICK something
USER something else 

The reader's IDS captured a single packet due to this signature. The content (slightly obfuscated) was:

NICK {USA|XPa}abcdefg
USER abcdefg

These random strings with specific prefixes are typical for bot C&C, and finding a string like this would make me almost certainly look a lot closer at this particular system. 

[1] http://www.irchelp.org/irchelp/text/rfc1459.txt

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: bot irc
5 comment(s)

Comments

A randomized nickname is a good sign of a botnet C and C. MANY major IRC networks that are used for legitimate discussion room access run on ports other than the one registered with IANA.

For example, DALnet uses port 7000, 6660-6669, 9000, 5500, and 7325 are also some common choices.

You can't tell if an IRC server is designed to be malicious solely based on port number; but if you see an IRC server running on port a WKP such as 80, 8080, 53, 443, it's almost always going to be malicious, the only real reason for IRCD to be running on port 80 is to try to evade firewalls.

IRC servers run on high-numbered ports so the daemon doesn't have to run as root.
I've seen similar names used before as well.

Jan 27 04:46:33 myserver sshd[2346]: Bad protocol version identification 'NICK [USA]WINXP-10043' from 111.222.333.444

this was from a shell user tunnelling http traffic over a ssh connection.
joeblow, I am curious how you were able to detect the "nick" command when it was being tunneled through ssh?
He was able to look in the Log Files.
@Mysid: of course, the port number isn't evidence enough, but the NICK gave it kind of away.

@joeblow: This looks more like someone trying to connect to an SSH server using an IRC client. Does your ssh server run on an off port?

Diary Archives