Internet Relay Chat Chandrea Dungy Derek Garrett #29.
What is it
Allows multiple users to chat with each other (chat rooms).
Beneficial for companies by avoiding fees for long distance and conference calls via telephone.
Negative since IRC consumes bandwidth, uses CPU cycles slowing down computer activity, and the host incurs the cost of IRC activity from rogue users.
Protocol
Client/Server model.
Server establishes a socket for communications per client's request.
Server maintains server-to-server communications in an IRC network.
Clients can gain information about other servers and clients within the IRC network using queries.
How Intruders Use IRC
Frequently use IRC to share compromised passwords, warez, exploitable information, exploit tools, pornography and vulnerabilities associated with certain sites.
Favorite targets of IRC intruders are high-bandwidth Internet connections and high-speed systems with large disk space and plenty of memory.
Intruder Precautions and Techniques
Consistently check for signs they are being monitored.
Consistently check if the system administrator is on-line.
Gain more privileges by exploiting a vulnerability through a previously installed backdoor.
Remove their presence from log files.
Create a hidden directory just below the root file system.
Download their tools to the hidden directory.
Install Trojan binaries or runtime modules to hide their presence and the processes they are running.
Intruder Activity
Almost impossible to detect intruders once they have gone through these precautions and techniques.
Set up an invitation-only channel for other intruders.
Obtain a copy of the password file to be cracked off-line.
Cracked passwords and logins are traded in the intruder community.
Escape Plans if Detected
Bailing out of the network.
Trick the DNS server into caching a bogus hostname or address to make it more difficult to trace activity.
Remove evidence of activity, install a network sniffer, Trojan important system binary files and leave quietly.
Create a new account in case the vulnerability is removed.
Trojan the login process so it will allow the intruder to log in the next time.
How to Detect IRC Activity
Check for evidence of IRC activity.
Monitor network traffic.
Evidence of IRC Activity
Look for suspicious hidden directories below the root directory.
Look for IRC files: Eggdrop, mIRC, Pirch, Virc for Windows; Homer and Ircle for Macs.
IRC support files that list servers, clients, and channels.
Look for a tool named datapipe.c.
Look for pornography.
Monitor Network Traffic
Analyze network traffic, searching for patterns similar to IRC traffic.
The IRC server sends packets from a particular point to all channel clients.
The network analyzer must keep track of packet header information: source and destination address, port number and packet type.
Monitor Network Traffic
Look at the content of each packet to match data against a set of user-defined strings:
NICK – client's nickname
USER – user name
PASS – password
JOIN – joining a channel
OPER – regular user wants to become channel operator
PRIVMSG – private message
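The two monitoring steps above, header tracking by flow plus content matching on the IRC command strings, as an added example that is not part of the presentation. It parses each payload line with the RFC 1459 message grammar (optional ":prefix", command, parameters, optional ":trailing") instead of a plain substring search, so "NICK" inside an e-mail body does not count as a hit, and it keys hits by (source, destination, port) so IRC on a non-standard port is still found. The packets are constructed samples, not captured traffic; the function and threshold names are my own.

```python
import re
from collections import Counter, defaultdict

# Command strings the slides list as detection patterns.
IRC_COMMANDS = {"NICK", "USER", "PASS", "JOIN", "OPER", "PRIVMSG"}

# RFC 1459 message: [":" prefix " "] command {" " param} [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^:\s]\S*)*)(?: :(?P<trailing>.*))?$"
)

def parse_irc_line(line):
    """Return {'prefix', 'cmd', 'params'} for a well-formed IRC line, else None."""
    m = IRC_LINE.match(line.strip("\r\n"))
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return {"prefix": m.group("prefix"), "cmd": m.group("cmd").upper(), "params": params}

def scan_flows(packets, min_hits=2):
    """packets: iterable of (src, dst, dport, payload). Returns, per flow that
    carries at least min_hits IRC command lines, a count of commands seen."""
    hits = defaultdict(Counter)
    for src, dst, dport, payload in packets:
        for line in payload.split("\r\n"):
            msg = parse_irc_line(line)
            if msg and msg["cmd"] in IRC_COMMANDS:
                hits[(src, dst, dport)][msg["cmd"]] += 1
    return {flow: dict(c) for flow, c in hits.items() if sum(c.values()) >= min_hits}

# Constructed sample flows (not real captures): one IRC login on 6667, one HTTP
# request, and one IRC session hidden on port 8080.
SAMPLE_PACKETS = [
    ("10.0.0.5", "198.51.100.7", 6667, "NICK h4x\r\nUSER h4x 0 * :h4x\r\nPASS s3cret\r\n"),
    ("10.0.0.5", "198.51.100.7", 6667, "JOIN #warez\r\nPRIVMSG #warez :shadow file is up\r\n"),
    ("10.0.0.8", "203.0.113.2", 80, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.9", "198.51.100.9", 8080, "NICK bot\r\nJOIN #hidden\r\n"),
]

if __name__ == "__main__":
    for flow, counts in scan_flows(SAMPLE_PACKETS).items():
        print(flow, counts)
```

Content matching of this kind only works on cleartext; a flow that is encrypted leaves just the header features (endpoints, port, fan-out from one server to many clients) to work with.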
Recent Trends of IRC
Intruders using private channels.
Using encryption as an additional precaution.
Eliminates any hope for successful packet content analysis strategies.
The IRC Lab
Denial of Service attack using diemIRC.
Use mIRC scripting to create a backdoor.
diemIRC
Listens on port 6667 (used by IRC) for incoming connections.
Crashes the victim's mIRC session according to the chosen exploit.
DoS Attacks
Often more annoying than technically elegant.
Most likely used by a "script kiddie", but more advanced attackers may use them as part of a large-scale attack.
Close unused ports, use a firewall, and update software for protection.
IRC Backdoors
Remote access tool: the IRC client acts as the backdoor client, gets limited access to an infected system and can modify, upload, download and run files.
Some IRC backdoors have additional functionality that allows a hacker to perform malicious actions in IRC channels and in some cases can allow an attacker to completely take over an IRC channel.