Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Transcript of Internet Relay Chat Chandrea Dungy Derek Garrett #29 (16 pages).

Page 1

Internet Relay Chat

Chandrea Dungy, Derek Garrett

#29

Page 2

What is it

Allows multiple users to chat with each other (chat rooms).

Beneficial for companies: avoids the long-distance and conference-call fees of the telephone.

Negative: IRC consumes bandwidth, uses CPU cycles that slow down other computer activity, and the host incurs the cost of IRC activity from rogue users.

Page 3

Protocol

Client/Server model.

Server establishes a socket for communications per client's request.

Server maintains server-to-server communications in an IRC network.

Clients can gain information about other servers and clients within the IRC network using queries.

Page 4

How Intruders Use IRC

Frequently use IRC to share compromised passwords, warez, exploitable information, exploit tools, pornography and vulnerabilities associated with certain sites.

Favorite targets of IRC intruders are high-bandwidth Internet connections and high-speed systems with large disk space and plenty of memory.

Page 5

Intruder Precautions and Techniques

Consistently check for signs they are being monitored.

Consistently check if the system administrator is on-line.

Gain more privileges by exploiting a vulnerability through a previously installed backdoor.

Remove their presence from log files.

Create a hidden directory just below the root file system.

Download their tools to the hidden directory.

Install Trojan binaries or runtime modules to hide their presence and the processes they are running.

Page 6

Intruder Activity

Almost impossible to detect intruders once they have gone through the precautions and techniques above.

Set up an invitation-only channel for other intruders.

Obtain a copy of the password file to be cracked off-line.

Cracked passwords and logins are traded in the intruder community.

Page 7

Escape Plans if Detected

Bail out of the network.

Trick the DNS server into caching a bogus hostname or address to make it more difficult to trace activity.

Remove evidence of activity, install a network sniffer, Trojan important system binary files and leave quietly.

Create a new account in case the vulnerability is removed.

Trojan the login process so it will allow the intruder to log in the next time.

Page 8

How to Detect IRC Activity

Check for evidence of IRC activity.

Monitor network traffic.

Page 9

Evidence of IRC Activity

Look for suspicious hidden directories below the root directory.

Look for IRC files: Eggdrop, mIRC, Pirch, Virc for Windows; Homer and Ircle for Macs.

Look for IRC support files that list servers, clients, and channels.

Look for a tool named datapipe.c.

Look for pornography.
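The host-side checks on this slide (hidden directories just below the root, files named after IRC clients, bots and datapipe.c) can be scripted. The following is an added example written for this transcript, not code from the presentation or from any of the tools it names. It scans a constructed temporary directory tree so it runs offline; the list of support-file names (servers.ini, channels.ini) is an assumption for illustration, and the client file names are taken from the slide.

```python
"""Scan a filesystem tree for the IRC artifacts the slide lists.

Added example, not part of the original presentation. Two checks:
  1. hidden directories (name starts with '.') just below the tree root;
  2. file names associated with the IRC clients, bots and tools named on
     the slide (Eggdrop, mIRC, Pirch, Virc, Homer, Ircle, datapipe.c).
"""
import os
import tempfile

# Base names to flag, compared case-insensitively. Client/bot names come from
# the slide; servers.ini and channels.ini are assumed "support file" names.
IRC_ARTIFACT_NAMES = {
    "eggdrop", "mirc.exe", "mirc.ini", "pirch", "virc",
    "homer", "ircle", "datapipe.c", "servers.ini", "channels.ini",
}


def find_hidden_dirs(root, max_depth=1):
    """Return hidden directories found within max_depth levels of root."""
    hits = []
    root = os.path.abspath(root)
    for dirpath, dirnames, _ in os.walk(root):
        depth = dirpath[len(root):].count(os.sep)
        if depth >= max_depth:
            dirnames[:] = []          # do not descend any deeper
        for d in dirnames:
            if d.startswith("."):     # '.foo', '...', '. ' all start with '.'
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


def find_irc_files(root):
    """Return every path whose base name is a known IRC artifact name."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for f in filenames:
            if f.lower() in IRC_ARTIFACT_NAMES:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def scan(root):
    """Run both checks and return the findings as a dict of sorted paths."""
    return {"hidden_dirs": find_hidden_dirs(root),
            "irc_files": find_irc_files(root)}


def build_sample_tree():
    """Constructed sample tree: a '...' directory under root holding IRC files,
    plus a benign user directory. Created in a fresh temp directory."""
    root = tempfile.mkdtemp()
    hidden = os.path.join(root, "...")          # hidden-looking directory
    os.makedirs(os.path.join(hidden, "bot"))
    os.makedirs(os.path.join(root, "home", "alice"))
    for rel in (("bot", "eggdrop"), ("datapipe.c",), ("servers.ini",)):
        with open(os.path.join(hidden, *rel), "w") as fh:
            fh.write("sample\n")
    with open(os.path.join(root, "home", "alice", "notes.txt"), "w") as fh:
        fh.write("benign\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, paths in scan(sample_root).items():
        print(kind)
        for p in paths:
            print("  ", p)
```

Point it at a real mount point with `scan("/")` (run as a user with read access); name matching is deliberately exact so a benign `eggdrop.txt` is not flagged, which also means a renamed binary is missed and the hidden-directory check is what catches the staging area.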

Page 10

Monitor Network Traffic

Analyze network traffic, searching for patterns similar to IRC traffic: an IRC server sends packets from a particular point to all channel clients.

The network analyzer must keep track of packet header information: the source and destination address, port number and packet type.

Page 11

Monitor Network Traffic

Look at the content of each packet to match data against a set of user-defined strings:

NICK – client's nickname
USER – user name
PASS – password
JOIN – joining a channel
OPER – regular user wants to become channel operator
PRIVMSG – private message
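Pages 10 and 11 together describe a two-part detector: track source/destination/port in the headers to spot one server fanning out to all channel clients, and match packet contents against the command strings listed above. The following is an added example written for this transcript, not code from the presentation; it parses IRC lines in the RFC 1459 shape (optional `:prefix`, command, parameters) and runs over a constructed list of packet records rather than a live capture. The port set and the fan-out threshold are assumptions.

```python
"""Detect IRC activity from packet headers and payloads, as on slides 10-11.

Added example, not the presentation's own code. Packets are dicts with
src, dst, sport, dport and a text payload; the sample list at the bottom
is constructed, not captured.
"""
import re
from collections import defaultdict

# The user-defined string set from slide 11.
IRC_COMMANDS = {"NICK", "USER", "PASS", "JOIN", "OPER", "PRIVMSG"}
# Assumption: ports commonly used by IRC servers (6667 is the one the slides cite).
IRC_PORTS = {6667, 6668, 6669, 6697}

# RFC 1459 message shape: [':' prefix ' '] command [params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?P<params>.*)$")


def parse_irc_line(line):
    """Parse one line into prefix/command/params, or None if it is not IRC-shaped."""
    m = IRC_LINE.match(line.strip("\r\n"))
    if not m:
        return None
    return {"prefix": m.group("prefix"),
            "command": m.group("cmd").upper(),
            "params": m.group("params").strip()}


def match_content(payload):
    """Content check: return the watched IRC commands present in a payload."""
    found = []
    for line in payload.split("\n"):
        msg = parse_irc_line(line)
        if msg and msg["command"] in IRC_COMMANDS:
            found.append(msg["command"])
    return found


def fanout_sources(packets, min_targets=3):
    """Header check: sources on an IRC port that send to >= min_targets
    distinct destinations, the 'one point to all channel clients' pattern."""
    targets = defaultdict(set)
    for p in packets:
        if p["sport"] in IRC_PORTS:
            targets[p["src"]].add(p["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def analyze(packets):
    """Run both checks; content alerts are (src, dst, dport, [commands])."""
    alerts = []
    for p in packets:
        cmds = match_content(p["payload"])
        if cmds:
            alerts.append((p["src"], p["dst"], p["dport"], cmds))
    return {"content_alerts": alerts, "fanout": fanout_sources(packets)}


def pkt(src, sport, dst, dport, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


# Constructed sample: one client registering and joining, the server relaying
# a channel message to three clients, and one unrelated HTTP request.
SERVER = "198.51.100.7"
SAMPLE_PACKETS = [
    pkt("10.0.0.5", 51000, SERVER, 6667, "NICK alice\r\nUSER alice 0 * :Alice\r\n"),
    pkt("10.0.0.5", 51000, SERVER, 6667, "JOIN #private\r\n"),
    pkt(SERVER, 6667, "10.0.0.5", 51000, ":bob!b@h PRIVMSG #private :hi\r\n"),
    pkt(SERVER, 6667, "10.0.0.6", 51234, ":bob!b@h PRIVMSG #private :hi\r\n"),
    pkt(SERVER, 6667, "10.0.0.9", 50012, ":bob!b@h PRIVMSG #private :hi\r\n"),
    pkt("10.0.0.5", 51001, "203.0.113.10", 80, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_PACKETS)
    for alert in result["content_alerts"]:
        print("content:", alert)
    for src, dsts in result["fanout"].items():
        print("fan-out:", src, "->", dsts)
```

The HTTP packet parses as command `GET`, which is not in the watch set, so it produces no alert; the header check is what still catches a server on a non-standard port only if that port is added to `IRC_PORTS`, and, as page 12 notes, neither check survives an encrypted channel.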

Page 12

Recent trends of IRC

Intruders using private channels.

Using encryption as an additional precaution; this eliminates any hope for successful packet content analysis strategies.

Page 13

The IRC Lab

Denial of Service attack using diemIRC.

Use mIRC scripting to create a backdoor.

Page 14

diemIRC

Listens on port 6667 (used by IRC) for incoming connections.

Crashes the victim's mIRC session according to the chosen exploit.

Page 15

DoS Attacks

Often more annoying than technically eloquent.

Most likely used by a "script kiddie", but more advanced attackers may use them as part of a large-scale attack.

Close unused ports, use a firewall, and keep software updated for protection.

Page 16

IRC backdoors

Remote access tool: the IRC client acts as the backdoor client, gets limited access to an infected system and can modify, upload, download and run files.

Some IRC backdoors have additional functionality that allows a hacker to perform malicious actions in IRC channels and in some cases can allow an attacker to completely take over an IRC channel.