Cal Poly Pomona

Enterprise Computing

 

Cal Poly Pomona                        Phone: (909) 869-7659

3801 West Temple Avenue          Submitted By: Daniel Formel

Pomona, California 91768

                                                    

Title V Project

IRC Bots

 

What is IRC

 

IRC stands for Internet Relay Chat. It originated in 1988 and has become an extremely popular Internet service used in over 60 countries. It is a multi-user chat system in which people connect to "channels" to chat with others or to chat privately. A user runs an IRC client such as mIRC (www.mirc.com) to connect to a server in the IRC network of their choice. Once connected to the server, the user can join any channel or create their own to interact with other users.

 

What is a Bot

 

Bot is short for robot. A bot is normally a script run from the client or from a separate computer, and is generally not needed to use IRC. Bots can serve valid and useful purposes, such as protecting a channel from takeovers, and some will even entertain you with funny or brain-teasing games. IRC bots have become much more sophisticated in recent years as their authors find new applications for them. The first IRC bots were simple scripts designed to maintain IRC channel rules and to distribute information to IRC users. They have since evolved into remote-controlled backdoor programs, DDoS zombies, and warez distribution programs. In this context it is good advice never to take bot code, .ini files or strange commands from someone and run them without understanding exactly what they do.

 

IRC bots come in several different flavors and for several different operating systems. For Windows, there are three specific types of bots:

 

§         Bots that consist of a single binary, such as AttackBot, SubSeven, EvilBot, and SlackBot.

 

§         Bots that use one or more binaries together with open-source script files, normally built around mIRC and commonly referred to as GT Bot (Global Threat).

 

§         Bots that are a backdoor in another program, such as Socket Clone bots in mIRC: when you open mIRC, the client makes two connections to the server instead of the normal one. Scripted worms such as Judgement Day created Socket Clones to propagate themselves.

 

How Bots Propagate

 

Contrary to popular belief, email attachments are not the most popular or effective way to spread Trojans. Join any popular IRC server and you will receive a plethora of DCC file sends or advertisements for web sites with infectious downloads, or even infectious HTML that uses the ActiveX exploit for Microsoft Internet Explorer.

 

Malicious IRC bots are also configured to generate clones that join other IRC servers and mass-message users with URLs for infectious downloads. These most commonly come in the form of fake warnings alerting the user that they have an auto-sending worm, Trojan or virus infection, or as advertisements for various websites and services. This can be seen in the advertisement highlighted in black in the screenshot below.

 

 

Once the Trojan is run, it secretly installs itself and creates a method to start in the background as Windows boots. When installed and running, the bot will attempt to connect to an IRC server on a pre-designated port. This is usually a port in the range 6660-6669 or port 7000, but it is not limited to these. Once connected to IRC, the bot logs into the predetermined rendezvous channel to await further instructions from its "Master", such as performing DDoS attacks or IRC floods.

 

How to Protect Yourself on IRC

 

Here are some guidelines to practice when using IRC to keep yourself protected from IRC bots.

 

§         Disable any "auto-accept" features that allow files from any source to be accepted without your authorization. Otherwise a malicious file containing a virus or Trojan can be transmitted to your computer without your permission or knowledge. In mIRC this feature is known as DCC auto-accept.

 

§         Do not accept any files you do not fully trust and be cautious of scripts for IRC clients. Some scripts or programs may have hidden Trojans built into them, but may appear harmless.

 

§         Be aware of multiple file extensions that are used to hide the true file format. A file may be named COOLSCRIPT.TXT.vbs, but since Windows hides known file extensions by default, the .vbs extension will not be shown. So when a user opens what looks like a text file, Windows actually executes the Visual Basic script and launches the virus. To turn off this feature, open Explorer, go to Tools -> Folder Options, select the View tab, and uncheck "Hide file extensions for known file types".

 

§         Change the default download directory to a directory outside the IRC client directory. This way some viruses might not be able to install/overwrite critical files in your IRC client.

 

§         Ensure that your operating system is updated and patched with the latest fixes. Also ensure that your internet browser is patched against the latest exploits and vulnerabilities.

 

§         Run current anti-virus software that is updated with the latest virus definitions. Both Norton AntiVirus and McAfee VirusScan are good commercial virus scanners. A free alternative is eSafe Desktop from Aladdin Knowledge Systems (www.ealaddin.com).

 

§         To protect your computer from Trojans, consider running anti-Trojan software, which is much more effective at detecting Trojans than regular anti-virus software. Two products to consider are Tauscan (www.agnitum.com) and The Cleaner (www.moosoft.com). Both offer free trial usage.

 

§         Run a firewall to monitor network traffic and to prevent outside sources from accessing your computer. This is imperative for anyone using a dedicated Internet connection (DSL, cable, or T1). A popular and free firewall is ZoneAlarm from Zone Labs (www.zonelabs.com).
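The double-extension trick described in the guidelines above, shown in code. This is an added example, not part of the original report: it simulates Windows' "hide file extensions for known file types" setting to show why COOLSCRIPT.TXT.vbs looks like a text file, and flags names where the hidden extension is executable. The extension sets are assumed subsets for the demonstration, not a complete list of Windows file types.

```python
# Added example (not from the original report): why a hidden known extension
# lets COOLSCRIPT.TXT.vbs appear as COOLSCRIPT.TXT in Explorer, and a check
# that flags such names. The extension sets below are assumptions.
import os

# Extensions Windows runs as code when double-clicked (assumed subset).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js", ".wsf"}
# Extensions a user would regard as harmless data (assumed subset).
BENIGN_EXTS = {".txt", ".jpg", ".gif", ".doc", ".mp3", ".htm", ".html"}


def real_extension(filename):
    """The extension Windows actually uses to decide how to open the file."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename):
    """Name Explorer shows when the last known extension is hidden."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE_EXTS | BENIGN_EXTS:
        return stem          # known type: extension is hidden from the user
    return filename          # unknown type: shown in full


def is_disguised_executable(filename):
    """True when the file runs as code but Explorer shows a harmless-looking name."""
    if real_extension(filename) not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return shown_ext in BENIGN_EXTS


def triage(filenames):
    """Return the names in a DCC download folder that deserve a closer look."""
    return [name for name in filenames if is_disguised_executable(name)]


if __name__ == "__main__":
    # Constructed sample names, not real files.
    sample = ["COOLSCRIPT.TXT.vbs", "readme.txt", "photo.jpg.exe", "setup.exe", "notes.TXT"]
    for name in sample:
        print(f"{name:20} shown as {displayed_name(name):16} "
              f"disguised={is_disguised_executable(name)}")
```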

 

Symptoms

 

Below is a list of symptoms that might appear if you have been infected.

 

§         Your IRC client automatically DCC sends files to people just entering the channel.

 

§         Your IRC client performs commands you haven't typed in yourself, like /msg, /nick changes, deopping, or maybe even /quit.

 

§         If someone says specific words in a channel or private message, your client starts to perform commands.

 

§         Your computer opens the CD-ROM tray automatically, your computer reboots, programs open by themselves, etc. (Back Orifice virus).

 

§         Files get deleted on your system.

 

Eradication

 

Below are some common tools and methods to remove an IRC bot or Trojan from your system. If you believe that you have been infected, please contact your local system administrator as soon as possible.

 

§         Msinfo32.exe: This is the System Information utility, which can display every service and process running in the background. To access it, type msinfo32 in the Run dialog. Then go to Software Environment and look at Running Tasks and Services. Look for any tasks or services that you do not recognize, and check each one's file path and properties. If you are still not sure, try disabling it at startup and see whether that causes any problems. If you are still apprehensive about a file, search the Internet for the file name to determine whether it is associated with malicious code.

 

§         Netstat.exe: This command lists all the open connections to and from your computer. To run it, open the DOS prompt and type netstat -an. This displays every IP address connected to your computer, so if you see a connection that you do not recognize, investigate it and find out which process is using it. The next tool can accomplish this.

 

§         TCPView: This useful utility from Sysinternals (www.sysinternals.com) not only lists the IP addresses communicating with your computer, it also tells you what program is using that connection. Armed with this information you can locate which program is sending data out of your machine and deal with it.

 

§         For a more detailed and comprehensive discussion of Trojan removal, specifically on Windows 2000/XP platforms, visit the following websites.

 

http://online.securityfocus.com/infocus/1627

 

http://online.securityfocus.com/infocus/1605
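The netstat check above, turned into a script. This is an added example, not part of the original report or its sources: it parses the output of netstat -an and flags TCP sockets whose remote port is one of the rendezvous ports named in the propagation section (6660-6669 and 7000). The netstat text embedded below is constructed sample output, not a real capture, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges.

```python
# Added example (not from the original report): scan "netstat -an" output for
# connections to the IRC ports the report names (6660-6669 and 7000).
# SAMPLE_NETSTAT is constructed sample output, not a real capture.

IRC_PORTS = set(range(6660, 6670)) | {7000}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:6667       ESTABLISHED
  TCP    192.168.1.10:1046      198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.10:1047      203.0.113.9:7000       SYN_SENT
  UDP    0.0.0.0:445            *:*
"""


def parse_netstat(text):
    """Return (proto, local, remote, state) for each TCP row of netstat -an output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue                      # header lines and UDP rows have no state
        rows.append((parts[0], parts[1], parts[2], parts[3]))
    return rows


def remote_port(addr):
    """Port of a 'host:port' string as an int, or None for wildcards like '*:*'."""
    _host, _sep, port = addr.rpartition(":")   # rpartition also copes with [::1]:6667
    return int(port) if port.isdigit() else None


def suspicious_irc_connections(text, ports=IRC_PORTS):
    """(remote, state) pairs for non-listening TCP sockets whose remote port is an IRC port."""
    hits = []
    for _proto, _local, remote, state in parse_netstat(text):
        if state != "LISTENING" and remote_port(remote) in ports:
            hits.append((remote, state))
    return hits


if __name__ == "__main__":
    # Pipe real output in with:  netstat -an | python this_script.py  (after
    # replacing SAMPLE_NETSTAT with sys.stdin.read()); the sample runs as-is.
    for remote, state in suspicious_irc_connections(SAMPLE_NETSTAT):
        print(f"possible IRC bot connection to {remote} ({state}); identify the process with TCPView")
```

A hit only says that some process is talking to an IRC port; a user running mIRC will produce the same line, so the next step is the TCPView check described above to see which program owns the socket.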

 

Trojans often modify the startup files of your computer, add or change lines in the system registry, and even overwrite system files to make sure they are run every time you boot. For that reason, removing them by hand takes time, patience, and an understanding of what you are doing. They generally alter the Run registry keys or the win.ini and system.ini files to activate themselves each time the computer starts. Sometimes they replace system files or other registry values that are critical for the operating system to run, so be cautious before deleting suspicious files.

 

 

Note: Parts of this document were taken from SwatIt.org (http://swatit.org/bots/index.html) and IRCJunkie (http://www.irc-junkie.org/content/a-protectYourself.php).