[Snort-users] IRC - BOT networks: RULES ?

Brian Ertel bsertel at ...4207...
Tue May 7 05:53:05 EDT 2002


Has anyone come up with effective rules for detecting roguefile swapping
traffic over IRC?  Read below for a full description.  If you have any rules
for such detection I would love to see them.




Internet Security Systems Security Alert
May 3, 2002

Increased Hacking Activity Associated with Underground File-Sharing


ISS X-Force has been tracking several large file-sharing networks that
are being used to trade terabytes of pirated software and movies. These
networks consist of hundreds of compromised machines which are remotely
controlled by software and movie pirates to distribute files. These
pirates are actively attempting to compromise high-bandwidth servers at
universities and web-hosting providers in order to expand the reach and
distribution capabilities of their existing file-sharing networks.


Computers infected with the rogue file-sharing software may be
unknowingly participating in a massive underground file-sharing network.
These large "bot" networks are extremely popular and may be responsible
for enormous bandwidth utilization.

This bot software may also install Trojan horse software that allows a
remote attacker to gain access to the system. The remote attacker does
not need further access to the infected target in order to utilize its


IRC, or Internet Relay Chat, is perhaps the oldest worldwide Internet
chat network in existence. The original IRC was brought online in 1988.

Historically, IRC has been favored by the computer underground over
other chat networks. Hackers continue to use IRC to congregate, discuss
tactics and techniques, and trade hacking tools. Recently, IRC has been
used to control large numbers of IRC-aware distributed denial of service
(DDoS) zombie programs and "warez" distribution bots. These tools are
typically modified backdoor or Trojan horse programs that are designed
to connect to IRC where they can be controlled from IRC channels.

IRC bots have become much more sophisticated in recent years as their
authors find new applications for their use. The first IRC bots were
simple scripts designed to maintain IRC channel rules and to distribute
information to IRC users. They have evolved into remote controlled
backdoor programs, DDoS zombies, and warez distribution programs.

There is increasing overlap between the hacking and warez communities as
software pirates are now borrowing techniques and tools from the hacking
community. Backdoors are installed on computers in order to connect them
to IRC-based file-sharing networks. These attackers attempt to
compromise low risk/high reward systems, such as servers in .edu
domains, home broadband users, web hosting companies, and Internet
Service Providers. All of these targets are similar because they are not
heavily protected and have a large amount of available bandwidth.

Pirates needed to increase their storage and bandwidth capabilities due
to the size of modern software packages and the popularity of
downloading pirated movie files. These files are several hundred 
megabytes in size, so it is cost-prohibitive for warez pirates to use
their own servers to distribute this material.

The largest file-sharing IRC bot networks have 300-400 bots, all logged
into the same IRC network and listening on the same IRC channel. The
larger channels can have several hundred to thousands of individuals
downloading files from these bots. Some bot networks are restricted so
that normal IRC users cannot download files. However, most of these
networks are public, allowing normal IRC users to download pirated files
without restrictions. IRC bots like "iroffer" are especially user
friendly and provide instructions to novice pirates on how to download

Iroffer is a standalone executable written specifically for file-sharing
over IRC. This bot is a fileserver/file-sharing server. It allows users
to forward requests to the server through IRC channel commands and
initiate downloads via DCC (Direct Client Connection). Iroffer is
updated frequently to enhance network performance and to optimize
download times.

Iroffer's features include the ability to limit the amount of bandwidth
used in general and by time and date, remote administration via DCC
chat, virtual host support, high performance CPU/memory and network
code, logging features, and DCC resume support. Iroffer is available for
a variety of Unix platforms as well as Windows binary format. Currently,
iroffer is very popular in IRC channels which deal with pirated movies,
video game console software, computer software, mp3 music, and

Typical iroffer bot advertisement:

<generic_bot> ** 1 pack **  0 of 5 slots open, Queue: 15/20, Record:
<generic_bot> ** Bandwidth Usage ** Current: 138.6KB/s, Record:
<generic_bot> ** To request a file type: "/msg generic_bot xdcc send #x"
<generic_bot > #1  811x [927M] DVDmoviefile.iso.TS-FTF
<generic_bot > ** Brought to you by #IRC_CHAN, Why BuY When We Supply !!
<generic_bot > Total Offered: 1926.8 MB  Total Transferred: 96.34 GB

Iroffer IRC bots periodically broadcast to an IRC channel which files
are available, instructions on how to download them, and statistics to
help software pirates determine how fast the bot's network connection

Pirates install rogue FTP servers on bot servers to facilitate uploading
and downloading as well as for transferring pirated files to other bot
networks. Some of these back-end file distribution functions are
automated while others are executed manually by the bot owners. These
rogue FTP servers are frequently hard to detect and are typically run on
high ports. Common FTP servers used for this purpose are "raidenftpd"
and "bulletproof FTP server" (formerly Gene6) available for Windows, and
"glftpd" available for Unix. These FTP servers are used more often
because they are easier to control remotely, have advanced
administration capabilities, and allow for some automation of their
functionality through third party plug-in scripts.


RealSecure Network Sensor with X-Press Update version 4.2 has a
signature to detect IRC file transfers. To detect this type of activity,
enable IRC_DCC_Request in your policy. IRC_DCC_Request can be configured
in your policy to kill DCC requests upon detection of this event. To
enable RSKill events for IRC_DCC_Request:

1. Ensure that the IRC_DCC_Request is enabled by opening the policy you
wish to apply to the network sensor under the Policy Editor.
2. Select the X-Press updates tab and expand the X-Press Updates tree,
followed by Micro-Update 4.2.
3. Expand the IRC subsection and check the IRC_DCC_Request decode to
enable it.
4. To enable RSKill when this decode is triggered, select RSKill under
the Response options on the right side of the editor.

BlackICE Server Protection and BlackICE PC Protection version 3.5
features Application Protection, which is effective at blocking the
execution of unauthorized programs, hostile executables, Trojan horse
programs, and many mass-emailing worms.

The upcoming Internet Scanner XPU 6.10 will contain assessment support
for components of popular IRC bot software.

Additional Information:

X-Force would like to thank Dave Dittrich of the University of Washington
for publishing his research on file-sharing IRC bots.  Please refer to
the Incidents mailing list for more information.  Incidents is archived
at http://www.neohapsis.com, and http://www.securityfocus.com.


About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce at ...4133... for

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce at ...4133... of Internet Security Systems, Inc.


Brian Ertel
Systems & Networking
Network Administrator
Amherst College
Voice: 413-542-8320
Fax:    413-542-2626
bsertel at ...4207...

More information about the Snort-users mailing list