Full Disclosure mailing list archives

Re: Question
From: Rodrigo Barbosa <rodrigob () suespammers org>
Date: Sat, 22 Oct 2005 00:33:03 -0200

On Fri, Oct 21, 2005 at 07:44:25PM -0500, Frank Knobbe wrote:
> On Fri, 2005-10-21 at 18:36 -0200, Rodrigo Barbosa wrote:
> > The IRC protocol is very easy to identify.
> > I would suggest blocking the protocol itself, regardless of the port.
>
> Right. Unless it runs over SSL, then it's a bit harder to identify,
> wouldn't you agree?
>
> PS: Yes, there are bots that are running IRC over SSL, so no "No one
> does it" comments please.

You would not get one of those from me. Especially since I once
encountered malware that used ICMP echo as a covert channel.

Even though you can't particularly identify IRC over SSL, you can identify
SSL. So, you can block it on any unexpected port.

Of course, the Bot can use IRC over SSL with destination port 443/tcp.
In that case, the way to go would be to have a web proxy with authentication.

Then again, the Bot can monitor IE (Firefox etc.) and get the credentials,
create an HTTP connection (with SSL/TLS) and use it to tunnel the IRC
protocol (there is plenty of HTTP tunneling software around).

In that case, the way to go would be to have the proxy server only
allowing connections to known good addresses, making sure there is
no way to fool the proxy, including the possibility of an XSS vulnerability
on one of those good servers, which could be exploited to redirect
the connection somewhere else.

Even with all those possibilities, it is still a good idea to check
for the IRC protocol on the border gateway/firewall, since many bots
will use a simple IRC protocol to connect to an IRC server running on
a given port. And it is much more likely to find an IRC server running on
a non-standard port than it is to find a bot that will do all those
possible tricks.

I don't mean to attack you. You are right, and very much correct on
your point. Please accept this e-mail as such. Yes, I think one
should check for the IRC protocol, but that is not enough for someone
to consider himself safe. With that, I agree with you.

-- 
Rodrigo Barbosa <rodrigob () suespammers org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
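The two detection ideas argued in the thread, spotting plaintext IRC regardless of destination port and spotting TLS on ports where it is not expected, can be expressed as a small classifier over the first bytes a client sends. The following is an added example for this archive page, not code posted by either correspondent; the flow records and payloads are constructed, and the "allowed TLS ports" set is an assumed site policy (only 443/tcp, which would then be funnelled through an authenticating web proxy as the post suggests).

```python
# Heuristic first-packet classifier: plaintext IRC on any port, TLS on unexpected ports.
# Sample payloads below are constructed for illustration, not captured traffic.

# Commands an IRC client sends when registering and chatting (RFC 2812).
IRC_CLIENT_CMDS = (b"PASS", b"NICK", b"USER", b"JOIN", b"PRIVMSG",
                   b"PING", b"PONG", b"CAP", b"MODE", b"QUIT")

# Constructed TLS record header + ClientHello handshake header (type 0x16, version 3.1,
# record length 5, handshake type 0x01). Only the header fields are inspected.
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def looks_like_irc(payload: bytes) -> bool:
    """IRC is line-oriented ASCII terminated by CRLF; a client's first lines are
    registration commands, so every complete line should start with a known command."""
    if b"\r\n" not in payload:
        return False
    lines = [ln for ln in payload.split(b"\r\n") if ln]
    if not lines:
        return False
    # Check up to the first three lines; all must begin with an IRC client command.
    return all(ln.split(b" ", 1)[0].upper() in IRC_CLIENT_CMDS for ln in lines[:3])


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """TLS record: content type 0x16 (handshake), major version 0x03, minor 0x00-0x03,
    2-byte length, then handshake type 0x01 (ClientHello)."""
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03
            and payload[2] in (0x00, 0x01, 0x02, 0x03)
            and payload[5] == 0x01)


def classify(dst_port: int, payload: bytes,
             allowed_tls_ports=frozenset({443})) -> str:
    """Verdict for one client->server flow based on its first payload bytes."""
    if looks_like_irc(payload):
        return "irc-plaintext"            # block: IRC is identifiable on any port
    if looks_like_tls_client_hello(payload):
        if dst_port in allowed_tls_ports:
            return "tls-ok"               # contents opaque; rely on the proxy for these
        return "tls-unexpected-port"      # TLS where the policy does not expect it
    return "other"


# Constructed flows: (destination port, first client payload).
SAMPLE_FLOWS = [
    (6667, b"NICK bot123\r\nUSER bot 0 * :bot\r\n"),          # classic IRC
    (8080, b"PASS hunter2\r\nNICK zz9\r\n"),                   # IRC on a non-standard port
    (443, TLS_HELLO),                                          # TLS to the sanctioned port
    (6697, TLS_HELLO),                                         # TLS to an unsanctioned port
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),     # ordinary HTTP
]


def review(flows=SAMPLE_FLOWS):
    """Return (port, verdict) for each flow; verdicts other than 'other'/'tls-ok' warrant action."""
    return [(port, classify(port, payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, verdict in review():
        print(f"dst_port={port:<5} verdict={verdict}")
```

The IRC check deliberately requires CRLF-terminated lines that all begin with a client command, so an HTTP request or random binary on port 6667 is not misreported; the TLS check only recognises the protocol, which is exactly the limit the post describes, and is why the 443/tcp case is handed to a proxy policy rather than judged here.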

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/