Cyber Security Awareness Month - Day 7 - Port 6667/8/9/7000 - IRC: is it evil?

Published: 2009-10-07. Last Updated: 2009-10-07 19:42:18 UTC
by Joel Esler (Version: 3)
7 comment(s)

IRC.  Internet Relay Chat, commonly found on ports 6667,6668,6669, and 7000, but really, found on most any port.

My question is, is it evil?  Now, I've worked at some places in the past where IRC was generally forbidden, viewing that it was pretty much an evil thing, only "hackers" used it, and was a bad place to download "warez".  (Yes, these words are put in quotes because they were actual words spoken to me, when I asked the question "Uh, Why?")

IRC is a very well documented (RFC here) "chat" protocol allowing for any of hundreds upon hundreds of pieces of client software to interact with IRC servers (or networks of servers such as freenode, efnet, or dalnet) in order to enter "rooms" or "channels" in order to talk with other members of the channel or room.  Most of you know this.

However, there became another use for them several years ago, one of a Command and Control or "C&C" type of technology, where malware that was placed (or downloaded and ran) on a machine on your local network connecting outbound, "beaconing" back to the C&C server (generally just an IRC channel with a password) so that the Master of the malware could control the other computers. 

This became known as a botnet.  You may have heard of them.

(Now, I am sure the term "botnet" was used long before IRC was being used as a C&C, but you get my point, in fact, I know it was, but you get my point.) 

Of course over the years, botnets have become more sophisticated, by using things like SSL and http instead of IRC, but there are still a lot of botnets out there that use IRC for C&C.

Where I used to work, and also in my present job (Sourcefire, makers of Snort) we used to find these botnets by using the IRC rules that are found in the chat.rules file.  The rules that are in the chat.rules files are bound to the standard IRC ports, however, and as I previously stated, IRC, especially C&C "covert" channels of IRC traffic, goes out over any port.

I've seen C&C on port 80, port 53, you name it, 23, 21.. you get the point.  So the easiest way I found to track these IRC network connections is by removing the port restrictions on the IRC rules in the chat.rules file, and replacing the ports with an "any" statement.  (Of course, I am referring to Snort syntax here.)  Allowing the rules to trigger on IRC on any port.

Things to keep in mind about this very simple method of finding IRC on the network, if you allow IRC on your network, you are going to get tons and tons of alerts...

... however, if you do NOT allow IRC on your network, and you find it, you are either finding someone who is violating policy (generally something you'd want to do), or, something worse.  Hopefully not one of these simplistic C&C "covert" channels, if you find these examples (usually easily identifiable by reviewing the Snort logs and NOT seeing a conversation, but seeing commands and passwords being issued), start noting the IPs that are in the alerts on your network, and start cleaning!

I generally don't feel that IRC is a bad thing, if used responsibly.  If IRC is allowed on the network, then finding those botnets can be tricky (I would start by suppressing freenode, dalnet, etc servers in your threshold.conf file), and it might take more work, but the benefits of it will show themselves in the end.

UPDATE:  Reading some of the comments, I think people are believing that I am trying to say that IRC is evil.  No, it's not.  I use it all day, every day.  I am saying that it is used for C&C.  Sometimes.  But so are http and https, so...

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Keywords:
7 comment(s)

Comments

if someone says IRC is evil, remind them that freenode is the server to be on if they ever want to get help for OSS software.
Saying IRC is "bad" is the same mentality that calls encryption "bad" because criminals can use it to hide stuff.

The technology is agnostic; it is the *users* who decide toward what purpose it is employed.
I agree with Jason. Been an IRC user myself since around 97 and I never found myself in the position of doing anything malicious with it. I also legally carry a firearm almost everywhere I go and again have found myself doing nothing malicious.

It's all about the people using it, IRC has been given a very bad name and most ISPs can't even tell you why.

It's true that botnets have found homes on IRC networks and with a few creative means they could be eradicated. However nothing would stop the bad guys from having their own IRC servers.

If you really wanna get rid of all the bad, let's just get rid of computers and stop punishing law-abiding users of protocols.
Sorry if this sounds provocative, but its kind of naive to call a protocol 'evil'. What's next? Saying HTTP(S) is evil because some people use it to download childporn? To be honest, I'm shocked to see an opinion like this at isc.sans.org. You really should know better. :-/

Let's assume for a second that we follow this idea along a bit and also let's assume we are a bit technically impaired also. Let's say we 'forbid' IRC in the whole of the internet. (Let's also assume that this would be possible) How long until we will see that *insert_random_protocol_name_here* is being used to do C&C action? Hell, there have been botnets controlled via Twitter already.
Sorry if this sounds provocative, but its kind of naive to call a protocol 'evil'. What's next? Saying HTTP(S) is evil because some people use it to download childporn? To be honest, I'm shocked to see an opinion like this at isc.sans.org. You really should know better. :-/

Let's assume for a second that we follow this idea along a bit and also let's assume we are a bit technically impaired also. Let's say we 'forbid' IRC in the whole of the internet. (Let's also assume that this would be possible) How long until we will see that *insert_random_protocol_name_here* is being used to do C&C action? Hell, there have been botnets controlled via Twitter already.
I do not believe Joe was trying to directly indicate that the IRC protocol is evil, merely that it (like any other protocol) can be used maliciously.

Give a lockpick set to a good guy, and he'll get you into your car when you've locked your keys inside... give it to a bad guy, and he'll steal your car with it.

Anything can be abused, however I feel that boards such as this ISC forum are a place for like minds to share concepts for dealing with malicous character.
It's definitely not evil. I never called it evil. I said "Is it evil?".

Diary Archives