Internet Relay Chat — IRC the Place to Be?

by Douglas Schweitzer

This article was excerpted from Chapter 7 of Douglas Schweitzer's book "Securing the Network from Malicious Code".

Originated by Jarkko Oikarinen of Finland in 1988, IRC has become a popular means for Internet communications. IRC first gained popularity during the Persian Gulf War, when Internet users around the world employed IRC to keep informed about news events. Despite the proliferation of subsequent communication programs, IRC remains one of the most popular ways to “chat” on the Internet.

IRC, short for Internet Relay Chat, is a multi-user, text-based chat system that is run over a network. It gives individuals around the world the ability to “chat” with each other in real-time via typed text. Each user has a moniker (handle) and converses with other users either in a public chat forum or in a private chat room.

Numerous IRC programs, called IRC clients, are available to Internet users. They are used to connect to an IRC network. The most popular IRC client for Windows users is mIRC, and the most popular for the Macintosh platform is Ircle. With UNIX or Linux platforms, XChat is very popular. IRC is based on a client-server model, with the client program located on the user’s computer and the server located somewhere on the Internet.

Users must first download an IRC client program and then install it on their computer. While connected to the Internet, they launch the IRC client program, which connects them to a server located on the IRC network. Once connected to the IRC server, the users can communicate with other similarly connected users throughout the world.

The amount of chatting is so great that a single server cannot handle the volume, and more than one server (networked together) must be used to meet the demand. Some popular IRC networks are NewNET (www.newnet.net), DALnet (www.dal.net), and Undernet (www.undernet.org). Each network has hundreds of "channels" where people can chat with each other. For ease of use, these channels are generally named according to the predominant topic discussed by the “chatters” on that particular channel.

The Risks of IRC

While IRC may sound inviting, it also presents some serious security risks. The IRC network has been exploited by malicious code on numerous occasions. Because of the increased risk that networked computers will be infected by IRC-controlled malicious code, the NIPC (National Infrastructure Protection Agency) issued the following advisory in October 2000:

    “ADVISORY 00-055
    "Trinity v3/Stacheldraht 1.666" Distributed Denial-of-Service Tool
    October 13, 2000

    New variants of the Trinity and Stacheldraht Distributed Denial-of-Service (DDoS) tools have been found in the wild. As was demonstrated in February of this year, DDoS attacks can bring down networks by flooding target machines with more traffic than the machines can process. This advisory provides an update to previous NIPC DDoS advisories (issued since December 1999) on similar tools such as "mstream," "Tribal Flood Network," and "trinoo." The NIPC has recently determined that masters tied to zombies have been placed on many users' systems, heightening the possibility of a DDoS attack in the future. In addition to large corporate and university systems, affected users also include those with home computers having broadband access such as DSL and cable modem. The NIPC recommends that all computer network owners and organizations examine their systems for evidence of DDoS tools, including Trinity and Stacheldraht.

    The "Trinity v3" Distributed Denial-of-Service (DDoS) exploit represents a potentially serious and continuing threat to networked computers running certain versions of the Linux operating system. Trinity v3 is a DDoS tool that is controlled via IRC or ICQ. When a system has been compromised and the Trinity v3 tool installed, each compromised machine joins a specified IRC channel and waits for commands. The Trinity v3 tool enables intruders to use multiple, Internet-connected systems to launch packet-flooding denial-of-service attacks against one or more target systems. At least eight variations of Trinity have been found on the Undernet Internet Relay Chat network, each reporting to a different IRC channel. Trinity v3 responds to commands in IRC channels on lines beginning with "(trinity)," and the "Entitee" version of Trinity responds to lines beginning with "(entitee)."

    System administrators should ensure their TCP Port Scanners are configured to scan port 33270, as machines found listening at this port may have the Trinity portshell installed. Trinity v3 is difficult to detect because the agent does not listen to specific ports to receive commands, but receives them over IRC. Watching for suspicious IRC traffic is useful in detecting Trinity v3. It is important to note that if Trinity v3 is found on a system, the system may have experienced root level compromise.

    Stacheldraht consists of three parts — a master server, a client, and an agent program — and runs on Linux and Solaris machines. Stacheldraht performs several types of flooding attacks, and has IRC flooding options. The latest stacheldraht variants, "Stacheldraht 1.666+antigl+yps" and "Stacheldraht 1.666+smurf+yps" prompt the user for a password when building the binaries.

    The NIPC DDoS detection tool has been modified to detect Trinity v3 and some new variants of Stacheldraht. While the tool is designed to detect mutations of these DDoS tools, it may not detect all variants of the tools. NIPC will continue to update the detection tool as we receive new DDoS variants. Currently, the NIPC tool (find_ddos) detects the DDoS exploit in the following operating systems: Solaris on Sparc or Intel platforms, and Linux on Intel platforms. The tool currently detects mstream, tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon, and trn-rush client. Please refer to this link for more information.”

In the case of Trinity, IRC was used mainly as a covert channel for communication. This was not the first time malicious code had been applied in this way. In 1999, the PrettyPark worm also tried to connect to certain IRC servers in order to join a specific channel. The PrettyPark worm sends information to the IRC server every 30 seconds to keep itself connected, as well as to retrieve commands from the IRC channel. Using IRC as the conduit, the distributor of the worm can acquire information about users’ systems, including computer name, system root path, version, registered owner, registered organization, ICQ identification code, ICQ handle, victim e-mail address, and Dial-Up Networking password. In addition, while a user is connected to IRC, a backdoor security hole is “opened” through which the infected computer can potentially be used to receive and execute files.
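The advisory above recommends "watching for suspicious IRC traffic" and names the two traits a defender can key on: agents respond to channel lines beginning with "(trinity)" or "(entitee)", and a PrettyPark-style agent checks in at a fixed 30-second interval. The following is an added example, not code from the book or from NIPC's find_ddos tool, of turning those two traits into detection logic over IRC message logs. The log format (timestamp, source host, PRIVMSG, channel, text) and all sample lines are constructed for the example; adapt the regular expression to whatever your proxy or IDS actually records.

```python
"""Detect IRC-controlled DDoS agents from message logs.

Two checks, both drawn from the advisory text above:
  1. command lines that begin with a known agent prefix ("(trinity)", "(entitee)");
  2. hosts that emit messages at a near-constant interval (keepalive beaconing).
Added example; the log format is a constructed, simplified one.
"""
import re
from collections import defaultdict
from datetime import datetime

# Prefixes the advisory says the Trinity v3 and Entitee agents respond to.
AGENT_PREFIXES = ("(trinity)", "(entitee)")

# Constructed log format (not any real tool's output):
#   <ISO timestamp> <source host> PRIVMSG <channel> :<message text>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) PRIVMSG (?P<chan>\S+) :(?P<text>.*)$")

# Constructed sample log: one normal chatter (10.0.0.9), one host beaconing
# every 30 seconds (10.0.0.7), and two hosts issuing agent-style commands.
SAMPLE_LOG = """\
2000-10-13T10:00:00 10.0.0.7 PRIVMSG #park :keepalive
2000-10-13T10:00:05 10.0.0.9 PRIVMSG #linux :anyone tried the new kernel?
2000-10-13T10:00:12 10.0.0.5 PRIVMSG #b3 :(trinity) status
2000-10-13T10:00:30 10.0.0.7 PRIVMSG #park :keepalive
2000-10-13T10:00:41 10.0.0.9 PRIVMSG #linux :works fine here
2000-10-13T10:01:00 10.0.0.7 PRIVMSG #park :keepalive
2000-10-13T10:01:07 10.0.0.11 PRIVMSG #b3 :(Entitee) status
2000-10-13T10:01:30 10.0.0.7 PRIVMSG #park :keepalive
2000-10-13T10:02:55 10.0.0.9 PRIVMSG #linux :brb
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a PRIVMSG record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_agent_commands(lines):
    """Return (source, channel, text) for every message that starts with an agent prefix.

    The comparison is case-insensitive so that "(Entitee)" and "(entitee)" both match.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["text"].lower().startswith(AGENT_PREFIXES):
            hits.append((rec["src"], rec["chan"], rec["text"]))
    return hits


def find_beacons(lines, period_s=30, tolerance_s=2, min_count=4):
    """Return hosts whose messages all arrive about `period_s` seconds apart.

    A host is flagged only when it has at least `min_count` messages and every
    gap between consecutive messages is within `tolerance_s` of the period,
    which is what a fixed keepalive (PrettyPark's 30 seconds) looks like.
    """
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            times[rec["src"]].append(rec["ts"])

    suspicious = []
    for src, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_count and all(abs(g - period_s) <= tolerance_s for g in gaps):
            suspicious.append(src)
    return suspicious


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, chan, text in find_agent_commands(lines):
        print(f"agent command from {src} in {chan}: {text!r}")
    for src in find_beacons(lines):
        print(f"periodic beaconing from {src}")
```

Run against a real capture, the prefix check is the cheap, high-precision signal; the beacon check is the one that survives a renamed prefix, at the cost of needing a reasonable `min_count` and `tolerance_s` for the log's timestamp resolution. Either hit is a reason to pull the host for the root-level-compromise check the advisory describes, not proof on its own.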

While Trinity and the PrettyPark worm have been largely eradicated, new types of malicious code are always looming on the horizon. Because IRC uses plain text to communicate, it is difficult to distinguish the “good guys” from the “bad guys.” The best way to defend against malicious code obtained via IRC is to use the following three-step process:

  1. Install and regularly update a reputable anti-virus software program (discussed later in this chapter).
  2. Install a port-blocking software-based firewall (such as BlackICE Defender).
  3. Use social engineering (educate users on the potential threats of using IRC), which is covered in the next section of this chapter.

While the need for anti-virus software seems obvious, the use of firewalls and social engineering for additional protection should not be overlooked. Firewalls can be used to monitor and/or block the TCP/IP ports that malicious code commonly uses to communicate. Some firewalls, like BlackICE Defender by Internet Security Systems, Inc. (www.iss.net), have both intrusion detection and port-blocking features that allow them to detect unwanted intrusions and block malicious code communications via IRC channels. Following are other important steps that organizations should take to help reduce their exposure to malicious code threats:
  • Make regular backups of important work and data, and check that the backups were successful.
  • Sign up for e-mail alert services that warn about new viruses. Making sure your users have access to information about the latest computer viruses, for example by presenting live virus information through an intranet or Web site, is also a good idea.
  • Watch for Microsoft’s security bulletins, many of which can be found at www.microsoft.com/security. These warn of new security loopholes and issues with Microsoft's software.
  • Produce a set of guidelines and policies for safe computing and distribute them amongst your personnel. Make sure that every employee has read and understood the guidelines and that if they have any questions, they know to whom to speak.
© 2006 PC Flank Ltd. All rights reserved.