Damming The Flood: A Current Threat

Scott Molenkamp
Senior Research Engineer
Computer Associates

Agenda

• Introduction
• Background
• History
• Functionality
  – mIRC
  – Bot
• Targets / Methods used
• Problems
• The Future

Overview

• ‘Global Threat’ bot
• Rising trend in malware
• Powerful scripting language
• Open source
• Worm like ability
• Windows flaws
• Weak security

Background

• IRC
  – Created in 1988 by Jarkko Oikarinen
  – Real time chat
  – Defined by RFC1459 in 1993
  – RFC2810: Architecture
  – RFC2811: Channel management
  – RFC2812: Client protocol
  – RFC2813: Server protocol

Background (cont)

• IRC bot
  – Non human client
  – Programmed responses to events
  – Recently more nefarious associations

Background (cont)

• Bot-net
  – Gathered under control of a common overseer
  – IRC is the communication medium

© 2003 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

History

• mIRC was originally unpopular
  – Must be running
• Worms exploited flaw
  – Rectified in 5.3 (12/1997)
• Backdoors
  – IRC bots
• IRCII client also abused
  – Oct 2000

History (cont)

• Subseven 2.1 (November 1999)
  – Controlled via IRC bot
• Common method used today
• More expansive commands
  – IRC related commands
  – Run local files
  – Compromised user query

mIRC Functionality

• mIRC scripting
  – Powerful language
  – Wide ranging functionality
• React to IRC server events (remotes)
• Timers
  – Execute repeatedly with delay
  – Syntax: timer<name> <repetitions> <interval in seconds> <command> (0 repetitions = repeat indefinitely)
    timer1 0 10 /msg #chan1 hello
    timer2 5 10 /msg #chan2 hello

mIRC Functionality (cont)

• Many other scripting capabilities
  – String manipulation
  – Regular expressions
  – Tokenizers
  – File manipulation
• Raw socket connections
  – Version 5.5 (01/1999)
  – TCP / UDP

mIRC Functionality (cont)

• Variables (prefixed by %)
  – /set /unset
  – %variable
• Identifiers (prefixed by $)
  – Return specific values
  – $null
• . prefix
  – Forces no output display

mIRC Functionality (cont)

• Access levels
  – Events
  – Users
    /auser /ruser
  – Restrict / Allow
  – Access to events

mIRC Functionality (cont)

• TEXT event
  – General form (level, text to match, where it applies: * any, ? private message, # channel):
    on <level>:TEXT:<matchtext>:<*|?|#>:{ commands }
  – Examples:
    on *:TEXT:!hello:*:{ commands }
    on 10:TEXT:!bye:#:{ commands }
    on 10:TEXT:*:*:{
      if ($1 == !exit) { commands }
    }

mIRC Functionality (cont)

• Other events
  – CONNECT
  – INPUT
  – DNS
  – START / LOAD
• Usage
    on *:CONNECT:{ commands }
    on *:START:{ commands }

mIRC Functionality (cont)

• Raw sockets
  – sockopen
  – sockclose
  – sockread
  – sockwrite
  – socklisten
  – sockaccept
  – sockudp
  – udpread

mIRC Functionality (cont)

• Raw sockets example
    sockopen httpsock www.aavar.org 80
    on *:sockopen:httpsock:{
      sockwrite -n $sockname GET / HTTP/1.0
      ; blank line terminates the HTTP request headers
      sockwrite -n $sockname $crlf
    }

mIRC Functionality (cont)

• OS interaction
  – Execute local files
  – DLL and COM object calls
    Scripting.FileSystemObject
    WScript.Shell
  – mIRC plugins

Bot Functionality

• Bounce (BNC)
  – Not necessarily malicious
  – Protect against Denial of Service
• Cloning
  – Multiple connections to same IRC server
  – Can be used to flood

Bot Functionality (cont)

• Flooding
  – mIRC script
  – External programs
• Port Scanning
  – Gather information
  – Used in immediate or later attacks

Target Systems

• Windows based
• Dependency on mIRC
• Originally no ability to automatically spread

Methods

• Social Engineering
  – Private messages via IRC
  – Deceptive web pages
  – Downloader
  – Installer package

Methods (cont)

• Server Message Block (SMB)
  – Sharing
    Files
    Printers
    Serial Ports
  – Example protocols
    TCP/IP
    NetBIOS

Methods (cont)

• Prevalence of Windows XP
• PsExec.exe
  – www.sysinternals.com
• Weak Passwords
  – Fuelling the rise

Methods (cont)

• Exploit
  – IIS Web Server Folder Traversal (MS00-78)
• Trojan protocols
  – SubSeven
  – NetDevil

Components

• Minimal set
  – Copy of mIRC
    Potentially modified, packed or renamed
  – At least one malicious script
    Probably named .ini
  – Program to hide mIRC GUI
    HideWindow

Components (cont)

• More expansive set
  – Many scripts
  – 3rd party programs
  – Other malicious programs
  – Servers
    ftp
    http
    xdcc

Components (cont)

• Single install file
  – Setup Factory
  – Instyler
  – Install Wizard
  – PaquetBuilder*
  – GSFx Wizard*
  – NSIS
  – SFXMaker
  – RARSFx

Elements & Goals

• Resources
  – Diskspace
  – Anonymity
  – Illegal software / pornography distribution networks
  – Bandwidth

Elements & Goals (cont)

• Serv-U ftp server
• Vulnerability scanners
• Precompiled flooders

Problems

• Many components
  – Some innocuous
• Clean software
  – mIRC client
  – Other non-malicious programs
• Renaming
  – Sanity check (mirc.exe, mirc32.exe)
• Packing
• Modification

Problems (cont)

• Modified mIRC client
  – Default loaded script name
  – mirc.ini found in non-standard directories may indicate compromise
  – Removal of resources
  – Registry key modification

Problems (cont)

• Categorising
  – Naming scheme
  – Open source
    Reused
    Modified
    Rearranged
  – Varied platform prefix
    Win32, BAT, VBS, IRC
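Added example (not from the presentation): a Python triage script that combines the "Problems (cont)" observations above (a mirc.ini outside the usual install directories, and the script mIRC loads by default) with the scripting features described under mIRC Functionality (TEXT remotes, timers, raw sockets, running local files, COM objects). It assumes mIRC lists its auto-loaded remotes under an [rfiles] section of mirc.ini; the standard-directory list, indicator patterns and sample files are constructed for the demonstration.

```python
import os, re, tempfile
from pathlib import Path
STANDARD_DIRS = ("program files\\mirc", "program files (x86)\\mirc")  # assumed install dirs
# Scripting features the deck discusses, keyed by a label (constructed pattern list).
INDICATORS = {
    "text_remote": re.compile(r"^\s*on\s+\S+:text:", re.I | re.M),
    "timer":       re.compile(r"(?<![\w$])\.?timer\w*\s+\d+\s+\d+\s", re.I),
    "raw_socket":  re.compile(r"(?<![\w$])\.?sock(open|write|listen|udp)\b", re.I),
    "run_local":   re.compile(r"(?<![\w$])\.?run\s+\S", re.I),
    "com_object":  re.compile(r"Scripting\.FileSystemObject|WScript\.Shell", re.I),
}

def loaded_remote_scripts(ini_text):
    """Names under [rfiles] (n0=, n1=, ...) in mirc.ini: the remotes mIRC loads at start."""
    names, section = [], None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "rfiles" and "=" in line:
            key, value = line.split("=", 1)
            if re.fullmatch(r"n\d+", key.strip().lower()):
                names.append(value.strip())
    return names

def script_indicators(script_text):
    """Sorted labels of the scripting features present in one remote script."""
    return sorted(label for label, rx in INDICATORS.items() if rx.search(script_text))

def audit_tree(root):
    """For every mirc.ini outside STANDARD_DIRS, collect (ini_path, script_name, indicators)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        ini = next((f for f in files if f.lower() == "mirc.ini"), None)
        if ini is None or dirpath.lower().replace("/", "\\").endswith(STANDARD_DIRS):
            continue
        for name in loaded_remote_scripts(Path(dirpath, ini).read_text(encoding="latin-1")):
            script = Path(dirpath, name)
            text = script.read_text(encoding="latin-1") if script.is_file() else ""
            findings.append((str(Path(dirpath, ini)), name, script_indicators(text)))
    return findings

def demo():
    """Constructed sample: a copy of mIRC tucked into a system folder, loading one remote."""
    bot_dir = Path(tempfile.mkdtemp(), "windows", "system", "svc")
    bot_dir.mkdir(parents=True)
    Path(bot_dir, "mirc.ini").write_text("[mirc]\nnick=bot\n[rfiles]\nn0=rem.ini\n")
    Path(bot_dir, "rem.ini").write_text(
        "on 10:TEXT:!bye:#:{ .run calc.exe }\n"
        "on *:START:{ .timer1 0 10 /msg #chan1 hello | sockopen s host 80 }\n")
    return audit_tree(bot_dir.parent)
```

demo() builds the sample tree and returns one finding listing the four features present in rem.ini; on a real host, point audit_tree() at a drive root.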

The Future

• Prevalence is increasing
• Obfuscation
• Other spreading methods
  – SMTP
• New exploits
• Coupled with
  – root kits
  – Firewall bypass / removal

Conclusion

• Rise in soft targets
• Bandwidth to burn
• Immeasurable number of bot-nets
• Securing administrator accounts
