Damming The Flood: A Current Threat
Scott Molenkamp, Senior Research Engineer, Computer Associates

Agenda
• Introduction
• Background
• History
• Functionality
  • mIRC
  • Bot
• Targets / Methods used
• Problems
• The Future
Overview
• ‘Global Threat’ bot
• Rising trend in malware
• Powerful scripting language
• Open source
• Worm like ability
• Windows flaws
• Weak security

Background
• IRC – Internet Relay Chat
  • Created in 1988 by Jarkko Oikarinen
  • Real time chat
• Defined by RFC1459 in 1993
• RFC2810
  • Architecture
• RFC2811
  • Channel management
• RFC2812
  • Client protocol
• RFC2813
  • Server protocol
Background (cont)
• IRC bot
  • Non human client
  • Programmed responses to events
  • Recently more nefarious associations

Background (cont)
• Bot-net
  • Gathered under control of a common overseer
  • IRC is the communication medium
© 2003 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

History
• mIRC was originally unpopular
  • Must be running
• Worms exploited flaw
  • Rectified in 5.3 (12/1997)
• Backdoors
  • IRC bots
• IRCII client also abused
  • Oct 2000

History (cont)
• Subseven 2.1 (November 1999)
  • Controlled via IRC bot
  • Common method used today
• More expansive commands
  • IRC related commands
  • Run local files
  • Compromised user query
mIRC Functionality
• mIRC scripting
  • Powerful language
  • Wide ranging functionality
• React to IRC server events (remotes)
• Timers
  • Execute repeatedly with delay
  • timer1 0 10 /msg #chan1 hello
  • timer2 5 10 /msg #chan2 hello

mIRC Functionality (cont)
• Many other scripting capabilities
  • String manipulation
  • Regular expressions
  • Tokenizers
  • File manipulation
• Raw socket connections
  • Version 5.5 (01/1999)
  • TCP / UDP
mIRC Functionality (cont)
• Variables (Prefixed by %)
  • /set /unset
  • %variable
• Identifiers (Prefixed by $)
  • Return specific values
  • $null
• . prefix
  • Forces no output display

mIRC Functionality (cont)
• Access levels
  • Events
  • Users
    • /auser /ruser
  • Restrict / Allow
    • Access to events
mIRC Functionality (cont)
• TEXT event
  • on

mIRC Functionality (cont)
• Other events
mIRC Functionality (cont)
• Raw sockets
  • sockopen
  • sockclose
  • sockread
  • sockwrite
  • socklisten
  • sockaccept
  • sockudp
  • udpread

mIRC Functionality (cont)
• Raw sockets example

  ; open a TCP connection named httpsock to the web server on port 80
  sockopen httpsock www.aavar.org 80
  ; fires once the connection is established; -n appends a line break
  on *:sockopen:httpsock: {
    sockwrite -n $sockname GET / HTTP/1.0
    ; empty line terminates the HTTP request headers
    sockwrite -n $sockname
  }
mIRC Functionality (cont)
• OS interaction
  • Execute local files
  • DLL and COM object calls
    • Scripting.FileSystemObject
    • WScript.Shell
  • mIRC plugins

Bot Functionality
• Bounce (BNC)
  • Not necessarily malicious
  • Protect against Denial of Service
• Cloning
  • Multiple connections to same IRC server
  • Can be used to flood
Bot Functionality (cont)
• Flooding
  • mIRC script
  • External programs
• Port Scanning
  • Gather information
  • Used in immediate or later attacks

Target Systems
• Windows based
  • Dependency on mIRC
• Originally no ability to automatically spread
Methods
• Social Engineering
  • Private messages via IRC
  • Deceptive web pages
• Downloader
• Installer package

Methods (cont)
• Server Message Block (SMB)
  • Sharing
    • Files
    • Printers
    • Serial Ports
  • Example protocols
    • TCP/IP
    • NetBIOS
Methods (cont)
• Prevalence of Windows XP
• PsExec.exe
  • www.sysinternals.com
• Weak Passwords
  • Fuelling the rise

Methods (cont)
• Exploit
  • IIS Web Server Folder Traversal (MS00-78)
• Trojan protocols
  • SubSeven
  • NetDevil
Components
• Minimal set
  • Copy of mIRC
    • Potentially modified, packed or renamed
  • At least one malicious script
    • Probably named mirc.ini
  • Program to hide mIRC GUI
    • HideWindow

Components (cont)
• More expansive set
  • Many scripts
  • 3rd party programs
  • Other malicious programs
  • Servers
    • ftp
    • http
    • xdcc
Components (cont)
• Single install file
  • Setup Factory
  • Instyler
  • Install Wizard
  • PaquetBuilder*
  • GSFx Wizard*
  • NSIS
  • SFXMaker
  • RARSFx

Elements & Goals
• Resources
  • Diskspace
  • Anonymity
  • Illegal software / pornography distribution networks
  • Bandwidth
Elements & Goals (cont)
• Serv-U ftp server
• Vulnerability scanners
• Precompiled flooders

Problems
• Many components
  • Some innocuous
• Clean software
  • mIRC client
  • Other non-malicious programs
• Renaming
  • Sanity check (mirc.exe, mirc32.exe)
• Packing
• Modification
Problems (cont)
• Modified mIRC client
  • Default loaded script name
  • mirc.ini found in non-standard directories may indicate compromise
  • Removal of resources
  • Rearranged
  • Registry key modification

Problems (cont)
• Categorising
  • Naming scheme
  • Open source
    • Reused
    • Modified
  • Varied platform prefix
    • Win32, BAT, VBS, IRC
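A defender-side triage script, added here as an example and not part of the original slides: it reads which remote scripts a mirc.ini loads and checks each one for the scripting behaviours the functionality slides list (silent "." prefix, endless timers, raw sockets, COM objects, running local files). The mirc.ini text and script bodies are constructed samples, and the [rfiles] section layout (n0=, n1=, ...) is assumed from mIRC's ini format.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample mirc.ini. Assumption: mIRC lists the remote scripts it
# loads in the [rfiles] section as n0=, n1=, ... (only that section is used).
SAMPLE_MIRC_INI = """[mirc]
nick=guest4711
[rfiles]
n0=script.ini
n1=remote.mrc
"""

# Constructed script bodies in mIRC script syntax, keyed by file name.
SAMPLE_SCRIPTS = {
    "script.ini": "on *:TEXT:!hello*:#: { msg $chan hello $nick }\n",
    "remote.mrc": (
        # 'timer1 0 10 ...': repetitions 0 means run forever, every 10 seconds
        "on *:START: { .timer1 0 10 /msg #chan1 hello }\n"
        "on *:SOCKOPEN:httpsock: { sockwrite -n $sockname GET / HTTP/1.0 }\n"
        "alias shell { .comopen sh WScript.Shell | .run cmd.exe }\n"
    ),
}

# Indicators derived from the behaviours the slides list; each is a triage
# heuristic (clean scripts use these too), not proof of malice on its own.
INDICATORS = {
    "endless_timer": re.compile(r"\.?timer\w*\s+0\s+\d+", re.I),
    "raw_socket": re.compile(r"\b(sockopen|sockudp|socklisten)\b", re.I),
    "com_object": re.compile(r"WScript\.Shell|Scripting\.FileSystemObject", re.I),
    "run_local_file": re.compile(r"(^|[\s|{])\.?run\s", re.I),
    "silent_command": re.compile(r"(^|[\s|{])\.[a-z]+", re.I),  # '.' = no output
}

def loaded_scripts(mirc_ini_text: str) -> List[str]:
    """Return the remote script file names listed under [rfiles], in order."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(mirc_ini_text)
    if not cp.has_section("rfiles"):
        return []
    return [v for k, v in sorted(cp.items("rfiles")) if k.startswith("n")]

def triage(mirc_ini_text: str, scripts: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each loaded script to the indicator names found in its body."""
    report: Dict[str, List[str]] = {}
    for name in loaded_scripts(mirc_ini_text):
        body = scripts.get(name, "")
        report[name] = [ind for ind, rx in INDICATORS.items() if rx.search(body)]
    return report
```

Run triage(SAMPLE_MIRC_INI, SAMPLE_SCRIPTS) to see that the benign TEXT handler yields no indicators while the second script trips all five.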
The Future
• Prevalence is increasing
• Obfuscation
• Other spreading methods
  • SMTP
• New exploits
  • Coupled with root kits
• Firewall bypass / removal

Conclusion
• Rise in soft targets
• Bandwidth to burn
• Immeasurable number of bot-nets
• Securing administrator accounts