
Thread: What about botnets?

  1. #1
    Join Date: Dec 2005
    Posts: 9,056

    What about botnets?

    "Invasion of the Computer Snatchers"
    http://www.washingtonpost.com/wp-dyn...021401342.html

    "ISP Seen Breaking Internet Protocol to Fight Zombie Computers"
    http://blog.wired.com/27bstroke6/200...en-breaki.html

    "Bringing Botnets Out of the Shadows"
    http://www.washingtonpost.com/wp-dyn...032100279.html

    "ISP Telenor cripples zombie PC network"
    http://www.infoworld.com/article/04/...network_1.html

    "Botnets and How to Avoid Them"
    http://www.ucalgary.ca/it/help/artic...reness/botnets

    "The botnet business"
    http://www.viruslist.com/en/analysis?pubid=204792003

    "Five Steps To Guard Against Botnets"
    http://forum.zonealarm.com/zonelabs/...ssage.id=18778
    Best regards.
    oldsod

  2. #2
    za_avastfan Guest

    Default Re: What about botnets?

    For a botnet which operates via IRC, does one have to have an IRC client (e.g. mIRC) installed for a computer infected with such a trojan or other program to function in the botnet?

    Can a computer become infected with an 'IRC-botnet' trojan or program if one doesn't have an IRC client installed?

    My question relates to this link in the above post: http://www.infoworld.com/article/04/...network_1.html

    Thanks,

    ZA_Avaastfan

  3. #3
    Join Date: Dec 2005
    Posts: 9,056

    Re: What about botnets?

    The IRC bot trojans are usually installed by the usual methods - media, web sites, payloads in downloads, suspicious software installs, drive-by installs, etc.

    Once installed, this particular set of trojans will use the regular IRC and mIRC ports to connect to the botnet "master" and receive further orders/instructions from the botnet master. Orders or instructions are such as performing DDoS attacks on specific IPs, sending spam out to certain lists, or even perhaps reporting what these trojans have discovered in terms of valuable information (such as passwords, bank accounts, credit card Nos., SSNs, email address lists, etc.).

    Why do trojans use the IRC network?
    Because it is difficult to trace or track the malicious IRC servers involved and the users of those servers (the botnet masters). It makes the operation sort of invisible or stealthed to the authorities and the victims. Plus, IRC networks are spread throughout the internet for easy connections.

    The basic "contact" ports for establishing the IRC and mIRC connections are:
    194 (TCP and UDP, both directions)
    113 incoming (UDP), also known as the IDENT port, used also for other applications such as a VPN
    6667 incoming (TCP), but the entire range is not just 6667; actually the 6660-6669 range is used. Some IRC will instead use 6668 and 6669, and the 6660-6669 port range is also used for outgoing connections to the remote IP of the IRC server.

    By default ZA blocks the 6667-6669 ports - this block rule is built into the firewall driver.

    These extra ports can be added to be blocked in the Expert section of the ZA firewall or in the router. I use both methods, just in case I did something stupid and got infected.


    Users of IRC and mIRC clients are experienced or know about the special assortment of worms and trojans and malware that comes from using IRC and mIRC clients. They use the same approach to security as regular messenger client users practise - check the downloads, allow only downloads from certain users/servers and use a friends list of sorts for extra precautions. But a few years ago, the IRC networks were rampant with network worms and many people got infected.

    Oldsod.

    Message Edited by Oldsod on 08-05-2008 09:59 AM
    Best regards.
    oldsod
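As an added example (not part of Oldsod's post, and not a ZoneAlarm feature), the Python script below takes the ports listed in the post above (194, 113 and 6660-6669) and flags any connection using them in a constructed, netstat-style connection listing. The line format, the addresses, and the function names (`parse_line`, `classify`, `flag_irc_connections`) are assumptions made for this illustration; in practice you would feed it real `netstat -an` output or a firewall log and adapt the parser to that format.

```python
"""Flag connections that use the IRC-related ports named in the post above.

Added example, not code from the original page. The line format below is a
constructed, netstat-like "proto local remote state" layout; adapt parse_line
to whatever your firewall or `netstat -an` actually emits.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Ports from the post: 194 (IRC) and 6660-6669 (common IRC server ports).
# 113 is the ident port that IRC servers probe on the *client* before
# accepting it, so a listener there is the interesting signal on a desktop.
IRC_PORTS = {194} | set(range(6660, 6670))
IDENT_PORT = 113

# RFC 1918 ranges, checked explicitly. ipaddress's is_private is NOT used
# because it also treats the documentation ranges used in the sample below
# (198.51.100.0/24, 203.0.113.0/24) as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample listing (assumed format, assumed addresses).
SAMPLE_LISTING = """\
tcp 192.168.1.20:49201 93.184.216.34:443 ESTABLISHED
tcp 192.168.1.20:49210 198.51.100.7:6667 ESTABLISHED
tcp 192.168.1.20:49211 203.0.113.9:6669 SYN_SENT
udp 192.168.1.20:49300 192.168.1.1:53 -
tcp 0.0.0.0:113 0.0.0.0:0 LISTEN
tcp 192.168.1.20:49400 10.0.0.5:6667 ESTABLISHED
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one 'proto local:port remote:port state' line; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    proto, local, remote, state = parts
    try:
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        return Conn(proto, lip, int(lport), rip, int(rport), state)
    except ValueError:
        return None


def is_rfc1918(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(c: Conn) -> Optional[str]:
    """Return a reason string if the connection looks IRC-related, else None."""
    if c.state == "LISTEN" and c.local_port == IDENT_PORT:
        return "ident listener on tcp/113 (IRC servers probe this before accepting a client)"
    if c.remote_port in IRC_PORTS:
        where = "internal" if is_rfc1918(c.remote_ip) else "external"
        return f"outbound to IRC port {c.remote_port} on an {where} host ({c.remote_ip})"
    return None


def flag_irc_connections(lines: Iterable[str]) -> List[Tuple[Conn, str]]:
    """Return every parseable connection that classify() flags, in input order."""
    hits = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        reason = classify(conn)
        if reason is not None:
            hits.append((conn, reason))
    return hits


if __name__ == "__main__":
    for conn, reason in flag_irc_connections(SAMPLE_LISTING.splitlines()):
        print(f"{conn.proto} {conn.local_ip}:{conn.local_port} -> "
              f"{conn.remote_ip}:{conn.remote_port} [{conn.state}]: {reason}")
```

On the constructed sample this flags the two external IRC connections, the tcp/113 listener and the internal IRC connection, and leaves the HTTPS and DNS lines alone. A hit on these ports is a reason to look closer, not proof of infection: the post itself notes that legitimate IRC users connect to the same ports, so the result should be read together with whether an IRC client is actually installed on the host.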

  4. #4
    za_avastfan Guest

    Re: What about botnets?

    Hi Oldsod,

    Thank you for the informative and detailed reply. As ever the contribution you make to this forum is invaluable.

    In the expert section of ZA Pro, when you click on Add - which box do you select to set the expert rule - Source, Destination, Protocol or Time?

    And when you click on 'modify' under each box, then 'add protocol', which do you select - My Computer, Trusted Zone, Internet Zone, Any, Host/Site, IP Address, IP Range, Subnet, Gateway, New Group, Existing Group?

    Or under Protocol or Time - Day/Time Range, New Group, Existing Group?

    I did try myself to look for an expert rule to close those ports you mentioned, however my lack of PC knowledge resulted in an unsuccessful attempt.

    I would be very grateful if you could guide me and also tell me YOUR exact configuration. I would also like to add this layer of protection into ZA Pro on my PC.

    Even though I don't have MIRC or any other IRC client installed, I agree 100% with your approach of setting up this rule.

    Thanks in advance for all your help!

    ZA_Avaastfan

  5. #5
    weebit Guest

    Re: What about botnets?

    If you have never downloaded and installed mIRC, then the option to be able to go to a chat server is blocked. ZoneAlarm blocks this option by default and you have to unblock it in order to use mIRC. You will be able to start up mIRC, but you won't be able to connect to any of the chat servers.

    I have been an admin of two chat servers in the past. Many of the decent chat servers block bots nowadays. On the ones that don't block, you can still tell whether it is a bot or not on that server. They have their own way of communicating on a server. It's not totally the same as if it was a person on the other end. Very rarely did we see a bot slip in. They tend to show, or um, show off their info if you do a /whois or /info all on them. I have even seen a few announce in text that it was a bot. Sometimes even the bot nick gives it away.

    Not all bots are bad though. Some do a service such as trivia bots, or info bots, or search bots. Most of these types are permitted, but just a few, because on most servers they ask you what bot you are using. They have a blacklist which is never public. And they give you the "OK" to use it, or they deny you from using it. This is done when you start the bot and try to join the server. Or they create a channel, then they ask for permission to bring the bot onto the server in their channel. But most don't ask.

    I am just pointing this out because from my end not ALL bots are bad. Just like anything else security-wise that you use on your computer, if IRC is your thing, there is no need to be paranoid just because there might be a bot on the server. Plus, an added note is that the botnets use lots of bandwidth on days they are very active. They can have 50 of these bots sitting in a channel. They constantly move from server to server because they get kicked out of the nice chat servers on a regular basis. They are not interested in who is on the chat server. They are only interested in the commands coming from its creator, who has them all parked in a channel waiting to do their dirty deed online.

  6. #6
    weebit Guest

    Re: What about botnets?

    "Your computer may be part of a botnet if:

    1. Your computer suddenly starts operating slowly or erratically
    2. You receive emails accusing you of sending spam
    3. You have email messages in your outbox that you didn't send"


    Number one I agree with.
    Number two: you will get an excessive amount of email accusing you of sending spam, and you may even get a warning from your ISP because of the excessive amount.
    Number three: you might see an excessive amount of emails in your outbox, or in your sent folder. But then again you may not. It depends on how advanced the botnet program writer is.


    Remember folks, a virus, Trojan, worm etc. is only as good as its creator. Many of these programs (which is what they are) never get anywhere, or even popular, because the one programming the code doesn't do a good job writing the code. Several of these duds are in the wild, and many of the security software vendors spot them all the time. That doesn't mean that you can be less vigilant; it just means to be sure your security software is up to date, along with your Operating System, and even the non-security software. You would be totally surprised to learn many of the botnets are running on computers that are not up to date with patches, and are running older versions of software for their security apps and their regular everyday apps they use.

  7. #7
    Join Date: Dec 2005
    Posts: 9,056

    Re: What about botnets?

    The concern would not be the "bot slipping in" - all servers usually see a bot from time to time. These bots are harmless as they are simply checking changes of the web pages, indexing pages and sites and collecting email addresses and whatever else they are capable of doing.

    The issue or the topic is "bot nets" as controlled by a rogue IRC server and its users.
    Or usually a network of rogue IRC servers and the criminal users.

    I think I already said the basic IRC ports are closed by default in the ZA.

    Oldsod.
    Best regards.
    oldsod

  8. #8
    Join Date: Dec 2005
    Posts: 9,056

    Re: What about botnets?


    weebit wrote:

        "Your computer may be part of a botnet if:

        1. Your computer suddenly starts operating slowly or erratically
        2. You receive emails accusing you of sending spam
        3. You have email messages in your outbox that you didn't send"


        Number one I agree with.
        Number two: you will get an excessive amount of email accusing you of sending spam, and you may even get a warning from your ISP because of the excessive amount.
        Number three: you might see an excessive amount of emails in your outbox, or in your sent folder. But then again you may not. It depends on how advanced the botnet program writer is.


        Remember folks, a virus, Trojan, worm etc. is only as good as its creator. Many of these programs (which is what they are) never get anywhere, or even popular, because the one programming the code doesn't do a good job writing the code. Several of these duds are in the wild, and many of the security software vendors spot them all the time. That doesn't mean that you can be less vigilant; it just means to be sure your security software is up to date, along with your Operating System, and even the non-security software. You would be totally surprised to learn many of the botnets are running on computers that are not up to date with patches, and are running older versions of software for their security apps and their regular everyday apps they use.


    Or they do not have firewalls.
    Best regards.
    oldsod

  9. #9
    weebit Guest

    Re: What about botnets?

    Sorry Oldsod, I did not mean to step out of bounds here. But I did want the reader to know the difference. Many people won't use IRC because they heard it was a bad place. Please accept my apologies.

  10. #10
    Join Date: Dec 2005
    Posts: 9,056

    Re: What about botnets?

    No problem and apology accepted.

    Yes there are many respectable professionals that use the IRC channels for contacting colleagues and having chat and sharing professional information - engineers and scientists included.

    But those are proper or official channels used properly with proper conduct.
    Sorry, I did not mean to imply the entire IRC network is part of the underworld.

    Just certain areas of the IRC are shady or in a mist - the associated servers' network of the misused servers cannot be properly traced - and these areas are in question.
    But yes, most of the IRC servers are very legitimate and honest.

    Bad servers are not just limited to the IRC, but also to the usual official internet - certain rogue providers and rogue IPs with servers are frequently used by criminals. These are the very worst servers to be found - they never provide any references to their previous connections or official clients, hence their clients are in isolation and have protection from authorities (found in certain areas of Central America and Eastern Europe, Russia and Asia servers). These of course use the usual http and email ports and protocols, not IRC.
    This is not limited to the international scene either - there are several U.S. providers and many servers with scumware - and all legal, unfortunately.

    I suppose most do not use IRC because first they have no idea how to use it properly and secondly it has had a past reputation of hacked IPs and network worms and malware. Both confusing and scary to many.
    On the other hand, any new Windows operating system comes with an IM and the provider tries to get the users to install their own IM - the commercial aspects of the IMs and communications are easy to use for the people and more profitable for the corporations.

    I would imagine as providers start to limit P2P, then perhaps the IRC will become the next major network for sharing files? There is file sharing on the IRC now, but it may get even more popular.
    Plus none of the "official" IMs (yahoo, aol, msn, etc.) are encrypted or secured - the contents are exposed to anyone and any authority. Whereas the IRC connections can be encrypted or properly secured and cannot be snooped on. Correct?
    And the official IMs are a conduit for advertising/sponsors - is there any serious advertising on the IRC channels?

    I tried to show there is a difference between the usual internet robots and the malware
    "botnets" (bot nets controlled by bot masters can happen also on the regular http traffic, but the specific IRC trojans use just the IRC channels for obtaining and sending commands and information).

    Usually the robots that check servers can be avoided by special scripts added to the web files - the servers then do not get enumerated and avoid the unwanted constant connections. These types of network robots are commonplace.

    Oldsod.
    Best regards.
    oldsod

