Internet Relay Chat and the Effect of Botnets on Security

Wednesday, August 25, 2010

Jon Stout

Many internet chat participants have enjoyed the benefits of the Internet Relay Chat capability (IRC). This functionality has added fast and convenient communication, universal access and valuable functionality throughout the entire world.

But there is a downside to the IRC in the world of botnets and Cyber security attacks.

What is the IRC?

Internet Relay Chat (IRC) is a form of real-time Internet text that is mainly designed for group communication in discussion forums.

The IRC is powerful and universal. It supports all major computer operating systems and is easily accessible. With up to 600,000 users, the potential for cyber penetration becomes a worldwide problem.

In addition to a vast number of server arrays, IRC client software is available for almost every computer operating system that supports TCP/IP networking.

What are Botnets?

A botnet is a destructive tool that takes many forms. Among the most destructive uses are distributed denial of service (DDoS) attacks, spamming and financial data theft/fraud.

Network Penetration and Control

There are many ways to penetrate a network with malicious code. For example, a simple but risky way to compromise a network is to offer a specially prepared USB drive whose innocuous but attractive content carries hidden Trojan horses or other malicious code. This approach, however, exposes the perpetrator to the risk of discovery.

Allowing unlimited web surfing that reaches unsafe or infected websites is another route of penetration, but it is hit-or-miss and can be stopped through vigilant network administration.

By far the most dangerous tool for anonymous network penetration and control, however, is the IRC. The IRC exposes very large networks worldwide and, in the hands of a knowledgeable perpetrator, can cause tremendous and often anonymous damage.

One of the easiest and most efficient ways to establish a Botnet is through the IRC.

Botnet Creation, Control and the IRC

The steps in botnet creation illustrate how easy it is, and the fact that botnet creators usually distribute their bots to malicious third parties for a fee:

1. The botnet operator infects targeted PCs with malicious code (Trojan horses and other destructive code) and command protocols that are then passed to the network server over the IRC. A command and control (C&C) server is created that allows control of the entire network.

2. The botnet created by the process is often sold to a criminal or terrorist enterprise.

3. The buyer then sends instructions to trigger a Distributed Denial of Service, spamming or data theft attack.

4. The attack creates significant damage and attacks can be repeated.

A botnet's originator (aka "bot herder" or "bot master") can control the group remotely, over channels provided by the IRC, usually for terror- or crime-related purposes. The individual programs at the client level appear as "bots".

Control of the botnet is usually exercised through an IRC server that is also known as the Command and Control server. Some of the latest botnets are self-generating through the use of custom-designed code. These botnets are potentially extremely destructive.
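The control pattern described above, many infected hosts reporting in to one IRC server and channel, is also what makes IRC-based botnets visible on the defender's side of the network. As an added example that is not part of the original article, the following Python script runs a simple detection heuristic over a constructed sample of IRC traffic as a network sensor might record it: several internal hosts connecting to the same external IRC server, joining the same channel and using nicknames that all follow one template is a classic indicator of C&C traffic, while ordinary chat users show no such fan-in. The log line format, the IP addresses, the channel names and the nickname template are all constructed for this example and are not taken from the article or from any real sensor.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the article). Assumed line format:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> <IRC command> [arguments]
SAMPLE_LOG = """\
2010-08-25T10:00:01 10.0.0.11 -> 203.0.113.5:6667 NICK [US|XP|00123]
2010-08-25T10:00:01 10.0.0.11 -> 203.0.113.5:6667 JOIN #ops
2010-08-25T10:00:03 10.0.0.12 -> 203.0.113.5:6667 NICK [US|XP|00124]
2010-08-25T10:00:03 10.0.0.12 -> 203.0.113.5:6667 JOIN #ops
2010-08-25T10:00:04 10.0.0.13 -> 203.0.113.5:6667 NICK [DE|XP|00125]
2010-08-25T10:00:04 10.0.0.13 -> 203.0.113.5:6667 JOIN #ops
2010-08-25T10:00:09 10.0.0.14 -> 203.0.113.5:6667 NICK [US|XP|00126]
2010-08-25T10:00:09 10.0.0.14 -> 203.0.113.5:6667 JOIN #ops
2010-08-25T10:01:00 10.0.0.50 -> 198.51.100.7:6667 NICK alice_dev
2010-08-25T10:01:00 10.0.0.50 -> 198.51.100.7:6667 JOIN #python
2010-08-25T10:01:30 10.0.0.51 -> 198.51.100.7:6667 NICK bob
2010-08-25T10:01:30 10.0.0.51 -> 198.51.100.7:6667 JOIN #linux
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)(?: (.*))?$")


def parse_line(line):
    """Parse one sensor line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, cmd, args = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "cmd": cmd.upper(), "args": args or ""}


def nick_shape(nick):
    """Collapse a nickname to its shape: letters -> 'a', digits -> '#', punctuation kept.

    Nicks generated from a template such as [US|XP|00123] all share one shape,
    whereas human-chosen nicks rarely do.
    """
    return re.sub(r"\d", "#", re.sub(r"[A-Za-z]", "a", nick))


def analyze(log_text, min_hosts=3):
    """Return one finding per (server, channel) that looks like an IRC C&C rendezvous.

    A finding requires at least `min_hosts` distinct internal hosts joining the same
    channel on the same server AND at least `min_hosts` of them using nicks of one shape.
    """
    nicks = {}                        # (src, server) -> last NICK sent
    channel_hosts = defaultdict(set)  # (server, channel) -> set of src hosts
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        tokens = rec["args"].split()
        if rec["cmd"] == "NICK" and tokens:
            nicks[(rec["src"], rec["dst"])] = tokens[0]
        elif rec["cmd"] == "JOIN" and tokens:
            # JOIN may list several channels separated by commas; keys (2nd token) are ignored
            for chan in tokens[0].split(","):
                channel_hosts[(rec["dst"], chan)].add(rec["src"])

    findings = []
    for (server, channel), hosts in sorted(channel_hosts.items()):
        if len(hosts) < min_hosts:
            continue
        shape_counts = defaultdict(int)
        for host in hosts:
            nick = nicks.get((host, server))
            if nick:
                shape_counts[nick_shape(nick)] += 1
        shared = max(shape_counts.values(), default=0)
        if shared >= min_hosts:
            findings.append({"server": server, "channel": channel,
                             "hosts": len(hosts), "hosts_with_shared_nick_shape": shared})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print("possible IRC C&C: {server} {channel} ({hosts} hosts, "
              "{hosts_with_shared_nick_shape} with templated nicks)".format(**f))
```

On the constructed sample only the 203.0.113.5 / #ops rendezvous is reported; the two users on 198.51.100.7 fall below the host threshold and their nicks share no shape. In practice the same two signals (fan-in of many internal hosts to one external IRC endpoint, and templated nicknames) can be computed from proxy or flow logs, and the threshold should be tuned to the size of the monitored network.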

Large user networks, some with 20,000 users or more, are tempting targets for botnet operators, and many of them offer little resistance.

Attribution

Given the widespread reach of public and private IRC networks, anonymous channels, the widespread use of encrypted scripts, the sale of botnets to anonymous third parties and the fact that large networks in other countries are the most productive, attribution of an attack to its actual source is often impossible.

Visitors to apparently safe or trusted sites that are under the hidden control of a botnet operator are easily fooled into downloading infected files and open themselves to malicious attacks. That a trusted site is located within the United States is no guarantee of safety, because the IRC opens even safe, trusted sites to remotely controlled, anonymous attacks.

The difficulty of attribution is supported by recent research (source: Sans.org) concluding that the overwhelming share of cyber attacks on targets in the United States arrives through domestic botnets, which pass malicious code to the greatest number of users.

Military and large commercial sites are priority targets, and disruption to commerce, loss of classified data and loss of site effectiveness often result.

Cyber Security Attacks

Botnets give criminal or terrorist elements the ability to control large installations of networked computers. By anonymously penetrating a single PC that is part of a large network and directing it through a centralized Command and Control (C&C) server, a cyber attack perpetrator can monitor and anonymously control networks that individuals trust.

This control often goes unnoticed at the individual PC level and can be exercised across borders with little fear of discovery.

Anonymous and efficient penetration of large-scale networks is the key to the success of botnets. While defensive measures against botnets are enjoying some success, the enemy is clever and innovative and the challenge is tremendous.

by
Jon M. Stout
April 2, 2010

Since 2003 Aspiration Software LLC has provided Cyber Security services to the Intelligence Community and the Department of Defense.
