How to detect Bots on your network by blocking and reporting on IRC

by Rich Sutton
October 8th, 2007

I worked for many years at Symantec in the Enterprise Security Group, where I wrote a slew of code for Symantec’s antivirus and client security products. In my time there, I talked to lots of IT Admins who were tasked (saddled?) with the responsibility of managing huge deployments of desktop security.

Their most difficult problems were always in the area of installation and deployment. Things like: How can you help me find all of the computers on my network that need AV installed on them? Can your product identify the source of an infection, so I can go find that computer and clean it up? It was all about managing and probing those dark corners of the network where desktop security wasn’t already deployed.

The solution is to use the security products that are at your gateway.

Internet Relay Chat (IRC) is the original instant messaging protocol. It’s the old school chat. The vast majority of your employee base has probably never heard of IRC — they’re using the commercial IM clients like Yahoo, Windows Live Messenger and AIM.

But bot herders use IRC. Historically, it’s been the command and control channel of choice for them. They can set up their own IRC servers, then have their bots phone home for further instructions. IRC allows them to broadcast instructions out to thousands of bots at once.

Security researchers have identified these central IRC servers as prime targets for taking down bot networks. It represents a single point of failure in any bot network; if you take down the IRC C&C server, you disable the botnet. As a result, bot herders are moving to distributed architectures using techniques like FastFlux domains.

However, IRC remains a protocol of choice: check out the fascinating data from this automated honeypot. Most phone-home traffic is FTP, HTTP and IRC. It’s a challenge to sort out the malicious FTP and HTTP from the benign. But it’s trivial for IRC, because there isn’t likely to be any benign IRC on your network.

Run a report on IRC detected and/or blocked at your gateway (if your web filter supports it, which 8e6 does), and forward it to the folks in charge of desktop security. If you see IRC coming from a computer on your network, then that computer is likely to be infected with a bot.
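Here is what that report looks like when you build it yourself from gateway logs. This is an added example, not code from the original post and not part of any 8e6 product; the log format (`src=`, `dst=`, `dport=`, `action=`, `payload=`) is a hypothetical one I made up for the example, and the log lines, addresses and channel name are constructed. It flags a connection as IRC either by destination port or, going a bit beyond the post, by spotting an IRC command (NICK, USER, JOIN, PRIVMSG) at the start of the payload, which catches bots that talk IRC on a non-standard port. Only internal (RFC 1918) source addresses are reported, since those are the desktops you would hand to the desktop security team.

```python
"""Report internal hosts that talked IRC through the gateway.

Added example: not the original post's code and not 8e6's product.
The log format below is hypothetical; a real deployment would read
the web filter's own export instead of SAMPLE_LOG.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample gateway log lines (hypothetical format, not from any product).
SAMPLE_LOG = """\
2007-10-08T09:12:01 src=10.1.4.23 dst=203.0.113.9 dport=6667 action=block payload="NICK x3f9a1 USER x3f9a1 0 * :x"
2007-10-08T09:12:05 src=10.1.4.23 dst=203.0.113.9 dport=6667 action=block payload="JOIN #c0ntr0l"
2007-10-08T09:13:44 src=10.1.7.2 dst=198.51.100.5 dport=80 action=allow payload="GET / HTTP/1.1"
2007-10-08T09:15:10 src=10.1.9.40 dst=192.0.2.77 dport=8080 action=allow payload="NICK bot1122 USER a 0 * :a"
2007-10-08T09:16:00 src=10.1.7.2 dst=198.51.100.6 dport=443 action=allow payload=""
2007-10-08T09:20:31 src=10.1.4.23 dst=203.0.113.10 dport=7000 action=block payload="PRIVMSG #c0ntr0l :ready"
"""

# Address ranges we treat as "our desktops" (RFC 1918 private space).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Conventional IRC server ports; bots on other ports are caught by IRC_CMD below.
IRC_PORTS = set(range(6660, 6670)) | {7000}
IRC_CMD = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PASS|PONG)\b")
LINE_RE = re.compile(
    r'src=(\S+) dst=(\S+) dport=(\d+) action=(\w+) payload="([^"]*)"')


def looks_like_irc(payload: str, dport: int) -> bool:
    """True for a standard IRC port, or an IRC command on the wire on any port."""
    return dport in IRC_PORTS or bool(IRC_CMD.match(payload))


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of our private ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def irc_report(log_text: str) -> dict:
    """Map each internal source host to a summary of its IRC activity."""
    report = defaultdict(lambda: {"connections": 0, "blocked": 0, "servers": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines in a shape the parser does not understand
        src, dst, dport, action, payload = m.groups()
        if not is_internal(src) or not looks_like_irc(payload, int(dport)):
            continue
        entry = report[src]
        entry["connections"] += 1
        entry["blocked"] += 1 if action == "block" else 0
        entry["servers"].add(f"{dst}:{dport}")
    return dict(report)


def format_report(report: dict) -> str:
    """Render the report as text you can forward to the desktop security team."""
    lines = ["IRC activity by internal host (likely bot infections):"]
    for src, e in sorted(report.items(), key=lambda kv: -kv[1]["connections"]):
        servers = ", ".join(sorted(e["servers"]))
        lines.append(f"  {src}: {e['connections']} connections "
                     f"({e['blocked']} blocked) to {servers}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(irc_report(SAMPLE_LOG)))
```

On the sample data the report lists 10.1.4.23 (three blocked connections to two IRC servers) and 10.1.9.40, whose single connection went out on port 8080 and was allowed by the filter, but whose payload starts with an IRC NICK command. That second host is exactly the kind of dark corner the post is talking about: nothing blocked it, and you would never see it without reporting on the protocol rather than just the port.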

You might ask: why do I need to look for infections on my network? I put the filter at the gateway, and that’s blocking stuff. I put AV on the computers I know about, and that’s blocking stuff, too.

There are lots of infection vectors. An infected laptop brought in by a vendor. A zero-day threat that your AV didn’t have a signature for yet. Your CFO disabled the desktop firewall on his laptop while at home because it was blocking KaZaA. We (and our competitors) add thousands of URLs to our threat categories every day. But no solution is 100%. Monitoring and quick remediation are important components of good security practice.

Using your web filter should be an important part of your regular security process — reporting on IRC is one of the ways you can use it effectively.


One Response to “How to detect Bots on your network by blocking and reporting on IRC”

  1. 8e6Labs: IT Security Blog » Blog Archive » Overview of the threats posed by Bots Says:

    [...] few weeks ago, I wrote about how you can use the IRC blocking capability of your web filter to detect the presence of bots on your network. In that post, I assumed that we all understood the threat posed by bots — why they’re [...]
