
Is Your Computer Being Used For Internet Attacks?


The computer press calls them "Zombies", but they are also known as "Bots" or "IRC Bots". Whenever a Windows PC hosting an IRC Bot is started, the Bot waits for the system to finish booting, then connects to a previously designated IRC server. Using a private password key, it joins a secret IRC channel that is not visible to other users of the IRC server and waits for commands.

IRC servers are often configured to deliberately obscure the names and IP addresses of their clients, thus providing anonymity to all users. Since this anonymity can only be breached through physical access to the server, many Bot armies are "run" from servers located on foreign soil where access is impossible to obtain. Since IRC Bots "phone home" to the central server, the hacker does not need to know which specific machines are hosting his Bots. This allows Bots to be deployed in the wild by a variety of means. Hackers create Bot-carrying eMail viruses (frequently enabled by Microsoft's virus-friendly Outlook Express), they create infected internet "Trojan" downloads, place Bots in USENET newsgroups and do anything they can to get their Bots into other people's computers. IRC Bots never need to be "scanned for", since all active Bots contact their home base IRC server whenever they "awaken". The various IRC Bots are just 15,904 bytes in size, so they are easily hidden as trojans within other, typically huge, Windows programs.


CAUTION

A Windows IRC client program (e.g. Microsoft Chat, Pirch, mIRC, ViRC, etc.) running on the PC will generate false-positive reports, since these are tests for IRC client programs. So be sure to completely exit from any known IRC client programs before performing the tests below.


An active connection to an IRC server can be detected with the following command:

netstat -an | find ":6667"

Open an MS-DOS Prompt window, type the command above, then press the Enter key. If no line resembling the one shown below is displayed, your computer does not have an open connection to an IRC server running on the standard IRC port (6667). If, however, you see something like this

TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED

then the only question remaining is how quickly you can disconnect your PC from the internet!

A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident server" on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots that has been examined does this. Therefore, the detection of an Ident server running on your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:

netstat -an | find ":113 "

leaving a space after the 3 and before the closing double-quote (the trailing space stops ":113 " from also matching longer port numbers such as 1130). As before, no output indicates that there is no Ident server running on the default Ident port, 113. If, however, you see something like this

TCP 0.0.0.0:113 0.0.0.0:0 LISTENING

then it's probably time to pull the plug on your cable-modem!
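The two tests above are one-line filters on netstat output. As an added example (not from the original page or from Gibson Research Corporation), the POSIX shell script below applies the same two indicators to a block of constructed, Windows-style `netstat -an` lines: an ESTABLISHED TCP connection whose foreign address ends in :6667, and a TCP socket LISTENING locally on :113. Matching the foreign column for 6667 and the local column for 113 is an assumption of this script, chosen so that an unrelated local port 6667 or a remote port 113 is not flagged; the `find` commands on the page match the string anywhere in the line.

```shell
#!/bin/sh
# Added example: detect the two indicators described on the page in
# netstat-style output. The lines below are CONSTRUCTED sample data in the
# column layout Windows netstat prints (Proto, Local Address, Foreign
# Address, State). On a live machine pass "$(netstat -an)" instead.
SAMPLE_NETSTAT='Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED
TCP    192.168.1.101:1030     192.168.1.1:139        ESTABLISHED
UDP    0.0.0.0:6667           *:*'

# irc_connections: print ESTABLISHED TCP lines whose *foreign* address ends
# in :6667 (the standard IRC port). Reads netstat-style text on stdin.
# Checking the foreign column avoids flagging the local UDP :6667 line.
irc_connections() {
    awk '$1 == "TCP" && $3 ~ /:6667$/ && $4 == "ESTABLISHED"'
}

# ident_listeners: print TCP lines with a *local* socket LISTENING on :113
# (the default Ident port). Anchoring on ":113$" is the same idea as the
# trailing space in the page's find ":113 " command.
ident_listeners() {
    awk '$1 == "TCP" && $2 ~ /:113$/ && $4 == "LISTENING"'
}

# count_indicators NETSTAT_TEXT: echo the number of indicator lines found.
# 0 means neither test fired.
count_indicators() {
    n1=$(printf '%s\n' "$1" | irc_connections | wc -l)
    n2=$(printf '%s\n' "$1" | ident_listeners | wc -l)
    echo $((n1 + n2))
}

# scan NETSTAT_TEXT: print a verdict and return non-zero when anything was
# found, so it can gate a script, e.g.  scan "$(netstat -an)" || ...
scan() {
    n=$(count_indicators "$1")
    if [ "$n" -eq 0 ]; then
        echo "no IRC (6667) or Ident (113) indicators found"
        return 0
    fi
    echo "WARNING: $n line(s) match the IRC/Ident indicators:"
    printf '%s\n' "$1" | irc_connections
    printf '%s\n' "$1" | ident_listeners
    return 1
}

# Stand-alone run against the constructed sample (prints the two hits).
scan "$SAMPLE_NETSTAT"
```

Like the page's own commands, this only looks at the standard ports, and a legitimate IRC client running on the PC will trip both checks, so the CAUTION above applies unchanged.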


Source: Gibson Research Corporation

11-06-2003