IRC botnets on their way to the graveyard
November 16, 2010
According to the latest research from Team Cymru, web-controlled (HTTP) botnets operated by groups of hackers now outnumber those controlled by the traditional method of IRC (Internet Relay Chat) channels by a factor of about five.
In the old days, IRC channels were the only way to control networks of compromised personal computers, but that approach has now fallen out of favor and been displaced by the "script-kiddie" approaches that predominate on the Internet today.
According to Steve Santorelli, former Scotland Yard detective and now director of global outreach at Team Cymru, IRC botnets are on their way to the graveyard, and would be dead and buried already were it not for weak corporate security policies that have allowed them to stick around.
Santorelli says that many companies and organizations still don't filter port 6667, which is used for IRC channels and nothing else, allowing infected PCs, laptops, critical workstations and even servers inside corporate networks to receive instructions that would otherwise be blocked at the corporate firewall.
"Infected computers that are part of IRC botnets often have persistent, continuous connections to their C&C, compared to HTTP-based botnets which have their infected PCs frequently check in at pre-determined times," Santorelli explained. "These connections can be tell-tale symptoms that your network is infected if you know exactly where to look."
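As an added illustration of the indicator Santorelli describes (long-lived outbound connections on the IRC port), not code from the article or from Team Cymru: a Python script that scans connection-log records and flags internal hosts holding persistent connections to port 6667, then groups them by destination so that several hosts talking to one C&C stand out. The log format, duration threshold and IP addresses are constructed for the example.

```python
"""Flag internal hosts with persistent outbound connections to the IRC port.

Added example; the record format below is constructed for illustration and is
not a real product's schema. Fields: start_epoch end_epoch src_ip dst_ip dst_port
"""
from collections import defaultdict

IRC_PORT = 6667
# A flow open at least this long (seconds) counts as "persistent" (assumed threshold).
PERSISTENT_SECONDS = 30 * 60

# Constructed connection-log lines (RFC 5737 test addresses as external hosts).
SAMPLE_LOG = """\
1289865600 1289872800 10.0.0.12 203.0.113.45 6667
1289865610 1289865612 10.0.0.12 198.51.100.7 80
1289865700 1289865705 10.0.0.33 203.0.113.45 6667
1289866000 1289880400 10.0.0.77 203.0.113.99 6667
1289866100 1289866101 10.0.0.77 198.51.100.9 443
1289867000 1289874200 10.0.0.91 203.0.113.45 6667
"""

def parse_flows(text):
    """Parse the constructed log into (start, end, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst, dport = line.split()
        flows.append((int(start), int(end), src, dst, int(dport)))
    return flows

def find_persistent_irc(flows, min_seconds=PERSISTENT_SECONDS):
    """Return {src_ip: [(dst_ip, duration_s), ...]} for IRC-port flows that
    stayed open at least min_seconds. Short IRC sessions are ignored."""
    hits = defaultdict(list)
    for start, end, src, dst, dport in flows:
        duration = end - start
        if dport == IRC_PORT and duration >= min_seconds:
            hits[src].append((dst, duration))
    return dict(hits)

def shared_destinations(hits):
    """Group flagged hosts by C&C address: {dst_ip: sorted [src_ip, ...]}.
    Several internal hosts pinned to one IRC server is the stronger signal."""
    by_dst = defaultdict(set)
    for src, conns in hits.items():
        for dst, _ in conns:
            by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items()}

if __name__ == "__main__":
    hits = find_persistent_irc(parse_flows(SAMPLE_LOG))
    for dst, srcs in shared_destinations(hits).items():
        print(f"{dst}:6667 held open by {len(srcs)} host(s): {', '.join(srcs)}")
```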
On the whole, HTTP-controlled botnets are easier for miscreants to set up and run than IRC-controlled ones, while also being harder to detect, so it is no surprise that they have become the preferred approach for the command-and-control systems of zombie networks.
Internet-based botnets are doubling in number every year and a half. "HTTP-based botnets often use popular ports like port 80 that are of course unblocked on most networks and also hard to filter and easy to hide in a sea of noise. There is no persistent, constant connection to spot," said Santorelli.
IP blacklists and anti-virus software can help to some extent against comparatively unsophisticated botnet agents. "But there is simply no excuse for allowing these relatively basic threats into your networks," Santorelli was quick to point out.
"They are extremely easy to configure and deploy. You just need zero coding knowledge to run a web-based botnet."
A short video explaining the changes in botnet control technology can be found on Team Cymru's YouTube channel.
Source: Team Cymru Internet Security.