# Dangers of IRC



## Aldryic C'boas (Mar 26, 2014)

> 10:45:23 <+S|nApSE> But is there really such a thing as the wrong hole?
>
> 10:45:50 <~Aldryic> zg: I see your link, and counter with https://www.youtube.ru/watch?v=ffDPTKn7HiY
> ...


One of our clients learned today why exchanging links isn't the best of ideas >_> 

On a semi-related note, I just received a text from the regional VP: _"Please stop neighing during conference calls.. you're scaring the board"_


----------



## MartinD (Mar 26, 2014)

STOP sharing that video!


----------



## Francisco (Mar 26, 2014)

GOOOOOOOOOOSH GOOOOOOOOOOOOOOSH

Francisco


----------



## Aldryic C'boas (Mar 26, 2014)

MartinD said:


> STOP sharing that video!


I figured you'd appreciate someone sharing your pain :3


----------



## wlanboy (Mar 26, 2014)

Aldryic C said:


> On a semi-related note, I just received a text from the regional VP: _"Please stop neighing during conference calls.. you're scaring the board"_


I should not ask ... but where is the recording of your ... neighing?


----------



## Aldryic C'boas (Mar 26, 2014)

wlanboy said:


> I should not ask ... but where is the recording of your ... neighing?


Hah. If there is a recording, I don't have it, sadly (wish I'd thought to make my own recording). I have access to the Mitel phone boxes, but only for networking; I can't access or tell if there are any recorded conversations, sadly.


----------



## lowesthost (Mar 28, 2014)

> STOP sharing that video!


PLEASE PLEASE


----------



## Exelion (Mar 29, 2014)

IRC is harmless. If IRC was harmful, I would have depopulated half the planet by now.


----------



## Packety (Mar 29, 2014)

Exelion said:


> IRC is harmless. If IRC was harmful, I would have depopulated half the planet by now


It depends on how harmful


----------



## Enterprisevpssolutions (Mar 30, 2014)

Depending on how you secure IRC as well. Some do a basic install without thinking about security, and then you start having bots take over the system that will allow them to start attacking other systems. http://www.arbornetworks.com/asert/2006/11/that-new-bot-irc-bot-attacking-symantec-overflow/ is just one of many ways things can go wrong if the host doesn't understand what they are doing.


----------



## Lorne (Mar 31, 2014)

No chance I am clicking that link lol.


----------



## Enterprisevpssolutions (Mar 31, 2014)

Lorne said:


> No chance I am clicking that link lol.


here is what the link says then.  B)

Back in May of this year, Symantec released an advisory entitled SYM06-010: Symantec Client Security and Symantec AntiVirus Elevation of Privilege. Those that took the time to read it beyond the title noticed that this isn’t just a local privilege elevation exploit. It’s an out and out remote stack overflow using a specific service (TCP port 2967). We started tracking possible exploit activity for this vulnerability in early June using an ATF policy to detect scans and exploits, with our thinking that someone would surely take an interest. Activity for this policy quickly dropped off our radar, buried underneath some juicy Windows and VNC holes that people focused on. We didn’t see many scanners for this service, and only a burst of a scan early last week.

That is, until now, in late November, when we see a bot using an exploit for this (and lots of people are curious). We had a look at the bot, and found that it’s a new exploit plugin for a garden variety SDBot. This thing’s a beast! It’s huge, not unlike a bloated bot that someone’s thrown everything into. A partial list of the capabilities this puppy appears to have:


- SYMC06-010 exploit (TCP port 2967)
- NetAPI (MS06-040), TCP port 445
- DDoS and packet flooding (SYN, ACK, ICMP, UDP floods, for example)
- Password theft and packet sniffing
- It can enumerate other installed malware
- The usual bunch of access capabilities
- The usual bunch of brute force attacks, downloads, upload, proxy checks, etc …

And it tends to do it in the usual bot way, meaning inefficient and slow. Not surprising. This bot requires some reasonable reversing skills and tools; it will look for debuggers and tracing tools, and tries to spot a VMWare installation. If you fail to get past that, it bails, but not until it makes sure it will start on the next reboot. It doesn’t unpack fully in memory, either, and uses the Themida packer. Most sandboxes out there (Norman, CWSandbox) are blind to it. The malware starts, loads a few DLLs, notices it’s being traced, and goes away. Sandbox reports are very, very useless in this situation.



If you’re concerned you’re going to be targeted and that your network is at risk from this bot, you’ll have to block a lot of the standard bot stuff, including ports 139, 445, 2967 (for that Symantec exploit), 1434, and so on. If you haven’t updated your Windows boxes, do so; if you haven’t updated your Symantec clients, do so. Follow the link above for the patch information. Specifically for that bot, it goes to the IRC server at _www.flackware.info_ on TCP port 6667. This currently resolves to 4 IP addresses. Blocking that at the DNS level or using a firewall policy should prevent the bot from getting additional commands.
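The quoted write-up ends with a defender's checklist: block the ports the bot scans and exploits (139, 445, 2967, 1434), and block or sinkhole its IRC command channel (TCP 6667, hostname www.flackware.info). The script below is an added example, written for this page and not taken from the forum post or from Arbor, that turns those indicators into detection logic and runs it over a few constructed log lines. The netfilter-style connection log format, the resolver log format and the 10.0.0.0/8 "internal" range are assumptions; the ports and hostname are the ones the write-up names.

```python
"""Flag log lines that match the IRC-bot indicators from the Arbor write-up.

Added example (not from the forum post or Arbor). Reports:
  * inbound connections to the ports the write-up says to block
    (scan/exploit attempts against 139, 445, 2967, 1434),
  * outbound TCP 6667 connections from an internal host (IRC C2 join),
  * DNS lookups of the C2 hostname (a candidate for resolver sinkholing).
Log formats and the internal address range are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Perimeter ports the write-up says to block for this bot family.
EXPLOIT_PORTS = {139, 445, 2967, 1434}
IRC_PORT = 6667                      # the bot's command channel
C2_HOSTNAME = "www.flackware.info"   # IRC server named in the write-up
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption: our LAN

# netfilter-style connection log (assumed format), e.g.
#   "... SRC=198.51.100.7 DST=10.0.0.12 PROTO=TCP SPT=4412 DPT=2967"
CONN_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(TCP|UDP) .*?DPT=(\d+)")
# resolver log (assumed format), e.g.
#   "DNS query from 10.0.0.12: www.flackware.info A"
DNS_RE = re.compile(r"DNS query from (\S+): (\S+) ")


@dataclass(frozen=True)
class Alert:
    kind: str    # "inbound-exploit-port" | "outbound-irc" | "c2-dns"
    host: str    # the internal address involved
    detail: str


def is_internal(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr) in INTERNAL_NET
    except ValueError:
        return False


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the line matches one of the bot's indicators."""
    m = CONN_RE.search(line)
    if m:
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        inbound = not is_internal(src) and is_internal(dst)
        outbound = is_internal(src) and not is_internal(dst)
        if inbound and dport in EXPLOIT_PORTS:
            # scan or exploit attempt against a port the perimeter should drop
            return Alert("inbound-exploit-port", dst, f"{src} -> {proto.lower()}/{dport}")
        if outbound and proto == "TCP" and dport == IRC_PORT:
            # an internal host joining the bot's IRC command channel
            return Alert("outbound-irc", src, f"-> {dst}:{dport}")
        return None
    m = DNS_RE.search(line)
    if m and m.group(2).lower().rstrip(".") == C2_HOSTNAME:
        # host resolving the C2 name: block or sinkhole it at the resolver
        return Alert("c2-dns", m.group(1), m.group(2))
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    return [a for a in map(classify, lines) if a is not None]


def likely_infected(alerts: Iterable[Alert]) -> set:
    """Internal hosts that reached out to the C2 (IRC join or DNS lookup)."""
    return {a.host for a in alerts if a.kind in ("outbound-irc", "c2-dns")}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "Nov 21 10:01:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.12 PROTO=TCP SPT=4412 DPT=2967",
    "Nov 21 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.12 PROTO=TCP SPT=4413 DPT=445",
    "Nov 21 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.12 PROTO=UDP SPT=4000 DPT=1434",
    "Nov 21 10:02:10 resolver named: DNS query from 10.0.0.12: www.flackware.info A",
    "Nov 21 10:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.9 PROTO=TCP SPT=1041 DPT=6667",
    "Nov 21 10:02:30 fw kernel: IN=eth1 OUT= SRC=10.0.0.40 DST=10.0.0.12 PROTO=TCP SPT=50000 DPT=445",
    "Nov 21 10:02:45 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.9 PROTO=TCP SPT=1042 DPT=443",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a.kind:22} {a.host:12} {a.detail}")
    print("likely infected:", sorted(likely_infected(found)))
```

Two design points worth noting: internal-to-internal traffic on 445 is deliberately not flagged, since SMB between workstations is normal and would drown the real signal, while an external source hitting 445 or 2967 is exactly the scan the write-up describes; and the DNS check is kept separate from the connection check because the hostname resolved to several addresses at the time, so matching on the name at the resolver is more durable than matching on any one IP at the firewall.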


----------



## Lorne (Mar 31, 2014)

@Enterprisevpssolutions

I meant

> zg: I see your link, and counter with https://www.youtube....h?v=ffDPTKn7HiY


Thanks though


----------



## rsk (Apr 4, 2014)

Wow .. just wow. The new rickroll?


----------

