Aldryic C'boas
The Pony
One of our clients learned today why exchanging links isn't the best of ideas >_>
On a semi-related note, I just received a text from the regional VP: "Please stop neighing during conference calls.. you're scaring the board"
Dangers of IRC
- Thread starter Aldryic C'boas
- Start date
On a semi-related note, I just received a text from the regional VP: "Please stop neighing during conference calls.. you're scaring the board"
Aldryic C'boas
The Pony
I figured you'd appreciate someone sharing your pain :3
wlanboy
Content Contributer
I should not ask ... but where is the recording of your ... neighing?
Aldryic C'boas
The Pony
Hah. If there is a recording, I don't have it, sadly (wish I'd thought to make my own recording). I have access to the Mitel phone boxes.. but only for networking - I can't access or tell if there are any recorded conversations, sadly.
PLEASE PLEASE
It depends on how harmful
Depending on how you secure irc as well. Some do a basic install without thinking about security and then you start having bots take over the system that will allow them to start attacking other systems. http://www.arbornetworks.com/asert/2006/11/that-new-bot-irc-bot-attacking-symantec-overflow/ just one of many ways things can go wrong if the host doesn't understand what they are doing.
here is what the link says then. B)
Back in May of this year, Symantec released an avisory entitled SYM06-010: Symantec Client Security and Symantec AntiVirus Elevation of Privilege. Those that took the time to read it beyond the title noticed that this isn’t just a local privilege elevation exploit. It’s an out and out remote stack overflow using a specific service (TCP port 2967). We started tracking possible exploit activity for this vulnerability in early June using an ATF policy to detect scans and exploits, with our thinking that someone would surely take an interest. Activity for this policy quickly dropped off our radar, buried underneath some juicy Windows and VNC holes that people focused on. We didn’t see many scanners for this service, and only a burst of a scan early last week.
That is, until now, in late November, when we see a bot using an exploit for this (and lots of peopleare curious). We had a look at the bot, and found that it’s a new exploit plugin for a garden variety SDBot. This thing’s a beast! It’s huge, not unlike a bloated bot that someone’s thrown everything into. A partial list of the capabilities this puppy appears to have:
- SYMC06-010 exploit (TCP port 2967)
- NetAPI (MS06-040), TCP port 445
- DDoS and packet flooding (SYN, ACK, ICMP, UDP floods, for example)
- Password theft and packet sniffing
- It can enumerate other installed malware
- The usual bunch of access capabilities
- The usual bunch of brute force attacks, downloads, upload, proxy checks, etc …
If you’re concerned you’re going to be targeted and that your network is at risk from this bot, you’ll have to block a lot of the standard bot stuff, including ports 139, 445, 2967 (for that Symantec exploit), 1434, and so on. If you haven’t updated your Windows boxes, do so; if you haven’t updated your Symantec clients, do so. Follow the link above for the patch information. Specifically for that bot, it goes to the IRC server at www.flackware.info on TCP port 6667. This currently resolves to 4 IP addresses. Blocking that at the DNS level or using a firewall policy should prevent the bot from getting additional commands.
Last edited by a moderator:
