Chase the IRC bot

My IPS has been blocking IRC rogue sessions on port 80. These blocks have been occurring in multiple offices: Chicago, New York, San Francisco, and Shanghai. I’ve found that the users on all affected machines are Chinese. A recent observation is that the blocks always occur during business hours, local office time.

Host intrusion prevention software indicates that the software making the connections is none other than the web browser (IE and Firefox both observed).

I allowed the traffic from one office for a period of time so I could run a capture of the traffic to see what is going on.

My capture caught the following conversations. Based on the ‘Sina Network’ and ’sina_test’ I’m wondering if this is associated with Sina.com.

USER BOT 0 * :^auzwybp
PASS [SNIP]:58.63.234.137.80 001 ^auzwybp :Sina NetwoGMSG add ^auzwybp __sina_test
.:^auzwybp MODE ^auzwybp :+M.
:58.63.234.13ERROR :Closing Link: ^auzwybp
USER BOT 0 * :^hrUwPfo
PASS [SNIP]:58.63.234.205.80 001
^hrUwPfo :Sina NetwoGMSG add ^hrUwPfo __sina_test
.:^hrUwPfo MODE ^hrUwPfo :+M.
:58.63.234.20ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ERROR :Closing Link: ^hrUwPfo

The machines haven’t displayed any other malicious behavior; no SMTP traffic, no DDOS traffic, no file downloads, etc. So if this is malicious, the bot network might be in a building phase or might be waiting for balkanization (I love that word). I have seen encrypted conversations between the bot and server.

So, to recap:

  1. I only observe IRC traffic during business hours, local office time. This to me indicates the traffic is driven by user activity, which lends to it being legit.
  2. The web browser is the IRC client, which leads me to believe it’s probably a java-based IRC client or something like that.
  3. Nothing is being downloaded and installed. Typically, when IE is compromised, it will download the malicious payload (usually using FTP) and steps are taken to ensure continued access (registry edits). I have not observed any of that yet, which makes me wonder if this would be classified as a ‘compromise’.
  4. I’ve seen no SMTP traffic outbound.

My next step is to talk to one of the users.

Any comments or suggestions are certainly welcome, especially if you’ve seen this in your network as well.
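A small detector for the pattern in the capture above (an IRC client registration followed by server numerics, MODE and PING/PONG on port 80), added here as an example and not part of the original thread. It assumes you already have the payload lines of each flow from a capture; the sample streams, the 10.0.0.x and 203.0.113.10 addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample streams keyed by (src, dst, dst_port). The first follows
# the pattern of the capture quoted in the post above; the second is an
# ordinary HTTP request on the same port, for contrast.
SAMPLE_STREAMS = {
    ("10.0.0.5", "58.63.234.137", 80): [
        "USER BOT 0 * :^auzwybp",
        "PASS [SNIP]",
        ":58.63.234.137.80 001 ^auzwybp :Sina Network",
        "GMSG add ^auzwybp __sina_test",
        ":^auzwybp MODE ^auzwybp :+M",
        "ERROR :Closing Link: ^auzwybp",
    ],
    ("10.0.0.6", "203.0.113.10", 80): [
        "GET /js/vote/boke_vote.js HTTP/1.1",
        "Host: www.example.invalid",
    ],
}

# IRC commands worth counting; three-digit numerics (001 = RPL_WELCOME) count too.
IRC_COMMANDS = {"USER", "PASS", "NICK", "JOIN", "MODE", "PING", "PONG", "PRIVMSG", "ERROR"}
# Optional ":prefix " then the command token, as in RFC 1459 message framing.
IRC_LINE = re.compile(r"^(?::\S+\s+)?([A-Za-z]+|\d{3})\b")
WEB_PORTS = {80, 443, 8080}


def irc_commands(lines):
    """Return the IRC command/numeric at the head of each payload line, if any."""
    found = []
    for line in lines:
        m = IRC_LINE.match(line.strip().lstrip("."))  # leading '.' is capture residue
        if m:
            token = m.group(1).upper()
            if token in IRC_COMMANDS or token.isdigit():
                found.append(token)
    return found


def classify_stream(dst_port, lines, min_commands=3):
    """Flag a stream that carries several IRC commands, including a client
    registration (USER/PASS/NICK), on a port that should only carry HTTP."""
    cmds = irc_commands(lines)
    registration = sorted({"USER", "PASS", "NICK"} & set(cmds))
    suspicious = dst_port in WEB_PORTS and len(cmds) >= min_commands and bool(registration)
    return {"verdict": "irc_on_web_port" if suspicious else "ok",
            "commands": Counter(cmds), "registration": registration}


def scan(streams):
    """Return the stream keys that look like IRC tunnelled over a web port."""
    return [key for key, lines in streams.items()
            if classify_stream(key[2], lines)["verdict"] == "irc_on_web_port"]
```

Run `scan(SAMPLE_STREAMS)` to get the flagged flows; feeding it the per-flow payloads from the IPS capture would separate the bot sessions from the ordinary GETs to the same hosts.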

The one google search result that I got seems to corroborate your speculation that this is related to Sina. I found some copy-pasted stuff on a Chinese chat forum that makes the IRC traffic akin to news update traffic. That’s a flimsy conclusion from my shallow investigation, of course. What other network traffic was going on at the time?

Well, this particular session caught my eye:

GET /js/useradmin/friendList/msgCount.js

and then this one:

GET /js/vote/boke_vote.js

and this one:

GET /pg/play/relat_album.php?relatId=20

Those, to me anyway, might also indicate legitimate use.

But then I saw this one and immediately thought of the recent SQL injection attacks.

GET /v/iframe/15/2007/0927/6.js

So I’m still undecided if this is malicious IRC traffic or not.