Bot C&C Servers on Port 80

Bot C&C Servers on Port 80
We do see more and more bots that use port 80 for their C&C channel. This will make these bots harder to detect. However, these are IRC servers, so its not that hard to distinguish them from HTTP traffic. Couple tricks that may help: Implement a proxy server to filter outbound port 80 traffic. This is a good idea anyway as it may help you to implement additional filtering for web traffic as well. If you suspect an IRC server on port 80 in your own network, a quick scan with nmap can help: nmap -A -p 10.0.0.0/24 (The '-A' option will look for service banners) Interesting ports on 10.0.0.a: PORT STATE SERVICE VERSION 80/tcp open tcpwrapped <--- expect this from devices using web admin interfaces. Interesting ports on 10.0.0.b: PORT STATE SERVICE VERSION 80/tcp open http? <--- this server is running apache with customized headers. Interesting ports on 10.0.0.c: PORT STATE SERVICE VERSION 80/tcp open irc ircu ircd <--- this server is running IRC! Service Info: Host: megaserver implement a snort rule to look for IRC traffic on port 80. Snorts 'chat.rules' has a number of rules to detect IRC, but they are limited to port 6666:7000 by default. You could try some of them to see if they work for you. But the way they are written could easily cause false positives. A slightly improved rule: alert tcp any any -> any 80 (msg:"irc traffic on port 80"; flow: established, to_server; content: "NICK "; depth: 5;) I will be teaching next: Intrusion Detection In-Depth - SANS London May 2021	Johannes 4112 Posts ISC Handler Nov 16th 2006
Thread locked Subscribe	Nov 16th 2006 1 decade ago