Threats that use IRC have been around for a long time and have changed over the years. Early examples required a computer with an IRC client already installed in order to function. Later iterations bundled a hacked copy of mIRC, a popular and readily available IRC client. Today, most IRC Trojan threats carry their own IRC client embedded within the Trojan itself.
What is IRC?
In a nutshell, Internet Relay Chat (IRC) is a text-based chat protocol and network commonly used for communication, sharing files, and sending commands to many computers at once. An IRC network is made up of servers that host "channels", which are organized by topic. Threats like IRC Trojan use IRC to carry out their back door functions.
For a more detailed description of IRC, see the Internet Relay Chat page on Wikipedia.
What does the Trojan do?
The primary purpose of IRC Trojan threats is to open a back door, allowing an attacker to issue commands to the compromised computer. While the functions that can be carried out are largely arbitrary (a back door generally provides full control of the computer), the following list highlights some functions that are often carried out by the back door in IRC Trojan threats:
- Perform distributed denial of service (DDoS) attacks
- Set up a proxy server to route traffic through the computer
- Collect information (system and personal) from the computer and any storage device attached to it
- Terminate or run tasks and processes
- Download and execute additional files
- Upload files and other content
- Report on status
- Open remote command line shells
- Change computer settings
- Shut down or restart the computer
Why would a Trojan use IRC?
Relaying the commands through an IRC server provides the attacker with a level of anonymity that is not as easily obtained by connecting directly to the threat's back door. IRC also allows an attacker to control a large number of computers as a botnet. Since each computer compromised by a particular IRC Trojan logs into a predetermined IRC channel, an attacker can send a single command to the channel, and the channel relays it to every computer in the botnet.
Are there any tell-tale signs?
The default port for IRC communication is 6667, and server communication may use ports in the 6660-6669 range. However, IRC Trojan threats often use unusual port numbers to communicate with their IRC servers, so a port-based check alone is not enough: the IRC protocol itself is plain text and easy to recognize, since a client announces itself with NICK and USER commands and then issues JOIN, PRIVMSG and PING/PONG, whatever port it connects to. Any unexpected IRC communication that falls outside of the standard realm should be regarded as suspicious, and that includes IRC-formatted traffic on ports normally used by other services. Firewalls or network monitoring tools may also show network traffic to or from unusual remote addresses.
What are the risks?
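The following is an added example, not code from the original page or from Symantec, showing both the IRC message format described under "What is IRC?" and the tell-tale sign described above: IRC protocol traffic appearing on a port other than 6660-6669. It parses the RFC 1459 line form (":prefix COMMAND params :trailing"), runs over a handful of constructed flow records (the addresses, the "[XP|USA]-83921" style nick and the ".ddos.syn ..." channel text are all made up for the example and do not describe any specific threat), and reports IRC on a standard port as informational and IRC on any other port as suspicious. It also pulls out the channel messages, which is the path an attacker uses to push one command to every bot in the channel.

```python
import re

# Standard IRC server ports named in the text: 6660-6669, with 6667 the default.
IRC_STANDARD_PORTS = range(6660, 6670)

# Commands an IRC client session always produces; a stream of these is IRC
# regardless of which TCP port carries it.
IRC_COMMANDS = {"NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
                "PING", "PONG", "MODE", "TOPIC", "QUIT"}


def parse_irc_line(line):
    """Split one IRC protocol line into (prefix, command, params) following the
    RFC 1459 message form ':prefix COMMAND param1 param2 :trailing'.
    Returns None if the line cannot be read as an IRC message."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    command = parts[0].upper()
    # Commands are alphabetic words; server replies are three-digit numerics.
    if not re.fullmatch(r"[A-Z]+|\d{3}", command):
        return None
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


# Constructed flow records, not real captures: (src, dst, dst_port, first payload line).
# The bot nick style and the channel command text are invented for this example.
SAMPLE_FLOWS = [
    ("10.0.0.5",  "203.0.113.7",   6667, "NICK alice"),
    ("10.0.0.5",  "203.0.113.7",   6667, ":alice!u@host JOIN #linux"),
    ("10.0.0.9",  "198.51.100.20", 443,  "NICK [XP|USA]-83921"),
    ("10.0.0.9",  "198.51.100.20", 443,  "JOIN #bots"),
    ("10.0.0.9",  "198.51.100.20", 443,  ":op!x@y PRIVMSG #bots :.ddos.syn 192.0.2.1 80 60"),
    ("10.0.0.12", "93.184.216.34", 80,   "GET / HTTP/1.1"),
    ("10.0.0.12", "93.184.216.34", 80,   "Host: example.com"),
]


def classify_flows(flows):
    """Flag each flow whose payload is an IRC command. IRC on a standard port is
    reported as 'info'; IRC on any other port is 'suspicious', because an IRC
    Trojan typically picks an unusual port for its command channel."""
    findings = []
    for src, dst, dport, payload in flows:
        parsed = parse_irc_line(payload)
        if parsed is None:
            continue
        _prefix, command, params = parsed
        if command not in IRC_COMMANDS:
            continue  # parses like IRC but is not an IRC command (e.g. HTTP 'GET')
        if dport in IRC_STANDARD_PORTS:
            severity, reason = "info", "IRC on standard port %d" % dport
        else:
            severity, reason = "suspicious", "IRC protocol on non-IRC port %d" % dport
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "command": command, "params": params,
                         "severity": severity, "reason": reason})
    return findings


def channel_commands(findings):
    """Return (channel, text) for PRIVMSGs sent to a channel in suspicious flows:
    one message to the channel reaches every bot that has joined it."""
    out = []
    for f in findings:
        if (f["severity"] == "suspicious" and f["command"] == "PRIVMSG"
                and len(f["params"]) == 2 and f["params"][0].startswith("#")):
            out.append((f["params"][0], f["params"][1]))
    return out


if __name__ == "__main__":
    results = classify_flows(SAMPLE_FLOWS)
    for f in results:
        print(f["severity"], f["src"], "->", f["dst"], f["command"], f["reason"])
    print("channel commands:", channel_commands(results))
```

On the constructed records the two flows to port 6667 come back as informational, the three flows to port 443 are flagged suspicious, the HTTP lines are ignored, and the only channel command extracted is the PRIVMSG to #bots. In practice the payload line would come from a packet capture or an IDS that reassembles TCP streams; matching on the protocol rather than the port is what catches a Trojan that has moved its server off 6667.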
The back door component of these Trojans poses a relatively high risk of damage or loss to the user if it can remain undetected and active for a significant time. On the lower end of the scale is annoyance through the loss of bandwidth or performance due to actions such as proxying traffic. On the upper end of the scale the risks include identity theft and the loss of money from online accounts due to the theft of login credentials.
What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall -- or better still, an Intrusion Prevention System (IPS) -- will help to block the back channel activity initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent unknown programs such as these from executing in the first place.
How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":