7.3 Introduction to Internet Relay Chat

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 7.  Instant Messaging Attacks

Internet Relay Chat works using a standardized IRC protocol (Internet RFC 1459) that allows almost any Internet computer to host an IRC server process. Each server can belong to a series of IRC servers to form a network. Each network has at least dozens of channels (if not tens of thousands) that anyone can join, each pertaining to a particular topic. Channel names always begin with the # symbol. Each IRC user can easily create their own channel and invite participants. By default, channels are PUBLIC and available to anyone logging into the IRC network, but they can be made INVITE-ONLY. Every user picks a Nickname to use as their online representative, and it can be changed at any time. A user can also choose to be Invisible and be assigned a random nickname. Nicknames must be unique within a network.

In order to use IRC, you have to install an IRC client program and be connected to the Internet. You start the client and connect to a particular IRC server. There are thousands of servers and hundreds of networks to choose from. You connect to a server and your client will usually LIST all the available channels that you can join. You can then JOIN a channel and begin to participate.

7.3.1 IRC Networks

Of the Instant Messaging types, IRC and AIM are attacked the most. AIM mostly suffers attacks against the channel itself. Malicious hackers want to disrupt private communications and create disruption within individual users' sessions. IRC has that problem and more. Many malicious mobile code programs now use IRC to report to their originators that they've infected the latest victim and installed a back door. All the information that is needed to attack the person's machine is then relayed and backdoor access is left wide open. The hacker can then concentrate his efforts on a particular victim or group of victims. It is not uncommon for a rogue hacker group to gain unauthorized access to a private company's Internet server, set up an IRC server, and then advertise their entry via IRC to other hackers. Because malicious mobile code has a special attraction to IRC, much of this chapter will be spent on IRC details and IRC exploits. IRC is especially vulnerable to IRC script viruses and worms, which we will cover shortly.

IRC networks can range in size from one server that serves a private set of users to networks with over 100 interconnected servers and tens of thousands of online users. Each network is a separate IRC community. Thus, if you join a channel called #news in one network, it does not connect to #news in another network. However, all IRC servers within the same network will carry the #news channel, and everything done to the #news channel will appear on all servers within the network. To meet and chat with a particular person, make sure you know what network and channel they will be on.

There are several popular IRC networks to choose from, including EFnet, IRCnet, Undernet, Dalnet, and others (see http://windows-help.net/irc-nets-1.html for a list of hundreds of IRC networks). EFnet, or Eris Free net (http://www.irchelp.org), is the original and largest, with more than 43,000 users and 18,000 ongoing channels. It is also the most hacked IRC network. I haven't seen it stated better than the following sentences taken from an IRC new user's FAQ located at http://www.newircusers.com: "Hackers run rampant and wars are a way of life. If you want a wild and woolly ride, strap on your flack jacket and head for EFnet!" While EFnet isn't complete chaos, it is considered the more unregulated of the larger networks. IRCnet broke off from EFnet and is hosted by a large number of European servers. It has about 27,000 users.

Undernet (http://www.undernet.org), with 30,000 users, and Dalnet (http://www.dal.net), with 23,000 users, were both formed as safe alternatives to EFnet. Although hackers still try to play tricks, several security improvements do help both networks maintain a more secure chatting environment. Some networks are dedicated to a particular subculture, like UnionLatina, FreeBSDNet, and Eqnet (dedicated to Equestrian/Horse chat). Which IRC server you connect to depends on the IRC connect address you use. Most chatters try to pick a geographically close IRC server without a lot of slowness. An Undernet server might be called washington.dc.us.undernet.org.

In January 2001, Undernet suffered through a series of denial of service attacks that brought the IRC network to its knees, showing that even the safer alternatives are not risk free.

Most channels have an operator (or channel op) that manages the channel, and an @ symbol is placed in front of their nickname to announce their status. By default, the person who creates the channel is an operator. Other operators can be assigned as the need arises, and large channels have dozens of operators. Operators moderate the flow and context of the channel. If someone becomes a nuisance or goes off the topic, the operator can KICK them off the channel, sometimes forever. Channel Ops can BAN users by nickname, account name, hostname, network, or IP address. Malicious hackers spend a considerable amount of energy wresting control away from the legitimate operators.

7.3.2 IRC Clients

In order to use IRC, you need an IRC client. There are dozens of IRC client programs (mIRC, Pirch, ircII, WSIRC, InteRfaCe, ChatMan, and Virc). Some clients are text-based versions where every IRC command has to be typed in (e.g., /JOIN), while the more popular packages are GUI-based and make everything just a mouse click away. With a GUI interface and a powerful command set, mIRC (http://www.mirc.com) and Pirch (http://www.pirch.com) are by far the most popular IRC clients in the Windows world. Rogue hackers trade off user friendliness for power with the Eggdrop and BitchX clients to exploit the IRC community. Figure 7-3 shows some example IRC channels that anyone can join, while Figure 7-4 shows some chat activity on a joined channel.

An early version of the IRCII Unix client, back in 1994, was widely used before it was discovered that a Trojan back door existed. It allowed hackers to gain unauthorized access with full rights of the user. Thus, if the user had system administrator root privileges, the hacker could gain full access to the system.

Figure 7-3. Example of some of the IRC channels

Figure 7-4. Sample IRC chat on the #Unix channel

7.3.3 IRC Commands

When using IRC, a chatter needs to tell the client program to list channels and give instructions on when to join and leave. Here are a few basic IRC commands (all IRC commands begin with a "/"):

/JOIN: Joins an existing channel, or creates a new channel.

/PART: Leaves a channel.

/LIST: Lists all the available channels on a particular network.

/MSG: Sends a private message to an individual user.

/WHOIS: Shows more information about a particular person.

/INVITE: Invites a user to join a particular channel.

/NICK: Allows you to change your nickname on the fly.

/NAMES: Shows the nicknames of the non-invisible users on a particular channel.

/KICK: Allows an operator to force someone off the channel.

/MODE: Allows channel operators to change administrative channel options.

7.3.4 Other IRC Features

IRC includes other features that are helpful to users and hackers alike.

7.3.4.1 DCC

The Direct Client to Client (DCC) feature of IRC allows a user to connect directly to another IRC user. The DCC SEND command allows you to send a file. The DCC GET command allows you to receive a file. And DCC CHAT allows a private conversation to be initiated between two file-transferring parties. If you know the other person's IP address, you don't even need an IRC server to accomplish the task. By default, when someone sends you a file, a dialog box will pop up prompting you to accept or deny the request. You can limit what a user sends you and where the file gets saved. In older clients, the files were saved directly into the program directory, thereby allowing numerous exploits. You can set an Ignore All option to deny all DCC requests or just ignore certain file types. You can also turn on the AUTO GET file option that will automatically download files without a user's intervention. This is not recommended practice for anyone.

You can even define what your IRC client does after downloading a file. For example, whenever you download a file with the .GIF extension, you can make your client display the graphic. Be careful with this DCC feature, as it is the most common way hackers send malicious mobile code in the IRC world. Never accept a file from an untrusted source. Never execute or install a file delivered via DCC simply because the person on the other end of the IRC channel says it's alright to do so. There is no authentication and no security mechanism to stop what a malicious program might do. Many backdoor Trojans are delivered via IRC.

7.3.4.2 CTCP

The Client-to-Client Protocol (CTCP) is a special type of communication between two IRC clients and it allows a user to expand their own IRC client's functionality. It's hard to define exactly what you can do with CTCP because it can do so many different things. It can be used to grant operator status to a friend while you are absent. It can be used to find out more information on a particular user, or find out what version of client software they are using. It is often used to remotely control an IRC client from somebody else's computer. Users can even remotely execute any command into their IRC client and PC. CTCP is often used to remotely pick up and drop off files. All in all, CTCP is a feature rogue hackers love to exploit.
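Both DCC offers (Section 7.3.4.1) and CTCP requests (this section) arrive as a PRIVMSG whose text is wrapped in \x01 bytes, with a DCC SEND carrying the filename, the sender's IP as a 32-bit decimal, a port and a size. The following Python is an added example, not code from the book or from any IRC client named above: it parses those requests from raw IRC lines and applies the defensive policy the text recommends (never AUTO GET, never save into the program directory, never accept executables on a stranger's say-so, answer only VERSION). The blocked-extension list, the download directory and the sample lines are constructed for the example.

```python
import ipaddress, os, re

# CTCP requests, including DCC offers, ride inside PRIVMSG text wrapped in \x01 bytes.
IRC_CTCP = re.compile(r'^(?::(?P<prefix>\S+) )?PRIVMSG (?P<target>\S+) :\x01(?P<ctcp>[^\x01]*)\x01$')
# Constructed policy values: types never accepted without review, and a dedicated download directory.
BLOCKED_EXT = {'.exe', '.com', '.bat', '.scr', '.pif', '.vbs', '.js', '.ini', '.dll'}
DOWNLOAD_DIR = '/var/irc/downloads'   # hypothetical path, never the client's program directory

def parse_ctcp(line):
    """Return a dict describing the CTCP request in a raw IRC line, or None if there is none."""
    m = IRC_CTCP.match(line.rstrip('\r\n'))
    parts = m.group('ctcp').split() if m else []
    if not parts:
        return None
    info = {'sender': (m.group('prefix') or '').split('!')[0], 'command': parts[0].upper(), 'args': parts[1:]}
    if info['command'] == 'DCC' and len(parts) >= 6 and parts[1].upper() == 'SEND':
        # DCC SEND <filename> <ip as a 32-bit decimal integer> <port> <size>
        info['filename'] = parts[2]
        info['ip'] = str(ipaddress.IPv4Address(int(parts[3])))
        info['port'] = int(parts[4])
        info['size'] = int(parts[5])
    return info

def dcc_send_decision(info):
    """Verdict ('deny' | 'prompt' | 'ignore', reason) for a parsed DCC SEND offer."""
    if not info or 'filename' not in info:
        return ('ignore', 'not a DCC SEND offer')
    name = os.path.basename(info['filename'].replace('\\', '/'))
    if name != info['filename'] or name in ('', '.', '..'):
        return ('deny', 'filename carries a path component')
    ext = os.path.splitext(name)[1].lower()
    if ext in BLOCKED_EXT:
        return ('deny', 'file type %s is never auto-accepted' % ext)
    # Never AUTO GET: even a harmless-looking name still goes to the user for a decision.
    return ('prompt', 'ask before saving %s under %s' % (name, DOWNLOAD_DIR))

def ctcp_reply(info):
    """Answer only VERSION, with a generic string, and act on nothing else (no remote commands)."""
    if info and info['command'] == 'VERSION':
        return 'NOTICE %s :\x01VERSION generic-irc-client\x01' % info['sender']
    return None

# Constructed sample traffic: an .exe offer, a path-traversal offer, a benign offer, a VERSION probe.
SAMPLE_LINES = [
    ':mallory!m@evil.example PRIVMSG alice :\x01DCC SEND setup.exe 3232235777 5000 40960\x01',
    ':bob!b@home.example PRIVMSG alice :\x01DCC SEND ..\\mirc.ini 3232235778 5001 512\x01',
    ':carol!c@home.example PRIVMSG alice :\x01DCC SEND photo.gif 3232235779 5002 2048\x01',
    ':dave!d@home.example PRIVMSG alice :\x01VERSION\x01',
]
```

Running `dcc_send_decision(parse_ctcp(line))` over `SAMPLE_LINES` denies the first two offers, prompts on the GIF, and ignores the VERSION probe, which `ctcp_reply` answers with the generic string.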

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176