7.6 Detecting Malicious IM

Team-Fly

	Malicious Mobile Code: Virus Protection for Windows By Roger A. Grimes Slots : 1
	Table of Contents
	Chapter 7.  Instant Messaging Attacks

If computers on your network are not supposed to be using IM clients , you can search for the default TCP/IP port numbers each service uses. I've often found IM traffic on networks and file servers that network administrators and management did not know about. On a single PC or file server, you can use the NETSTAT command, and on a network you can use a firewall to discover hidden IM traffic. Table 7-1 lists common instant messaging TCP/IP port numbers.

Table 7-1. Default IM TCP/IP port numbers

Detection can be tougher if the client computer is supposed to be using Instant Messaging software. However, here are the steps you can follow to detect malicious IM programs:

1. Cut off Internet access.

   If you suspect a computer has been compromised by an IM attack, cut off Internet access to prevent hackers from causing further damage.

2. Run an antivirus scanner.

   Antivirus scanners will recognize the most popular IM hacking programs, including tools meant to compromise AIM and IRC worms.

3. In IRC, look for malicious scripts.

   Find where IRC scripts are stored. Look for script files with recent modification dates. Open each suspected script file with a text editor and look for signs of maliciousness. Pay special attention to lines with any of these commands:

   • Commands initiated with the ON JOIN parameter

   • DCC or CTCP commands

   • Loop routines

   • Words or messages that seem out of place

4. Look for signs of low security settings in the IM client.

   In order to freely manipulate a computer and upload and download files at will, malicious programs will disable relevant security settings. Especially look to see if the file sharing options enable file transfers without notification.