
SANS ISC: Bot C&C Servers on Port 80 - Internet Security | DShield SANS ISC InfoSec Forums


Bot C&C Servers on Port 80
We do see more and more bots that use port 80 for their C&C channel. This makes these bots harder to detect. However, these are IRC servers, so it's not that hard to distinguish them from HTTP traffic.

A couple of tricks that may help:

  • Implement a proxy server to filter outbound port 80 traffic. This is a good idea anyway as it may help you to implement additional filtering for web traffic as well.
  • If you suspect an IRC server on port 80 in your own network, a quick scan with nmap can help:

nmap -A -p 80 10.0.0.0/24 (the '-A' option enables version detection, which looks for service banners)

Interesting ports on 10.0.0.a:
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped <--- expect this from devices using web admin interfaces.

Interesting ports on 10.0.0.b:
PORT STATE SERVICE VERSION
80/tcp open http? <--- this server is running apache with customized headers.

Interesting ports on 10.0.0.c:
PORT STATE SERVICE VERSION
80/tcp open irc ircu ircd <--- this server is running IRC!
Service Info: Host: megaserver

  • Implement a Snort rule to look for IRC traffic on port 80. Snort's 'chat.rules' has a number of rules to detect IRC, but they are limited to ports 6666:7000 by default. You could try some of them to see if they work for you, but the way they are written could easily cause false positives. A slightly improved rule (the depth:5 keeps the match anchored to the very start of the client's payload, and sid/rev are needed for Snort to load the rule; sids from 1000000 up are reserved for local rules):

alert tcp any any -> any 80 (msg:"irc traffic on port 80"; flow:established,to_server; content:"NICK "; depth:5; sid:1000001; rev:1;)
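As an added illustration (not part of the original diary), the following Python mirrors what the Snort rule above does, so you can see why anchoring on the first bytes of the client's first message keeps false positives low: a port-80 flow that opens with an HTTP method is HTTP, one that opens with an IRC registration command (NICK, USER, PASS) is IRC, and "NICK " buried inside an HTTP body is never examined. The flow records and IP addresses are constructed sample data.

```python
"""Classify the first client-to-server payload of a port-80 flow as HTTP or IRC.

Added example, not from the ISC diary. It applies the same idea as the Snort
rule: only the leading bytes of the client's first message are inspected
(Snort's content:"NICK "; depth:5), so a "NICK " string that appears later in
a legitimate HTTP request body cannot trigger a match.
"""

# Methods with which an HTTP client may legitimately open a port-80 conversation.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")

# Commands an IRC client sends when registering a session (RFC 2812).
# The trailing space matters: "NICKNAME..." is not an IRC NICK command.
IRC_REGISTRATION = (b"NICK ", b"USER ", b"PASS ")


def classify_first_payload(payload: bytes) -> str:
    """Return 'http', 'irc' or 'unknown' from the start of the client's
    first message. Matching is anchored at offset 0, like depth:5 in Snort."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload.startswith(IRC_REGISTRATION):
        return "irc"
    return "unknown"


# Constructed sample flows: (client, server, first client payload on port 80).
SAMPLE_FLOWS = [
    ("10.0.0.15", "10.0.0.40", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.22", "10.0.0.90", b"NICK bot4711\r\nUSER x 0 * :x\r\n"),
    # HTTP POST whose body happens to contain "NICK ": must not be flagged.
    ("10.0.0.23", "10.0.0.40", b"POST /form HTTP/1.1\r\n\r\nfield=NICK is a name"),
    # Unknown protocol starting with "NICK" but no space: not an IRC command.
    ("10.0.0.31", "10.0.0.90", b"NICKNAME-sync v1\r\n"),
]


def find_irc_flows(flows):
    """Return the (client, server) pairs whose first payload looks like IRC."""
    return [(client, server) for client, server, payload in flows
            if classify_first_payload(payload) == "irc"]


if __name__ == "__main__":
    for client, server in find_irc_flows(SAMPLE_FLOWS):
        print(f"possible IRC C&C on port 80: {client} -> {server}")
```

Running the script reports only the second flow; the POST with "NICK " in its body and the "NICKNAME-sync" payload are left alone, which is exactly the effect of depth:5 in the Snort rule.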
I will be teaching next: Intrusion Detection In-Depth - SANS London September 2019

Johannes

3609 Posts
ISC Handler
