grifd

asked on

Backdoor IRC Trojan / NAT Router/Firewall

I read that some Trojans contain an IRC client program that will call out to an IRC server and open backdoor access to the infected pc.

If the infected PC is behind a NAT router/firewall, is the trojan able to "call out" to an IRC server?

I am under the impression that, in order for an IRC program to work behind a router, the router must first be configured to open certain ports.

Would this prevent the Trojan from making a successful connection to the IRC server?



SOLUTION
srikrishnak
grifd

ASKER

Thank you for that explanation. :)

I read the following on Zone Labs webpage: "Win32.Execubot.B is a worm that spreads via network shares using a dictionary attack. It also contains backdoor functionality that allows for unauthorized access and control of a victim's machine. The backdoor is controlled via IRC."

If an infected PC is behind a router/firewall with ALL inbound ports closed (including port 80), will the backdoor be able to receive commands via IRC channels?
(I understand that typically with IRC the router has to be configured to receive inbound connections to port 6667 etc.)

Can you please explain what is meant by "The backdoor is controlled via IRC"?

I understand the traditional backdoor trojans such as Back Orifice, SubSeven, etc.
Tim Holman
Typically, the infected client will communicate with tcp/6667 on an external IRC server, and ask it for some commands to run.
The commands that come back will be part of the same stateful connection, so even if your firewall blocks ALL inbound traffic, then the requests to the IRC server can still be serviced.
You can approach this by creating an outbound firewall policy, and restricting to udp/53, tcp/80, tcp/443.  Add to this an application proxy like ISA 2004 or a network IPS, then you will be able to fully inspect the packets and work out whether or not they have malicious intent.
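To make the stateful-connection point concrete, here is an added Python simulation (not code from this thread or any product mentioned in it) of a NAT router's connection tracking: inbound packets are accepted only when they are the reply half of a flow a LAN host opened, and an optional egress allow-list models the udp/53, tcp/80, tcp/443 outbound policy suggested above. All addresses and ports are constructed.

```python
from dataclasses import dataclass

# Constructed 5-tuple packet model: "in" = arriving from the Internet, "out" = leaving the LAN.
@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Default-deny inbound, track flows opened from inside, optional egress allow-list.

    egress_allow: set of (proto, dport) permitted outbound; None = allow all outbound.
    """
    def __init__(self, egress_allow=None):
        self.egress_allow = egress_allow
        self.state = set()   # (proto, lan_ip, lan_port, ext_ip, ext_port) for flows the LAN opened

    def filter(self, pkt):
        if pkt.direction == "out":
            if self.egress_allow is not None and (pkt.proto, pkt.dport) not in self.egress_allow:
                return "DROP"                      # outbound port not on the allow-list
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        # Inbound: accepted only if it answers a flow the LAN host already opened.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if key in self.state else "DROP"

def irc_bot_scenario(egress_allow=None):
    """Replay the exchange described in the thread and return the verdict per packet."""
    fw = StatefulFirewall(egress_allow)
    bot, server = "192.168.1.10", "203.0.113.5"     # constructed addresses (RFC 5737 test range)
    packets = [
        ("bot connects to irc server", Packet("out", "tcp", bot, 51000, server, 6667)),
        ("server reply carries command", Packet("in", "tcp", server, 6667, bot, 51000)),
        ("unsolicited inbound to 6667", Packet("in", "tcp", "198.51.100.7", 40000, bot, 6667)),
    ]
    return {name: fw.filter(p) for name, p in packets}

if __name__ == "__main__":
    print("inbound blocked, outbound open:", irc_bot_scenario())
    print("egress limited to 53/80/443:   ",
          irc_bot_scenario({("udp", 53), ("tcp", 80), ("tcp", 443)}))
```

With only inbound blocking, the server's reply is accepted because it matches the state entry the bot created; only the egress policy stops the flow. A port allow-list is still blind to what travels over tcp/80 or tcp/443, which is why the answer pairs it with an application proxy or IPS.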
grifd

ASKER

Tim thank you for the answer. It makes sense to me, however one question:

"The commands that come back will be part of the same stateful connection, so even if your firewall blocks ALL inbound traffic, then the requests to the IRC server can still be serviced."

I understand this is how a tunneling trojan would normally work. But in regards to IRC trojans I am still not sure. I am fairly certain that IRC will not work unless you open ports 6667, etc., to inbound connections. I use mIRC and that is what I had to do with my router in order to get mIRC to work.

Please excuse me if I am missing something, but in regards to trojans that utilize mIRC as a client program for example - wouldn't the router have to be configured properly?

Just trying to understand if IRC trojans can be mitigated by installing a hardware firewall/router.
ASKER CERTIFIED SOLUTION