Endpoint Protection

  • 1.  Blocking IRC

    Posted Apr 28, 2010 01:11 PM
    Hello Team,
    As part of a proactive approach, I have noticed that many Trojans employ IRC ports to "phone home" as it were.

    Question: Is it recommended, as part of an overall security approach, to disable IRC altogether, in addition to other implements such as IDS and network architecture?
    Essentially, I'm looking for an official endorsement from Symantec to recommend blocking IRC (especially if no one is using it).

    Thank you,



  • 2.  RE: Blocking IRC

    Posted Apr 28, 2010 01:17 PM

    Xiao,

    The answer really depends on which programs you are using.  I'm not sure that you will get an official "block IRC" statement from Symantec due to the large number of legitimate uses.  The easiest method is to simply block the protocol at the external firewall.


  • 3.  RE: Blocking IRC

    Posted Apr 28, 2010 02:27 PM
    There isn't an IPS def for IRC; however, you can block Instant Message programs.

    SEPM-policies-IPS-Exception-ADD-Instant Message-Block


  • 4.  RE: Blocking IRC

    Posted Apr 28, 2010 09:07 PM

    Vikram - There are multiple IPS signatures for IRC contained within SEP!! How does blocking Instant Messaging have ANYTHING at all to do with the original question relating to blocking IRC backchannels??

    To the OP, I would definitely recommend blocking IRC unless there is a business requirement within your organisation.
    The IPS component of SEPM has multiple IRC-related signatures for vulnerabilities associated with IRC malware:


    HTTP mIRC IRC URL BO
    HTTP Trojan IRCBot Activity
    NGIRCD Format String Vulnerability
    ngIRCD IRC Daemon DoS


    Then there is also a range of more generic IRC signatures, however they are in the audit category and as such allow traffic.
    You can easily add them into the exceptions for your IPS policy and change the action to block.

    The generic IRC detections that you would need to change are as follows:

    IRC DCC Private Message Chat Cmd
    IRC Identification Signature
    IRC JOIN Command
    IRC mIRC Privmsg BO
    IRC NICK Command
    IRC Notice Command
    IRC Notice DCC Chat Command
    IRC Notice DCC Send Command
    IRC Private Message Command
    IRC Private Message DCC Send Cmd
    IRC Suspicious Executable File Download
    IRC USER Command
    IRC W32 Tibick Activity
    IRC Worm Rinbot Activity
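
An added example, not part of the thread and not Symantec's signature logic: a sketch of what generic detections for the NICK, USER, JOIN, PRIVMSG, NOTICE and DCC commands listed above key on, run over constructed TCP payloads. The function names, the port set, the audit/block policy and the sample payloads are all assumptions made for illustration.

```python
import re

# Client commands named in the generic signatures listed above.
IRC_COMMANDS = {"NICK", "USER", "JOIN", "PRIVMSG", "NOTICE"}
# Conventional IRC ports (assumption); IRC seen on other ports is flagged.
USUAL_IRC_PORTS = set(range(6660, 6670)) | {6697}
# RFC 1459 message line: optional ":prefix ", a command word, then parameters.
LINE_RE = re.compile(rb"^(?::\S+ +)?([A-Za-z]+)(?: +(.*))?$")
# CTCP-wrapped DCC request carried in a PRIVMSG/NOTICE trailing parameter.
DCC_RE = re.compile(rb":\x01DCC (CHAT|SEND) ", re.I)


def irc_commands(payload: bytes) -> list[str]:
    """Return the IRC commands found in a TCP payload, in order."""
    found = []
    for line in payload.split(b"\n"):
        m = LINE_RE.match(line.rstrip(b"\r"))
        if not m:
            continue
        cmd = m.group(1).decode("ascii").upper()
        if cmd not in IRC_COMMANDS:
            continue
        dcc = DCC_RE.search(m.group(2) or b"")
        found.append(f"{cmd} DCC {dcc.group(1).decode().upper()}" if dcc else cmd)
    return found


def classify(dst_port: int, payload: bytes) -> str:
    """Return 'allow', 'audit' or 'block'; ':odd-port' is appended when
    IRC commands are seen on a port outside USUAL_IRC_PORTS."""
    cmds = irc_commands(payload)
    if not cmds:
        return "allow"
    # USER alone also occurs in FTP, so only NICK + USER together (an IRC
    # registration) is treated as block here (assumed policy).
    verdict = "block" if {"NICK", "USER"} <= set(cmds) else "audit"
    return verdict if dst_port in USUAL_IRC_PORTS else verdict + ":odd-port"


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (6667, b"NICK bot4821\r\nUSER bot4821 0 * :x\r\n"),
    (8080, b"NICK a\r\nUSER a 0 * :a\r\nJOIN #chan\r\n"),
    (6667, b"PRIVMSG peer :\x01DCC SEND f.exe 3232235777 1024 5120\x01\r\n"),
    (80, b"GET /user/join HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, irc_commands(data), classify(port, data))
```

The second sample shows why blocking by port alone at the firewall misses IRC carried on other ports, and the last one shows that words such as "user" or "join" inside an HTTP request do not match a line-anchored command parse.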