Malicious Mobile Code: Virus Protection for Windows, by Roger A. Grimes

Chapter 7. Instant Messaging Attacks

7.6 Detecting Malicious IM

If computers on your network are not supposed to be using IM clients, you can search for the default TCP/IP port numbers each service uses. I've often found IM traffic on networks and file servers that network administrators and management did not know about. On a single PC or file server, you can use the NETSTAT command, and on a network you can use a firewall to discover hidden IM traffic. Table 7-1 lists common instant messaging TCP/IP port numbers.

Table 7-1. Default IM TCP/IP port numbers

| Instant messaging network | Default IP port number |
| --- | --- |
| AOL's Instant Messenger | 5190 and 6040 |
| ISeekYOU Chat (ICQ) | 4000 |
| Internet Relay Chat (IRC) | 6666, 6667, 7000 |

Detection can be tougher if the client computer is supposed to be using Instant Messaging software. However, here are the steps you can follow to detect malicious IM programs:

- Cut off Internet access. If you suspect a computer has been compromised by an IM attack, cut off Internet access to prevent hackers from causing further damage.
- Run an antivirus scanner. Antivirus scanners will recognize the most popular IM hacking programs, including tools meant to compromise AIM, and IRC worms.
- In IRC, look for malicious scripts. Find where IRC scripts are stored. Look for script files with recent modification dates. Open each suspected script file with a text editor and look for signs of maliciousness. Pay special attention to lines with any of these commands:
- Look for signs of low security settings in the IM client. In order to freely manipulate a computer and upload and download files at will, malicious programs will disable relevant security settings. Especially look to see if the file sharing options enable file transfers without notification.
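The NETSTAT port check described above, as an added example that is not from the book: a Python script that parses `netstat -an` output and flags established TCP connections whose foreign port is one of the Table 7-1 defaults. The netstat sample is constructed, not captured from a real host; on a live Windows box you would feed it the real command's output.

```python
import re
from typing import Dict, List, Tuple

# Default IM TCP ports from Table 7-1, mapped to the service they indicate.
IM_PORTS: Dict[int, str] = {
    5190: "AOL Instant Messenger",
    6040: "AOL Instant Messenger",
    4000: "ICQ",
    6666: "IRC",
    6667: "IRC",
    7000: "IRC",
}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      205.188.8.6:5190       ESTABLISHED
  TCP    192.168.1.10:1041      10.0.0.5:6667          ESTABLISHED
  TCP    192.168.1.10:1050      10.0.0.9:80            ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""

# proto, local host:port, foreign host:port (port may be "*"), optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?")


def find_im_connections(netstat_output: str) -> List[Tuple[str, str, int, str]]:
    """Return (service, foreign_host, foreign_port, state) for every TCP line
    whose foreign port is a default IM port. Header lines and UDP are skipped."""
    hits: List[Tuple[str, str, int, str]] = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _lhost, _lport, rhost, rport, state = m.groups()
        if proto != "TCP" or rport == "*":
            continue
        port = int(rport)
        if port in IM_PORTS:
            hits.append((IM_PORTS[port], rhost, port, state or ""))
    return hits


if __name__ == "__main__":
    for service, host, port, state in find_im_connections(SAMPLE_NETSTAT):
        print(f"{service}: {host}:{port} ({state})")
```

A firewall-level version of the same check would apply the port list to outbound flows across the whole network rather than one host's connection table.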