Chase the IRC bot

My IPS has been blocking rogue IRC sessions on port 80. These blocks have been occurring in multiple offices: Chicago, New York, San Francisco, and Shanghai. I’ve found that the users on all affected machines are Chinese. A recent observation is that the blocks always occur during business hours, local office time.

Host intrusion prevention software indicates that the software making the connections is none other than the web browser (IE and Firefox both observed).

I allowed the traffic from one office for a period of time so I could run a capture of the traffic to see what is going on.

My capture caught the following conversations. Based on the ‘Sina Network’ and ‘sina_test’ strings, I’m wondering if this is associated with Sina.com.

USER BOT 0 * :^auzwybp
PASS [SNIP]:58.63.234.137.80 001 ^auzwybp :Sina NetwoGMSG add ^auzwybp __sina_test
.:^auzwybp MODE ^auzwybp :+M.
:58.63.234.13ERROR :Closing Link: ^auzwybp
USER BOT 0 * :^hrUwPfo
PASS [SNIP]:58.63.234.205.80 001
^hrUwPfo :Sina NetwoGMSG add ^hrUwPfo __sina_test
.:^hrUwPfo MODE ^hrUwPfo :+M.
:58.63.234.20ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ping 58.63.234.205
.:58.63.234.205.80 PONG 58.63.234.205.80 :5ERROR :Closing Link: ^hrUwPfo

The machines haven’t displayed any other malicious behavior: no SMTP traffic, no DDoS traffic, no file downloads, etc. So if this is malicious, the bot network might be in a building phase or might be waiting for balkanization (I love that word). I have seen encrypted conversations between the bot and server.
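As an added example (not code from the post), here is a small Python classifier that flags IRC-shaped traffic on port 80 the way the IPS did. The sample flows are constructed from the capture above, and the command set and thresholds are my assumptions, not anything the post states.

```python
import re
from collections import Counter

# Constructed sample flows as (direction, dst_port, payload_line), modelled on the
# capture in the post (IPs and nicks copied from it, not live traffic).
IRC_ON_80 = [
    ("out", 80, "USER BOT 0 * :^auzwybp"),
    ("out", 80, "PASS [SNIP]"),
    ("in",  80, ":58.63.234.137.80 001 ^auzwybp :Sina Network"),
    ("in",  80, ":^auzwybp MODE ^auzwybp :+M"),
    ("in",  80, "PING :58.63.234.137"),
    ("out", 80, "PONG 58.63.234.137"),
    ("in",  80, "ERROR :Closing Link: ^auzwybp"),
]
PLAIN_HTTP = [
    ("out", 80, "GET /index.html HTTP/1.1"),
    ("out", 80, "Host: www.example.com"),
    ("in",  80, "HTTP/1.1 200 OK"),
]

# RFC 1459 message shape: optional ":prefix", a command word or 3-digit numeric, params.
IRC_MSG = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")
IRC_CMDS = {"USER", "PASS", "NICK", "MODE", "PING", "PONG", "PRIVMSG", "JOIN", "ERROR", "001"}

def parse_irc_line(line):
    """Return (prefix, COMMAND, params) if the line is IRC-shaped, else None."""
    m = IRC_MSG.match(line.strip())
    if m is None:
        return None
    return m.group("prefix"), m.group("cmd").upper(), m.group("params") or ""

def score_flow(flow, irc_ports=(6667,)):
    """Classify one TCP flow that is NOT on a known IRC port.
    Returns (verdict, evidence); evidence counts the IRC commands observed."""
    seen = Counter()
    for _direction, port, line in flow:
        if port in irc_ports:
            continue                      # expected IRC; out of scope here
        parsed = parse_irc_line(line)
        if parsed and parsed[1] in IRC_CMDS:
            seen[parsed[1]] += 1
    registered = bool({"USER", "PASS", "NICK"} & set(seen)) and "001" in seen
    if registered:
        verdict = "irc-session"           # client registered and server sent 001 welcome
    elif seen["PING"] + seen["PONG"] >= 2:
        verdict = "irc-keepalive"         # only the ping/pong phase was captured
    else:
        verdict = "none"
    return verdict, dict(seen)
```

Running `score_flow(IRC_ON_80)` yields `irc-session` with the USER/PASS/001/MODE/PING/PONG/ERROR counts as evidence, while `score_flow(PLAIN_HTTP)` yields `none`.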

So, to recap:

  1. I only observe IRC traffic during business hours, local office time. This to me indicates the traffic is driven by user activity, which lends credence to it being legit.
  2. The web browser is the IRC client, which leads me to believe it’s probably a Java-based IRC client or something like that.
  3. Nothing is being downloaded and installed. Typically, when IE is compromised, it will download the malicious payload (usually using FTP) and steps are taken to ensure continued access (registry edits). I have not observed any of that yet, which makes me wonder if this would be classified as a ‘compromise’.
  4. I’ve seen no SMTP traffic outbound.

My next step is to talk to one of the users.

Any comments or suggestions are certainly welcome, especially if you’ve seen this in your network as well.

You’re all alone?

Her: You’re all alone?

Me: Well, if you count my mammoth ego, there’s two of us.

MS Exchange Spam Filtering

I’m no Microsoft Exchange guru, by any stretch of the imagination, but I’ve been working with our email provider for the past three weeks trying to get our spam filtering disabled on Exchange 2007 because we use a third party anti-spam service and wish to simplify the whole solution.

There seems to be some confusion for email jockeys who are used to the 2003 IMF way of filtering emails as opposed to the 2007 CFA way. Below is a summary of what I’ve learned (more than I wanted) about Exchange’s anti-spam product.

More below the fold.


Electric Sheep and Bittorrent

Earlier this week I observed one of my laptops running World of Warcraft, which was accessing a *.torrent file. Today, I found another application, this time a screen saver called Electric Sheep, using it.

Electric Sheep is a similar concept to SETI@home: network several machines together to utilize processing cycles once the machine goes idle. Electric Sheep, instead of looking for ET, renders fractals which are intended to be analogous to computer dreams. Cool concept, both as a screensaver and for the fact that it utilizes the Bittorrent protocol for information sharing.

It’s obvious the Bittorrent protocol is gaining a foothold in mainstream computing. Now all that is needed is an authorization or identification bit in the TCP handshake that will ID the application. That way we network security apes can authorize certain Bittorrent applications to cross the gateway while blocking others.

Interesting Bittorrent client

One of my HIPS rules specifically blocks any access to a *.torrent file, for obvious reasons. Going through my HIPS logs today, I see the following event:

The process ‘C:\World of Warcraft\BackgroundDownloader.exe’ (as user [SNIP]) attempted to access ‘C:\Documents and Settings\[SNIP]\Local Settings\Temporary Internet Files\Content.IE5\Y7YR4USA\WoW-2.3.3.7799-x86-Win-enUS-BKGND[1].torrent’. The attempted access was a write (operation = WRITE). The operation was denied and process terminated.

It’s fascinating to think that WoW uses Bittorrent to manage itself, just not on one of my work machines, thank you very much. ;)