IRC-Based Botnet Detection on IRC Server

Chen, Yi-ling

06 August 2009

Recently, Botnet has become one of the most severe threats on the Internet because it is hard to be prevented and cause huge losses. Prior intrusion detection system researches focused on traditional threats like virus, worm or Trojan. However, traditional intrusion detection system cannot detect Botnet activities before Botmasters launch final attack. In Botnet attack, in order to control a large amount of compromised hosts (bots), Botmasters use public internet service as communication and control channel (C&C Channel). IRC (Internet Relay Chat) is the most popular communication service which Botmasters use to send command to their bots. Once bots receive commands from Botmasters, they will do the corresponding abnormal action. It seems that Botnet activities could be detected by observing abnormal IRC traffic. In this paper, we will focus on IRC Server and, we will use four unique characteristics of abnormal channel, (1) the prefix of Botmaster communication in C&C channel, (2) the response messages of bots, (3) average response time from bots, and (4) average length of message, to detect abnormal Channel in IRC Server. We develop an on-line IRC IDS to detect abnormal IRC channel. In the proposed system, abnormal IRC channel can be detect and we can (1) identify the infected hosts (bots) and Botmaster in C&C Channel, (2) trackback the IP of Bots and Botmaster, (3) identify Bots before Botmasters launch final attack, and (4) find the pattern of abnormal channel. The experiments show that the proposed system can indeed detect abnormal IRC channel and find out bots and Botmaster.

IRC Sniffer

IRC-Based Botnet

Botnet