Detecting Malicious IM

If computers on your network are not supposed to be using IM clients, you can search for the default TCP/IP port numbers each service uses. I’ve often found IM traffic on networks and file servers that network administrators and management did not know about. On a single PC or file server, you can use the NETSTAT command, and on a network you can use a firewall to discover hidden IM traffic. Table 7-1 lists common instant messaging TCP/IP port numbers.

Table 7-1. Default IM TCP/IP port numbers

Instant messaging network

Default IP port number

AOL’s Instant Messenger

5190 and 6040

ISeekYOU Chat (ICQ)

4000

Internet Relay Chat (IRC)

6666, 6667, 7000

Detection can be tougher if the client computer is supposed to be using Instant Messaging software. However, here are the steps you can follow to detect malicious IM programs:

  1. Cut off Internet access.

    If you suspect a computer has been compromised by an IM attack, cut off Internet access to prevent hackers from causing further damage.

  2. Run an antivirus scanner.

    Antivirus scanners will recognize the most popular IM hacking programs, including tools meant to compromise AIM and IRC worms.

  3. In IRC, look for malicious scripts.

    Find where IRC scripts are stored. Look for script files with recent modification dates. Open each suspected script file with a text editor and look for signs of maliciousness. Pay special attention to lines with any of these commands:

    • Commands initiated with the ON JOIN parameter

    • DCC or CTCP commands ...

Get Malicious Mobile Code now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.