Issue description
-------------------
It has already been known for about a week that the nasty IRC worm, the bot claiming to be a girl with the ASL "23/f/Anover", is haunting Undernet's big channels again. Because of this, add a little extra security for yourself and think before you accept anything from anyone.
General description of the nicks you should be extra careful about
-------------------------------------------------------------------------
A girlnameAge nickname, with a girlnameAge ident and a girlname realname, all three used with no capital letters.
~ ex: Marcia82 is Marcia82!natalie32@hostname.domain natalie
In most cases the real name matches the ident, and the number in the nickname and ident is two characters long (see "82" and "32" in the example above).
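A small detection helper, added here as an example and not part of the original post, that scores a `nick!ident@host realname` line against the pattern described above; the first sample line is the advisory's own example, the others are constructed:

```python
import re

# Heuristic from the advisory: nick and ident are <name><2 digits>, the
# realname is a bare name, the realname usually matches the ident's name
# part, and all three tend to be lowercase.
NAME_NUM = re.compile(r"^([A-Za-z]+)(\d{2})$")
NAME_ONLY = re.compile(r"^[A-Za-z]+$")
USERHOST = re.compile(
    r"^(?P<nick>[^!\s]+)!(?P<ident>[^@\s]+)@(?P<host>\S+)\s+(?P<real>.+)$"
)


def worm_pattern_signals(line):
    """Return the advisory signals a 'nick!ident@host realname' line matches."""
    m = USERHOST.match(line.strip())
    if not m:
        return []
    nick = m["nick"]
    ident = m["ident"].lstrip("~")  # strip the no-identd prefix some servers add
    real = m["real"].strip()
    signals = []
    ident_match = NAME_NUM.match(ident)
    if NAME_NUM.match(nick):
        signals.append("nick is name+2digits")
    if ident_match:
        signals.append("ident is name+2digits")
    if NAME_ONLY.match(real):
        signals.append("realname is a bare name")
    if ident_match and real.lower() == ident_match.group(1).lower():
        signals.append("realname matches ident name")
    if (nick + ident + real).islower():
        signals.append("no capital letters")
    return signals


def looks_like_worm_nick(line, threshold=4):
    """Flag a line when it matches at least `threshold` of the five signals."""
    return len(worm_pattern_signals(line)) >= threshold


# Sample lines: the first is from the advisory, the rest are constructed.
SAMPLE_LINES = [
    "Marcia82!natalie32@hostname.domain natalie",
    "annie93!~annie93@203.0.113.5 annie",
    "Harry!harry@corp.example.com Harry Smith",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(looks_like_worm_nick(sample), worm_pattern_signals(sample))
```

Treat a hit as a prompt for a closer look, not proof: the heuristic is meant to catch the cluster of traits the advisory lists, and a legitimate user can match a few of them.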
Short story presented below. READ !!!
-----------------------------------------------
Illustrating the Dangers of IRC
by Joe Stewart, Senior Security Researcher at LURHQ
Consider the following scenario. One of your users (we'll call him Harry) is on his lunch break and wants to stop in his favorite chat room and talk about his morning so far. He connects to the Undernet Internet Relay Chat (IRC) network and joins the chat room called "#channel". Today he notices a new user sitting in the chat room who goes by the nickname Marcia82. Their conversation goes as follows:
[Marcia82] hi
[Harry] Hi there
[Marcia82] how are you?
[Harry] I'm fine. How are you today?
[Marcia82] 23/f/Anover
[Harry] 29/m/NYC
[Marcia82] do u have a pic? this is mine
With that, a window pops up on Harry's screen offering a file transfer from Marcia82 - a file named "Old-me.zip". Harry accepts the download, anxious to see a picture of the young woman he has been chatting with. He unzips the file and finds a single file inside, named "Old-me.scr". Harry is unfamiliar with that filename extension. He knows he should not run suspicious EXE files, but what is an SCR file? He decides it must be some kind of image file like a JPEG or GIF, but to be on the safe side, he decides to scan it with his desktop antivirus scanner just in case. He checks to make sure that the virus definitions are current. They were updated an hour ago, so he proceeds with the scan of the file. It comes up clean. Thinking the file is safe to open, he double-clicks the icon.
An Internet Explorer window opens on his desktop and displays a normal picture of a somewhat bored-looking young woman staring at her web cam. Harry decides to continue the conversation, but Marcia82 is no longer talking. Thinking she must have stepped away from the keyboard, Harry finishes his tuna-salad sandwich while waiting. When lunch is over, Harry says a final "See you later" in the chat window before shutting it down and getting back to filing his daily reports.
What Harry doesn't know is that he is now infected by a backdoor Trojan. Is Marcia an evil hacker? No, Marcia is a worm - a malicious program, which spreads from computer to computer on its own. In this case it uses social engineering to fool the user into thinking they are chatting with a real human being. Once the program is run, Harry's computer connects to IRC on its own and assumes the identity of Annie93. Harry's computer now lies in wait for more victims to prey upon. The hackers that control all the infected hosts from a secret chat room on the IRC network can now download additional remote-control programs to Harry's computer. They can read his files and email, sniff the network traffic, disable his antivirus software, delete files, or anything else they desire. For all intents and purposes, now they can utilize your internal network as if they were Harry.
This is not a made-up scenario; this is a real worm, which is spreading on IRC right now. The antivirus companies are not able to keep up with the number of variants being released every day. Unlike your average email virus, being up-to-date on your virus definitions won't stop this. Unlike the latest Internet Explorer exploits, being up-to-date on your patches won't stop this. The only thing stopping IRC users on your network from being infected is their own level of expertise. Ask yourself, would your users be taken in by the conversation above, or would they recognize the malicious intent?
Sometimes, but not very often, when LURHQ is integrated into a new network, we discover a very lax outbound policy on the firewall. In these cases employees are allowed to use any port or protocol outbound. The idea of keeping the "bad guys" out while allowing the "good guys" full access is archaic at best and is a dangerous proposal indeed. If you are allowing full outbound access for your users, you are at risk from the scenario above, which is just one of many. The moral of the story is to stay abreast of the latest threats, define strict firewall rule-sets and work to raise the security awareness inside your organization.