We do see more and more bots that use port 80 for their C&C channel. This will make these bots harder to detect. However, these are IRC servers, so its not that hard to distinguish them from HTTP traffic.
Couple tricks that may help:
- Implement a proxy server to filter outbound port 80 traffic. This is a good idea anyway as it may help you to implement additional filtering for web traffic as well.
- If you suspect an IRC server on port 80 in your own network, a quick scan with nmap can help:
nmap -A -p 10.0.0.0/24 (The '-A' option will look for service banners)
Interesting ports on 10.0.0.a:
PORT STATE SERVICE VERSION
80/tcp open tcpwrapped <--- expect this from devices
using web admin interfaces.
Interesting ports on 10.0.0.b:
PORT STATE SERVICE VERSION
80/tcp open http? <--- this server is running apache
with customized headers.
Interesting ports on 10.0.0.c:
PORT STATE SERVICE VERSION
80/tcp open irc ircu ircd <--- this server is running IRC!
Service Info: Host: megaserver
- implement a snort rule to look for IRC traffic on port 80. Snorts 'chat.rules' has a number of rules to detect IRC, but they are limited to port 6666:7000 by default. You could try some of them to see if they work for you. But the way they are written could easily cause false positives. A slightly improved rule:
alert tcp any any -> any 80 (msg:"irc traffic on port 80";
flow: established, to_server; content: "NICK "; depth: 5;)
