SANS Internet Storm Center
Bot C&C Servers on Port 80
We see more and more bots using port 80 for their C&C channel, which makes them harder to detect. However, these are IRC servers, so it's not that hard to distinguish them from HTTP traffic.

A couple of tricks that may help:

  • Implement a proxy server to filter outbound port 80 traffic. This is a good idea anyway, as it also lets you add further filtering for web traffic.
  • If you suspect an IRC server on port 80 in your own network, a quick scan with nmap can help:

nmap -A -p 80 <target>    (the '-A' option will look for service banners)

Interesting ports on 10.0.0.a:
80/tcp open tcpwrapped        <--- expect this from devices using web admin interfaces.

Interesting ports on 10.0.0.b:
80/tcp open http?             <--- this server is running apache with customized headers.

Interesting ports on 10.0.0.c:
80/tcp open irc ircu ircd     <--- this server is running IRC!
Service Info: Host: megaserver

  • Implement a Snort rule to look for IRC traffic on port 80. Snort's 'chat.rules' has a number of rules to detect IRC, but they are limited to ports 6666:7000 by default. You could try some of them to see if they work for you, but the way they are written could easily cause false positives. A slightly improved rule, which uses depth:5 to anchor the match to the first five bytes of the client payload (an IRC client opens with "NICK ", whereas "NICK " buried inside an HTTP request body will not match):

# sid is a placeholder in the local rule range; pick one unused in your rule set.
alert tcp any any -> any 80 (msg:"irc traffic on port 80"; flow:established,to_server; content:"NICK "; depth:5; sid:1000001; rev:1;)
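The following is an added example, not code from the ISC diary. It reimplements the anchored check the Snort rule above performs, in Python, and generalises it a little: instead of only "NICK ", it treats any of the usual IRC registration commands at offset 0 of the first client line as IRC, and it treats a leading HTTP method token as HTTP. It then runs the check over a handful of constructed sessions (all hosts, ports and payloads are made up), including an HTTP POST whose body contains "NICK " to show why the anchored match does not produce the false positive an unanchored content match would.

```python
# Added example (not from the ISC diary): classify the first client-to-server
# payload of a TCP session the way the diary's Snort rule does, then run it
# over a few constructed sessions.  All addresses and payloads are made up.

from typing import Dict, List, Tuple

# An HTTP request line starts with a method token followed by a space.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")
# Commands a client sends while registering on an IRC server (RFC 2812);
# a superset of the single "NICK " the diary's rule keys on.
IRC_COMMANDS = (b"NICK ", b"USER ", b"PASS ", b"JOIN ", b"PRIVMSG ")


def classify_payload(payload: bytes) -> str:
    """Return 'http', 'irc' or 'unknown' for the first bytes a client sent.

    Only the first line is inspected and each keyword must sit at offset 0,
    mirroring the Snort ``depth`` modifier: a "NICK " string that appears
    later in an HTTP request body does not count.
    """
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line.startswith(HTTP_METHODS):
        return "http"
    if first_line.startswith(IRC_COMMANDS):
        return "irc"
    return "unknown"


# (client address, server address, server port, first client payload)
Session = Tuple[str, str, int, bytes]


def find_irc_on_port_80(sessions: List[Session]) -> List[Dict[str, object]]:
    """Emulate the diary's rule: alert on IRC-looking payloads sent to port 80."""
    alerts: List[Dict[str, object]] = []
    for client, server, port, payload in sessions:
        if port == 80 and classify_payload(payload) == "irc":
            first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
            alerts.append({"client": client, "server": server,
                           "port": port, "first_line": first_line})
    return alerts


# Constructed sample sessions: the first client-to-server payload of each.
SAMPLE_SESSIONS: List[Session] = [
    ("10.0.0.5", "192.0.2.10", 80,
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # HTTP POST whose body happens to contain "NICK ": an unanchored content
    # match would fire on this; the anchored check classifies it as HTTP.
    ("10.0.0.6", "192.0.2.10", 80,
     b"POST /comment HTTP/1.1\r\nHost: www.example.com\r\n"
     b"Content-Length: 24\r\n\r\ntext=NICK is my nickname"),
    ("10.0.0.7", "198.51.100.7", 80,
     b"NICK bot4711\r\nUSER bot4711 0 * :bot\r\n"),
    # Registration that sends PASS before NICK: still IRC.
    ("10.0.0.8", "198.51.100.7", 80, b"PASS letmein\r\nNICK bot4712\r\n"),
    # Same handshake on the default IRC port: outside a port-80 rule's scope.
    ("10.0.0.9", "198.51.100.7", 6667, b"NICK bot4713\r\n"),
    # Empty first payload: nothing to classify.
    ("10.0.0.10", "192.0.2.11", 80, b""),
]

if __name__ == "__main__":
    for alert in find_irc_on_port_80(SAMPLE_SESSIONS):
        print(f"IRC on port 80: {alert['client']} -> {alert['server']}  "
              f"{alert['first_line']!r}")
```

Run as-is it reports the two port-80 sessions from 10.0.0.7 and 10.0.0.8; the POST with "NICK " in its body and the handshake on port 6667 stay silent, which is the same trade-off the Snort rule makes with depth:5 and the port-80 restriction. To watch live traffic you would feed it the first client payload of each session from your capture tool instead of the constructed list.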
ISC Handler
Nov 16th 2006
