System, method, and computer program product for redirecting IRC traffic identified utilizing a port-independent algorithm and controlling IRC based malware

US 8,732,296 B1
Filed: 05/06/2009
Issued: 05/20/2014
Est. Priority Date: 05/06/2009
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computing device coupled to a network, the method comprising:

receiving network traffic via a network interface;

differentiating, within the received network traffic, internet relay chat (IRC) traffic by utilizing a programmed processor to apply a port-independent algorithm operable on the payload of the received network traffic, wherein the programmed processor identifies one or more commands included in the IRC traffic, comprising;

identifying commands included in a predetermined temporal location within the IRC traffic, comprising identifying a predetermined number of packets at a beginning of a sequence of packets of the IRC traffic;

redirecting the IRC traffic to a system that attracts IRC traffic for the purpose of collecting information relating to such IRC traffic; and

transmitting, based on the collected information, a command to a bot associated with the IRC traffic to prevent future IRC traffic from being communicated over the network with respect to the bot.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are provided for redirecting internet relay chat (IRC) traffic identified utilizing a port-independent algorithm and controlling IRC based malware. In use, IRC traffic communicated via a network is identified utilizing a port-independent algorithm. Furthermore, the IRC traffic is redirected to a honeypot.

125 Citations

21 Claims

1. A method performed by a computing device coupled to a network, the method comprising:
- receiving network traffic via a network interface;
  
  differentiating, within the received network traffic, internet relay chat (IRC) traffic by utilizing a programmed processor to apply a port-independent algorithm operable on the payload of the received network traffic, wherein the programmed processor identifies one or more commands included in the IRC traffic, comprising;
  
  identifying commands included in a predetermined temporal location within the IRC traffic, comprising identifying a predetermined number of packets at a beginning of a sequence of packets of the IRC traffic;
  
  redirecting the IRC traffic to a system that attracts IRC traffic for the purpose of collecting information relating to such IRC traffic; and
  
  transmitting, based on the collected information, a command to a bot associated with the IRC traffic to prevent future IRC traffic from being communicated over the network with respect to the bot.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the redirected IRC traffic includes instructions for controlling the bot.
  - 3. The method of claim 1, wherein the act of receiving network traffic comprises receiving network traffic with a firewall.
  - 4. The method of claim 1, further comprising identifying a destination address and a destination port of the IRC traffic, prior to redirecting the IRC traffic to the system that attracts IRC traffic for the purpose of collecting information relating to such IRC traffic.
  - 5. The method of claim 4, further comprising automatically redirecting the network traffic destined for the destination address and the destination port.
  - 6. The method of claim 1, further comprising:
    - identifying a source of the IRC traffic; and
      
      automatically redirecting the network traffic sent from the source to the system that attracts IRC traffic for collecting information relating to such IRC traffic.

7. A device, comprising:
- a network interface;
  
  a memory or storage unit; and
  
  a processor coupled to the network interface and to the memory or storage unit;
  
  wherein the memory or storage unit is configured to store and the processor is configured to execute instructions to cause the device to;
  
  monitor network traffic received via the network interface;
  
  differentiate, within the received network traffic, internet relay chat (IRC) traffic from other network traffic by utilizing a port-independent algorithm operable on the payload of the received network traffic, by identifying one or more commands included in the IRC traffic, wherein the instructions to cause the device to differentiate by identifying one more commands comprise instructions that when executed cause the device to;
  
  identify commands included in a predetermined temporal location within the IRC traffic, wherein the instructions to identify commands included in a predetermined temporal location within the IRC traffic comprise instructions that when executed cause the device to identify a predetermined number of packets at a beginning of a sequence of packets of the IRC traffic;
  
  redirect the IRC traffic to a system that attracts IRC traffic for the purpose of collecting information relating to such IRC traffic; and
  
  transmit, based on the collected information, a command to a bot associated with the IRC traffic to stop future IRC traffic from being communicated over the network with respect to the bot.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 8. The device of claim 7, wherein the redirected IRC traffic includes instructions for controlling the bot.
  - 9. The device of claim 7, wherein the device comprises a firewall.
  - 10. The device of claim 7, wherein the instructions to differentiate IRC traffic to identify one or more commands included in the IRC traffic include instructions to compare the one or more commands to predetermined commands.
  - 11. The device of claim 10, wherein the instructions to compare the one or more commands to predetermined commands include instructions to compare the one or more commands to commands predetermined to be indicative of traffic that uses an IRC protocol.
  - 12. The device of claim 10, wherein the instructions to differentiate IRC traffic include instructions to differentiate IRC traffic in response to a determination that the commands included in the IRC traffic match the predetermined commands.
  - 13. The device of claim 10, wherein the instructions to compare the one or more commands to predetermined commands include instructions to compare a signature of one or more of the commands to signatures of one or more predetermined commands.
  - 14. The device of claim 10, wherein the instructions to differentiate IRC traffic from other network traffic by utilizing the port-independent algorithm comprise instructions to compare a sequence of the commands included in the IRC traffic to predefined sequences of predetermined commands.
  - 15. The device of claim 14, wherein the predefined sequences of predetermined commands each include a sequence of the predetermined commands predefined to be indicative of traffic that uses an IRC protocol.
  - 16. The device of claim 14, wherein the instructions to differentiate IRC traffic include instructions to differentiate IRC traffic in response to a determination that the sequence of the commands included in the IRC traffic match one of the predefined sequences of the predetermined commands.
  - 17. The device of claim 7, wherein the instructions to cause the device further include instructions to cause the device to identify a destination address and a destination port of the IRC traffic, prior to redirecting the IRC traffic to the system that attracts IRC traffic for the purpose of collecting information relating to such IRC traffic.
  - 18. The device of claim 17, wherein the instructions to cause the device further include instructions to cause the device to automatically redirect network traffic destined for the destination address and the destination port.
  - 19. The device of claim 7, wherein the instructions to cause the device further include instructions to cause the device to identify a source of the IRC traffic and automatically redirect network traffic sent from the source to the system that attracts IRC traffic for the purpose of collecting information relating to such IRC traffic.

20. A non-transitory computer-readable medium comprising instructions stored thereon to cause one or more processors to:
- monitor network traffic received via a network interface;
  
  differentiate, within the received network traffic, internet relay chat (IRC) traffic from other network traffic utilizing a port-independent algorithm operable on the payload of the received network traffic, by identifying one or more commands included in the IRC traffic, the instructions to cause the one or more processors to differentiate by identifying one or more commands included in the IRC traffic comprising instructions that when executed cause the one or more processors toidentify commands included in a predetermined temporal location within the IRC traffic, wherein the instructions to identify commands included in a predetermined temporal location within the IRC traffic comprise instructions that when executed cause the device to identify a predetermined number of packets at a beginning of a sequence of packets of the IRC traffic;
  
  redirect the IRC traffic to a system that attracts IRC traffic for the purpose of collecting information relating to such IRC traffic; and
  
  transmit, based on the collected information, a command to a bot associated with the IRC traffic to stop future IRC traffic from being communicated over the network with respect to the bot.
- View Dependent Claims (21)
- - 21. The non-transitory computer-readable medium of claim 20, further comprising instructions to cause the one or more processors to:
    - identify a source of the IRC traffic; and
      
      automatically redirect the network traffic sent from the source to the system that attracts IRC traffic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Thomas, Vinoo, Jyoti, Nitin, Cochin, Cedric, Mathur, Rachit
Primary Examiner(s)
Daftuar, Saket K

Application Number

US12/436,723
Time in Patent Office

1,840 Days
Field of Search

709/206, 709/225, 709/232, 709/201, 709/202, 709/203, 709/204, 709/205, 709/207, 709/230, 709/231, 709/233, 709/234, 709/235, 709/236, 709/237, 709/238, 709/239, 709/240, 709/241, 709/242, 709/243, 709/244, 709/213, 709/223, 709/224, 709/227, 709/228, 709/229, 726 22- 30, 726/34, 370241-242, 370/252, 370/389, 370/392, 370/401, 370/400, 370/230, 370/235, 713/182, 713/187, 713/188, 713/189, 714/E11.001, 714/E11.002, 714/E11.007, 714/E11.017, 714/E11.018, 714/E11.019, 714/E11.021, 714/E11.144, 714/E11.145, 714/E11.178, 714/E11.179
US Class Current

709/224
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 51/04   Real-time or near real-time...

H04L 51/212   using filtering or selectiv...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1441   Countermeasures against mal...

H04L 63/1491   using deception as counterm...

System, method, and computer program product for redirecting IRC traffic identified utilizing a port-independent algorithm and controlling IRC based malware

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

125 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for redirecting IRC traffic identified utilizing a port-independent algorithm and controlling IRC based malware

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

125 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links