3 Replies Latest reply on Apr 5, 2017 5:00 AM by Richard Carpenter

    Curious about some policies

    jwood.mls

      There are some policies that are set as default that I've always wondered about.  Not saying they aren't good to have in place, but sometimes the reasoning would be nice.

      An example for me is under Anti-virus Standard protection the "prevent IRC communications".  I've actually ended up making a separate policy for IT staff for this because I have been known to hop on Freenode before for chat about various tech subjects.

      I'm curious if there have ever been outbreaks associated with IRC, or if this is more in the vein of productivity and preventing file transfers that may be in violation of copyright.

      Does anyone know the answer?

      Thanks

        • 1. Re: Curious about some policies
          tao

          IRC connections are usually unencrypted and typically span long time periods; they are an attractive target for DoS/DDoS attackers and hackers.  There have been numerous cases of client-side bugs which can be exploited to cause a crash or run arbitrary code on a client machine, exposing internal network information.

          Ransomware Leads The Path of Growing Malware Attacks - February 22, 2017

          JBossjmx (4.5%) – the name of this virus may sound familiar to you. It is a worm, named after the program it targets. Only systems which use a vulnerable version of the JBoss Application Server are susceptible to this infection. The worm creates a JSP page which executes arbitrary commands. In addition, it opens a backdoor to receive commands from a remote IRC server.


          New GhostAdmin Malware Used for Data Theft and Exfiltration - Jan 17, 2017

          Under the hood, GhostAdmin is written in C# and is already at version 2.0. The malware works by infecting computers, gaining boot persistence, and establishing a communications channel with its command and control (C&C) server, which is an IRC channel.

          GhostAdmin's authors have access to this IRC channel and issue commands that will be picked up by all connected bots (infected computers).

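          As an added illustration of the point made in this reply (this is example code written for this page, not part of the reply, not McAfee product logic and not anything from the articles quoted), the small Python detector below runs over a handful of constructed connection records and flags the three things the reply describes: sessions to the standard IRC ports (6667 cleartext, 6697 TLS), sessions whose first cleartext bytes are IRC registration commands even on a non-standard port (the "backdoor to a remote IRC server" pattern of the JBoss worm), and sessions held open for hours, which is the "parked" connection that makes a compromised client a standing C&C channel. The log format, the field names, the IP addresses (documentation ranges) and the four-hour threshold are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard IRC ports: 6667 (cleartext) and 6697 (IRC over TLS, RFC 7194).
IRC_PORTS = {6667, 6697}

# IRC registration/channel commands as they appear at the start of a cleartext
# client line. Matching on the protocol rather than the port catches IRC C&C
# that has been moved to an unusual port.
IRC_COMMAND_RE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG|PASS)\s", re.IGNORECASE)

# Sessions open at least this long are treated as "parked". Assumed tunable for
# this example, not a vendor default.
LONG_LIVED_SECONDS = 4 * 3600


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    duration: int   # seconds the connection stayed open
    payload: str    # first cleartext bytes sent by the client, if captured


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed, pipe-separated proxy/flow record; None if malformed."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        return None
    ts, src, dst, dport, duration, payload = parts
    try:
        return Flow(ts, src, dst, int(dport), int(duration), payload)
    except ValueError:
        return None


def classify(flow: Flow) -> List[str]:
    """Return the reasons a flow looks like an IRC session; empty list if none."""
    reasons: List[str] = []
    if flow.dport in IRC_PORTS:
        reasons.append("irc-port")
    if IRC_COMMAND_RE.match(flow.payload):
        reasons.append("irc-protocol")
    # Only an IRC-looking session is interesting for the long-lived check;
    # a long HTTPS session on its own is normal traffic.
    if reasons and flow.duration >= LONG_LIVED_SECONDS:
        reasons.append("long-lived")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, int, List[str]]]:
    """Run classify() over raw log lines, skipping records that fail to parse."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        reasons = classify(flow)
        if reasons:
            findings.append((flow.src, flow.dst, flow.dport, reasons))
    return findings


# Constructed sample records: ts | src | dst | dport | duration_s | first client bytes
SAMPLE_LOG = [
    "2017-02-22T09:00:01 | 10.0.5.21 | 203.0.113.10 | 6667 | 18000 | NICK bot-7f3a",
    "2017-02-22T09:03:12 | 10.0.5.44 | 198.51.100.7 | 8080 | 21600 | USER x 0 * :x",
    "2017-02-22T09:05:40 | 10.0.5.44 | 198.51.100.8 | 443  | 120   | (tls)",
    "2017-02-22T09:10:00 | 10.0.5.90 | 192.0.2.30   | 6697 | 600   | (tls)",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    for src, dst, dport, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  {', '.join(reasons)}")
```

          The second record is the one worth noticing: nothing about port 8080 says IRC, but the first bytes are an IRC USER registration, so a port-only block (the "prevent IRC communications" rule the thread is about) would have missed it while the protocol check catches it. Conversely, the TLS session to 6697 is flagged on port alone, which is exactly the case where an IT-staff exception policy like the one the original poster created belongs.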

          • 2. Re: Curious about some policies
            jwood.mls

            Thank you for the reply.

            I certainly could see the danger if someone leaves that connection open.  As you said, I know there are people who stay parked out on IRC permanently.  I just hadn't really thought of it.  Personally, I just occasionally use IRC during the course of a day but don't usually keep the connection open permanently.

            • 3. Re: Curious about some policies
              Richard Carpenter

              Moved to ePO for the benefit of a future user searching for a similar question.

              Rich

              McAfee Volunteer Moderator - Business Products