DDOS IRC Bot Analysis


This post was contributed by my good friend and all around good guy, @hkmalwares.

In the last couple of weeks I saw some interesting PHP CGI remote file include attempts that contained a few DDOS IRC bots. I know these attempts are quite common in the wild, but this one stood out because it downloaded two different IRC bots. In this post I'm going to share what I found interesting about this encounter and do a basic breakdown.
The IDS rule that brought this to my attention was "SERVER-WEBAPP PHP-CGI Remote file include attempt" (SID 22063).


What triggered this rule is the auto_prepend_file content within the (truncated) request.

In this case, if the exploit was successful, it would try wget, curl, and fetch in turn to pull down a likely malicious payload.
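The rule above keys on a php.ini directive being smuggled into the request. As an added example (not part of the original post or the IDS rule itself), this small detector URL-decodes a request line's query string, pulls out any `-d` style directives, and flags `auto_prepend_file`; the request lines it scans are constructed for illustration, since the real request is only shown truncated above.

```python
# Added example, not from the original post: flag php-cgi argument-injection
# requests that set auto_prepend_file, the directive the IDS rule triggered on.
# The request lines in CONSTRUCTED_LOG are made up for illustration.
import re
from urllib.parse import unquote_plus, urlsplit

# Directives worth alerting on; the post only documents auto_prepend_file.
WATCHED_DIRECTIVES = {"auto_prepend_file"}

def cgi_directives(request_line: str) -> list[str]:
    """Return php.ini directive names passed as -d options in the request's query.

    php-cgi treats the query string as command-line arguments, so an attacker
    can URL-encode '-d' and the directive name; decoding both '+' and %XX
    sequences first defeats that obfuscation.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    decoded = unquote_plus(query)  # '+' and %XX both become plain characters
    return re.findall(r"(?:^|\s)-d\s*([A-Za-z_]+)", decoded)

def flagged(request_line: str) -> set[str]:
    """Watched directives found in one request line (empty set if benign)."""
    return {d for d in cgi_directives(request_line) if d in WATCHED_DIRECTIVES}

# Constructed sample access-log request lines: one benign page request, one
# encoded '-d auto_prepend_file=...' injection, one harmless -d option.
CONSTRUCTED_LOG = [
    "GET /index.php?page=home HTTP/1.1",
    "POST /cgi-bin/php?%2D%64+auto_prepend_file%3D/tmp/x HTTP/1.1",
    "GET /info.php?-d+display_errors=1 HTTP/1.1",
]

def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (request_line, sorted flagged directives) for each suspicious line."""
    return [(l, sorted(flagged(l))) for l in lines if flagged(l)]

if __name__ == "__main__":
    for line, hits in scan(CONSTRUCTED_LOG):
        print(f"ALERT {hits}: {line}")
```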

Basically, it changes directory to /tmp, wgets seed.jpg, untars it, grants execute permission on seed.jpg, runs it, and then deletes itself.
Let's go ahead and simply cat seed.jpg.

As expected, garbage. Notice seed.tar. Let's go ahead and untar it and cat it out.

The tar contains a bash script that pulls down two payloads. First let's dig into ddosperl.jpg. When untarred it spits out libssl3.so.2 into /var/temp. So what is libssl3.so.2? DDOS Perl IRC bot v1.0. A quick Google search revealed a [pastebin] containing the Perl script.


The next payload observed is a little bit more interesting. Going back to the second payload defined in seeds.jpg, we see another wget, this time for flbotbsd.jpg. Again it's a tar, and it extracts a hidden directory “.d”, then removes flbotbsd.jpg and executes ./autorun.

Within mech.set I came across what appears to be another IRC bot config belonging to the same group.

After a quick Google search I came across others who have encountered this bot before. Caffsec is calling it FlooderIRCBot.


A [pastebin] posted back in April contains a description of most of the files seen within “.d”. Looks like this bot contains a variety of flooder options.


However, in my sample I see some tools missing and some that have been added, such as ZmEu v0.2, XHide – Process Faker and ZAP. As for AV detection, a lot of these hack tools have been around for a while, so the detection ratios were quite high.
I think this is a good place to stop, as this post is getting too long and was only meant to be a basic dive.