Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Linux, FreeBSD and Mac (!) bot - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Linux, FreeBSD and Mac (!) bot

Yesterday I received samples of an IRC bot. This in itself would be nothing interesting except the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc).

After initial analysis I found out that it's nothing special – just a port of a well known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though since it compiles out of the box on FreeBSD and Linux anyway.

The bot did all the standard stuff: had couple of "owners" defined; comments in Portuguese and connected to Undernet, the IRC network that a lot of attackers like.

I decided, for the fun of it, to run the sample through VirusTotal, just to see what results AV programs will have. It was .. erm.. interesting, as you will see below.

There were in total 3 files:

$ md5sum linux freebsd darwin
fbab7e9bf1780fd2bc99e44d46535be5  linux
17eb3a901811ea86f7d71394cde36202  freebsd

a93b41466e330fc3cf8e6602e5cd03c2  darwin

The FreeBSD version of the bot was detected by 23 out of 32 AV programs (decent) and the Linux one by 24 out of 32 AV programs (even better). This was clearly signature detection since almost all AV programs detected the FreeBSD version as something for Linux (Linux/RST.B) – my guess is that they trigger on some text in the binary.

Finally, the Darwin version was a bit of a shock – 0 detections in total (!). Since it was a Mach-O executable for PPC, my guess is that AV programs didn't know how to parse the file format and just thought of it as data.

--
Bojan

Web App Penetration Testing and Ethical Hacking - SANS Dublin 2018

Bojan

375 Posts
ISC Handler
Wow. Where did you receive the samples from? The fact that it made it to your organization tells me that someone thought this was suspicious or possibly malicious in nature. If the bots are fully functional, the configuration must be hardwired (most of these type bots have a .conf file)...in my experience, they won't run without a .conf file. A .conf file may tell more (if you even have that file or if you haven't already looked at it)...
Ron

29 Posts
Yeah, we got the configuration files as well. They are relatively simple and point to Undernet IRC servers. The configuration files have been sent to LE as well so maybe we'll see some action.
Bojan

375 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!