PERL_SHELLBOT.DI

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to Internet Relay Chat (IRC) servers. It joins an Internet Relay Chat (IRC) channel. It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This backdoor connects to any of the following Internet Relay Chat (IRC) servers:

• {BLOCKED}.{BLOCKED}.240.38:1337

It joins any of the following Internet Relay Chat (IRC) channels:

• #xrt

It executes the following commands from a remote malicious user:

• !die - Terminate current process
• !killall - Terminate all Perl processes
• !reset - Reconnect to IRC server
• !jo - Join a channel
• !part - Leave a channel
• !nick - Change nickname
• !pid - Send fake process name and process ID
• ! - Execute a shell command
• !raw - Send raw IRC message
• !say - Send private message
• !act - Send an action command
• !timot - Set timeout value used in performing HTTP GET
• !matek - Terminate current process
• !modarkabeh - Terminate all Perl processes
• !reset - Reconnect to IRC server
• !jo - Join a channel
• !part - Leave a channel
• .sh - Execute a shell command
• {current nickname} - Execute a shell command
• !Goox - Enable or disable usage of Google search engines
• !engine - Enable or disable usage of non Google search engines
• !pid - Send fake process name and process ID
• !cari - Search for websites with accessible Magento database configuration file
• !jnews - Search for websites that uses vulnerable jNews extensions
• !jnews2 - Search for websites that uses vulnerable jNews extensions
• !open - Search for websites using vulnerable OpenEMR
• !civ - Search for websites using vulnerable CiviCRM
• !civic - Search for websites using vulnerable CiviCRM
• !letter - Search for websites that uses vulnerable jNews extensions
• !letter2 - Search for websites that uses vulnerable jNews extensions
• !tum - Search for websites using PBV MULTI VirtueMart theme with vulnerable TimThumb
• !piwik - Search for websites using vulnerable Piwik
• !slim - Search for websites using vulnerable Slimstat Ex
• !seo - Search for websites using vulnerable SEO Watcher
• !sql - Search for websites vulnerable to SQL injection
• !civicrm - Search for websites using vulnerable CiviCRM
• !acymailing - Search for websites using vulnerable AcyMailing
• !acymailing2 - Search for websites using vulnerable AcyMailing
• !jinc - Search for websites using vulnerable JINC
• !jinc2 - Search for websites using vulnerable JINC
• !maianmedia - Search for websites using vulnerable Maian Media
• !maianmedia2 - Search for websites using vulnerable Maian Media
• !joomleague - Search for websites using vulnerable JoomLeague
• !joomleague2 - Search for websites using vulnerable JoomLeague
• !woopra - Search for websites using vulnerable Woopra
• !jce - Search for websites using vulnerable JCE
• !gento - Search for websites using vulnerable Magento API
• !zimbra - Search for websites using vulnerable Zimbra
• !zim - Search for websites using vulnerable Zimbra
• !shock - Search for websites with CVE-2014-6271 vulnerability and download and execute http://{BLOCKED}x.com/shock/cgi in the vulnerable sites
• !wplfd - Search for websites vulnerable to directory traversal attacks