PERL_SHELBOT.SMO

This backdoor connects to Internet Relay Chat (IRC) servers. It joins an Internet Relay Chat (IRC) channel. It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This backdoor may be downloaded from the following remote sites:

• http://{BLOCKED}host.us/bots/pl

This malware arrives via the following means:

• CVE-2014-6271

Backdoor Routine

This backdoor connects to any of the following Internet Relay Chat (IRC) servers:

• linksys.{BLOCKED}shellz.net:25
• irc.{BLOCKED}-newbie.org:6667
• irc.{BLOCKED}thien.net:6667
• {BLOCKED}2.{BLOCKED}7.181.100:53
• {BLOCKED}briel.{BLOCKED}u.cc:8080
• {BLOCKED}7.{BLOCKED}4.250.46:80
• {BLOCKED}za.{BLOCKED}briel.{BLOCKED}u.cc
• {BLOCKED}h.rocks
• irc.{BLOCKED}net.com:6667

It joins any of the following Internet Relay Chat (IRC) channels:

• #shellshock
• #bug
• #DNC
• #w00t
• #fr2
• #113
• #vafe
• #cabal
• #scan
• #exit

It executes the following commands from a remote malicious user:

• multiscan - Scan sites for multi-scan vulnerabilities
• socks5 - Set up SOCKSv5 protocol and return an IP address
• sql2 - Scan for sites with vulnerable SQL server
• portscan - Scan an IP address for the following ports: 15, 19, 98, 20, 21, 22, 23, 25, 37, 39, 42, 43, 49, 53, 63, 69, 79, 80, 101, 106, 107, 109, 110, 111, 113, 115, 117, 119, 135, 137, 139, 143, 174, 194, 389, 389, 427, 443, 444, 445, 464, 488, 512, 513, 514, 520, 540, 546, 548, 565, 609, 631, 636, 694, 749, 750, 767, 774, 783, 808, 902, 988, 993, 994, 995, 1005, 1025, 1033, 1066, 1079, 1080, 1109, 1433, 1434, 1512, 2049, 2105, 2432, 2583, 3128, 3306, 4321, 5000, 5222, 5223, 5269, 5555, 6660, 6661, 6662, 6663, 6665, 6666, 6667, 6668, 6669, 7000, 7001, 7741, 8000, 8018, 8080, 8200, 10000, 19150, 27374, 31310, 33133, 33733, 55555
• logcleaner - Deletes all files in the following directories:
  • /var/log/lastlog
  • /var/log/wtmp
  • /etc/wtmp
  • /var/run/utmp
  • /etc/utmp
  • /var/log
  • /var/logs
  • /var/adm
  • /var/apache/log
  • /var/apache/logs
  • /usr/local/apache/log
  • /usr/local/apache/logs
  • /root/.bash_history
  • /root/.ksh_history
• sendmail - Send an email to a target
• system - Get OS name and version, system uptime, current process name, user ID, group ID and current directory
• cleartmp - Delete all files in /tmp
• rootable - Enumerates possible root exploits in the infected system
• nmap - Search an IP address for open ports in a specified range
• back - Execute a remote shell (/bin/sh)
• packetstorm - Enumerate advisories in http://www.packetstormsecurity.org/whatsnew20.xml
• milw0rm - Enumerate exploits listed in milw0rm's website
• udpflood - Perform UDP flooding
• tcpflood - Perform TCP flooding
• httpflood - Perform HTTP flooding
• sqlflood - Perform SQL flooding
• killme - Disconnect from the IRC server and terminate self
• join - Join a channel
• part - Leave a channel
• reset - Disconnect from the IRC server
• voice - Grant a user the voice status
• owner - Grant a user channel ownership
• deowner - Revoke a user's channel ownership
• devoice - Revoke a user's voice status
• halfop - Grant a user the half operator status
• dehalfop - Revoke a user's half operator status
• op - Grant a user the operator status
• deop - Revoke a user's operator status
• msgflood - Perform private message flooding to a target
• dccflood - Perform DCC flooding to a target
• ctcpflood - Perform TCP flooding to a target
• noticeflood - Perform a NOTICE message flooding to a target
• channelflood - Join 25 random IRC channels
• maxiflood - Perform msgflood, ctcpflood and noticeflood simultaneously

NOTES:

This backdoor changes its process name to usr/sbin/httpd. It uses the IRC nickname ontet and ald.