Greetings Artillerymen and women,
As I was combing through RFI attacks on the IDS to fish for IP addresses to add to the RFI blacklist for project OverWatch, something new caught my eye. I'm use to seeing perlbot payloads and have been considering added a malware menageria to the OverWatch project for budding malware analysts to cut their teeth on for fun. Once a while, a binary payload comes in and it tends to be a little more interesting.
Enter BossaBot. So sadly, I wasn't the first to discover this new bot out in the wild, but my experiences with this bot and the author of that article differ in various ways. Let's start with the similarities.
1) BossaBot appears to be spread via RFI attacks via CVE 2012-1823, 2311, 2335 and 2336 (all related). Here is the PHP an attack bot attempts to execute:
The script attempts to wget binary files from hxxp://32.multicsdb.com and hxxp://64.multicsdb.com. the filename "8FcGFwAT" is a 64-bit binary, while gcRLUd8K appears to be a 32-bit payload. I got to work setting up a FakeNet network and dropping the binaries on a Linux VM. FakeNet is so damned useful. Start it up and it'll catch DNS requests, HTTP requests, can do custom listeners, and so many other functions. For an amateur malware analyst like me, it makes dynamic analysis insanely easy. I combined this with a python-based irc server called miniircd . Getting this to run on a windows host with FakeNet was trivial; simply remove all instances of the chroot and setuid code and it'll run with no complaints. I was able to log the bot joining the channel #sloboz on port 8067/tcp. I didn't bother trying to test commands or determine capabilities, but could do so if there's enough demand.
Here are my observations:
-Execution sleeps for a few seconds.
-Queries for irc[.]dreamboxdb[.]com (220.127.116.11)
-Connects to 18.104.22.168 on port 8067
-Joins Channel #sloboz for commands.
I did run strings against the binary, and I think I may have found hints of another channel as well #bitchly_ or #bitchly
Here are SHA-1 sums for the two files I pulled:
What surprises me about this is how quickly it appears to be spreading. I got news of this malware yesterday, the first article was published on 8/26, the malware has already changed CnC, and I already have over 40 attack attempts from 16 unique bots.
I've decided to add another category to OverWatch for tracking known BossaBot hosts pitching the exploit and this payload. Enjoy!