Friday, August 29, 2014

BossaBot - New IRC Backdoor Running Around out in the wild.

Greetings Artillerymen and women,

As I was combing through RFI attacks on the IDS to fish for IP addresses to add to the RFI blacklist for project OverWatch, something new caught my eye. I'm use to seeing perlbot payloads and have been considering added a malware menageria to the OverWatch project for budding malware analysts to cut their teeth on for fun. Once a while, a binary payload comes in and it tends to be a little more interesting.

Enter BossaBot. So sadly, I wasn't the first to discover this new bot out in the wild, but my experiences with this bot and the author of that article differ in various ways. Let's start with the similarities.

1) BossaBot appears to be spread via RFI attacks via CVE 2012-1823, 2311, 2335 and 2336 (all related). Here is the PHP an attack bot attempts to execute:

As you can see, tons of Base64 encode blocks and obfuscated variable names. Let's take away the bullshit and cut to the chase:
If you're not fluent in PHP (Don't worry, I'm not either) this script checks to see if a file exists in the system's tmp directory. If it doesn't exist, it will try to wget two files and execute both of them.

The script attempts to wget binary files from hxxp:// and hxxp:// the filename "8FcGFwAT" is a 64-bit binary, while gcRLUd8K appears to be a 32-bit payload. I got to work setting up a FakeNet network and dropping the binaries on a Linux VM. FakeNet is so damned useful. Start it up and it'll catch DNS requests, HTTP requests, can do custom listeners, and so many other functions. For an amateur malware analyst like me, it makes dynamic analysis insanely easy. I combined this with a python-based irc server called miniircd . Getting this to run on a windows host with FakeNet was trivial; simply remove all instances of the chroot and setuid code and it'll run with no complaints. I was able to log the bot joining the channel #sloboz on port 8067/tcp. I didn't bother trying to test commands or determine capabilities, but could do so if there's enough demand.

Here are my observations:
-Execution sleeps for a few seconds.
-Queries for irc[.]dreamboxdb[.]com (
-Connects to on port 8067
-Joins Channel #sloboz for commands.

I did run strings against the binary,  and I think I may have found hints of another channel as well #bitchly_ or #bitchly

Here are SHA-1 sums for the two files I pulled:
0779f7734d06c1657f20e966c6633867f81fee8c  gcRLUd8K
bb5c5a893dda5314cb60f7214f339183b285f59c  8FcGFwAT

What surprises me about this is how quickly it appears to be spreading. I got news of this malware yesterday, the first article was published on 8/26, the malware has already changed CnC, and I already have over 40 attack attempts from 16 unique bots.

I've decided to add another category to OverWatch for tracking known BossaBot hosts pitching the exploit and this payload. Enjoy!


No comments:

Post a Comment