[nsp-sec] Strange self-obfuscating malware found on one of our webservers

David Freedman david.freedman at uk.clara.net
Mon Jan 28 20:47:05 EST 2008


Guys, we've come across some strange malware on some of our linux shared webservers that I would like to share with you.

It appears to be a perl CGI script which is obfuscated 5 times and de-obfuscates itself in order to run.
We think it uses a PHP script to help it.

It seems to suck down porn and turn hosted websites into porn sites and sends out spam, most annoying!
(we can see from the script it does send the spam although the porn bit may be done manually)

Worst of all, it clones itself across the machine and attempts to hide.

I've de-obfuscated it and present it to anybody who has not seen it before and wants to analyse it. I'm sure it's common and has a name but I've not seen it before.

In the tarball (attached) is also a README file, all the perl scripts have had their extensions renamed from .cgi to .cgi.txt


------------------------------------------------
David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net


-------------- next part --------------
A non-text attachment was scrubbed...
Name: dob.tar.gz
Type: application/x-gzip
Size: 470523 bytes
Desc: dob.tar.gz
URL: <https://puck.nether.net/mailman/private/nsp-security/attachments/20080129/0b953b9c/attachment-0001.bin>

