[nsp-sec] Strange self-obfuscating malware found on one of our webservers
Nicholas Ianelli
ni at cert.org
Tue Jan 29 13:25:07 EST 2008
I can't add a whole lot to their comments, but I can add at least this:
The perl CGI can deobfuscate itself at runtime, it appears. I don't see
where it might need a PHP script to help it, but since I don't have a
full picture of the compromised server's configuration, I can't
affirmatively say any more about that.
The perl code is just a mass-mailer tool. It doesn't appear to do
anything further than that. It does have the capability to do a
directed mailing or a "flood" mailing, but its only purpose appears to
be to send email. I might be missing the point where it re-creates
itself (this behavior is listed in the "README" file in the archive),
but I don't recall seeing functionality in this script to re-seed itself.
The behavior listed in the email and in the README detailing how
compromised sites were "turned into" porn sites, how mtimes of files on
the compromised sites were modified, and the cloning/hiding behavior are
probably indicative of another malicious script associated with these
servers. I wouldn't put a rootkit out of the question, but the fact
that they were able to find and modify some of these files probably
rules out a full-blown system-level rootkit. Rather, I would suspect an
additional script or set of scripts running in the background to try to
maintain the compromised site's files. The note about files being
modified a few minutes prior to looking at them seems to indicate that,
too. It might even be a simple cron job doing the dirty work.
The PHP script in the archive uses a handy feature of PHP that allows
one to do what looks like a variable assignment that *actually* calls
base64_decode on a block of text. The script in the archive file is
incomplete, though--it's missing part of the encoded block of text at
the end. Besides the trademark "==" commonly associated with base64
encoding, it is missing the end quote, semicolon, and end PHP script
tag. It is possible to do a partial decoding of the script. Though the
file is syntactically unreadable, a human relatively familiar with HTML
text will probably be able to parse most of it by eye. Many of the
lowercase vowels are still in numeric form, but consonants and capitals
are generally in the right places, so one can still "read" the file.
The output of the PHP script is a form of some variety, with fields
asking for "from", "real name", "your name", "reply to", "subject", has
a prompt to attach a file, etc. It looks like another form for a script
to send email, and may possibly be another mass mailer form. Since it
isn't complete, though, it is hard to say what it is for or exactly what
it does.
Nick
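The partial decode Nick describes, as an added example that is not code from either message or from the archive: it pulls the base64 literal out of an assignment-style base64_decode() call whose closing quote, semicolon and ?> are gone, decodes only the unambiguous prefix of the truncated blob, and expands the numeric entities so the vowels come back. The PHP fragment and the mailer form are constructed sample data.

```python
import base64
import html
import re

# Constructed sample (not the script from the archive): a mailer form whose
# lowercase vowels are numeric entities, base64-encoded and wrapped in the
# assignment-style base64_decode() call, with the tail of the file cut off.
FORM_HTML = ('<form method="post"><input name="from"><input name="realname">'
             '<input name="replyto"><input name="subject"></form>')
ENTITY_HTML = ''.join(f'&#{ord(c)};' if c in 'aeiou' else c for c in FORM_HTML)
FULL_B64 = base64.b64encode(ENTITY_HTML.encode()).decode()
TRUNCATED_PHP = '<?php\n$form = base64_decode("' + FULL_B64[:-13]


def extract_b64_block(php_src):
    """Return the literal passed to base64_decode(...), tolerating a missing
    closing quote, semicolon and ?>; whitespace inside the literal is dropped."""
    m = re.search(r'base64_decode\(\s*["\']([A-Za-z0-9+/=\s]*)', php_src)
    if not m:
        raise ValueError('no base64_decode() literal found')
    return re.sub(r'\s+', '', m.group(1))


def partial_b64_decode(blob):
    """Decode the unambiguous prefix of a truncated base64 blob.

    Each complete 4-character group yields 3 bytes; 2 or 3 leftover characters
    still yield 1 or 2 bytes once re-padded; a single leftover character holds
    only 6 bits and is discarded."""
    blob = blob.rstrip('=')
    if len(blob) % 4 == 1:
        blob = blob[:-1]
    return base64.b64decode(blob + '=' * (-len(blob) % 4))


def readable_text(raw):
    """Drop an entity the cut left incomplete (e.g. '&#11'), then expand the
    numeric character references so the text reads as plain HTML."""
    text = re.sub(r'&#?[0-9]*$', '', raw.decode('latin-1'))
    return html.unescape(text)


def recover_form(php_src):
    """Full pipeline: PHP fragment -> truncated blob -> bytes -> readable HTML."""
    return readable_text(partial_b64_decode(extract_b64_block(php_src)))


if __name__ == '__main__':
    print(recover_form(TRUNCATED_PHP))
```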
David Freedman wrote:
> ----------- nsp-security Confidential --------
> Guys, we've come across some strange malware on some of our linux shared webservers that I would like to share with you.
>
> It appears to be a perl CGI script which is obfuscated 5 times and de-obfuscates itself in order to run.
> We think it uses a PHP script to help it.
>
> It seems to suck down porn and turn hosted websites into porn sites and sends out spam, most annoying!
> ( we can see from the script it does send the spam although the porn bit may be done manually )
>
> Worst of all, it clones itself across the machine and attempts to hide.
>
> I've de-obfuscated it and present it to anybody who has not seen it before and wants to analyse it, I'm sure it's common and has a name but I've not seen it before.
>
> In the tarball (attached) is also a README file, all the perl scripts have had their extensions renamed from .cgi to .cgi.txt
>
>
> ------------------------------------------------
> David Freedman
> Group Network Engineering
> Claranet Limited
> http://www.clara.net