[nsp-sec] [EGI-20120419-01] Linux botnet with IRC C&C

Serge Droz serge.droz at switch.ch
Tue Apr 24 07:06:25 EDT 2012


Hello List,

One of our customers discovered a break-in where the Unix hosts
were turned into drones.
The write-up is below.

@Team Cymru: Could you take the C&Cs into your feeds?

@T-Systems: Could you check 217.150.150.137, as well as the requests we
sent to you.


Let me know if there are any questions.

Best regards
Serge


------------- Customer write up ---------------------------

The details of the C&C are as follows:

Server: irc.king.be:5822 (advertising Unreal3.2.8.1)
Channel: #idle

The clients had a configuration file that included:
SERVER printesa.be 6667
SERVER kingofkings.compress.to 6667
SERVER king.changeip.org 5822
SERVER king.changeip.org 7000
SERVER king.changeip.org 6669
SERVER king.changeip.org 6668
SERVER king.changeip.org 6666

NICK          back
USERFILE      cyc.acc
CMDCHAR       @
LOGIN         root
IRCNAME       ^C2there was a sudden silence^C
MODES         +ix-ws
#VIRTUAL       my.silly.vanity.domain.com

handle pink
mask *!*@pink.ro
channel *
access 100

The attacker downloaded the IRC bot software from
hxxp://217.150.150.137/pigspy.tgz.

At the time of the incident, the hosts resolved as:
king.changeip.org - 64.184.96.7
printesa.be - 88.191.131.198
kingofkings.compress.to - 88.191.131.198

irc.king.be was obtained from a memory dump, and at the time of the
incident, I *think* it was resolving to 64.184.96.7.

Other involved parties believe the attacker exfiltrated credentials to
k1ngofk1ngs at live.it.

The bot was installed under /etc/.ssh/ or /var/tmp/.../.bash/. The
attacker also installed a user cronjob (found at
/var/spool/cron/crontabs/) to keep the bots alive.

From the memory dump we can see the following:
[21:22] :skdjh[100]: Executing SHELL[100]
[21:22] SHELL             pink[100] (*@pink.ro)

And a bit later:
back___!root at king-870D4890.cern.ch

Just as expected from the configuration file, the victims have a name
based on "back", and the ops seem to be "skdjh" and "pink".

The botnet seems to be still active and among the data we collected, the
following is interesting:

:irc.king.be 003 back___ :This server was created dimanche 18 mars (UTC+0100) at 2012, 18:37:26
:irc.king.be 004 back___ irc.king.be Unreal3.2.8.1 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:irc.king.be 005 back___ WALLCHOPS WATCH=128 WATCHOPTS=A SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=king CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ :are supported by this server
:irc.king.be 251 back___ :There are 30 users and 366 invisible on 1 servers
:irc.king.be 253 back___ 1 :unknown connection(s)
:irc.king.be 254 back___ 9 :channels formed
:irc.king.be 255 back___ :I have 396 clients and 0 servers
:irc.king.be 265 back___ :Current Local Users: 396  Max: 431
:irc.king.be 266 back___ :Current Global Users: 396  Max: 431
USERS
:irc.king.be 446 back___ :USERS has been disabled
NAMES #idle
:irc.king.be 366 back___ #idle :End of /NAMES list.
WHO #IDLE
:irc.king.be 352 back___ #idle root <anonymised_host>.cern.ch irc.king.be back___ H :0  root
:irc.king.be 352 back___ #idle king pink.ro irc.king.be skdjh H@ :0 aquadoodoo, rock my voodoo.
:irc.king.be 315 back___ #IDLE :End of /WHO list.

(<anonymised_host> is an anonymised CERN host)

So this server was created only last Wednesday and has 366 members,
quite likely mostly composed of victims.
There are still victims connected, for example:

WHOIS back
:irc.king.be 311 back___ back root king-2DC61CE0.dunakanyar.net * :2there was a sudden silence
:irc.king.be 319 back___ back :#idle
:irc.king.be 312 back___ back irc.king.be :king
:irc.king.be 317 back___ back 255103 1334938233 :seconds idle, signon time
:irc.king.be 318 back___ back :End of /WHOIS list.
WHOIS back_
:irc.king.be 311 back___ back_ root king-58840B0E.com * :2there was a sudden silence
:irc.king.be 319 back___ back_ :#idle
:irc.king.be 312 back___ back_ irc.king.be :king
:irc.king.be 317 back___ back_ 738895 1334454540 :seconds idle, signon time
:irc.king.be 318 back___ back_ :End of /WHOIS list.
WHOIS back__
:irc.king.be 311 back___ back__ root AE4E3442.AE25AA93.101EAF1A.IP * :2there was a sudden silence
:irc.king.be 319 back___ back__ :#idle
:irc.king.be 312 back___ back__ irc.king.be :king
:irc.king.be 317 back___ back__ 1044639 1334148816 :seconds idle, signon time
:irc.king.be 318 back___ back__ :End of /WHOIS list.

Interestingly enough, the ops are also available:
WHOIS pink
:irc.king.be 311 back___ pink ek3k34k king-E686424.red-88-16-96.dynamicip.rima-tde.net * :te mai lili san di cur ?
:irc.king.be 312 back___ pink irc.king.be :king
:irc.king.be 301 back___ pink :who's your king?
:irc.king.be 317 back___ pink 239693 1334651908 :seconds idle, signon time
:irc.king.be 318 back___ pink :End of /WHOIS list.
WHOIS skdjh
:irc.king.be 311 back___ skdjh king pink.ro * :aquadoodoo, rock my voodoo.
:irc.king.be 319 back___ skdjh :@#idle
:irc.king.be 312 back___ skdjh irc.king.be :king
:irc.king.be 317 back___ skdjh 19217 1334115834 :seconds idle, signon time
:irc.king.be 318 back___ skdjh :End of /WHOIS list.

An analysis of the malicious process also revealed the following string:
g : 192.168.165.187 doba:doba2681

But I don't know what this is for.
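Added example (editor's code, not part of the mail or the customer's write-up): a small Python triage script that parses the IRC server numerics quoted from the memory dump above (251/255 for the server population, 352 for WHO, 311/317/319 for WHOIS), re-typed here one reply per line as constructed sample input. It applies two tells taken from the bot's own configuration file, IRCNAME ("there was a sudden silence", which shows up in WHOIS with the ^C2 colour code reduced to a leading "2") and LOGIN ("root", the ident/user field), to separate bots from operators, and converts the 317 signon epoch into UTC so the abuse report carries absolute timestamps. The matching rule and all function names are assumptions made for this example.

```python
"""Triage captured IRC C&C traffic: parse server numerics (RFC 1459 /
UnrealIRCd replies) into a list of likely bots, operators and signon times.
SAMPLE is re-typed from the memory-dump lines in the write-up (constructed
input for this example, <anonymised_host> placeholder kept)."""
import re
from datetime import datetime, timezone

SAMPLE = """\
:irc.king.be 251 back___ :There are 30 users and 366 invisible on 1 servers
:irc.king.be 255 back___ :I have 396 clients and 0 servers
:irc.king.be 352 back___ #idle root <anonymised_host>.cern.ch irc.king.be back___ H :0  root
:irc.king.be 352 back___ #idle king pink.ro irc.king.be skdjh H@ :0 aquadoodoo, rock my voodoo.
:irc.king.be 311 back___ back root king-2DC61CE0.dunakanyar.net * :2there was a sudden silence
:irc.king.be 319 back___ back :#idle
:irc.king.be 317 back___ back 255103 1334938233 :seconds idle, signon time
:irc.king.be 311 back___ back__ root AE4E3442.AE25AA93.101EAF1A.IP * :2there was a sudden silence
:irc.king.be 319 back___ back__ :#idle
:irc.king.be 317 back___ back__ 1044639 1334148816 :seconds idle, signon time
:irc.king.be 311 back___ pink ek3k34k king-E686424.red-88-16-96.dynamicip.rima-tde.net * :te mai lili san di cur ?
:irc.king.be 317 back___ pink 239693 1334651908 :seconds idle, signon time
:irc.king.be 311 back___ skdjh king pink.ro * :aquadoodoo, rock my voodoo.
:irc.king.be 319 back___ skdjh :@#idle
:irc.king.be 317 back___ skdjh 19217 1334115834 :seconds idle, signon time
"""

# IRCNAME from the bot config minus the ^C2 colour code: only the "2"
# survives in WHOIS output once the control byte is dropped (assumption).
BOT_REALNAME = "there was a sudden silence"
BOT_LOGIN = "root"  # LOGIN from the bot config, seen as the ident/user field


def parse_line(line):
    """Split one IRC message into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    cmd, *params = head.split()
    return prefix, cmd, params, (trailing if sep else None)


def _user(users, nick):
    return users.setdefault(nick, {"channels": set()})


def analyse(text):
    """Return (server_stats, users); users maps nick -> facts from 352/311/317/319."""
    stats, users = {}, {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        _, cmd, p, trailing = parse_line(raw)
        if cmd == "251":    # :There are <n> users and <m> invisible on ...
            m = re.search(r"(\d+) users and (\d+) invisible", trailing)
            stats["visible"], stats["invisible"] = int(m[1]), int(m[2])
        elif cmd == "255":  # :I have <n> clients and ...
            stats["clients"] = int(re.search(r"I have (\d+) clients", trailing)[1])
        elif cmd == "352":  # <me> <chan> <user> <host> <server> <nick> <flags> :<hops> <realname>
            chan, user, host, _srv, nick, flags = p[1:7]
            u = _user(users, nick)
            u.update(user=user, host=host, realname=trailing.split(None, 1)[1])
            u["channels"].add(("@" if "@" in flags else "") + chan)
        elif cmd == "311":  # <me> <nick> <user> <host> * :<realname>
            nick, user, host = p[1:4]
            _user(users, nick).update(user=user, host=host, realname=trailing)
        elif cmd == "319":  # <me> <nick> :<channels with @/+ status prefixes>
            _user(users, p[1])["channels"].update(trailing.split())
        elif cmd == "317":  # <me> <nick> <idle seconds> <signon epoch> :...
            u = _user(users, p[1])
            u["idle"] = int(p[2])
            u["signon"] = datetime.fromtimestamp(int(p[3]), tz=timezone.utc)
    return stats, users


def classify(users):
    """Bots: realname is the configured IRCNAME (optionally led by a colour
    digit) and user is the configured LOGIN.  Operators: hold @ in #idle."""
    bot_re = re.compile(r"\d*" + re.escape(BOT_REALNAME))
    bots = sorted(n for n, u in users.items()
                  if bot_re.fullmatch(u.get("realname", "")) and u.get("user") == BOT_LOGIN)
    ops = sorted(n for n, u in users.items() if "@#idle" in u["channels"])
    return bots, ops


def first_signon(users, nicks):
    """Earliest signon among nicks: a lower bound on how long the campaign has run."""
    return min(users[n]["signon"] for n in nicks if "signon" in users[n])


if __name__ == "__main__":
    stats, users = analyse(SAMPLE)
    bots, ops = classify(users)
    print("server reports", stats, "- operators:", ops)
    for nick in bots:
        u = users[nick]
        print(f"bot {nick:<7} {u['user']}@{u['host']}  signon {u['signon']:%Y-%m-%d %H:%M:%S}Z  idle {u['idle']}s")
    print("earliest bot signon:", first_signon(users, bots))
```

The analyst's own client (back___, realname "root") is left out of the bot list because it carries neither tell, and pink is not reported as an operator because no 319 line shows channel status for that nick, even though the config grants the pink.ro mask access 100. Note that the 317 epoch is UTC, while the server's 003 banner reports its creation time in local time (UTC+0100); keep both in the report as the server printed them.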
