PERL_SHELLBOT.SM

This malware figures in a Shellshock-related SMTP attack.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be downloaded from the following remote site(s):

• http://208.{BLOCKED}.238/.x/hb/php09
• http://2{BLOCKED}.223/jurat
• http://2{BLOCKED}.223/ji
• http://7{BLOCKED}.69/ec.z

This malware arrives via the following means:

• CVE-2014-6271

Backdoor Routine

This Backdoor connects to any of the following IRC server(s):

• {BLOCKED}d.{BLOCKED}yz.info
• {BLOCKED}s.{BLOCKED}ftp.org:443
• {BLOCKED}7.{BLOCKED}0.45.138:1835
• {BLOCKED}.{BLOCKED}.100.90:6667
• gov.{BLOCKED}t.org
• blacklotus.ca.us.{BLOCKED}et.org
• zmeu.{BLOCKED}o.it
• local.{BLOCKED}c.so
• irc.{BLOCKED}s.hk
• {BLOCKED}.{BLOCKED}-newbie.org:6667
• {BLOCKED}1.{BLOCKED}p.org:443
• {BLOCKED}6.{BLOCKED}7.97.158:7000
• {BLOCKED}tasy.{BLOCKED}nd.rocks:7777
• {BLOCKED}csl.{BLOCKED}ip.org:443
• irc.{BLOCKED}oe.net:6667
• 89.{BLOCKED}.139:6660
• {BLOCKED}fia.{BLOCKED}t.nu:4444
• {BLOCKED}9.{BLOCKED}9.68.5:6667
• {BLOCKED}9.{BLOCKED}4.220.147:8443
• {BLOCKED}s.{BLOCKED}ot.nu:5190
• {BLOCKED}rl1.{BLOCKED}ack.org:443,23,6660,6667 or 6669
• {BLOCKED}cd.w3h.co.uk:443
• {BLOCKED}d3n.pikolata.net:6121
• {BLOCKED}i.{BLOCKED}ot.nu:5190
• {BLOCKED}aos.{BLOCKED}gend.rocks:7777
• {BLOCKED}ics.no-ip.org:443
• 9{BLOCKED}.10:6667
• 6{BLOCKED}.237:6969
• 5{BLOCKED}.238.185:80
• 4{BLOCKED}.158:443
• 4{BLOCKED}.mn:8080
• 3{BLOCKED}.147:443
• 3{BLOCKED}.6:80
• 2{BLOCKED}.38:1337
• 19{BLOCKED}.17:6667
• 19{BLOCKED}.202.24
• 18{BLOCKED}.247:6667
• 18{BLOCKED}.209.84:443
• 17{BLOCKED}.233:6667
• {BLOCKED}4.{BLOCKED}5.56.228:443
• irc.{BLOCKED}s-newbie.org:6667

It joins any of the following IRC channel(s):

• #XDOS
• #root
• #bbox
• #esmtp
• #play
• #xtr
• #xrt
• #tamerlinux
• #rnd
• #php
• #perls
• #perl
• #nrpe
• #new
• #main
• #gnu
• #bot
• #bash
• #b
• #apache
• #113
• #0day-new
• ##n3
• ##jboss
• #JohnnyH
• #homenet.org
• #mihai
• #noi
• #local.irc.so
• #welcome
• #tes
• #Tangodown
• #pma
• #dos :ddos

It accesses a remote Internet Relay Chat (IRC) server where it receives the following commands from a remote malicious user:

• join - Join a channel
• part - Leave a channel
• rejoin - Leave and rejoin a channel
• op - Grant a user an operator status
• deop - Revoke a users operator status
• voice - Grant a user an voice status
• devoice - Revoke a users voice status
• nick - Change nickname
• msg - Send a private message
• quit - Disconnect from the IRC server
• raw - Send raw data to the IRC server
• die - Terminate itself
• udp1, udp2, udp3 - Perform UDP flooding
• tcp - Perform TCP flooding
• http - Perform HTTP flooding
• ctcpflood - Send 20 IRC private messages to a target
• msgflood - Send a long IRC private message to a target
• noticeflood - Send two long IRC notice messages to a target
• cback - Execute a remote shell (/bin/sh or cmd.exe)
• download - Download from a URL and save to a specified file
• portscan - Scans an IP address for the following ports: 1, 7, 9, 14, 20, 21, 22, 23, 25, 53, 80, 88, 110, 112, 113, 137, 143, 145, 222, 333, 405, 443, 444, 445, 512, 587, 616, 666, 993, 995, 1024, 1025, 1080, 1144, 1156, 1222, 1230, 1337, 1348, 1628, 1641, 1720, 1723, 1763, 1983, 1984, 1985, 1987, 1988, 1990, 1994, 2005, 2020, 2121, 2200, 2222, 2223, 2345, 2360, 2500, 2727, 3130, 3128, 3137, 3129, 3303, 3306, 3333, 3389, 4000, 4001, 4471, 4877, 5252, 5522, 5553, 5554, 5642, 5777, 5800, 5801, 5900, 5901, 6062, 6550, 6522, 6600, 6622, 6662, 6665, 6666, 6667, 6969, 7000, 7979, 8008, 8080, 8081, 8082, 8181, 8246, 8443, 8520, 8787, 8855, 8880, 8989, 9855, 9865, 9997, 9999, 10000, 10001, 10010, 10222, 11170, 11306, 11444, 12241, 12312, 14534, 14568, 15951, 17272, 19635, 19906, 19900, 20000, 21412, 21443, 21205, 22022, 30999, 31336, 31337, 32768, 33180, 35651, 36666, 37998, 41114, 41215, 44544, 45055, 45555, 45678, 51114, 51247, 51234, 55066, 55555, 65114, 65156, 65120, 65410, 65500, 65501, 65523, 65533
• mail - Send an email to a target
• port - Open a connection to a specified IP address and port
• dns - Resolve an address to its IP address

NOTES:
It chooses a nickname randomly from the following:

• abbore
• ably
• abyss
• acrima
• aerodream
• afkdemon
• ainthere
• alberto
• alexia
• alexndra
• alias
• alikki
• alphaa
• alterego
• alvin
• ambra
• amed
• andjela
• andreas
• anja
• anjing
• anna
• apeq
• arntz
• arskaz
• as
• asmodizz
• asssa
• athanas
• aulis
• aus
• bar
• bast
• bedem
• beeth
• bella
• birillo
• bizio
• blackhand
• blacky
• blietta
• blondenor
• blueangel
• bluebus
• bluey
• bobi
• bopoh
• borre
• boy
• bram
• brigitta
• brio
• brrrweg
• brujah
• caprcorn
• carloto
• catgirl
• cathren
• cemanmp
• chainess
• chaingone
• chck
• chriz
• cigs
• cintat
• clarissa
• clbiz
• clex
• cobe
• cocker
• coke
• colin
• conan
• condoom
• coop
• coopers
• corvonero
• countzero
• cracker
• cread
• crnaruka
• cruizer
• cubalibre
• cure
• custodes
• dan
• dangelo
• danic
• daniela
• dario
• darker
• darknz
• davide
• daw
• demigd
• des
• devastor
• diabolik
• dimkam
• dital
• djtt
• dogzzz
• dolfi
• dolphin
• dottmorte
• dracon
• dragon
• drtte
• dumbblnd
• dusica
• ebe
• edgie
• eggist
• einaimou
• elef
• elly
• emmi
• encer
• engerim
• erixon
• eurotrash
• fairsight
• fin
• fireaway
• fjortisch
• floutti
• fluffer
• flum
• forever
• fqw
• fra
• freem
• freew
• freud
• funny
• furia
• furunkuli
• fwsmou
• gad
• gamppy
• gerhard
• ghostie
• gili
• girlie
• giugno
• gizmo
• glidaren
• gold
• gomora
• gracie
• grave
• graz
• grron
• gsund
• gufoao
• hali
• hallas
• hammer
• harri
• harry
• hayes
• hazor
• herbiez
• hlios
• hoffi
• honeii
• hongkong
• hug
• iasv
• ibanez
• ibanz
• ibar
• igi
• illusins
• imp
• inkworks
• iplord
• ivan
• ja
• jaffa
• jaimeafk
• james
• jamezdin
• janet
• janne
• jason
• javagrl
• jayc
• jazz
• jejborta
• jester
• jj
• jn
• jockey
• joe
• joelbitar
• johannes
• johndow
• johnny
• joni
• jonni
• jornx
• joshua
• jossumi
• judy
• juge
• juha
• juhas
• julze
• juutsu
• kajman
• kalca
• kamileon
• kardinal
• kasandra
• katarina
• kaviee
• kbee
• ken
• keung
• kewin
• khan
• kikeli
• kikii
• kilroi
• kiwi
• klaara
• kliimax
• klimas
• kode
• kojv
• koopal
• kralj
• krash
• krista
• kronos
• ktx
• kungen
• kuppa
• kurai
• lala
• lamour
• latina
• legend
• lenisaway
• lily
• linda
• lingyee
• linux
• lisa
• lisha
• litta
• littleboy
• liverpoo
• liyen
• liz
• liza
• lonely
• lonelygal
• lonewolf
• lopez
• lordie
• lovebyte
• lph
• luarbiasa
• lucignol
• lullaby
• lunatic
• luny
• lupo
• mac
• macesgl
• madd
• mailman
• malkav
• malr
• mamakians
• mamaw
• manarimou
• manarisou
• maradona
• marakana
• marco
• marillion
• mark
• mary
• master
• maurino
• max
• mcalcota
• melanie
• melinda
• meph
• mephisto
• mg
• mhj
• mhz
• mig
• miina
• mika
• mikav
• mike
• mikemcgii
• mikko
• mikma
• mimma
• miss
• moladmin
• monikaw
• monkeyboy
• monroe
• monstop
• mooks
• mordeshur
• mpdike
• mrbate
• mrbeauty
• mrblom
• mrbx
• mrjee
• mro
• mrtabizy
• mrx
• mrxx
• msd
• mu
• muimui
• musashi
• musc
• musce
• musicgal
• muti
• myboy
• mystr
• mythic
• mywife
• nallllle
• nanask
• natalie
• natborta
• ncubus
• neutrino
• niceguy
• nico
• niklas
• nimfa
• nino
• nurul
• obiwanbip
• ogre
• olivia
• omega
• only
• orac
• orace
• oranzzzzz
• organza
• ourlove
• outworld
• outzake
• oxygn
• paliadog
• pazarac
• permaloso
• perroz
• pessaar
• phre
• phreaky
• pihkal
• pinball
• poesje
• poison
• poofie
• popy
• powerpc
• pper
• primera
• primetime
• proxyma
• pshyche
• psioncore
• psiximou
• psixisou
• psychosis
• psyidle
• pszaah
• puppetm
• pzzzz
• quattro
• question
• ra
• ragio
• ragnetto
• raiden
• raindance
• raistln
• ranu
• raska
• raul
• raye
• reartu
• red
• reflect
• ribica
• richard
• rick
• rigo
• rikuta
• rikuxr
• rita
• rix
• rob
• roku
• ronaldo
• ronwrl
• roticanai
• rugiada
• ruthless
• saalut
• sammi
• sand
• satanins
• schzsh
• scorpin
• sealink
• sean
• secret
• serpentor
• servant
• sethi
• sexbolek
• sexyman
• sharmm
• shearer
• shekel
• shio
• shortys
• shred
• sidewalk
• sil
• siren
• skar
• skill
• skru
• sky
• skygun
• skylink
• slaktarn
• slash
• slgon
• smarties
• smck
• snake
• snike
• snoopgirl
• sodoma
• sopocani
• sorceress
• spacebbl
• spacedump
• spanker
• spermboy
• spirtouli
• srk
• stazzz
• steve
• stinga
• stj
• stjf
• studenica
• stussy
• suez
• suhoj
• sukun
• sunsola
• surfer
• sutera
• svearike
• sweetii
• sweetlady
• sweklopi
• swepilot
• switch
• syncphos
• szern
• takumura
• tallaxlc
• tampone
• tarabas
• tatano
• tato
• tennis
• tenx
• terence
• terkukur
• tero
• thefox
• thesint
• timer
• timewalk
• tmhd
• tnxfck
• to
• tomihki
• tommy
• topo
• triumph
• trustme
• tungau
• tupac
• turbozzzz
• turing
• tvrdjava
• tysn
• unicron
• uoff
• uptimer
• utopia
• vader
• vaismi
• vajje
• vanda
• varjo
• vass
• vento
• venusguy
• vertie
• viagara
• vicious
• vidxxx
• virex
• vodafone
• vone
• vrgnie
• vuubeibe
• wanderer
• warrr
• wasabboy
• weebee
• wellu
• wendy
• whiskey
• willgood
• wing
• winny
• wknight
• wlly
• wolfman
• wow
• wp
• xarasou
• xtreme
• xxx
• xzone
• yakzr
• yang
• yashy
• yasin
• yenyen
• ykbug
• yogiebear
• zai
• zfstr
• zinj
• zizu
• zvezda
• zwimou
• zwisou
• zwsiew
• zwsiewale