Thursday, January 31, 2008

Fast-Fluxing PHP IRC Bot

Via F-Secure Blog -

Coming across a PHP RFI (Remote File Inclusion) exploit is an everyday event. (At least if you're analyzing malware…)

Typically, most of the exploits we see install a web-based backdoor such as the C99 shell for the attacker to use.

Every once in a while we run into something more sinister.

Today we discovered a nice crossbreed of different techniques. We saw a PHP script that was heavily obfuscated and the configuration was encrypted. It's an IRC bot, written in PHP. On top of that, it uses nine DNS names to go to its master's C&C (Command and Control) server.

The domain names are fast-fluxing, so this botnet can move around nicely, and since most of the compromised machines are web servers, this botnet is packing a nice amount of bandwidth.
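The post only names fast-flux as the evasion technique; the following added example (not code from the post or from F-Secure) shows the kind of check a defender can run over their own DNS resolver logs to spot it. A fast-flux name hands out a different, short-lived set of A records on nearly every lookup, spread across many unrelated networks, whereas a normal name resolves stably. The domain names, timestamps, TTLs and addresses below are constructed sample data (RFC 5737 documentation ranges and a `.invalid` name), and the thresholds in `is_fast_flux` are illustrative assumptions, not values from the post.

```python
"""Heuristic fast-flux indicator over a set of DNS resolution observations.

Added illustration, not F-Secure's code. Each observation records what a
resolver returned for a name at a given time. A name is scored as
fast-flux when, within a window, it has been seen resolving to many
distinct IPs across several /24 networks on short TTLs.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Resolution:
    name: str
    ts: int          # seconds since epoch (constructed)
    ttl: int         # TTL returned with the A records
    addrs: tuple     # A records returned in this answer


# Constructed observations: one name behaves like fast-flux (new hosts on a
# short TTL every lookup), the other resolves to the same host on a long TTL.
SAMPLE = [
    Resolution("cnc-example.invalid", 0,   300, ("192.0.2.10", "192.0.2.77")),
    Resolution("cnc-example.invalid", 300, 300, ("198.51.100.4", "203.0.113.9")),
    Resolution("cnc-example.invalid", 600, 300, ("203.0.113.200", "192.0.2.130")),
    Resolution("cnc-example.invalid", 900, 300, ("198.51.100.250", "203.0.113.33")),
    Resolution("static.example",      0,   86400, ("192.0.2.1",)),
    Resolution("static.example",      900, 86400, ("192.0.2.1",)),
]


def flux_features(observations, window=3600):
    """Per-name features over the most recent `window` seconds of lookups:
    lookup count, distinct IPs, distinct /24 networks and the minimum TTL."""
    by_name = defaultdict(list)
    for r in observations:
        by_name[r.name].append(r)
    out = {}
    for name, recs in by_name.items():
        latest = max(r.ts for r in recs)
        recent = [r for r in recs if latest - r.ts <= window]
        ips = {ip_address(a) for r in recent for a in r.addrs}
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        out[name] = {
            "lookups": len(recent),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(r.ttl for r in recent),
        }
    return out


def is_fast_flux(features, max_ttl=900, min_ips=5, min_nets=3):
    """Illustrative rule: short TTL plus many distinct IPs spread across
    several /24 networks. Tune the thresholds to your own resolver data;
    CDNs can also rotate addresses, so treat a hit as a lead, not a verdict."""
    return (features["min_ttl"] <= max_ttl
            and features["distinct_ips"] >= min_ips
            and features["distinct_nets"] >= min_nets)


def flag_fast_flux(observations):
    """Return the sorted list of names that trip the fast-flux rule."""
    feats = flux_features(observations)
    return sorted(n for n, f in feats.items() if is_fast_flux(f))


if __name__ == "__main__":
    for name, f in flux_features(SAMPLE).items():
        print(name, f, "FAST-FLUX" if is_fast_flux(f) else "stable")
```

Run it as a script to see the per-name features; on real data, feed it the (name, time, TTL, answers) tuples from passive DNS or resolver query logs and review the flagged names alongside the web servers making the lookups, since a compromised PHP host reaching such a name is the behaviour the post describes.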

Detection for Backdoor:PHP/Obfu.A was added to our 2008-01-30_07 update.
