[Community-sigs] SPEEDTEST Shellbot

Andrea Allievi aallievi at sourcefire.com
Tue Sep 22 05:16:39 EDT 2015


Hi Jorg!
Thanks for your submission.
We have analysed your sample and I suggest another, more targeted signature,
because the string "# Stealth Shellbot " could be too generic (imagine
what could happen if someone writes the same thing to a text file).

With this kind of signature, all the files that contain the string:
"###
# Stealth Shellbot "
will trigger the signature.

Furthermore, I deleted the 2 lines of comments that say "Stealth Shellbot"
(lines 41 and 18) in the sample you provided. The sample still runs with the
same functionality, but your signature didn't trigger. Therefore, I propose
another signature that would target commands used by ShellBot. I believe
this signature will be better at targeting this file and possible variants.
Take a look at the following strings:

# Connection function, I would like to detect if the script sends the
"ircname" and "realname" fields:
sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");

# Commands analysed in the parse function
if ($args =~ /^\001VERSION\001$/)  -> notice("$pn", "");
elsif ($args =~ /^\001PING\s+(\d+)\001$/)  ->  notice("$pn",
"\001PONG\001");
elsif ($args =~ /^(\Q$meunick\E|\Q$prefixo\E)\s+(.*)/ )

# Function bfunc:
if ($funcarg =~ /^pscan (.*)/) {
elsif ($funcarg =~ /^portscan\s+(.*)\s+(\d+)\s+(\d+)/)
elsif ($funcarg =~ /^udp\s+(.*)\s+(\d+)\s+(\d+)/)
elsif ($funcarg =~ /^arme\s+(.*)\s+(\d+)\s+(\d+)/)

# Function ircase:
elsif ($case =~ /^voice/) {
elsif ($case =~ /^devoice/) {
elsif ($case =~ /^ctcpflood\s+(\d+)\s+(\S+) (.*)/)
elsif ($case =~ /^estatisticas (.*)/)
elsif ($case =~ /^pacotes (.*)/)

If I want to catch the connection packet, a parsed argument
("001VERSION\001"), and a pair of commands ("portscan" and "tcpflood"), I
can create a more generic signature:
Backdoor.Perl.ShellbotA;Engine:51-255,Target:0;0&1&2&3;73656e64726177{-4}55534552??246972636e616d65{-60}247265616c6e616d65;30303156455253494f4e??303031;656c73696620282463617365{-16}746370666c6f6f64;6966??282466756e63617267{-8}706f72747363616e

Composed as:

VIRUS NAME: Backdoor.Perl.ShellbotA
TDB: Engine:51-255,Target:0
LOGICAL EXPRESSION: 0&1&2&3
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> DECODED SUBSIGNATURE:
sendraw{WILDCARD_ANY_STRING(LENGTH<=4)}USER{WILDCARD_IGNORE}$ircname{WILDCARD_ANY_STRING(LENGTH<=60)}$realname
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> DECODED SUBSIGNATURE:
001VERSION{WILDCARD_IGNORE}001
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> DECODED SUBSIGNATURE:
elsif ($case{WILDCARD_ANY_STRING(LENGTH<=16)}tcpflood
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> DECODED SUBSIGNATURE:
if{WILDCARD_IGNORE}($funcarg{WILDCARD_ANY_STRING(LENGTH<=8)}portscan


I would like to ask, the next time you submit a signature, if you could
kindly send us the SHA256 of the dropper as well. In this case I have
calculated the SHA256 for your script:
SHA256: 624c93f65173281710e0ceee0c076ffd122daa538629998e84e2ffc20095424d

I hope this helps you.
Again, thank you very much!

Best regards,
Andrea

On Wed, Aug 12, 2015 at 8:58 AM, Jörg Stephan <jost2208 at gmail.com> wrote:

> Good morning,
>
> my honeypot came across a shellbot injection
>
> Source: hxxp://194.60.242[.]251/minispeedtest/speedtest/.z/hb/plk03
> ZoneAlarm: Backdoor.Perl.Shellbot.a
>
> I created the following signature to detect it
>
>
> SHELL.Shellbot.SPEEDTEST:0:*:2323230D0A2320537465616C7468205368656C6C626F7420
>
> It basically searches for the ## SHELLBOT tag within the file.
> --
> Regards
>
> Joerg Stephan
> IDSBlog: http://sendmespamids.blogspot.nl/
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>



-- 
Andrea Allievi
aallievi at sourcefire.com
Security Research Engineer
TALOS Security Intelligence and Research Group
Cisco Systems Inc.
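As an added example (not part of the thread, and not ClamAV's own code), here is a small Python decoder and matcher for the logical signature discussed above: it expands the hex subsignatures into the notation used in the "Composed as" breakdown, evaluates the 0&1&2&3 expression, and shows on constructed fixtures why the targeted signature still fires after the "Stealth Shellbot" comment is removed while the plain hex match fires on a harmless note. It handles only a subset of ClamAV's hex syntax (hex bytes, `??`, `{n}`, `{-n}`, `{n-}`, `{n-m}`), and the fixture text is constructed, not the real sample.

```python
import re

# .ldb logical signature proposed above: name;TDB;logical expression;hex subsigs.
LDB = ("Backdoor.Perl.ShellbotA;Engine:51-255,Target:0;0&1&2&3;"
       "73656e64726177{-4}55534552??246972636e616d65{-60}247265616c6e616d65;"
       "30303156455253494f4e??303031;"
       "656c73696620282463617365{-16}746370666c6f6f64;"
       "6966??282466756e63617267{-8}706f72747363616e")
NDB_HEX = "2323230D0A2320537465616C7468205368656C6C626F7420"  # Joerg's plain hex sig
# Subset of ClamAV hex syntax handled here: hex bytes, ??, {n}, {-n}, {n-}, {n-m}.
TOKEN = re.compile(r"\?\?|\{(\d*)(-?)(\d*)\}|[0-9a-fA-F]{2}")

def parse_subsig(hexsig):
    """Return (decoded text in the list's notation, compiled bytes regex) for one subsig."""
    text, pat, pos = [], [], 0
    for m in TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax near {hexsig[pos:pos + 8]!r}")
        pos, tok = m.end(), m.group(0)
        if tok == "??":                        # exactly one arbitrary byte
            text.append("{WILDCARD_IGNORE}"); pat.append(b".")
        elif tok[0] == "{":                    # bounded run of arbitrary bytes
            lo, dash, hi = m.groups()
            hi = hi if dash else lo            # {n} is shorthand for {n-n}
            bound = (f"{lo}<=" if lo else "") + "LENGTH" + (f"<={hi}" if hi else "")
            text.append(f"{{WILDCARD_ANY_STRING({bound})}}")
            pat.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
        else:                                  # literal byte
            text.append(chr(int(tok, 16))); pat.append(re.escape(bytes([int(tok, 16)])))
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage {hexsig[pos:]!r}")
    return "".join(text), re.compile(b"".join(pat), re.DOTALL)

def matches(ldb, data):
    """Evaluate an .ldb line against data ('&' binds tighter than '|'; no counts/parentheses)."""
    name, _tdb, expr, *subsigs = ldb.split(";")
    hits = [bool(parse_subsig(s)[1].search(data)) for s in subsigs]
    return name, any(all(hits[int(i)] for i in term.split("&")) for term in expr.split("|"))

def scan(data):  # -> (plain hex signature hit, logical signature hit)
    return bool(parse_subsig(NDB_HEX)[1].search(data)), matches(LDB, data)[1]

# Constructed fixtures (not the real sample): the quoted Perl fragments without the
# "Stealth Shellbot" comment, and a harmless note that happens to begin with it.
BOT_LIKE = rb"""sendraw("USER $ircname ".$IRC_socket->sockhost." $servidor_con :$realname");
if ($args =~ /^\001VERSION\001$/) { notice("$pn", ""); }
elsif ($case =~ /^tcpflood (.*)/) { }
if ($funcarg =~ /^portscan\s+(.*)/) { }
"""
BENIGN_NOTE = b"###\r\n# Stealth Shellbot is just a name I read about today.\n"
```

`scan(BOT_LIKE)` returns `(False, True)` and `scan(BENIGN_NOTE)` returns `(True, False)`, which is the false-positive/false-negative contrast made in the mail.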
