A few days ago, an IRC based botnet was spotted conducting a denial of service attack. The DDoS attack is quite massive – it has a bandwidth of about 6 Gbps (gigabits per second), which equates to around 12 million PPS (packets per second).
The bots used for these DDoS botnet is Linux based, not a Windows bot. The bot runs on “GLIBC_2.1.3, GLIBC_2.1, and GLIBC_2.0 compatible x86 Linux boxen.”
Moreover, it was discovered that these bots are propagated through a PHP exploit.
The PHP exploit is not targeted at a specific vulnerability in a PHP-based application; rather, the exploit is targeted at PHP applications in general. The vulnerability lies in poorly-written PHP application that performs includes without doing any validation to the include string.
For this particular botnet, the inserted command will download an ELF file from a server sitting somewhere in Japan. This ELF file is the bot software, which will report to an IRC-based C&C server residing in the same machine from where the ELF file is downloaded.
It was reported that the C&C and download server has been taken down by the Japanese government.
There had been a rising trend in the number of Linux bots captured. These bots are in fact written in several programming languages. So far we have captured bots that comes as ELF files, and Perl and PHP scripts. Samples of which are
- ELF_KAIGENT family
- PHP_CHAPLOIT family
- ELF Binaries
- PERL_SHELLBOT family
Note that several of these Linux bots are being propagated through exploits in several Perl and PHP-based web applications, like AWStats, PHPBB, Mambo, Coppermine, and XML-RPC, to name a few.
The source code for the ELF Kaiten bot has been around since 2001. This predates several Windows-based bots.
The rising trend in the popularity of Linux bots prompted the ISC to post a warning, saying that bots are not just for windows anymore. Furthermore, it writes “… its so much easier to write a bot for Linux. You got perl after all. I wouldn’t be surprised to find one written in bash.”