Wednesday, January 30, 2008 2:39 PM
cmosby
PHP IRC Bot - F-Secure Weblog : News from the Lab
PHP IRC Bot
Posted by Toni @ 14:51 GMT
Coming across a PHP RFI (Remote File Inclusion) exploit is an everyday event. (At least if you're analyzing malware…)
Typically, the exploits we see install a web-based backdoor, such as the C99 shell, for the attacker to use.
Every once in a while we run into something more sinister.

Today we discovered a nice crossbreed of different techniques. We saw a heavily obfuscated PHP script whose configuration was encrypted. It's an IRC bot, written in PHP. On top of that, it uses nine DNS names to reach its master's C&C (Command and Control) server.
The domain names are fast-fluxing, so this botnet can move around nicely, and since most of the compromised machines are web servers, this botnet is packing a nice amount of bandwidth.
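As an added illustration of the fast-flux behaviour described above (this is not code from the post or from F-Secure), the Python below scores constructed DNS observations for one rotating domain and one stable one; the domain names, addresses and thresholds are assumptions made for the example.

```python
# Added example: a small fast-flux heuristic over constructed DNS lookups.
# A domain whose A records keep changing across short-TTL lookups is
# flagged; a domain that always resolves to the same address is not.
from collections import defaultdict

# Constructed sample observations: (domain, timestamp, ttl, set of A records).
# Domains use the reserved .invalid TLD and documentation IP ranges.
OBSERVATIONS = [
    ("cnc-example.invalid", 0, 300, {"203.0.113.10", "203.0.113.22", "198.51.100.7"}),
    ("cnc-example.invalid", 600, 300, {"203.0.113.22", "198.51.100.40", "192.0.2.77"}),
    ("cnc-example.invalid", 1200, 300, {"192.0.2.77", "198.51.100.90", "203.0.113.130"}),
    ("cnc-example.invalid", 1800, 300, {"203.0.113.5", "192.0.2.201", "198.51.100.90"}),
    ("static.example.invalid", 0, 86400, {"192.0.2.1"}),
    ("static.example.invalid", 600, 86400, {"192.0.2.1"}),
    ("static.example.invalid", 1200, 86400, {"192.0.2.1"}),
    ("static.example.invalid", 1800, 86400, {"192.0.2.1"}),
]

# Thresholds are assumptions chosen for illustration, not values from the post.
MAX_TTL = 600          # flux networks rely on short TTLs so records expire quickly
MIN_DISTINCT_IPS = 6   # many distinct hosts seen within a short window
MIN_CHURN = 0.5        # fraction of consecutive lookups whose A-record set changed


def flux_features(records):
    """records: list of (ts, ttl, frozenset_of_ips) for a single domain."""
    records = sorted(records, key=lambda r: r[0])
    all_ips = set().union(*(r[2] for r in records))
    changes = sum(1 for a, b in zip(records, records[1:]) if a[2] != b[2])
    churn = changes / (len(records) - 1) if len(records) > 1 else 0.0
    return {"max_ttl": max(r[1] for r in records),
            "distinct_ips": len(all_ips),
            "churn": churn}


def is_fast_flux(features):
    return (features["max_ttl"] <= MAX_TTL
            and features["distinct_ips"] >= MIN_DISTINCT_IPS
            and features["churn"] >= MIN_CHURN)


def classify(observations):
    """Group lookups by domain and return {domain: flagged_as_fast_flux}."""
    by_domain = defaultdict(list)
    for domain, ts, ttl, ips in observations:
        by_domain[domain].append((ts, ttl, frozenset(ips)))
    return {d: is_fast_flux(flux_features(recs)) for d, recs in by_domain.items()}


if __name__ == "__main__":
    for domain, flagged in classify(OBSERVATIONS).items():
        print(domain, "fast-flux" if flagged else "stable")
```

Real deployments would also weigh the number of distinct ASNs behind the addresses; that requires an external mapping and is left out here.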
Detection for Backdoor:PHP/Obfu.A was added to our 2008-01-30_07 update.
You can find some additional information at teamfurry.
Source: F-Secure Weblog : News from the Lab
Filed under: Security and Anti-Virus, Internet Hacks, Internet Applications