NEWS FROM THE LAB - Wednesday, January 30, 2008

PHP IRC Bot Posted by Toni @ 14:51 GMT

Coming across a PHP RFI (Remote File Inclusion) exploit is an everyday event. (At least if you're analyzing malware…)

Most of the exploits we see install a web-based backdoor, such as the C99 shell, for the attacker to use.

Every once in a while we run into something more sinister.


Today we discovered a nice crossbreed of different techniques: a heavily obfuscated PHP script with an encrypted configuration. It's an IRC bot, written in PHP. On top of that, it uses nine domain names to reach its master's C&C (Command and Control) server.

The domain names are fast-fluxing, so the botnet can move around nicely, and since most of the compromised machines are web servers, it is packing a nice amount of bandwidth.
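The fast-flux behaviour described above is the kind of thing that shows up in passive DNS data: C&C names answered with short TTLs and a pool of addresses that keeps changing, spread over unrelated networks (compromised web servers) rather than clustered in one operator's ranges the way a CDN's low-TTL answers are. The following is an added Python example, not code from the original post or from F-Secure; the record format, the thresholds, and the domain names and IP addresses in the sample data are all constructed for illustration.

```python
"""Added example: fast-flux heuristics over passive-DNS style records.

Not part of the original post. The observation format, thresholds and the
sample data are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class DnsObservation:
    domain: str
    ttl: int            # TTL of the A records in this response
    ips: tuple          # A records returned in this one response


def prefix_diversity(ips, prefix_len=16):
    """Count distinct /prefix_len networks among the given IPs.

    A fast-flux pool is built from compromised hosts on unrelated networks,
    so its addresses fall into many prefixes; a CDN's low-TTL answers usually
    sit in a few prefixes that belong to the CDN operator.
    """
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips}
    return len(nets)


def fastflux_score(observations, max_ttl=600, min_ips=5, min_prefixes=4):
    """Aggregate observations per domain and flag fast-flux candidates.

    A domain is flagged only when all three hold: every answer had a short
    TTL, the number of distinct IPs seen is high, and those IPs are spread
    over many /16 prefixes. The thresholds are illustrative assumptions.
    """
    by_domain = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)

    results = {}
    for domain, obs_list in by_domain.items():
        ips = {ip for o in obs_list for ip in o.ips}
        low_ttl = all(o.ttl <= max_ttl for o in obs_list)
        prefixes = prefix_diversity(ips)
        results[domain] = {
            "unique_ips": len(ips),
            "prefixes16": prefixes,
            "low_ttl": low_ttl,
            "fast_flux": low_ttl and len(ips) >= min_ips and prefixes >= min_prefixes,
        }
    return results


# Constructed sample data (names under reserved TLDs, private address space).
FLUX_DOMAIN = "cc-pool.example"      # hypothetical C&C name: short TTL, scattered IPs
CDN_DOMAIN = "static.cdn.example"    # hypothetical CDN name: short TTL, one prefix
STATIC_DOMAIN = "www.example"        # hypothetical ordinary host: long TTL, one IP

SAMPLE_OBSERVATIONS = [
    DnsObservation(FLUX_DOMAIN, 300, ("10.1.2.3", "10.44.5.6")),
    DnsObservation(FLUX_DOMAIN, 300, ("10.77.8.9",)),
    DnsObservation(FLUX_DOMAIN, 300, ("10.12.0.1", "10.1.2.3")),   # one IP repeats
    DnsObservation(FLUX_DOMAIN, 300, ("10.200.3.3",)),
    DnsObservation(CDN_DOMAIN, 60, ("172.16.5.10", "172.16.5.11")),
    DnsObservation(CDN_DOMAIN, 60, ("172.16.5.12", "172.16.5.13")),
    DnsObservation(CDN_DOMAIN, 60, ("172.16.5.14",)),
    DnsObservation(STATIC_DOMAIN, 86400, ("192.0.2.10",)),
    DnsObservation(STATIC_DOMAIN, 86400, ("192.0.2.10",)),
]


if __name__ == "__main__":
    for name, features in fastflux_score(SAMPLE_OBSERVATIONS).items():
        print(name, features)
```

The CDN entry is the caveat worth keeping in mind: a low TTL and a handful of distinct addresses alone will flag ordinary content-delivery names, so the prefix spread is what does the real work here. In practice you would also want to weight by how quickly the address set turns over between responses, and check whether the address pool is shared across several of the C&C domains.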

Detection for Backdoor:PHP/Obfu.A was added to our 2008-01-30_07 update.

You can find some additional information at teamfurry.