Perlbot Analysis

April 24, 2006

We got this code from a reader who got hit by this malware just as he patched his Horde install. Again, one of those examples that shows how fast these exploits spread, and why you should not waste any time patching. We see a lot of these Perl bots/worms. They are not too special, but they are kind of a "classic" at this point, so I figure it is worthwhile to deconstruct a sample.

These simple Perl-based bots are particularly popular with lower-skilled kids. I left a lot of the specific strings, like server names and such, intact or only lightly obfuscated. A few unimportant details got deleted or modified in order to make the code a bit easier to read and annotate.

Highlights for this bot: it will remove the vulnerability (or at least attempt to), and it has no simple “kill” command.

The initial exploit triggers three attempts to download the bot from http://butt er cream card.com/p. These three download attempts use wget, fetch and curl in turn. In the past most of these bots only tried wget, but given that wget may not be installed on all systems, this bot goes a step further.

The download is dropped into /tmp. As a reminder: it is usually best to make /tmp its own partition and mount it with the noexec, nosuid and nodev options, so that nothing dropped there can be executed directly, run setuid, or act as a device node. Next, make sure that /usr/tmp and /var/tmp are symlinks to /tmp, so that they share the same restrictions. Keep in mind that noexec only blocks direct execution: a script started as "perl /tmp/p" is read by the interpreter and still runs, so this is hardening that raises the bar rather than a cure.
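The two checks above in script form, as an added example that is not part of the original diary and not code from the bot: the first function parses /proc/mounts-style text and reports which of noexec, nosuid and nodev are missing from the /tmp entry; the second verifies that an alias such as /var/tmp is a symlink resolving to /tmp. The mount table samples and the mock root it builds are constructed for the example; on a Linux host it also reads the real /proc/mounts.

```shell
#!/bin/sh
# Constructed /proc/mounts samples (not from any real host): a typical
# default /tmp mount and the same mount with the recommended options.
WEAK_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,relatime 0 0'
HARDENED_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0'

# missing_tmp_options MOUNTS_TEXT
# Prints the hardening options absent from the /tmp entry, space separated
# (empty output means all three are present), or "no-separate-tmp" when
# /tmp is not a mount point of its own.
missing_tmp_options() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/tmp" { print $4; exit }')
    [ -n "$opts" ] || { echo "no-separate-tmp"; return 0; }
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    echo "${missing# }"
}

# alias_points_to_tmp ROOT PATH
# Succeeds when ROOT/PATH is a symlink whose physical target is ROOT/tmp,
# so a bot dropping into /var/tmp or /usr/tmp lands on the hardened mount.
alias_points_to_tmp() {
    ar_root=$1 ar_path=$2
    [ -L "$ar_root$ar_path" ] || return 1
    target=$(cd -P "$ar_root$ar_path" 2>/dev/null && pwd -P) || return 1
    expected=$(cd -P "$ar_root/tmp" && pwd -P)
    [ "$target" = "$expected" ]
}

# make_mock_root DIR
# Lays out a constructed root where /var/tmp is done right (symlink to
# /tmp) and /usr/tmp is still a plain directory, to show both outcomes.
make_mock_root() {
    mkdir -p "$1/tmp" "$1/var" "$1/usr/tmp"
    ln -s ../tmp "$1/var/tmp"
}

echo "weak sample:     missing [$(missing_tmp_options "$WEAK_MOUNTS")]"
echo "hardened sample: missing [$(missing_tmp_options "$HARDENED_MOUNTS")]"
if [ -r /proc/mounts ]; then
    echo "this host:       missing [$(missing_tmp_options "$(cat /proc/mounts)")]"
fi

demo_root=$(mktemp -d)
make_mock_root "$demo_root"
for p in /var/tmp /usr/tmp; do
    if alias_points_to_tmp "$demo_root" "$p"; then
        echo "$p -> /tmp: ok"
    else
        echo "$p: not a symlink to /tmp"
    fi
done
rm -rf "$demo_root"
```

Run it as root or not; it only reads the mount table. Replace the mock root with "/" (alias_points_to_tmp "" /var/tmp) to check the live system.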
