The obfuscated code contains malicious instructions and creates a botnet

Jul 18, 2009 10:59 GMT  ·  By

A fake exploit for a zero-day OpenSSH vulnerability, which was allegedly used in some high-profile attacks, has been circulating on the Internet recently. Compiling and running it is not a good idea, as the code contains instructions to install a botnet client and delete directories from the file system.

About two weeks ago, rumors of an undisclosed vulnerability in OpenSSH started spreading. A system log showing an attack in progress suggested that a group named "anti-sec" was in possession of an OpenSSH exploit called "Open0wn," which was being used to compromise Linux and FreeBSD servers.

Not long after, anti-sec took credit for an attack against ImageShack and positioned itself as an opponent of full disclosure and of the security industry. Security researchers eventually agreed that these compromises were most likely the result of brute-force attacks against weak credentials rather than the exploitation of an OpenSSH vulnerability.

Source code masquerading as the Open0wn exploit has been circulating on pastebin and other websites for the past few days. The fake exploit contains three obfuscated byte strings, defined as jmpcode[], shellcode[] and fbsd_shellcode[], in the form that genuine shellcode arrays normally take.

Thierry Zoller, one of the security researchers who inspected the code, warns that it has nothing to do with exploiting an OpenSSH vulnerability. The jmpcode[] array is not machine code at all but the hex-encoded form of "rm -rf ~ /* 2> /dev/null &", a command that deletes the user's home directory and everything under the root directory that the user has permission to remove, with errors silenced and the deletion running in the background. Run as root, it wipes the entire file system.

The shellcode[] and fbsd_shellcode[] arrays open a socket connection to euIRC, an Internet Relay Chat network, and join a key-protected channel, turning every machine that ran the "exploit" into a bot. "We're investigating this resulting botnet and are about to shut it down asap," someone from the euIRC staff writes.

It is unclear who released this code, which reportedly compiles and has the same effect on Mac OS X, or what their intention was. It might well be the work of the anti-sec group itself, aimed at vulnerability researchers or at script kiddies who are always on the lookout for new exploits.

However, security experts are unlikely to fall for this trap, as standard procedure is to inspect the code before running it, and then to run it only in a controlled environment, such as a virtual machine that can easily be restored to a clean snapshot.