Old CGI-PHP vulnerability used to spread Bitcoin botnet

Attackers targeting a flaw patched in 2012 are looking to build a botnet

bitcoin
Credit: REUTERS/Benoit Tessier

In 2012, researchers discovered a flaw in some PHP builds that would enable a remote attacker to execute commands on the server, if PHP was configured as a CGI script (PHP-CGI) at the time. Now, it's being used again to propagate a botnet and mine for Bitcoins.

Scanning for said flaws was easily automated, and the issue has been linked to various attacks several times over the years. This week, following a spike back in August, researchers at Trustwave noticed an uptick in attacks targeting the PHP-CGI flaw, and the endgame is the installation of BoSSBoTv2.

The malware is botnet script, and the fact that it's been coded in C is a bit of a unique twist on the common botnet developments, which are often written in Perl or PHP.

In August, after honeypots detected automated scans targeting the PHP-CGI vulnerability, one researcher discovered an ad online offering the full source code to BoSSBoTv2 to the highest bidder. It isn't clear if someone bought the code, but several weeks later the malware was circulating again.

If the server is vulnerable to the PHP-CGI issue, the attacker will attempt to install both 64-bit and 32-bit software. There are no OS checks, so the automation simply attempts both to see what sticks.

The target in this case isn't home users, but businesses that rent their servers (dedicated webhosting or VPS hosting) or co-locate them. The reasoning is simple. Enterprise servers have stronger processing power and are connected to faster pipes, offering speeds of up to 100Mbps or more in some cases.

Once installed, the malware enables the attacker to control the servers directly via remote shell or IRC. The IRC aspect is the main selling point for the software, as it's promoted as a botnet tool (for DDoS), but with the additional feature of Bitcoin mining, since the servers have the processing power.

Fees for BoSSBoTv2 are $125 for lifetime updates, or $25 for the basic package, but upgrades will be extra. Currently, there isn't much detection coverage on the latest binaries used in the attack [Example 1] [Example 2].

Administrators are advised to look for strings that contain POST variables that are Base64 encoded, which result in anything other than a 404 error. The discovery of such log messages could be an indicator of compromise. The following directories are being targeted during the automated scans:

  • /cgi-bin/php
  • /cgi-bin/php4
  • /cgi-bin/php5
  • /cgi-bin/php.cgi
  • /cgi-bin/php-cgi
To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.