Active Perl/Shellbot Trojan, (Sat, Oct 26th)

ISC received a submission from Zach of a Perl/Shellbot.B trojan served by fallencrafts[.]info/download/himad.png[1]. The trojan has limited detection on Virustotal [2] and the script contains a “hostauth” of sosick[.]net[3] and the IRC server where the compromised systems are connecting to is located at What we have so far, it appears it is exploiting older version of Plesk.

md5: bca0b2a88338427ba2e8729e710122cd  himad.png
sha-256: 07f968e3996994465f0ec642a5104c0a81b75b0b0ada4005c8c9e3cfb0c51ff9  himad.png



Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.