New malware with user-agent value: Parser::Template::Auto=CODE(<hex addr>)

There is a new piece of malware attempting to guess WordPress account credentials. You can recognize it by its odd user-agent header. Here is the first one I saw:

Parser::Template::Auto=CODE(0xa1d5ff0)

All subsequent occurrences have been identical other than the hexadecimal value inside the parentheses.

The first incidence of this user-agent on my site occurred at 2015-09-02T07:35:06 UTC; that is, ten days ago. Since then I’ve seen at least 241 attacks with that signature (see note below). Googling for "Parser::Template::Auto=CODE" (including the quotes) returns a lot of hits from web log analysis tools. I didn’t see any predating the first instance I found in my logs. Which isn’t to say there aren’t any but it’s pretty clear this malware probably started attacking within a day or two of the first attack my system logged. Which is to say, around September 1st.

Of those 241 attacks the breakdown by country is

46 NL
  43 FR
  34 US
  25 CH
  24 DE
  18 GB
  13 SE
  11 RO
   5 CZ
   3 LU
   3 CA
   2 UA
   2 RU
   2 PL
   2 MD
   2 FI
   2 BY
   1 SK
   1 HU
   1 ES
   1 AT

More interesting is that 218, 90%, of those 241 attacks originated from ToR exit nodes. The remaining 23, 10%, are probably ToR exit nodes since they originate from cloud hosting providers with known ToR exit nodes and whose reverse-DNS (rDNS) host names are generic (e.g., ovh.net addresses) or highly suggestive (e.g., privateinternetaccess.com).

Based on the double colons and CODE token I am confident this is from a Perl language module meant to convert templates into concrete text. Most likely the person using the module made a mistake in how they invoke the method thus causing the module to emit a diagnostic rather than the expected interpolated template. However, I did a bit of Googling and searching CPAN and could not find a published module with that signature. So another possibility is this is a module written by the malware author.

Note: I say “at least 241 attacks” because I installed the Mac OS X El Capitan “golden master” release during this period which resulted in my losing almost a full days worth of Apache logs.

P.S., The address 18.243.0.29 shows up in my logs with this attack signature. That address is owned by MiT and resolves to hostname zscore.mit.edu. That does not appear to be a known ToR exit node but MiT does have many known ToR exit nodes so I would not be surprised if this address was simply not yet classified as such.

Update 2015-09-15: Given that all the attacks appear to be originating from ToR exit nodes it occurs to me the strange user-agent header could be the result of ToR software anonymizing the request rather than a characteristic of the malware. In other words the odd HTTP user-agent header might be just an artifact of the malware using ToR to hide the origin of the attack and not a mistake on the part of the hacker.