Password theft has been a growing problem for the security community. Researchers at Arbor Networks have uncovered a botnet called Fort Disco that was used to compromise more than 6000 websites based on popular CMSs such as WordPress, Joomla and Datalife Engine.
The Fort Disco botnet is currently made up of nearly 25,000 Windows machines and receives a list of sites to attack from a central command and control server. The bots also receive a list of common username-password combinations, typically default credentials with passwords such as admin or 123456.
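From the defender's side, the attack described above shows up in a site's web server access log as a burst of POST requests to the CMS login endpoint, either from one host running through the credential list or spread thinly across many bots. The following detection script is an added example, not code from Arbor Networks or from the article; the login paths, thresholds and the sample log lines are assumptions constructed for the illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Login endpoints of the CMSs the article names; the paths are assumptions
# for this example, not values from the article.
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php", "/admin.php"}

# Combined log format: source IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample traffic (not real data): one host hammering wp-login.php,
# three bots making one Joomla attempt each, and a legitimate admin login.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Aug/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3511 "-" "Mozilla/4.0"
203.0.113.10 - - [05/Aug/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3511 "-" "Mozilla/4.0"
203.0.113.10 - - [05/Aug/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3511 "-" "Mozilla/4.0"
203.0.113.10 - - [05/Aug/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.7 - - [05/Aug/2013:10:01:10 +0000] "POST /administrator/index.php HTTP/1.1" 200 2100 "-" "Mozilla/4.0"
198.51.100.8 - - [05/Aug/2013:10:01:11 +0000] "POST /administrator/index.php HTTP/1.1" 200 2100 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Aug/2013:10:01:12 +0000] "POST /administrator/index.php HTTP/1.1" 200 2100 "-" "Mozilla/4.0"
192.0.2.5 - - [05/Aug/2013:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def login_posts(log_text, window_s=300):
    """Yield (ip, window) for every POST to a login endpoint, where window is
    the fixed window_s-second bucket the request's timestamp falls into."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in LOGIN_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], int(ts.timestamp()) // window_s


def detect(log_text, per_ip=4, site_wide=8, window_s=300):
    """Return (noisy_ips, busy_windows). noisy_ips: sources with at least
    per_ip login POSTs in one window (one host working through a list).
    busy_windows: windows where the whole site saw at least site_wide login
    POSTs; this still fires when a botnet spreads the list over many hosts."""
    per_src = Counter(login_posts(log_text, window_s))
    per_win = Counter()
    for (_, win), n in per_src.items():
        per_win[win] += n
    noisy_ips = sorted({ip for (ip, _), n in per_src.items() if n >= per_ip})
    busy_windows = sorted(win for win, n in per_win.items() if n >= site_wide)
    return noisy_ips, busy_windows
```

The site-wide counter matters more than the per-IP one against a botnet of this size, since 25,000 hosts can each try a handful of passwords without any single address looking unusual.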
Arbor Networks security researcher Matthew Bing said the attack has several advanced features that make it next to impossible to fully track. The researchers obtained valuable information on the botnet by exploiting a misconfiguration on the attackers' side that left the logs on several of the six command and control servers discovered open to analysis.
“We stumbled upon these detailed logs the attacker left open on some of the command and control servers,” Bing said. “We were able to piece together enough of the picture.”
The Fort Disco botnet was responsible for a series of brute-force attacks against thousands of websites. On compromised websites, security experts found a variant of the FilesMan PHP backdoor, used by the botmaster to remotely control the victims' PCs.
The backdoor allows file management on the victims as well as the download and execution of malicious payloads, and it is used to send commands to the bots. A PHP shell uploaded to compromised sites in fact lets the botmaster issue commands to tens of thousands of bots quickly.
Fort Disco is similar to the Brobot attacks being used in the ongoing attacks against financial services firms. Arbor does not have evidence that the Fort Disco attacks are related to the QCF/Brobot incidents or to the phishing campaigns that have been used against the banks.
"Beginning with the Brobot attacks in early 2013, we’ve seen attackers focusing on targeting blogs and content management systems," Bing states. "This marks a tactical change in exploiting weak passwords and out-of-date software on popular platforms."
Another detail that emerged from the investigation is that a small number of websites also hosted a PHP-based redirector used to send visitors to websites hosting the Styx exploit kit.
The top three countries in terms of infections are the Philippines, Peru, and Mexico. Bing added that the authors are likely Russian, given that the C&Cs were found on Russian and Ukrainian IP addresses, the default characters are Cyrillic, and some error strings within the malware were written in Russian.