Friday, 9 August 2013

BOTNET "FORT DISCO" BRUTE FORCE ATTACKS WORDPRESS - JOOMLA

Password theft has been a growing problem within the security community. Arbor Networks researchers have discovered a botnet called "Fort Disco" that has been used to compromise more than 6,000 websites running popular CMS platforms such as WordPress, Joomla and DataLife Engine.
The "Fort Disco" botnet currently consists of about 25,000 Windows machines and receives the list of sites to attack from a central command and control server. The bots also receive a list of common username/password combinations, typically made up of default or trivial credentials such as the username "admin" paired with passwords like "123456".
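The attack pattern described above (many bots, each trying a short list of common credentials against CMS login pages, so that no single source IP trips a per-IP rate limit) is what a site operator would want to spot in their own web server logs. The following is an added example, not code from the article or from Arbor Networks: a Python script that parses Apache/nginx combined-format access logs and flags distributed POST floods against WordPress, Joomla and DataLife Engine login endpoints. The DataLife Engine admin path (/admin.php), the thresholds, the 200-vs-redirect success heuristic and the sample log lines are assumptions or constructed data, not facts taken from the article.

```python
"""Detect distributed brute-force logins against CMS admin pages in a
combined-format (Apache/nginx) access log.  Added example with constructed
sample data; not code from the article or from Arbor Networks."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Login endpoints.  /wp-login.php and /administrator/index.php are the stock
# WordPress and Joomla paths; /admin.php for DataLife Engine is an assumption.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/admin.php")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Parse one combined-format line into a dict; return None on garbage."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec


def is_login_attempt(rec):
    """A credential guess is a POST to one of the login endpoints."""
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS


def detect_bruteforce(lines, window=timedelta(minutes=10),
                      min_attempts=20, min_ips=5):
    """Per endpoint, slide a time window over login POSTs and mark every
    attempt that falls in a window with >= min_attempts from >= min_ips
    distinct sources (the distributed pattern a single-IP rate limiter
    misses).  Heuristic for success (an assumption): WordPress and Joomla
    re-render the form with 200 on a failed login and answer a good one
    with a 30x redirect, so a 30x inside the flood is worth a look."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_login_attempt(rec):
            attempts[rec["path"]].append(rec)

    findings = {}
    for path, recs in attempts.items():
        recs.sort(key=lambda r: r["ts"])
        flagged = [False] * len(recs)
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            if len(chunk) >= min_attempts and len({r["ip"] for r in chunk}) >= min_ips:
                for i in range(start, end + 1):
                    flagged[i] = True
        hits = [r for r, f in zip(recs, flagged) if f]
        if hits:
            findings[path] = {
                "attempts": len(hits),
                "distinct_ips": len({r["ip"] for r in hits}),
                "first": hits[0]["ts"], "last": hits[-1]["ts"],
                "possible_success_ips": sorted(
                    {r["ip"] for r in hits if 300 <= r["status"] < 400}),
            }
    return findings


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed sample: one legitimate admin login hours earlier, a GET
    and a junk line, then 24 bots each trying three guesses 20 s apart; the
    last guess from the last bot gets a redirect (a likely hit)."""
    t0 = datetime(2013, 8, 9, 3, 0, 0, tzinfo=timezone.utc)
    lines = [_line("203.0.113.7", t0 - timedelta(hours=5), "POST", "/wp-login.php", 302),
             _line("198.51.100.2", t0, "GET", "/wp-login.php", 200),
             "this line is not a log entry"]
    for i in range(24):
        for k in range(3):
            ts = t0 + timedelta(seconds=20 * (3 * i + k))
            status = 302 if (i == 23 and k == 2) else 200
            lines.append(_line(f"192.0.2.{i + 10}", ts, "POST", "/wp-login.php", status))
    return lines


if __name__ == "__main__":
    for path, f in detect_bruteforce(sample_log()).items():
        print(f"{path}: {f['attempts']} attempts from {f['distinct_ips']} IPs "
              f"between {f['first']} and {f['last']}; "
              f"IPs that got a redirect: {f['possible_success_ips']}")
```

The sliding window is keyed on distinct source IPs rather than on a single address because that is exactly what a botnet of this size buys the attacker: a few guesses per bot stay under any per-IP threshold. On a real deployment, run it over rotated logs for every virtual host and confirm any redirect hit against the CMS's own authentication log before treating it as a compromise.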
Arbor Networks security researcher Matthew Bing said the attack has several advanced features that make it almost impossible to build a complete picture; the valuable information was obtained by exploiting a misconfiguration on the attackers' side, which made it possible to analyze the logs on several of the six command and control servers discovered.
"We stumbled upon these detailed records that the attacker left open in some of the command and control servers," Bing said. "We were able to piece together quite the picture."
The "Fort Disco" botnet was responsible for a series of brute-force attacks against thousands of websites; on the compromised websites, security experts found FilesMan, a variant of PHP backdoor that the botmaster uses to remotely control the victims.
The backdoor allows the attacker to manage files on the compromised site and to download and execute further malicious code, and it is also used to send commands to the bots. With a PHP shell uploaded to compromised sites, the botmaster can quickly issue commands to tens of thousands of bots.
Fort Disco is similar to Brobot, which has been used in the ongoing attacks against financial services companies. Arbor has no evidence, however, that the "Fort Disco" attacks are related to the QCF / Brobot incidents or to the phishing campaigns that have been used against the banks.
"From the Brobot attacks in early 2013, we have seen that the attackers focus on targeting blogs and content management systems," Bing states. "This marks a tactical shift in the exploitation of weak passwords and out-of-date software on popular platforms."
Another detail that emerged from the research is that a small number of the websites also host a PHP-based redirect used to send visitors to websites hosting the Styx exploit kit.
The top three countries by number of infections are the Philippines, Peru and Mexico. Bing added that the authors are probably Russian, as the C&C IP addresses were located in Russia and Ukraine, the default character set is Cyrillic, and some error strings in the malware were written in Russian.
New Botnet Campaign 'Fort Disco' Brute-Forcing Thousands of WordPress, Joomla Websites
