Large Botnets Attack WordPress And Joomla

Two large botnets are using or targeting various content management systems, including the massively popular WordPress and Joomla.

The most recent campaign has been labelled Fort Disco, which began in late May 2013, according to Arbor Networks. Arbor has found six command and control servers, running over 25,000 infected Windows machines that have been used to attack CMS systems using brute force (running through large lists of possible passwords).

To date, 6,000 installations of WordPress, Joomla and Datalife Engine have been compromised.

Botnets target CMSs

Arbor got an insight into the campaign, because those behind the Fort Disco campaign left there log files publicly accessible. Despite that slip up, the botnet master had used some semi-smart malware to avoid detection.

At least four kinds of malware have been used, with a command telling them to focus on a variable list of target sites, consisting of between 5,000 to 10,000 sites at a time.

Another command tells them what password to use, sometimes offering a  URL to a password list. Successful hacks are reported back to the botnet master.

In 788 cases, a PHP backdoor was installed on the targeted sites, allowing the attackers to browse the filesystem, upload or download files and execute commands on the affected server. “By uploading a PHP shell to compromised sites, an attacker can easily issue commands to thousands of compromised sites in seconds,” said Arbor’s Matthew Bing.

On several sites, a redirector was sending users to the Styx exploit kit. Arbor also believes the attackers were recruiting CMSs and blogs to be part of the botnet for future attacks.

Arbor believes the perpetrator is based in a post-Soviet state. Most of the targeted sites were based in Russia or the Ukraine, and all of the command and control sites are based in the two countries.

What remains a mystery is how malware is finding its way onto machines in the first place. “We were able to find reference to the malware’s original filename (maykl_lyuis_bolshaya_igra_na_ponizhenie.exe) that referred to Michael Lewis’ book ‘The Big Short: Inside The Doomsday Machine’ in Russian with an executable attachment,”

“Another filename, proxycap_crack.exe, refers to a crack for the ProxyCap program. It’s unclear if victims were enticed to run these files, and if so, if that is the only means of infection. The C&C sites did not offer additional clues as to the infection mechanism.”

Trend Micro has also warned thousands of compromised sites based on WordPress, Drupal and Joomla are being used as part of a spamming botnet. The compromised sites contain a payload link and a spamming script, which are sent to users in a bid to spread malware.

Trend believes 195,000 domains and IPs have been infected as part of the StealRat spambot campaign. “The common denominator among these compromised sites is that they are running vulnerable CMS software,” it said in a blog post this week.

What do you know about Internet security? Find out with our quiz!