On Wednesday, Arbor Networks released a report on a massive password bruteforcing attack campaign. CSO followed the trail left by the attackers and independently confirmed many of Arbor's findings. However, the campaign is ongoing, and the attackers look to be covering their tracks.
Since April of this year, a campaign has systematically targeted websites running either WordPress or Joomla, the top two blogging and CMS development platforms on the Web. A smaller number of attacks have focused on the Russian platform Datalife Engine.
In each attack, infected Windows systems are called up to bruteforce the targeted domain, by hitting the administration pages and guessing common usernames and passwords until access is granted. Once that happens, the attackers upload additional files, passing them off as add-on modules for the platforms, which are in reality nothing more than a PHP shell that enables complete control over the webserver.
How the host systems became infected remains a mystery. However, Arbor was able to track the attackers, initially at least, due to the use of hardcoded Command and Control (C&C) addresses in the malware itself. Incidentally, it was the File Description used by one of the malware variants -- Fort Disco -- that helped Arbor name the botnet recently discovered pushing the attack.
The hardcoded C&C address in the malware led Arbor to the attackers' logs and the discovery of additional details about these attacks. One discovery was the fact that compromised hosts, and not the webservers themselves, were behind the bruteforce attempts. In April, speculation on the matter went both ways, so Arbor confirmed that (at least for this campaign) the heavy lifting comes from a desktop.
"That's kind of what makes this case interesting, is that we were able to find detailed logs, showing all of the activity. That's extremely rare in these types of cases," Matthew Bing, one of Arbor's main researchers on the Fort Disco investigation, told CSO.
The logs were a wealth of data. According to what was made available, logs from across six C&C servers (four of which CSO independently examined) show some 25,000 infected Windows systems running the attacks, and more than 6,000 compromised domains. Arbor says that the bulk of the compromised websites reside in Russia and the Ukraine, a fact that CSO confirmed when looking at the logs for ourselves.
However, we also noticed a number of confirmed compromised domains, and attempts against domains, in Belarus, Canada, Germany, the U.K., and Uzbekistan, just to name a few. Moreover, the timestamps on some of the logs show recent activity, suggesting that not only is the attack ongoing, it's growing.
This growth, however, also includes changes by the attackers themselves. CSO located a copy of the control script that feeds the bots commands from the C&C. In this script, the logging function was disabled, meaning that the newest data on the latest compromised domains isn't recorded publicly as the others were. Instead, this information is fed to a MySQL database, hosted either offsite or by the C&C itself.
One file obtained by CSO contains a list of 411,667 domains to be targeted, once we removed the duplicates from that list. Further, a list of 1,200 domains (412 more than initially reported) with at least one shell script installed was also discovered, leaving 4,800 domains with compromised admin areas, where the attackers have yet to install a backdoor on the server.
However, this data is only valid up to the point of the last log entry, which is July 31, 2013. Since the logs stopped recording, there is no way to confirm if additional webservers have been shelled. The other interesting aspect to the Fort Disco campaign is that the attackers seem to be hoarding the compromised domains.
"So far it seems like they haven't utilized the breadth of the number of compromised logins that they currently have," Bing said.
"Other than the few exploit kits we found, the tools were installed, but we didn't see any evidence that [the attackers] actually used them, or modified any of the compromised sites in any way."
As mentioned, once a site is compromised, the attackers upload shell scripts in order to keep their foothold. As evidenced by some of the logs viewed by CSO, the attackers also track the validity of those shells, creating separate lists of compromised servers that are still reachable and ones that have since been cleaned of backdoors.
Such scripts would enable the attacker to upload additional files, as well as modify the server itself -- assuming it wasn't properly configured. Otherwise, unless a vulnerability is exploited, standard webserver permissions and restrictions apply.
When it comes to why these servers are being collected, as it were, there are two likely options. The first option is to use them for DDoS attacks. Once the shell scripts are in place, adding DDoS tools to the compromised server would be a trivial task.
The bandwidth from these servers is many times greater than that of a typical home connection. By targeting blogging and CMS platforms that are poorly implemented, such as using default credentials, and weak or easily guessable passwords, the attackers have turned a target of opportunity into a dangerous weapon.
The second option is to use the compromised domains to host exploit kits and deliver malware. While investigating, Arbor noted the existence of a redirection script (CSO confirmed this on three domains) that eventually leads to the Styx exploit kit. Styx is a rather expensive crime kit, costing upwards of $3,000.00 USD, but is versatile enough that criminals with a budget favor it over the others on the market.
Detecting / Mitigating Fort Disco and similar threats
The methods used by those behind Fort Disco are both clever and technical. However, the scripts powering the infected Windows systems are easily detected on a webserver. The following files are consistent on each of the C&C servers that were examined.
- This file will contain the following unique strings, which can be filtered out during a directory file search: "shell_check" "brut"
- jm.txt / jm.php
- These two files are the shell scripts. They're usually in a /tmp/ folder (or /img/) inside /public_html/ or /www/
- They may also appear as mod_system.php (WordPress) or mod_msn.php (Joomla). On Datalife Engine, the shell is usually jm.php, but it's been listed as tmp.php as well.
- The shell scripts have also been discovered inside the /wp-content/ folder, under plugins or uploads. In some cases they've been found inside the /themes/ directory. It's rare to see them in the root directory of the website.
- Within each file is a mention of "FilesMan" as well as a call for "auth_pass" at the start of the file. The shell scripts are password protected once installed. Unfortunately, the password to access them is readily available online.
- Another way to look for signs of attack is to search for files using Windows-1251 as the character set. Unless Cyrillic is the expected character set on your webserver, this could be a clear indication something has gone wrong.
- You can also use the find command to check for recent changes to directories. Running it with the -mtime -2 switch from cron twice a week is a good place to start.
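The indicators in the list above can be combined into a single sweep of a web root. The following scanner is an example added to this article, not a tool from Arbor or CSO: it flags the file names named above (jm.php, jm.txt, mod_system.php, mod_msn.php, tmp.php), files that contain both "FilesMan" and "auth_pass", files declaring Windows-1251, and files modified within the last two days (the same window as find -mtime -2). The directory tree it scans is constructed inline for demonstration; the extension list, the 64 KB read window and the requirement that both shell strings appear together are this example's own assumptions.

```python
"""Sweep a web root for the Fort Disco shell indicators described above.

Example code added to the article; the sample tree is constructed, not a capture.
"""
import os
import re
import shutil
import tempfile
import time

# File names reported in the article for the uploaded shells.
SUSPECT_NAMES = {"jm.php", "jm.txt", "mod_system.php", "mod_msn.php", "tmp.php"}
# Both strings are reported as present in every shell; requiring both is an
# assumption of this example to keep false positives down.
SHELL_MARKERS = (b"FilesMan", b"auth_pass")
# Matches charset=windows-1251 in meta tags, headers or PHP source.
CHARSET_RE = re.compile(rb"charset\s*=\s*[\"']?windows-1251", re.IGNORECASE)
# Extensions worth opening (assumption).
SCAN_EXT = {".php", ".phtml", ".txt", ".html", ".htm"}


def check_file(path, now=None, recent_days=2):
    """Return the sorted list of indicator names that fire for one file."""
    now = time.time() if now is None else now
    hits = []
    if os.path.basename(path).lower() in SUSPECT_NAMES:
        hits.append("suspect-name")
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536)  # shells are small; read only the head
    except OSError:
        return sorted(hits)
    if all(marker in head for marker in SHELL_MARKERS):
        hits.append("filesman-shell")
    if CHARSET_RE.search(head):
        hits.append("windows-1251")
    if now - os.path.getmtime(path) < recent_days * 86400:
        hits.append("recently-modified")
    return sorted(hits)


def scan_webroot(root, now=None):
    """Walk root and map each flagged file (relative, '/'-separated) to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            hits = check_file(path, now=now)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def build_sample_webroot(root):
    """Constructed sample tree: two benign files, two shells, one odd charset."""
    old = time.time() - 10 * 86400  # "old" files last touched ten days ago
    files = {
        "public_html/index.php": (b"<?php echo 'hello'; ?>", old),
        "public_html/wp-content/plugins/akismet/akismet.php": (b"<?php /* benign */ ?>", old),
        "public_html/tmp/jm.php": (b"<?php $auth_pass = 'x'; /* FilesMan */ ?>", None),
        "public_html/wp-content/uploads/mod_system.php": (b"<?php // FilesMan\n$auth_pass='y'; ?>", None),
        "public_html/img/readme.html": (b'<meta charset="windows-1251">', old),
    }
    for rel, (body, mtime) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        if mtime is not None:
            os.utime(path, (mtime, mtime))


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="fortdisco-demo-")
    try:
        build_sample_webroot(root)
        return scan_webroot(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, hits in sorted(run_demo().items()):
        print(f"{rel}: {', '.join(hits)}")
```

On a real host, call scan_webroot() on the account's document root from the same cron job that runs find; a file that trips "filesman-shell" or "suspect-name" deserves immediate review, while "recently-modified" or "windows-1251" on their own are prompts to look, not verdicts.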
The key factor in these attacks, however, is the passwords used for the administrator accounts on the various websites. They are easily guessed, and the wordlists used by the Fort Disco bots hit all of the basics, including the most commonly used password -- admin.
After that, '123456'; '123123'; and '12345' were the other favorites. However, the password lists also include variants, such as using the domain plus additional letters or numbers (example: xyz.com123 or xyzcom123).
"The top ten passwords for these sites seem to indicate that these are targets of opportunity as these passwords are the weakest of the weak," Bing wrote in his blog post on the topic.
On average, the bots are using password lists of anywhere from 150 to 1,000 passwords. In addition to the common ones, CSO observed a list that targets keyboard patterns, as well as music-related terms and common names.
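The patterns described in the last four paragraphs (the top passwords, the domain-plus-suffix variants such as xyz.com123 or xyzcom123, and keyboard walks) can be turned into a policy check that runs when an administrator sets a password. The function below is an example added here, not Arbor's wordlist or any CMS's own validator: the COMMON set is a constructed sample that includes the four passwords the article names, the keyboard rows, the 12-character minimum and the rule that a password starting with a domain of five or more characters counts as domain-derived are this example's assumptions.

```python
"""Reject admin passwords that the Fort Disco-style wordlists would guess.

Example code added to the article; the wordlist subset is constructed.
"""
import re

# Constructed sample; the article names admin, 123456, 123123 and 12345.
COMMON = {"admin", "123456", "123123", "12345", "password", "qwerty"}
# Keyboard rows used to spot walks like "asdfgh" (assumption).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12  # assumption; the article states no minimum
SUFFIX_RE = r"[0-9!@#$%^&*._-]+"


def domain_variants(domain):
    """Forms of the site's domain a wordlist would combine with suffixes."""
    d = domain.lower()
    if d.startswith("www."):
        d = d[4:]
    return {d, d.replace(".", ""), d.split(".")[0]}


def is_keyboard_walk(pw, min_len=4):
    """True if pw contains a run of min_len adjacent keys from one row."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in p:
                    return True
    return False


def check_password(pw, domain):
    """Return a rejection reason, or None if the password passes the policy."""
    p = pw.lower()
    if p in COMMON:
        return "common-password"
    # Strip leading/trailing digits and symbols so admin1, !admin2013 and
    # xyz.com123 are judged by their core.
    core = re.sub(SUFFIX_RE + "$", "", p)
    core = re.sub("^" + SUFFIX_RE, "", core)
    if core in COMMON:
        return "common-password-with-suffix"
    variants = domain_variants(domain)
    if core in variants or p in variants:
        return "domain-derived"
    if any(p.startswith(v) for v in variants if len(v) >= 5):
        return "domain-derived"
    if is_keyboard_walk(p):
        return "keyboard-pattern"
    if len(pw) < MIN_LENGTH:
        return "too-short"
    return None


if __name__ == "__main__":
    for candidate in ("admin", "xyz.com123", "xyzcom123", "Admin1",
                      "asdfgh!", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate, 'www.xyz.com')}")
```

Hook a check like this into the CMS's password-change path (WordPress and Joomla both expose validation hooks for this), and pair it with a login attempt limit: the bots work through lists of 150 to 1,000 guesses, so an account that locks or throttles after a handful of failures is out of their reach even when the password is mediocre.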
Finally, the C&C script itself makes heavy use of PHP's fopen and fwrite functions. Thus, another step to protecting your organization's digital assets is to harden the webserver, and limit the functions that can be leveraged in scripting attacks.
Doing so will mitigate some of the damage on shared hosting environments to a single domain, as the shell scripts will be unable to operate outside of the user's folders.