Large Botnets Attack WordPress And Joomla

Two large botnets are using or targeting various content management systems, including the massively popular WordPress and Joomla.

The most recent campaign has been labelled Fort Disco, which began in late May 2013, according to Arbor Networks. Arbor has found six command and control servers controlling over 25,000 infected Windows machines that have been used to attack CMS systems using brute force (running through large lists of possible passwords).

To date, 6,000 installations of WordPress, Joomla and Datalife Engine have been compromised.

Botnets target CMSs

Arbor gained insight into the campaign because those behind the Fort Disco campaign left their log files publicly accessible. Despite that slip-up, the botnet master had used some semi-smart malware to avoid detection.

At least four kinds of malware have been used, with a command telling them to focus on a variable list of target sites, consisting of between 5,000 and 10,000 sites at a time.

Another command tells them what password to use, sometimes offering a URL to a password list. Successful hacks are reported back to the botnet master.
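As an added defender-side example (not from the article or from Arbor's research), the following Python flags the distributed brute-force pattern described above in web server access logs: many distinct source IPs posting to a CMS login endpoint within a short window, which a single-host, per-IP rate limit would never trip. The sample log lines, the window and threshold values, and the WordPress 200-versus-302 response heuristic are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (Apache/nginx). Assumption: method, path and status are logged.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Login endpoints of the CMSs named in the campaign (WordPress, Joomla).
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php"}

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def detect_distributed_bruteforce(lines, window_min=10, min_ips=5):
    """Group login POSTs per endpoint into fixed windows and flag windows with many
    DISTINCT source IPs: a botnet spreads guesses thinly across hosts, so per-IP
    limits stay quiet while the aggregate against one site is large.
    Heuristic (assumption): a WordPress login failure re-renders the form (HTTP 200)
    while a success redirects (HTTP 302), so a 302 inside a flagged window is
    worth investigating as a possible successful guess."""
    buckets = defaultdict(list)
    for line in lines:
        p = parse_line(line)
        if p and p[2] == "POST" and p[3] in LOGIN_PATHS:
            ip, ts, _, path, status = p
            bucket = ts.replace(second=0, microsecond=0)
            bucket -= timedelta(minutes=bucket.minute % window_min)
            buckets[(path, bucket)].append((ip, status))
    alerts = []
    for (path, start), hits in sorted(buckets.items()):
        ips = {ip for ip, _ in hits}
        if len(ips) >= min_ips:
            alerts.append({
                "path": path, "window_start": start.isoformat(),
                "attempts": len(hits), "distinct_ips": len(ips),
                "possible_success_from": sorted(ip for ip, st in hits if st == 302),
            })
    return alerts

# Constructed sample: six bots, one guess each, thin enough to evade per-IP limits.
SAMPLE_LOG = [
    '203.0.113.%d - - [03/Aug/2013:10:0%d:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "Mozilla/5.0"'
    % (i, i) for i in range(1, 6)
] + [
    '203.0.113.6 - - [03/Aug/2013:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Aug/2013:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3520 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in detect_distributed_bruteforce(SAMPLE_LOG):
        print(alert)
```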

In 788 cases, a PHP backdoor was installed on the targeted sites, allowing the attackers to browse the filesystem, upload or download files and execute commands on the affected server. “By uploading a PHP shell to compromised sites, an attacker can easily issue commands to thousands of compromised sites in seconds,” said Arbor’s Matthew Bing.

On several sites, a redirector was sending users to the Styx exploit kit. Arbor also believes the attackers were recruiting CMSs and blogs to be part of the botnet for future attacks.

Arbor believes the perpetrator is based in a post-Soviet state. Most of the targeted sites were based in Russia or Ukraine, and all of the command and control sites are based in the two countries.

What remains a mystery is how the malware is finding its way onto machines in the first place. “We were able to find reference to the malware’s original filename (maykl_lyuis_bolshaya_igra_na_ponizhenie.exe) that referred to Michael Lewis’ book ‘The Big Short: Inside The Doomsday Machine’ in Russian with an executable attachment.”

“Another filename, proxycap_crack.exe, refers to a crack for the ProxyCap program. It’s unclear if victims were enticed to run these files, and if so, if that is the only means of infection. The C&C sites did not offer additional clues as to the infection mechanism.”

Trend Micro has also warned that thousands of compromised sites based on WordPress, Drupal and Joomla are being used as part of a spamming botnet. The compromised sites contain a payload link and a spamming script, which are sent to users in a bid to spread malware.

Trend believes 195,000 domains and IPs have been infected as part of the StealRat spambot campaign. “The common denominator among these compromised sites is that they are running vulnerable CMS software,” it said in a blog post this week.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
