Research from Arbor ASERT describes a new PC botnet campaign designed to compromise web servers. Dubbed Fort Disco, the brute force logon campaign started in May and is continuing today. It directs its attacks at targeted servers, primarily CMS sites such as WordPress and Joomla. "To date," say the researchers, "over 6,000 Joomla, WordPress, and Datalife Engine installations have been the victims of password guessing."
The reason for criminal attention on such sites is basically threefold. Firstly, notes the Arbor report, "Blogs and CMSs tend to be hosted in data centers with immense network bandwidth. Compromising multiple sites gives the attacker access to their combined bandwidth, much more powerful than a similarly sized botnet of home computers with limited network access by comparison." This makes a server botnet particularly attractive for delivering high volume spam and DDoS attacks.
Secondly, these sites are designed to be interactive. Once compromised, they can be used for drive-by or waterhole attacks on visitors, and the outbound traffic from a compromised site can be missed by both the site administrator and internet spam filters.
And thirdly, most blog operators are not security experts – they frequently employ weak passwords for access to the site's administration. It is this tendency that the Fort Disco campaign is attempting to exploit.
The researchers at Arbor Networks admit that they have limited knowledge of the campaign so far, and are continuing to investigate. Nevertheless, they have located six C&C servers that control a botnet of 25,000 infected Windows computers, and have gathered enough evidence to understand the basics of the campaign.
An infected PC checks in with one of the C&C servers to receive its commands. Two of these commands specify the web servers to attack, and the passwords to attempt – the latter could be the URL of a password list. A small number of the most common – and weakest – passwords is hard coded for speed. These are usually based around 'admin' or 'administrator.'
Arbor doesn't know how the PCs are infected, but has been able to track the success of the campaign against the web servers: it found a total of 6,127 usernames and passwords in the C&C logs. It also notes that the attacks primarily seem to be directed against Russian sites – 2582 have a .RU suffix. Moreover, more than 2000 of the compromised sites use 'admin', '123456', '123123' or '12345' as the log-in password.
The moral from Arbor Networks' research is simple. Remember that Fort Disco is a current and ongoing campaign – so if you operate your own blog and use a weak password, change it to a strong one as soon as you can.