According to website security firm Incapsula, its security team uncovered the situation when it noticed suspicious behavior on one of its clients' websites. “A small and seemingly harmless general interest UK website was suddenly a focal point of a rapidly increasing number of security events,” said researchers, in a blog. “The cause? Numerous requests with encoded PHP code payload. A closer look revealed that these intercepted requests were attempts to operate a backdoor and use the website as a bot - an unwilling foot soldier in a DDoS army.”
Tellingly, the backdoor was instructed to launch HTTP and UDP flood attacks against several US banks, including PNC, HSBC and Fifth Third Bank.
Izz ad-Din al-Qassam in 2012 launched its “Operation Ababil” to protest “The Innocence of Muslims,” an anti-Islam video that mocked the Prophet Muhammad. On New Year’s Day the group said that the cyber-attacks will continue, noting in an online manifesto that “rulers and officials of American banks must expect our massive attacks! From now on, none of the U.S. banks will be safe from our attacks.”
It is unclear – yet – whether the botnet strategy is part of the same offensive (Incapsula managed to trace the attempt back to a Turkish website design company), but the timing suggests a possible connection.
The botnet appeared to be a mercenary hired gun, Incapsula uncovered. “As we continued to monitor the incoming DoS commands we saw that the attacks were precisely timed, limited for periods that varied from seven minutes to an hour,” researchers wrote. “The Botnet C&C [command and control] was commanding it to work in shifts, maximizing its efficiency and ordering it to renew the attack just as the target would start to recover. During some of these shifts the backdoor was instructed to change target and attack unrelated commercial and e-commerce sites. This all led us to believe that we were monitoring the activities of a botnet for hire.”
Botnet zombies for hire are part of a growing trend, according to the DDoS prevention firm. “In an attempt to increase the volume of the attacks, hackers prefer web servers over personal computers,” the researchers added. “It makes perfect sense. These are generally stronger machines, with access to the high quality hoster’s networks and many of them can be easily accessed through a security loophole in one of the sites.”
Meanwhile, the root vulnerability came down to the most basic of security mistakes. The administrative ID and password for the compromised site were: admin / admin.
“This is just another demonstration of how security in the internet is always determined by the weakest link,” researchers noted. “Simply neglecting to manage administrative password in a small site in the UK can be very quickly exploited by Botnet shepherds operating obscurely out of Turkey to hurl large amounts of traffic at American banks. This is a good example of how we are all just a part of a shared ecosystem where website security should be a shared goal and a shared responsibility.”
That type of misstep has potentially severe consequences. In this instance, the sheer volume of an attack carried out this way is also a new wrinkle: the PHP DoS code was designed to multiply itself, so it could take advantage of the full capacity available on the server.
“Since this is a server on hoster’s backbone, it was potentially capable of producing much more traffic volume than a regular old-school botnet zombie,” Incapsula said. To boot, the backdoor was controlled using an API, which used the server’s PHP environment to inject dynamic attack code. This allows the attacker to adapt very quickly to any changes in the website's security.
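The requests the article describes, carrying encoded PHP payloads to drive a backdoor and, later, an API that injected attack code through the server's PHP environment, are the kind of thing a site operator can spot in ordinary access logs. The scanner below is an added example, not Incapsula's code and not anything published with the article: it parses combined-format log lines, base64-decodes parameter values that look encoded, flags those that turn out to contain PHP code markers, and groups the hits by source address. The log lines, IP addresses, paths and the marker list are all constructed for the example and would need tuning for a real site.

```python
"""Flag web requests whose query parameters carry PHP code, encoded or plain.

Added illustration, not the article's or Incapsula's code. Sample data is
constructed; the marker list is deliberately short and illustrative.
"""
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

# Combined-style access log line; enough fields for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Strings that mean a parameter value is PHP code rather than user data.
PHP_MARKERS = re.compile(
    r'<\?php|\beval\s*\(|\bbase64_decode\s*\(|\bsystem\s*\(|\bfsockopen\s*\(|udp://',
    re.IGNORECASE,
)

# Shape of a base64 blob worth trying to decode: alphabet only, not too short.
B64_SHAPE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def _b64(text: str) -> str:
    """Helper used only to build the constructed sample log below."""
    return quote(base64.b64encode(text.encode()).decode(), safe='')


# Constructed sample log: one benign page view, one encoded PHP payload,
# one benign base64 token (must not be flagged), one plaintext marker,
# and one unparseable line (must be skipped, not crash the scan).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jan/2013:10:04:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1523',
    '198.51.100.7 - - [02/Jan/2013:10:04:07 +0000] "GET /img/cache.php?c='
    + _b64('<?php eval(base64_decode($_REQUEST["p"])); ?>') + ' HTTP/1.1" 200 12',
    '203.0.113.5 - - [02/Jan/2013:10:04:09 +0000] "GET /index.php?sid='
    + _b64('user=42;expires=2013-01-03') + ' HTTP/1.1" 200 1523',
    '198.51.100.7 - - [02/Jan/2013:10:04:11 +0000] "POST /img/cache.php?x=fsockopen(%22udp://%22) HTTP/1.1" 200 12',
    'garbage line that does not parse',
]


def try_b64(value: str):
    """Decoded text if value is valid base64 that decodes to UTF-8 text, else None."""
    if not B64_SHAPE.match(value):
        return None
    padded = value + '=' * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_params(target: str):
    """Yield (param, reason) for query parameters that carry PHP code."""
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if PHP_MARKERS.search(value):
                yield name, 'plaintext PHP markers'
                continue
            decoded = try_b64(value)
            if decoded is not None and PHP_MARKERS.search(decoded):
                yield name, 'base64-encoded PHP markers'


def scan_log(lines):
    """Return findings as dicts with ip, path, param and reason."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        for param, reason in inspect_params(m['target']):
            findings.append({
                'ip': m['ip'],
                'path': urlsplit(m['target']).path,
                'param': param,
                'reason': reason,
            })
    return findings


def repeat_offenders(findings, threshold=2):
    """Source IPs with at least `threshold` findings: candidates for blocking."""
    counts = Counter(f['ip'] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print('repeat offenders:', repeat_offenders(hits))
```

Two design points matter in practice. Base64 values are URL-encoded in the sample (`+`, `/` and `=` become `%2B`, `%2F`, `%3D`) because `parse_qs` turns a bare `+` into a space, which would corrupt the blob before decoding; a scanner that skips that step silently misses exactly the payloads it was written for. And a hit on a decoded value is only a lead: the benign session token in the sample decodes cleanly but matches no marker, which is why the check is on the decoded content, not on the mere presence of base64.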