Fort Disco botnet compromised more than 6000 websites

Researchers at Arbor Networks discovered a botnet called Fort Disco that was used to compromise more than 6000 websites based on popular CMSs.

A botnet called Fort Disco was used to compromised more than 6000 websites based on  popular content management systems such as Joomla, WordPress and Datalife Engine.

The Fort Disco botnet is currently made up of nearly 25,000 Windows machines and is considered still active, according to security researcher at Arbor Networks Matt Bing. Bing revealed that Arbor experts obtained precious info on the botnet exploiting a misconfiguration on the attackers’ side that made possible the analysis of logs on several of the six command and control servers discovered.

“We stumbled upon these detailed logs the attacker left open on some of the command and control servers,” “We were able to piece together enough of the picture.” Bing said.

The Fort Disco botnet was responsible for a series of brute-force attacks against thousand of websites, security experts found on compromised websites a variant of the FilesMan PHP backdoor used by botmaster to remotely control victims PC.

The backdoor allows file management on victims and also the download and execution of malicious payload and of course it is used to send commands to bots. A PHP shell uploaded to compromised sites enable in fact botmaster to use commands to tens of thousands of bots quickly.

The victims since now are maily concentrated in Peru, Mexico and in the Philippines, the U.S. and Europe were not nearly as affected.

The brute-force attacks made by the Fort Disco botnet began in May and the botnet spreads malware to nearly 25,000 Windows machines, once installed the malware request to command and control server the list of content management system sites to try to infect.

“Beginning with the Brobot attacks in early 2013, we’ve seen attackers focusing on targeting blogs and content management systems,” “This marks a tactical change in exploiting weak passwords and out-of-date software on popular platforms.” Bing states.

The bots receive also a list of common username-password combinations, typically composed by default combinations with password options including admin or 123456.

“The most common password was “admin,” which worked 893 times. The next most popular was “123456,” which worked on 588 of the compromised sites.”

Another particular emerged from investigation is that a small number of websites presented also a PHP-based redirector used to hijack victims to websites hosting the Styx exploit kit.

“We were only able to find a couple of cases where he installed the Styx malware exploit kit,” Bing said.

The botnet author’s strategy is to targets weak passwords in principal content management systems to gain control of the victim.

Bing added that Arbor security analysts discovered that all the Command & Control servers were hosted in either Russia or the Ukraine.

Which are the risks for a rapid growth of the botnet?

Bing explained that the botnet could be also used for different purposes such as DDoS attacks:

“These are brute-force attacks with common usernames and passwords—really low-hanging fruit. Attackers are realizing too that these content management systems are just as easily exploited. The real risk is that a lot of these sites are hosted on big data centers with lots of bandwidth. You could easily turn this into a DDoS bot.”

From Russia with love

No doubt Russian underground is considered the reign of cybercrime, the most prolific ecosystem for cyber threats, also in this case the rule seems to be respected, the C&C servers were identified with Russian and Ukrainian IP addresses, and the circumstance that the default characters are in Cyrillic and some error strings within the malicious code were written in Russian led researchers to believe that Russian cybercrime is behind the Fort Disco botnet.

 “Based on what we could tell, it looked like one of those things where the attacker tried to entice users to run the executable through a social engineering campaign targeted at Russians,” Bing revealed.

The researchers found two examples including an executable referring to the Michael Lewis book “The Big Short: Inside the Doomsday Machine” .

Pierluigi Paganini

(Security Affairs – Fort Disco botnet , cybercrime)