Infosec professionals have known for some time that plugins for WordPress, Joomla and other content management systems (CMSes) are being exploited by attackers.
More evidence of that has come in a report from Akamai’s Security Intelligence Research Team (SIRT), which discovered a widely distributed botnet that uses compromised CMS installations to launch co-ordinated brute-force spamming campaigns.
“The portions that could be mapped account for over 83,000 unique infections across 2 of the 4 infection layers,” says the report. While the binary infections target only Linux, the other, PHP-based, infections were found running on all major server operating systems: Windows, Linux, OS X, Unix, SunOS and variants of BSD.
Akamai has dubbed the botnet ‘Torte’ because of its multiple layers.
“It attempts to, in a highly distributed and parallel manner, brute force email address combinations for the sake of pushing spam. While this doesn’t seem like an especially efficient manner of operating a spam botnet, due to the sheer number of incorrect possibilities it undoubtedly generates, the reality is a system of this size running nonstop would burn through any legitimate email address list it was fed very quickly, leaving it with nothing to do and wasted opportunity.
“Rather than let that happen, it appears the operators have decided to capitalize on those wasted cycles. If we consider the remote UDP (User Datagram Protocol) reporting capabilities of the spoolers and how they could be used in conjunction with a logging server and specialized address generation configurations, it would be very possible to brute force a target domain’s entire list of deliverable email addresses in a fairly short timespan or even leverage them for a DDoS campaign,” the report says.
Among the email domains targeted for spam distribution are the top free email providers, such as Gmail, MSN and Hotmail.
Organizations concerned about exposure to this threat should start by checking their web servers for the presence of active infections, Akamai says. The report includes shell scripts to help with this.
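The scripts Akamai ships are specific to this botnet and are not reproduced here. As an added, generic illustration of the kind of first-pass triage a web-server owner can run while waiting for vendor indicators, the following POSIX shell script (example code, not Akamai’s script, and with no indicators taken from the report) looks for three things a plugin-based PHP infection commonly leaves behind: PHP files under the uploads tree, PHP files that pass a decoded or decompressed blob to eval, and PHP files modified recently. The WordPress directory layout, the seven-day window and the obfuscation regex are assumptions; the sample web root it builds, including the planted dropper, is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not Akamai's script): a minimal triage pass over a CMS web root
# for the kind of evidence a plugin-based PHP infection leaves behind:
#   1. PHP files under the uploads tree, which should only hold media
#   2. PHP files containing common obfuscated-loader idioms
#   3. PHP files modified within the last N days
# The WordPress paths, the regex and the time window are generic assumptions,
# not indicators from the report.

# Build a constructed sample web root so the script can be exercised offline.
make_sample_root() {
    root="$1"
    mkdir -p "$root/wp-content/uploads/2015/03" "$root/wp-content/plugins/hello"
    printf '<?php\n// legitimate plugin code\necho "hello";\n' \
        > "$root/wp-content/plugins/hello/hello.php"
    printf 'GIF89a\n' > "$root/wp-content/uploads/2015/03/photo.gif"
    # A constructed PHP dropper hiding among uploads: classic sign of a
    # compromised plugin that let an attacker write into the media directory.
    printf '<?php\neval(base64_decode($_POST["c"]));\n' \
        > "$root/wp-content/uploads/2015/03/cache.php"
}

# 1. Executable code where only media belongs.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true
}

# 2. Obfuscated-loader idioms: eval over a decoded or decompressed payload.
find_obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13)' {} + || true
}

# 3. PHP files changed within the last $2 days (default 7).
find_recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" || true
}

# Run all three checks, print a labelled report, and return 1 if anything hit
# so the script can gate an alert or a ticket.
triage_webroot() {
    root="$1"; hits=0
    for check in find_php_in_uploads find_obfuscated_php find_recent_php; do
        out=$("$check" "$root")
        if [ -n "$out" ]; then
            printf '[%s]\n%s\n' "$check" "$out"
            hits=1
        fi
    done
    return "$hits"
}

# Usage: sh triage.sh /var/www/html
if [ $# -gt 0 ]; then
    triage_webroot "$1"
fi
```

The recent-modification check is deliberately noisy (a legitimate plugin update also trips it), which is why the three checks are reported separately: a PHP file in uploads, or an eval over a decoded blob, is worth pulling the file immediately, while the recent-change list is context for deciding what else on the host changed at the same time.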
“Attackers will always target low-hanging fruit like CMS’ and web-based software, and botnets like this will continue to grow in popularity,” concludes the report. The authors also expect the number of attacks targeting Linux to increase, because an estimated one-third of the public servers on the Internet are running some variant of that operating system.