Spam bot leverages Linux-based CMSs, report warns

For some time infosec pros have known that plugins for WordPress, Joomla and other content management systems are being leveraged  by attackers.

More evidence of that has come in a report from Akamai’s Security Intelligence Research Team (SIRT), which discovered a widely distributed botnet that leverages CMS systems to launch co-ordinated brute-force spamming campaigns.

“The portions that could be mapped account for over 83,000 unique infections across 2 of the 4 infection layers,” says the report. While binary infections only target Linux, other php based infections were found running on all major server operating systems—Windows, Linux, os x, Unix, SunOS, and variants of bsd.

Akamai has dubbed the botnet ‘Torte’ because of its multiple layers.

“It attempts to, in a highly distributed and parallel manner, brute force email address combinations for the sake of pushing spam. While this doesn’t seem like an especially efficient manner of operating a spam botnet, due to the sheer number of incorrect possibilities it undoubtedly generates, the reality is a system of this size running nonstop would burn through any legitimate email address list it was fed very quickly, leaving it with nothing to do and wasted opportunity.

“Rather than let that happen, it appears the operators have decided to capitalize on those wasted cycles. If we consider the remote udp (user datagram protocol) reporting capabilities of the spoolers and how they could be used in conjunction with a logging server and specialized address generation configurations, it would be very possible to brute force a target domain’s entire list of deliverable email addresses in a fairly short timespan or even leverage them for a DDoS campaign,” the report says.

Among the targeted email domains are top free email service providers (such as gmail, MSN, hotmail) for distributing the spam.

Organizations concerned about exposure to this threat should start by checking Web servers for the presence of active infections, Akamai says. It provides shell scripts to help.

“Attackers will always target low-hanging fruit like CMS’ and web-based software, and botnets like this will continue to grow in popularity,” concludes the report. Authors also believe the number of Linux-targeted attacker will increase because an estimated one-third of the public servers on the Internet running some variant of the operating system.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web