Internet security firm Arbor Networks reports that a new botnet, Fort Disco, is made up of over 25,000 Windows PCs and is targeting blog sites and content management systems (CMS)es. Once these are infected, they can then be used to spread the botnet's malware and to attack other systems.
Matthew Bing, an Arbor Security Engineering & Response Team (ASERT) research analyst, wrote, "Arbor ASERT has been tracking a campaign we are calling Fort Disco which began in late May 2013 and is continuing. We’ve identified six related command-and-control (C&C) sites that control a botnet of over 25,000 infected Windows machines. To date, over 6,000 Joomla, WordPress, and Datalife Engine installations have been the victims of password guessing."
Arbor Networks has determined that there are at least four variants of the Windows malware used by the Fort Disco botnet. These, in turn, appear to spring from what the security expert Brian Krebs calls a high-end, "malware-as-a-service" Styx Exploit kit. With this kit a wide-variety of attacks can be made on Windows PCs.
Fort Disco-infected Windows systems then use brute-force password guessing to break into blogs and CMSes that use PHP. The botnet has installed a variant of the all too common “FilesMan” PHP back-door on almost 800 PHP-powered sites.
All the infected systems, in turn, are controlled from the half-dozen Russian and Ukrainian C&C sites. So far Fort Disco has been used for little more than spreading itself to Windows PCs and vulnerable blogs and CMS Web sites. This won't last.
Bing said, "Blogs and CMSes tend to be hosted in data centers with immense network bandwidth. Compromising multiple sites gives the attacker access to their combined bandwidth, much more powerful than a similarly sized botnet of home computers with limited network access by comparison. While we have no evidence the Fort Disco campaign is related to Brobot or denial-of-service (DoS) activity, we’ve experienced the threat that a large blog botnet can deliver." Brobot has been used to attack U.S. Banks with distributed denial of service (DDoS) attacks.
In an e-mail, Bing expanded on this theme, "This is similar to the type of botnet being used on the ongoing attacks against financial services firms. Rather than tens of thousands of PCs making up a botnet, each throwing off a relatively small amount of bandwidth, Fort Disco accesses WordPress and Joomla servers, so they need far fewer machines to have much greater impact."
That said, Bing continued, "Arbor does not have evidence that the Fort Disco attacks are related to the QCF/Brobot incidents or phishing campaigns that have been used against banks. The best evidence we have for the motivation of Fort Disco is to install drive-by exploit kits on compromised sites. But as the Brobot incidents demonstrated, WordPress/Joomla sites tend to be located in data centers with access to large network bandwidth. A botnet of these compromised sites can deliver a powerful denial of service attack. While we haven't seen the Fort Disco campaign show any interest in denial of service, the risk is certainly present."