Fort Disco: The new brute-force botnet


Summary: There's a new Windows-powered botnet, Fort Disco, slowly building up strength and cracking into PHP-based blog and content management system Web sites.


Internet security firm Arbor Networks reports that a new botnet, Fort Disco, is made up of over 25,000 Windows PCs and is targeting blog sites and content management systems (CMSes). Once these sites are compromised, they can in turn be used to spread the botnet's malware and to attack other systems.


Matthew Bing, an Arbor Security Engineering & Response Team (ASERT) research analyst, wrote, "Arbor ASERT has been tracking a campaign we are calling Fort Disco which began in late May 2013 and is continuing. We’ve identified six related command-and-control (C&C) sites that control a botnet of over 25,000 infected Windows machines. To date, over 6,000 Joomla, WordPress, and Datalife Engine installations have been the victims of password guessing."

Arbor Networks has determined that there are at least four variants of the Windows malware used by the Fort Disco botnet. These, in turn, appear to spring from the Styx Exploit kit, which security expert Brian Krebs describes as a high-end "malware-as-a-service" offering. With this kit, a wide variety of attacks can be made on Windows PCs.

Fort Disco-infected Windows systems then use brute-force password guessing to break into blogs and CMSes that run on PHP. The botnet has installed a variant of the all-too-common "FilesMan" PHP back-door on almost 800 PHP-powered sites.
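To make the password-guessing stage concrete from the defender's side, here is an added Python example (not code from the article, from Arbor Networks, or from any CMS project) that scans web-server access logs for login guessing against the WordPress and Joomla login endpoints. The log lines, IP addresses, timestamps and thresholds are constructed for the example. It goes one step beyond the article: a per-IP lockout catches a single noisy guesser but misses a botnet of this size, where each of thousands of hosts may send only a couple of guesses, so the aggregate request rate and the number of distinct sources hitting the login URL are checked as well.

```python
"""Detect password guessing against CMS login endpoints in access logs.

Two signals are computed over combined-format log lines:
  1. a single source IP issuing many login POSTs inside a short window;
  2. a distributed, low-and-slow pattern where many distinct IPs each send
     a few attempts but the aggregate rate to the login URL is abnormal.
All log lines, addresses and thresholds below are constructed examples.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Login endpoints for WordPress and Joomla (assumed paths; adjust per deployment)
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def login_attempts(lines):
    """Yield (ip, timestamp) for every POST to a login endpoint."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            yield rec["ip"], rec["ts"]

def noisy_sources(lines, window=timedelta(minutes=5), threshold=5):
    """IPs that sent more than `threshold` login POSTs inside any `window`-long span."""
    per_ip = defaultdict(list)
    for ip, ts in login_attempts(lines):
        per_ip[ip].append(ts)
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over this IP's attempts
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return flagged

def distributed_guessing(lines, window=timedelta(minutes=5), min_ips=10, min_total=20):
    """Flag many distinct IPs each making a few attempts.

    Returns (True, distinct_ips, total_attempts) for the first window in which
    at least `min_total` login POSTs arrive from at least `min_ips` sources,
    otherwise (False, 0, 0). Per-IP counts alone would never trip here.
    """
    events = sorted(login_attempts(lines), key=lambda e: e[1])
    start = 0
    for end in range(len(events)):
        while events[end][1] - events[start][1] > window:
            start += 1
        span = events[start:end + 1]
        ips = {ip for ip, _ in span}
        if len(span) >= min_total and len(ips) >= min_ips:
            return True, len(ips), len(span)
    return False, 0, 0

# ---- constructed sample log (not real traffic) ----------------------------
def _line(ip, ts, method="POST", path="/wp-login.php", status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 1234'

BASE = datetime(2013, 8, 7, 12, 0, 0, tzinfo=timezone.utc)
# one aggressive guesser: 8 attempts in under a minute (caught by per-IP threshold)
NOISY_LOG = [_line("198.51.100.7", BASE + timedelta(seconds=7 * i)) for i in range(8)]
# distributed pattern: 12 sources, 2 attempts each, spread over about four minutes
DISTRIBUTED_LOG = [_line(f"203.0.113.{n}", BASE + timedelta(seconds=20 * n + 10 * k))
                   for n in range(1, 13) for k in range(2)]
# benign traffic that must not be counted as a login attempt
BENIGN_LOG = [_line("192.0.2.5", BASE + timedelta(minutes=1), method="GET", path="/index.php"),
              _line("192.0.2.6", BASE + timedelta(minutes=2), path="/wp-comments-post.php")]
SAMPLE_LOG = NOISY_LOG + DISTRIBUTED_LOG + BENIGN_LOG

if __name__ == "__main__":
    print("per-IP flagged:", sorted(noisy_sources(SAMPLE_LOG)))
    print("distributed guessing:", distributed_guessing(SAMPLE_LOG))
```

Run against the constructed log, the per-IP rule flags only 198.51.100.7, while the twelve 203.0.113.x hosts slip under it with two attempts each; the aggregate check is what surfaces them. In production the same two counters are cheap to keep in a WAF or log pipeline, and the distributed alert is the one worth paging on for a site hosted in a data centre, since it is the pattern a large botnet produces.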

All the infected systems, in turn, are controlled from the half-dozen Russian and Ukrainian C&C sites. So far Fort Disco has been used for little more than spreading itself to Windows PCs and vulnerable blogs and CMS Web sites. This won't last.

Bing said, "Blogs and CMSes tend to be hosted in data centers with immense network bandwidth. Compromising multiple sites gives the attacker access to their combined bandwidth, much more powerful than a similarly sized botnet of home computers with limited network access by comparison. While we have no evidence the Fort Disco campaign is related to Brobot or denial-of-service (DoS) activity, we’ve experienced the threat that a large blog botnet can deliver." Brobot has been used to attack U.S. banks with distributed denial of service (DDoS) attacks.

In an e-mail, Bing expanded on this theme, "This is similar to the type of botnet being used on the ongoing attacks against financial services firms. Rather than tens of thousands of PCs making up a botnet, each throwing off a relatively small amount of bandwidth, Fort Disco accesses WordPress and Joomla servers, so they need far fewer machines to have much greater impact."

That said, Bing continued, "Arbor does not have evidence that the Fort Disco attacks are related to the QCF/Brobot incidents or phishing campaigns that have been used against banks. The best evidence we have for the motivation of Fort Disco is to install drive-by exploit kits on compromised sites. But as the Brobot incidents demonstrated, WordPress/Joomla sites tend to be located in data centers with access to large network bandwidth. A botnet of these compromised sites can deliver a powerful denial of service attack. While we haven't seen the Fort Disco campaign show any interest in denial of service, the risk is certainly present."


Talkback

32 comments
  • Fort Disco: The new brute-force botnet

    Attention all Windows users......stand by for your next attack.
    Over and Out
    • Actually, it is Linux that is under attack

      Not Windows.
      toddbottom3
      • It's PHP-based blog and CMS Web sites under attack

        Not Linux......
        RickLively
        • Linux is beleaguered

          #1 most attacked in mobile and on the web.

          Too bad Linux didn't have better security, but that's what you get when you start with a single-user, non-networked OS and just start adding security band-aids to it.
          toddbottom3
          • It's PHP-based blog and CMS Web sites under attack

            Not Linux......
            RickLively
          • Windows is attacking Linux

            And Linux is buckling under the pressure.
            toddbottom3
          • How so? Nothing listed as "buckling".

            Windows, however... yet another Windows botnet. Should shorten that to YAWB.

            And it happens to be attacking more Windows systems to grow.
            jessepollard
          • Hey IDIOTS! Linux isn't being attacked!

            Did you miss the part that said over **25,000** Windows PCs were compromised and infected with the same piece of malware that can be centrally controlled!
            The ones in control of the malware (botnet) target CMSes that use PHP.
            A CMS that uses PHP can be on Windows, just as much as it can on Linux. In fact, the word Linux isn't even mentioned in this article!

            You people...
            ingramproductions
          • MS Stooges

            SSSSHHHH!! Don't try to use logic against the MS Stooges. It only confuses them and makes them angry.

            /s
            THavoc
          • Too bad Windows has such lousy security.

            Then there would be no massive botnets to attack PHP flaws (not Linux).
            frankieh
      • Windows *is* the attack

        It's an NSA mole spying on innocent Americans through the Microsoft backdoor:
        http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data
        T1Oracle
      • Obvious Troll

        However, they couldn't add the machines to the botnet if they were not Windows machines, so for now, it's Windows machines that are targeted. Once they start using the botnet for something other than spreading itself, then it could be used for a brute force attack on anything.
        CFWhitman
      • That's right...

        The Windows machines surrendered already... that is why there is a botnet to attack PHP.
        frankieh
  • Everybody - switch to Linux - NOW!!!

    Then when all the malware peddlers and botnets move there (and they will; it's the money, stupid) we Windows users will be left alone in peace. And we can see how long it takes SVJN to write positive Windows stories and negative Linux stories.
    jwspicer
    • If you switched to Linux now

      You could be using one of the most configurable, user-friendly, absolutely visually stunning operating systems available to the general public by this evening. That's including updates and adding your favorite open source (free as in beer) programs from the software manager in your chosen OS.
      While I don't use it a lot, Linux Mint is great for noobs, as is Ubuntu. Mint is ready to go multimedia-wise; with Ubuntu you have to add non-free sources to your software repositories and then add what you need from there.
      x-windows user
      • Sounds very nice

        Almost as nice as Windows 8.

        Thanks for the post x-windows user.
        toddbottom3
        • Almost as nice; it just happens to be better.

          Much more secure.
          jessepollard
    • Let's switch!

      Yeah because this botnet is targeting PHP blogs and CMSes...

      And I'm sure there are more PHP running on Windows than on Linux.

      /s
      Samic
  • Fort Disco: The new brute-force botnet

    Just goes to show how powerful Microsoft Windows can be for distributed computing. Eat your heart out supercomputers.
    Loverock-Davidson
    • Now that was funny!

      Not quite Mike Cox, but much better than your usual offering.
      Zogg