Brute Force Attacks and Their Consequences

There is a lot of interesting discussion going on at the moment across the interwebs on the intention of the latest string of Brute Force attacks, much of which I find very interesting. While I can’t repudiate what is being said, I can add my own insight into the anatomy post attack success.

How Are These Attacks Happening

First, let’s address the most important piece of information: the how. What we know, based on the data we reported earlier, is that a very large majority of the attacks are coming from ordinary local PCs rather than servers. How do we know? We’re seeing the source IPs and their incoming request signatures.
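The "incoming signatures" mentioned above are, in practice, bursts of POST requests to wp-login.php from a single IP. The following Python script is an added example (not code from the original post or from Sucuri) showing how a site owner can pull those signatures out of an ordinary Apache/nginx combined-format access log. The log lines embedded in it are constructed, the threshold of five attempts within five minutes is an assumption, and the status-code heuristic (200 means WordPress re-rendered the login form, i.e. a failed attempt; 302 means it redirected to wp-admin, i.e. a success) is how stock WordPress behaves but should be checked against your own logs.

```python
"""Flag brute-force login bursts against wp-login.php in an access log.

Added example, not part of the original post.  Sample log lines are
constructed; thresholds are assumptions to tune for your own site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts):
#   203.0.113.7  -> six POSTs in seven seconds, the last one succeeds
#   198.51.100.4 -> a normal user: one GET, one typo, then success
#   192.0.2.9    -> five POSTs spread over two hours (slow, under threshold)
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:15:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:20:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:20:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Heuristic (assumption): stock WordPress answers a failed login with 200
# (form re-rendered) and a successful one with a 302 redirect to wp-admin.
FAILED_STATUS = 200
SUCCESS_STATUS = 302


def parse_line(line):
    """Return a dict for one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def login_attempts(lines):
    """Group POSTs to wp-login.php by source IP as (timestamp, status) pairs."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))
    return attempts


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold login POSTs inside any sliding window.

    Returns {ip: {"attempts": n, "failed": n, "succeeded": n}}.  A non-zero
    "succeeded" count on a flagged IP is the case the post is about: the
    attacker got in and will likely come back later, after the logs roll.
    """
    findings = {}
    for ip, events in login_attempts(lines).items():
        events.sort()
        times = [t for t, _ in events]
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings[ip] = {
                    "attempts": len(events),
                    "failed": sum(1 for _, s in events if s == FAILED_STATUS),
                    "succeeded": sum(1 for _, s in events if s == SUCCESS_STATUS),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in find_brute_forcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info}")
```

Run it against a real log with `find_brute_forcers(open("/var/log/apache2/access.log"))`. The slow 192.0.2.9 case is deliberately left unflagged to show the limit of a pure rate threshold; a distributed attack spreads attempts across many IPs the same way, so counting failures per target username across all IPs is the natural next check.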

A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia

What is the end-game?

This is a lot harder to address. Some of the discussion I’m seeing is specific to things post attack, what they’re doing once they gain access.

The discussion at the moment is the creation of a large WordPress botnet. While we haven’t seen evidence of this, it’s an interesting theory. Some are describing similar tactics being employed as those employed last year in 2012.

This is where I get confused because the tactics used in 2012 were exploiting TimThumb, fundamentally different than web-based brute-force attacks against CMS administrator panels.

That finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads. – Information Week Security

In this scenario, the attackers were making use of a Remote File Inclusion (RFI) vulnerability, not an authentication weakness that comes from poor access control, i.e., poor passwords.

This in itself changes the entire attack signature, and in all seriousness leaves very little similarity between the two campaigns. That doesn’t mean those commentators are wrong, though: could the attackers be looking to build a large botnet for some nefarious use? Absolutely, but that is only one of many things they could do.

The other thing to understand about the botnet used last year to disrupt the financial institutions is that those attacks were performed by hacktivists using what is known as the itsoknoproblembro Distributed Denial of Service (DDoS) toolset, which was then wired into a large criminal botnet. Why is this important? Because hacktivists, as the name implies, are out to push a cause, an agenda of some kind, and this event was no different:

A self-described hacktivist group, the Cyber fighters of Izz ad-din Al qassam, has taken credit for organizing the related Operation Ababil, which it claims is a grassroots campaign to protest the recent release of a film that mocked the founder of Islam. – InformationWeek Security

Is this attack similar and run by hacktivists? I honestly don’t know; I haven’t seen any evidence of that at all. Why is this important? To me, the people behind the attacks are as important as the attacks themselves, because they help us understand intent.

What am I getting at?

There are many things that can be done once access is gained; the creation and distribution of a large botnet is but one of them. In our experience, these are the two things we know happen, in many cases, once an environment is compromised:

Time Delay

Similar to bombs, there is a time delay once access is gained. This makes sense: it allows all the attack traffic to die down and, more importantly, to age out of the logs. We have seen this too often; some hosts will retain up to 7 days of logs, and in some instances no more than 24 hours (which is kind of sad). This means that if the attackers wait long enough they can log in however they like while website owners are none the wiser, which makes for a horrendous incident handling case.

Decisions Decisions

Once the attacker does gain access they have to figure out what to do. Do they wait? Do they inject a shell? Do they create new accounts? What kind of malicious payload do they add to the site? Do they want to sell access to the site? These are but a few thoughts running through their heads. Each one though will dictate a different approach and infection unfortunately.

Final Thoughts

Many could argue though that the real objective is for large scale search engine poisoning (SEP) attacks. This is perhaps one of the more lucrative attacks, in terms of financial gain, with the least amount of overhead and risk. Most of the other scenarios will include the integration of more complex attack sequences which would include things like various toolkits, like the Blackhole Exploit kit. A SEP also has more immediate return, just look at the recent issues with Joomla and WordPress.

What this also tells us is that the creation of a large botnet for a similar DDoS attack, while plausible, is one of many possible scenarios. The reality is that no one really knows the objective except for the attacker[s]. Is there an end-game? Isn’t there always? Will it be nefarious? Yeah, of course, but there are just too many possible scenarios at this point.

The one thing that is probably more realistic than anything else is the sheer value that this data will have in the underground. Imagine a new, updated wordlist, not only with the latest usernames and passwords, but with the website link itself.

Can I get a cha’ching? But again, only speculation.. :)

About Tony Perez

I'm a technologist with a passion for the Information Security domain. I am especially interested in malware reverse engineering, incident handling and response as well as offensive counter measures. Catch my personal rants on tonyonsecurity.com and follow on twitter at perezbox.

  • http://www.facebook.com/people/Jim-Walker/100000736622420 Jim Walker

    Simple answer really. Hacking WordPress sites- just makes a hackers day.

    WordPress is the easiest type of website to compromise today as a result of client neglect and/or naivete regarding basic security policies.
    – My password is “Password123″

    Someone bought a botnet to “acquire real estate” for their current or future nefarious search engine promotion scam (read: pharma, payday loans, et al). Or, just as likely, some good ‘ol bragging rights.
    – “I’ve jacked way more sytz than you newb!”

  • http://absolutivity.org/ Anton Lorenz Vrba

    What I do not understand is that if 90000 IP addresses are known that have a bot behind them, why it is not possible for the ISPs to dump and not carry any data belonging to those 90000 IP addresses or any other IP address that is caught trying to be malicious.

    That an innocent user suddenly no longer has internet access – I can only reply so what – it is time that all PCs become internet-worthy – if a motor car is not road-worthy nobody cries foul if that car is pulled off the road. The same mentality needs to prevail on the data highways.

    If the ISPs show some guts then these problems would not occur – this is not curtailing free speech or freedom of information, arguments that hackers hide behind.

    • http://twitter.com/CallADeveloper Call A Developer

      90,000 IPs was the starting pool – then they infect X hosts / day and 2 days later it’s 110,000+. They are infecting both websites and computers. The infections are advanced, pervasive, and extremely difficult to remove on both sides. And still nobody thinks this is serious – people are telling others not to worry and to just change passwords. That attitude is what will keep this attack going well into next week, and possibly into next month.

      ISPs are in fact blacklisting individuals, but generally this can only happen if there is outbound traffic, so these are only the computers that have received TDL3 or one of the mailers. Many of these will run virus scans or have someone who doesn’t really know what they are doing “clean” the system, maybe even remove the “active” portion of the rootkit or just the mailer, and the user will get back online. Within 3 days the rootkit will rebuild itself and possibly infect one or more additional hosts.

      The general user attitude toward security is the reason this attack was even slightly successful. If nobody used the user “admin” or any common passwords, everyone who had a website had a webmaster that knew how to run one, and people kept things up to date, this attack would have had little success.

    • Dubious

      You are website vendor A, I am a competitor of yours. I get ahold of this and compromise your server, and essentially get your ISP to block you. I have denied you revenue and boosted my business in the process.

      It doesn’t come down to denying anyone free speech or freedom of information. It then becomes a way for some to essentially take out their competition.

      There is also a reason ISP’s don’t show any guts and are trying to stay out of it other than providing a service. If provider X blocks you and you jump to provider Y they lose profits, and most likely would not see those customers return. The blocking of 90000+ IP’s could kill a small provider.

  • http://www.facebook.com/marilyn.tomlins Marilyn Z. Tomlins

    Tony, thanks for this. I have been getting this – WordPress administrator area access disabled temporarily due to widespread brute force attacks – now for four days. I am desperate. I am a freelance journalist and writer and I need access to my website and my Admin. Can you help me in any way please? Thanks in advance. Marilyn

  • http://twitter.com/CallADeveloper Call A Developer

    Unfortunately this attack seems to be very large yet very precise, and run by some very smart people with money to spend. I don’t think anyone would spend this much for SEO spam or pharma stuff, so my guess is that stuff is either “rentals” or just a distraction placed intentionally. The fact that they are distributing advanced versions of rootkits like TDL3 / TDL4 is a clue, but I am guessing that is just another method of spreading the reach of the botnet. Basically we have seen all of those things during this attack – SEO injections, pharma spam, and malware distribution. So I think we are missing the real payload here, or it just hasn’t been deployed yet – as you mentioned, attackers often leave a delay before delivering the payload.

    I recommend following this guide if your site was attacked – note you will also need to get help cleaning up the TDL / TDSS rootkit if your computer was infected:

    http://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html

    If you do not follow the whole guide, at least change your admin username to something that is not a variant of “admin”. The best thing we can do is clean up and educate users to help reduce the “reach” of the botnet.

  • http://twitter.com/Stone_MB Michael Stone

    Maybe this is the ultimate in vertical integration for porn copyright trolls. You get served with malware that illegally downloads porn from some site, then you get a letter from some law firm demanding $3000 or else they will jam you up like Jammie Thomas.

  • Hercules

    Sorry, not going to help with this kind of infection.

  • Dom

    Why “SSHD-based brute force attacks”? From sites and servers I’ve had to clean up, I reckon a poorly coded web application (or wordpress plugin) and an outdated kernel with a privilege escalation vulnerability seems more likely.

  • http://megahost.ro/ megahost

    Thanks for the post. Already changed the standard SSH port 22 on all servers and disabled password login. Using SSH keys now.

  • http://www.facebook.com/stchesmeli Serge Tchesmeli

    This post is a joke? Are you *really* a security expert? chattr on a file? If you have the right to modify a file, you have the right to change its attributes too! In fact, the real security flaw in this example is that the unix user for the web service can change the web server configuration file. Every sysadmin knows that! The user that serves web content (www-data on linux) should not have the right to modify any /etc file.

    • http://twitter.com/perezbox Tony Perez

      Hi Serge

      Nope, not an expert, where do you see that?

      I’m curious though, you state:

      If you have the right to modify a file, you have the right to change its attributes too!

      Really? I am pretty sure you have to be the root (superuser) user to leverage chattr in *NIX distros. Are you sure it’s all users when the file is writable?

      I’m also confused, you mention:

      In fact, the real security flaw in this example is that the unix user for the web service can change the web server configuration file.

      Weird, I don’t recall making any reference to the change being made by the user that controls the web service. In fact, I make specific reference to making changes as root or the administrator user. Did I miss it?

      Thanks for the insight and feedback.

      Tony

  • Ben

    Nice article. Maybe a silly question but how is an attacker able to modify /etc/httpd/conf.d/php.conf ? Wouldn’t the attacker need to have ssh root access to server? Or upload an evil script to the server somehow which is run as root?

  • Uribe100.com

    The fact is that Malsubjects will continue to cause havoc in cyberspace using everything they have in their power. It is time that we all realize that we are fighting a cyberwar where in many cases the malsubjects are winning many of these battles. It’s about time we defend ourselves with ALL we’ve got!
