There is a lot of interesting discussion across the interwebs on the intention behind the latest string of brute force attacks. While I can’t repudiate what is being said, I can add my own insight into what happens after an attack succeeds.
How Are These Attacks Happening
First, let’s address the most important piece of information, the how. Based on the data we reported earlier, a majority of the attacks are coming from local PC boxes. How do we know this? We’re seeing the IP addresses and their incoming signatures.
A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks. – Wikipedia
What is the End Game?
This is a lot harder to address. Some of the discussion is specific to what happens post attack: what they’re doing once they gain access.
Another interesting theory is the creation of a large WordPress botnet. While we haven’t seen evidence of this, some are describing tactics similar to those employed last year, in 2012.
The tactics used in 2012 exploited TimThumb, which is fundamentally different from web-based brute-force attacks against CMS administrator panels.
This finding comes from Arbor Networks, which said that attackers had compromised numerous PHP Web applications, such as Joomla, as well as many WordPress sites, many of which were using an outdated version of the TimThumb plug-in. After compromising the sites, attackers then loaded toolkits onto the sites that turned them into DDoS attack launch pads. – Information Week Security
In this scenario, the attackers were making use of a Remote File Inclusion (RFI) vulnerability, not an authentication vulnerability that comes from poor access control – i.e., poor passwords.
This changes the entire attack signature and leaves very little similarity between the two. Could they be looking to build a large botnet for some nefarious use? Absolutely! But that is only one of many things they can do.
The botnets last year, which disrupted financial institutions, were used by hacktivists using what is known as the itsoknoproblembro Distributed Denial of Service (DDoS) toolset, then wired into a large criminal botnet. Why is this important? Because hacktivists, as the name implies, are out to push a cause or an agenda of some kind. This event was no different:
A self-described hacktivist group, the Cyber Fighters of Izz ad-din Al qassam, has taken credit for organizing the related Operation Ababil, which it claims is a grassroots campaign to protest the recent release of a film that mocked the founder of Islam. – InformationWeek Security
Is this attack similar and run by hacktivists? I haven’t seen any evidence of that at all. But to me, the people behind the attacks are just as important as the attacks themselves. They help us understand intent.
What Am I Getting At?
There are many things that can be done once access is gained. The creation and distribution of a large botnet is only one of them. In our experience once a compromise occurs two things happen:
Similar to bombs, there is a time delay once access is gained. This allows all the traffic to die down and, more importantly, to age out of the logs. Some hosts will retain up to 7 days of logs, and in some instances no more than 24 hours (which is kind of sad). This means that if they wait long enough they can log in however they like and website owners are none the wiser, making for a horrendous incident handling case.
Once the attacker does gain access they have to figure out what to do. Do they wait? Do they inject a shell? Do they create new accounts? What kind of malicious payload do they add to the site? Do they want to sell access to the site? These are but a few of the options. Each one, though, will unfortunately dictate a different approach and infection.
Many could argue that the real objective is large-scale search engine poisoning (SEP) attacks. This is perhaps one of the more lucrative attacks – in terms of financial gain – with the least amount of overhead and risk. Most of the other scenarios will include the integration of more complex attack sequences involving various toolkits, like the Blackhole Exploit kit. A SEP also has a more immediate return. Just look at the recent issues with Joomla and WordPress.
What this also tells us is that the creation of a large botnet for a similar DDoS attack, while plausible, is one of many scenarios. The reality being that no one really knows the objective, except for the attacker. Is there an end-game? Isn’t there always? Will it be nefarious? Yeah, of course, but there are just too many possible scenarios at this point.
The one thing that is probably more realistic than anything else is the sheer value that this data will have in the underground. Imagine a new, updated wordlist, not only with the latest usernames and passwords, but the website link itself.
Simple answer really. Hacking WordPress sites just makes a hacker’s day.
WordPress is the easiest type of website to compromise today as a result of client neglect and/or naivete regarding basic security policies.
– My password is “Password123”
Someone bought a botnet to “acquire real estate” for their current or future nefarious search engine promotion scam (read: pharma, payday loans, et al). Or, just as likely, some good ol’ bragging rights.
– “I’ve jacked way more sytz than you newb!”
Anton Lorenz Vrba
What I do not understand is that if 90000 IP addresses are known that have a bot behind them, why is it not possible for the ISPs to dump and not carry any data belonging to those 90000 IP addresses or any other IP address that is caught trying to be malicious.
That an innocent user suddenly no longer has internet access – I can only reply: so what? It is time that all PCs become internet-worthy – if a motor car is not road-worthy nobody cries foul if that car is pulled off the road. The same mentality needs to prevail on the data highways.
If the ISPs show some guts then these problems would not occur – this is not curtailing free speech or freedom of information, arguments that hackers hide behind.
Call A Developer
90,000 IPs was the starting pool – then they infect X hosts / day and 2 days later it’s 110,000+. They are infecting both websites and computers. The infections are advanced, pervasive, and extremely difficult to remove on both sides. And still nobody thinks this is serious – people are telling others not to worry and to just change passwords. That attitude is what will keep this attack going well into next week, and possibly into next month.
ISPs are in fact blacklisting individuals, but generally this can only happen if there is outbound traffic, so these are only the computers that have received TDL3 or one of the mailers. Many of these will run virus scans or have someone who doesn’t really know what they are doing “clean” the system, maybe even remove the “active” portion of the rootkit or just the mailer, and the user will get back online. Within 3 days the rootkit will rebuild itself and possibly infect one or more additional hosts.
The general user attitude toward security is the reason this attack was even slightly successful. If nobody used the user “admin” or any common passwords, everyone who had a website had a webmaster that knew how to run one, and people kept things up to date, this attack would have had little success.
You are website vendor A, I am a competitor of yours. I get ahold of this and compromise your server, and essentially get your ISP to block you. I have denied you revenue and boosted my business in the process.
It doesn’t come down to denying anyone free speech or freedom of information. It then becomes a way for some to essentially take out their competition.
There is also a reason ISPs don’t show any guts and are trying to stay out of it other than providing a service. If provider X blocks you and you jump to provider Y they lose profits, and most likely would not see those customers return. The blocking of 90000+ IPs could kill a small provider.
Marilyn Z. Tomlins
Tony, thanks for this. I have been getting this – WordPress administrator area access disabled temporarily due to widespread brute force attacks – now for four days. I am desperate. I am a freelance journalist and writer and I need access to my website and my Admin. Can you help me in any way please? Thanks in advance. Marilyn
Call A Developer
Unfortunately this attack seems to be very large yet very precise, and run by some very smart people with money to spend. I don’t think anyone would spend this much for SEO spam or pharma stuff, so my guess is that stuff is either “rentals” or just a distraction placed intentionally. The fact that they are distributing advanced versions of rootkits like TDL3 / TDL4 is a clue, but I am guessing that is just another method of spreading the reach of the botnet. Basically we have seen all of those things during this attack – SEO injections, pharma spam, and malware distribution. So I think we are missing the real payload here, or it just hasn’t been deployed yet – as you mentioned, attackers often leave a delay before delivering the payload.
I recommend following this guide if your site was attacked – note you will also need to get help cleaning up the TDL / TDSS rootkit if your computer was infected:
If you do not follow the whole guide, at least change your admin username to something that is not a variant of “admin”. The best thing we can do is clean up and educate users to help reduce the “reach” of the botnet.
Maybe this is the ultimate in vertical integration for porn copyright trolls. You get served with malware that illegally downloads porn from some site, then you get a letter from some law firm demanding $3000 or else they will jam you up like Jammie Thomas.
Sorry, not going to help with this kind of infection.
Why “SSHD-based brute force attacks”? From sites and servers I’ve had to clean up, I reckon a poorly coded web application (or wordpress plugin) and an outdated kernel with a privilege escalation vulnerability seems more likely.
Thanks for the post. Already changed the standard SSH port 22 on all servers and disabled password login. Using SSH keys now.
Is this post a joke? Are you *really* a security expert? chattr on a file? If you have the right to modify a file, you have the right to change its attributes too! In fact, the real security flaw in this example is that the unix user for the web service can change the web server configuration file. Every sysadmin knows that! The user that serves web content (www-data on linux) should not have the right to modify any /etc file.
Nope, not an expert, where do you see that?
I’m curious though, you state:
Really? I am pretty sure you have to be root, the superuser, to leverage chattr on NIX distros. Are you sure it’s all users when the file is writable?
I’m also confused, you mention:
Weird, I don’t recall making any reference to the change being made by the user that controls the web service. In fact, I make specific reference to making changes as root or the administrator user. Did I miss it?
Thanks for the insight and feedback.
Nice article. Maybe a silly question but how is an attacker able to modify /etc/httpd/conf.d/php.conf ? Wouldn’t the attacker need to have ssh root access to server? Or upload an evil script to the server somehow which is run as root?
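An added check, not code from the post or any of its commenters, covering the two points argued in the chattr exchange and the question above: the web-service account must not be able to write the web server configuration, and the immutable flag (chattr +i) can only be set or cleared with CAP_LINUX_IMMUTABLE, i.e. by root, so a compromised web user cannot drop it. It assumes Linux with GNU or busybox stat; the default path is the one named in the question, and the www-data user name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments: audit a web-server
# configuration file against the two points argued in the chattr discussion above.
# Assumes Linux with GNU or busybox `stat`; `lsattr` (e2fsprogs) is optional.
# The default path is the one named in the thread; the www-data name is an assumption.

# 0 if FILE is owned by WANT_OWNER (default root) and carries no group/other write bit,
# i.e. an unprivileged account such as www-data cannot edit it.
config_is_root_only() {
    file="$1"; want_owner="${2:-root}"
    [ -f "$file" ] || return 1
    owner=$(stat -c %U "$file") || return 1
    mode=$(stat -c %a "$file") || return 1       # e.g. 644 or 4755
    [ "$owner" = "$want_owner" ] || return 1
    other=${mode#"${mode%?}"}                     # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}                     # second-to-last octal digit
    for digit in "$group" "$other"; do
        case $digit in 2|3|6|7) return 1 ;; esac  # write bit (2) is set
    done
    return 0
}

# 0 if FILE has the immutable attribute (chattr +i), 1 if not, 2 if lsattr is missing.
# Setting or clearing +i needs CAP_LINUX_IMMUTABLE, i.e. root: a web-service user that
# can write the file still cannot drop the flag, which is what the reply above relies on.
config_is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 2
    flags=$(lsattr "$1" 2>/dev/null | cut -d' ' -f1)
    case $flags in *i*) return 0 ;; *) return 1 ;; esac
}

audit_config() {
    file="$1"
    if config_is_root_only "$file"; then
        echo "ok:   $file is root-owned and not group/world writable"
    else
        echo "WARN: $file is missing, not root-owned, or writable by a non-root account"
    fi
    rc=0; config_is_immutable "$file" || rc=$?
    case $rc in
        0) echo "ok:   $file is immutable; only root can clear the flag" ;;
        1) echo "note: $file is not immutable; 'chattr +i' as root would pin it" ;;
        *) echo "note: lsattr not found, immutable flag not checked" ;;
    esac
}

audit_config "${1:-/etc/httpd/conf.d/php.conf}"
```

Run it as root against each file under /etc that the web server reads; a WARN on any of them is the write path the commenter describes, and a file that is immutable but group-writable is still worth fixing.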
The fact is that Malsubjects will continue to cause havoc in cyberspace using everything they have in their power. It is time that we all realize that we are fighting a cyberwar where in many cases the malsubjects are winning many of these battles. It’s about time we defend ourselves with ALL we’ve