Analyzing the Fort Disco bruteforce campaign
In recent months, several researchers have highlighted an uptick in bruteforce password guessing attacks targeting blogging and content management systems. Arbor ASERT has been tracking a campaign we are calling Fort Disco that began in late May 2013 and is continuing. We’ve identified six related command-and-control (C&C) sites that control a botnet of over 25,000 infected Windows machines. To date, over 6,000 Joomla, WordPress, and Datalife Engine installations have been the victims of password guessing.
Background
Understanding an attack campaign by only analyzing a malware executable file is a Sisyphean task. The malware alone can be picked apart by disassemblers, poked and prodded in a sandbox, but by itself offers no clues into the size, scope, motivation, and impact of the attack campaign. It’s much like a historian finding a discarded weapon on an ancient battlefield. Several things can be inferred, but painting a complete picture is difficult.
Researchers have several techniques at their disposal to gauge the size of a botnet. They can sinkhole discarded domains or monitor traffic to live attack sites to observe infected hosts checking in to a C&C site. In rare instances, the controller of a botnet may inadvertently leave clues publicly accessible for anyone to observe.
The controller of the campaign we call Fort Disco, named after one of the strings found in the PE metadata field, inadvertently left publicly accessible log files that lay out a complete picture of the campaign. There are six C&C sites that we believe are related. The sites either share a subdomain or are co-hosted with each other, and have similar structures.
Windows malware
There are at least four variants of the Windows malware related to the Fort Disco campaign. A newly infected machine registers with the C&C site hardcoded into the malware:
> POST /cmd.php HTTP/1.0
>
> status=0
The malware then checks in to receive commands:
> GET /cmd.php HTTP/1.0
< 1
< 30
< http://[xxx]/10823.txt
< qazxsw
< 480
The command structure can vary, but the important commands are the third and fourth lines. The third line is a URL of a list of sites to attack. We've observed the target list being anywhere from 5,000 to 10,000 sites at a time. The C&C tends to give out the same list to multiple infections.
The fourth line is the password to use, and in some cases can be a URL to a password list. What's particularly interesting about this bruteforce list is that it supports the dynamic values {domain} and {zone}. These values are replaced with the target's domain name and top-level zone, respectively. For instance, if the malware were targeting a blog at www.example.com and was configured to use “{domain}” as a password, the malware would attempt logging in with the password “example”. The password lists we have observed range from 150 to 1,000 entries.
The malware has a URL of usernames hardcoded. The list is small, anywhere from one to five, and usually consists of “admin” or “administrator”. The login names also support {domain} values.
The malware will attempt to log in to each site on the target list with combinations of the supplied usernames and passwords. Successful username/password combinations are reported back to the C&C by posting to the file /bruteres.php. Results are appended to a text file that is publicly accessible via the web.
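The {domain}/{zone} substitution above means a site's own hostname is effectively part of the attacker's wordlist. The following added example (not code from the original post or from Arbor) implements that substitution as a defensive password-policy check a site owner can run against their own admin credentials. It assumes "domain" is the label left of the top-level zone and "zone" is the last label, which matches the www.example.com case the post gives; the template list is a constructed sample.

```python
"""Check admin credentials against Fort Disco style {domain}/{zone} templates."""

def split_host(hostname: str) -> tuple[str, str]:
    """Return (domain, zone) for a hostname.

    Assumption: 'domain' is the label immediately left of the top-level zone
    and 'zone' is the last label, so www.example.com -> ("example", "com").
    The post only shows that case; other layouts are not described.
    """
    labels = [l for l in hostname.lower().strip(".").split(".") if l]
    if len(labels) < 2:
        return (labels[0] if labels else "", "")
    return labels[-2], labels[-1]


def expand(template: str, hostname: str) -> str:
    """Substitute {domain} and {zone} the way the post describes.

    Works for both password and username templates, since the post says
    login names support {domain} as well.
    """
    domain, zone = split_host(hostname)
    return template.replace("{domain}", domain).replace("{zone}", zone)


# Constructed sample in the style of the lists the post describes; the real
# lists were 150 to 1,000 entries and are not reproduced here.
SAMPLE_TEMPLATES = ["admin", "123456", "password", "{domain}", "{domain}123",
                    "{domain}{zone}", "{domain}.{zone}", "qwerty"]


def guessable(hostname: str, password: str, templates=SAMPLE_TEMPLATES) -> bool:
    """True if this password is one the template list would produce for the host."""
    return any(expand(t, hostname) == password for t in templates)


def audit(hostname: str, credentials: dict, templates=SAMPLE_TEMPLATES) -> list:
    """Return usernames whose password the campaign's list would have hit."""
    return sorted(u for u, p in credentials.items() if guessable(hostname, p, templates))


if __name__ == "__main__":
    # Constructed credentials for illustration only.
    creds = {"admin": "example123", "editor": "correct horse battery staple"}
    print(audit("www.example.com", creds))  # ['admin']
```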
It’s unclear exactly how the malware gets installed. We found a reference to the malware’s original filename (maykl_lyuis_bolshaya_igra_na_ponizhenie.exe), the Russian title of Michael Lewis’ book “The Big Short: Inside The Doomsday Machine” transliterated, alongside an executable attachment. Another filename, proxycap_crack.exe, refers to a crack for the ProxyCap program. It’s unclear whether victims were enticed to run these files and, if so, whether that is the only means of infection. The C&C sites did not offer additional clues as to the infection mechanism.
The log files found on the C&C sites included the IP addresses of victims. Some level of skepticism is required, since we are analyzing data that could have been altered by the attacker. We found 25,611 unique IP addresses connecting to the six C&C sites. Confounding factors such as double-counting infections behind a NAT, and infected machines changing IP addresses, may affect the final tally.
The top three countries with infections are the Philippines, Peru, and Mexico. Interestingly, it seems the United States and Western Europe are underrepresented.
Compromised sites
Continuing to analyze the logs recovered from the C&C, we were able to compile a list of usernames and passwords for 6,127 sites. Only three types of platforms were targeted: Joomla (/administrator/index.php), WordPress (/wp-login.php), and Datalife Engine (/admin.php).
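Because the botnet spreads a target's password list across many infected hosts, a per-IP failed-login threshold alone can miss the campaign. The following added example (not code from the original post or from Arbor) runs detection logic over constructed combined-format access log lines for the three login paths named above: it flags individual source IPs that burst, and separately flags the distributed pattern where several distinct IPs POST to an admin login endpoint inside one window. Thresholds and sample lines are assumptions.

```python
"""Flag single-source and distributed login bursts against the three CMS login paths."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Admin login endpoints the post names for Joomla, WordPress and Datalife Engine.
LOGIN_PATHS = {"/administrator/index.php", "/wp-login.php", "/admin.php"}

# Apache/nginx combined log format, e.g. 10/Aug/2013:14:03:11 +0000 timestamps.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Aug/2013:14:03:11 +0000] "POST /wp-login.php HTTP/1.0" 200 3412',
    '203.0.113.5 - - [10/Aug/2013:14:03:12 +0000] "POST /wp-login.php HTTP/1.0" 200 3412',
    '198.51.100.7 - - [10/Aug/2013:14:03:15 +0000] "POST /wp-login.php HTTP/1.0" 200 3412',
    '192.0.2.9 - - [10/Aug/2013:14:03:20 +0000] "POST /administrator/index.php HTTP/1.0" 200 2201',
    '192.0.2.9 - - [10/Aug/2013:14:03:21 +0000] "GET /index.php HTTP/1.0" 200 8811',
    '198.51.100.7 - - [10/Aug/2013:14:09:40 +0000] "POST /wp-login.php HTTP/1.0" 302 0',
]

def parse(line):
    """Return (ip, timestamp, method, path) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def login_posts(lines):
    """Keep only POSTs to the three admin login endpoints, oldest first."""
    events = [e for e in map(parse, lines) if e and e[2] == "POST" and e[3] in LOGIN_PATHS]
    return sorted(events, key=lambda e: e[1])

def analyse(lines, window=timedelta(minutes=5), per_ip=5, distinct_ips=3):
    """Return (noisy_ips, distributed): IPs exceeding per_ip POSTs in any window,
    and whether any window saw at least distinct_ips different sources."""
    events = login_posts(lines)
    noisy, distributed = set(), False
    for _ip, ts, *_ in events:                       # window ends at each event
        counts = defaultdict(int)
        for ip2, ts2, *_ in events:
            if ts - window <= ts2 <= ts:
                counts[ip2] += 1
        noisy |= {ip for ip, n in counts.items() if n >= per_ip}
        distributed = distributed or len(counts) >= distinct_ips
    return sorted(noisy), distributed

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))  # ([], True): no single IP bursts, but three do together
```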
The attacker chooses the sites to attack, and judging by the top ten top-level domains among the sites for which usernames and passwords were listed, the selection appears to favor Russia.
The top ten passwords for these sites seem to indicate that these are targets of opportunity as these passwords are the “weakest of the weak”.
With the compromised credentials, the commander of the botnet also installed a variant of the “FilesMan” PHP backdoor onto 788 of the sites. This password-protected backdoor allows the attacker to browse the filesystem, upload or download files, and execute commands.
The ultimate intent of the campaign remains unclear. On several compromised sites we found two tools:
- A simple PHP-based redirector that sends browsers running Windows with either “MSIE”, “Firefox”, or “Opera” in the User-Agent to a website through several more layers of redirection ultimately landing on a Styx exploit kit.
- A WordPress plugin and supporting library to import posts from a Tumblr blog.
We were not able to find any evidence that the tools were actually used, but based on their nature, we can speculate that the intent of the attacker is to serve exploit kits on these compromised sites.
Attribution
There are several clues that lead us to believe the owner is based in a post-Soviet state:
- The majority of the sites targeted are in Russia or the Ukraine.
- All of the C&C sites are hosted in Russia or the Ukraine.
- A Russian error string which translates to “Unable to connect to database!” was found on several C&C sites.
- Although this appears to be the default, the character set of the FilesMan backdoor is set to “Windows-1251”, or the Cyrillic code page.
- The Datalife Engine platform appears to be popular in Russia.
Conclusion
Beginning with the Brobot attacks in early 2013, we’ve seen attackers focusing on targeting blogs and content management systems. This marks a tactical change in exploiting weak passwords and out-of-date software on popular platforms. By uploading a PHP shell to compromised sites, an attacker can easily issue commands to thousands of compromised sites in seconds.
Blogs and CMSs tend to be hosted in data centers with immense network bandwidth. Compromising multiple sites gives the attacker access to their combined bandwidth, much more powerful than a similarly sized botnet of home computers with limited network access by comparison. While we have no evidence the Fort Disco campaign is related to Brobot or denial-of-service activity, we’ve experienced the threat that a large blog botnet can deliver.
Related MD5 hashes
Author: Matthew Bing, Arbor ASERT Analyst.