The recently observed Trojan, Sathurbot, offers a fascinating insight into the various parts of the malware-spreading ecosystem. The bot compromises websites, primarily those running WordPress, and uses them to spread malware to end users. Once it has infected those end users, it uses their machines to hack more websites, and then uses the newly compromised sites to spread more malware, launch attacks, host malware C&C servers, or push SEO spam.
The entire process starts by compromising a site. Once this site is compromised, it serves torrent files that masquerade as legitimate torrents. These torrents appear well seeded and show up in Bing or Google searches. Users trust these torrents and use them to download the movies or software that the torrents seem to offer. The downloaded files trick the user into running them by masquerading as legitimate software, and infect the user's computer. Once the malware has launched, the bot connects to its C&C servers and uses them to update itself. The C&C server can also push other malware executables to the infected system to perform further tasks.
The bot, once installed on the end user's computer, performs randomized search queries on websites, based on a set of 5000+ words that are randomly combined to form search phrases. These searches are used to harvest new domain names. Once these domains are harvested, the bot looks specifically for sites running WordPress (though some variants also look for Drupal, Joomla, and so on) and then sends the list of domains to the C&C server. The C&C server responds with a list of domain access credentials, and the botnet then probes the various sites, trying to log in with those credentials.
Note that the last statement said “the botnet probes” and not “the bot probes.” When a single IP tries a lot of logins, it typically gets blocked after 3 or 5 tries as part of brute-force mitigation. Sathurbot avoids this by ensuring that each bot tries to log in to a given site only once, which defeats most per-IP brute-force mitigations. The bot also attacks the WordPress XML-RPC API, though most attempts are made against the wp-login.php page.
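The one-attempt-per-IP pattern described above is exactly what a per-IP lockout rule cannot see, so the useful detection is to pivot on the target instead: count distinct source IPs that fail against the same site and account within a short window. The following is an added example, not code from the original post or from Barracuda; the log format (one line per login attempt with ip, site, endpoint, user and result fields) and all of the sample lines are constructed assumptions, in the style a WordPress login-audit plugin or reverse proxy could emit.

```python
"""Detecting a distributed, one-attempt-per-IP login campaign against a WordPress site."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). The line format is an
# assumption: one record per login attempt, written by a login-audit plugin or
# a reverse proxy in front of WordPress.
SAMPLE_LOG = """\
2017-04-06T10:00:01Z ip=203.0.113.10 site=blog.example endpoint=wp-login.php user=admin result=fail
2017-04-06T10:00:07Z ip=198.51.100.23 site=blog.example endpoint=wp-login.php user=admin result=fail
2017-04-06T10:00:15Z ip=192.0.2.77 site=blog.example endpoint=xmlrpc.php user=admin result=fail
2017-04-06T10:00:20Z ip=203.0.113.44 site=blog.example endpoint=wp-login.php user=admin result=fail
2017-04-06T10:00:31Z ip=198.51.100.9 site=blog.example endpoint=wp-login.php user=admin result=fail
2017-04-06T10:00:40Z ip=192.0.2.5 site=blog.example endpoint=wp-login.php user=admin result=fail
2017-04-06T10:01:02Z ip=203.0.113.200 site=blog.example endpoint=wp-login.php user=editor result=success
2017-04-06T10:05:00Z ip=203.0.113.200 site=shop.example endpoint=wp-login.php user=jane result=fail
2017-04-06T10:05:04Z ip=203.0.113.200 site=shop.example endpoint=wp-login.php user=jane result=fail
2017-04-06T10:05:09Z ip=203.0.113.200 site=shop.example endpoint=wp-login.php user=jane result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) site=(?P<site>\S+) endpoint=(?P<endpoint>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def per_ip_failures(events, threshold=5):
    """The classic rule: report IPs with at least `threshold` failed logins.

    Against a campaign where every bot tries once, this returns nothing.
    """
    counts = Counter(e["ip"] for e in events if e["result"] == "fail")
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_attacks(events, window=timedelta(minutes=10), min_sources=5):
    """Report (site, user) targets hit by failed logins from many distinct IPs
    inside one sliding time window, regardless of how few attempts each IP made."""
    by_target = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_target[(e["site"], e["user"])].append(e)

    findings = {}
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start:end+1] spans <= window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            per_ip = Counter(e["ip"] for e in window_evs)
            if len(per_ip) >= min_sources:
                findings[target] = {
                    "sources": len(per_ip),
                    "attempts": len(window_evs),
                    "max_per_ip": max(per_ip.values()),
                    "endpoints": sorted({e["endpoint"] for e in window_evs}),
                }
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_failures(evs) or "nothing")
    for target, info in distributed_attacks(evs).items():
        print("distributed campaign against", target, info)
```

On the sample data the per-IP rule flags nothing, because no single address fails more than twice, while the target-centric rule reports the `admin` account on `blog.example` as hit from six distinct sources with at most one attempt each, across both `wp-login.php` and `xmlrpc.php`. In practice the response to such a finding is per-account rather than per-IP: temporarily lock or step up authentication for the targeted account and alert on it, since blocking the source addresses one by one does not help.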
Last year, we saw a huge increase in the number of attacks against WordPress and similar CMS-based sites. In many cases, these attacks target vulnerabilities that have already been fixed: they arrive after the disclosure and after a patch is available, as with the recent WordPress REST API vulnerability. That specific vulnerability has led to about a million sites being compromised so far. There are two very specific reasons why this happens: the popularity of WordPress, and the fact that admins need time to update their WordPress installations without breaking their sites.
A hacked WordPress (or, really, any) website used to be hacked for defacement or to steal data. These days, compromised sites are put to much wider use, including serving as hosts for DDoS attacks, staging malware command-and-control servers, and distributing malware updates. This graph, taken from the Cisco Annual Security Report 2016, shows the drastic increase in the number of sampled WordPress domains being used by malware creators as a base of operations:
The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target the applications hosted on your web servers—and the sensitive or confidential data to which they have access. For more information on the Barracuda Web Application Firewall, visit the product page here. To get a risk-free 30-day trial of a physical appliance or virtual edition of the Barracuda WAF, visit this page.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn here.