Botnet Launches DDoS Attacks Using Compromised Web-Servers
According to security researchers at Imperva, a botnet made up of web-servers rather than individual computers is being used to launch DDoS assaults, and it is even more destructive.
Because the compromised machines were probably the only servers at the organizations that ran them, their outbound traffic was likely not being monitored carefully.
A hacker named 'Exeman', responsible for the botnet, has infected some 400 web-servers using an ordinary PHP script of 40 lines. The script contains malware that can be used to launch DDoS assaults, Amichai Shulman, CTO of Imperva, revealed, as SCMagazine reported on May 12, 2010.
Through the malware's control panel and dashboard, the intended target's URL is entered and the IP port and the duration of the assault are configured, Shulman stated. Moreover, the hacker probably exploited a commonly found vulnerability, the remote-file-inclusion flaw, to take control of the servers.
To uncover the assault, Imperva obtained the source code that had attacked the server. Searching for it through Google brought up a list of servers the code had infected. Consequently, the security firm could observe when the hacker used one of the hijacked servers to execute an actual DoS assault against a Dutch ISP.
Specifically, during the DoS assault, Imperva saw that a pair of web-servers was attacking one unnamed ISP located in Holland. According to Shulman, the ISP was aware of the situation, as CNET News reported on May 12, 2010.
Explaining why the botnet hijacked web-servers instead of computers, Shulman stated that web-servers offer far more bandwidth for launching an attack, so fewer zombies are needed than when hijacking individual PCs. Also, a compromise of a web-server is less likely to be discovered, since web-servers normally do not run anti-virus solutions.
Shulman said that rather than 50 PCs, one could use just one server. Such an assault was also easier to maintain, as fewer machines were involved and the exploit was less likely to be detected.
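The point about unmonitored outbound traffic suggests the obvious defensive check: a web server answers inbound requests and rarely opens many outbound connections to one external host and port in a short window. The following is an added example, not code from the article or from Imperva, that runs that check over constructed flow records in the form "timestamp src_ip dst_ip dst_port bytes" (the record layout, the 10.0.0.0/8 internal range and the thresholds are all assumptions for illustration).

```python
"""Flag web servers that suddenly flood one external host:port with outbound connections.

Input is one flow record per line, "timestamp src_ip dst_ip dst_port bytes", as a
firewall or NetFlow exporter might produce. The data below is constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address space of the organisation's own servers.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sample (documentation ranges only):
#  - web01 (10.0.0.5) opens 30 outbound connections in 30 s to 203.0.113.9:80
#  - web02 (10.0.0.6) fetches from a mirror three times in an hour (benign)
#  - ordinary inbound client traffic to web01, which is not outbound and is ignored
SAMPLE_FLOWS = "\n".join(
    [f"{1273660000 + i} 10.0.0.5 203.0.113.9 80 {600 + i}" for i in range(30)]
    + [f"{1273660000 + i * 1200} 10.0.0.6 198.51.100.7 443 4096" for i in range(3)]
    + [f"{1273660000 + i} 192.0.2.1 10.0.0.5 80 512" for i in range(40)]
)


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_outbound_floods(flows: list[Flow], window_s: int = 60, min_conns: int = 20) -> dict:
    """Return {(src, dst, dport): peak_count} for internal sources that opened at least
    min_conns outbound flows to a single external host:port inside any window_s-second span."""
    per_key: dict = defaultdict(list)
    for f in flows:
        # Only internal -> external traffic matters; inbound requests are the server's job.
        if ip_address(f.src) in INTERNAL and ip_address(f.dst) not in INTERNAL:
            per_key[(f.src, f.dst, f.dport)].append(f.ts)

    alerts = {}
    for key, stamps in per_key.items():
        stamps.sort()
        # Sliding window over timestamps: largest number of flows in any window_s span.
        best, lo = 0, 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_conns:
            alerts[key] = best
    return alerts


if __name__ == "__main__":
    for (src, dst, dport), count in find_outbound_floods(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src} -> {dst}:{dport}: {count} outbound flows within 60 s")
```

On the sample, only web01's burst toward 203.0.113.9:80 is reported; web02's occasional mirror fetches and the inbound client traffic stay below the threshold or are never counted. In practice the threshold should be tuned per server role, since a server that legitimately calls one external API in bulk would otherwise trip it.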
Asked what purpose lay behind the assaults, Shulman answered that several DoS assaults were used to extort money from website-owners.
SPAMfighter News - 24-05-2010