Blog Sites and CMS Websites Attacked by ‘Fort Disco’ Botnet

Internet security firm Arbor Networks reports that a new botnet Fort Disco has been discovered which has infected over 25,000 Windows PCs and targeting blog sites and content management systems (CMS)es.

Threatpost.com reported on 7th August, 2013 quoting Matthew Bing, a Research Analyst with Arbor Security Engineering & Response Team (ASERT) as saying that we were capable to get such thorough insight into a reasonably young operation because of a mis-configuration on the part of attacker leaving logs uncovered on six C&C (command and control) servers which are discovered by Arbor.

Bing explained that the aforesaid operation or campaign started in May 2013 and Arbor has been monitoring it for around a month. The botnet purveys malware to Windows PCs. Once the malware verifies on a computer with a C&C server and obtains a list of CMS or content management system sites (CMS)es to infect with a listing of regular username and password combinations.

These are usually default permutations with options for password including 'admin' or '123456' or some combination.

V3.co.uk reported on 7th August 2013 quoting Bing as saying that the intention of collection of the password remains unclear although it is unquestionably only the initial phase of a bigger campaign as the cyber crooks usually left one of the two dormant tools on the victim's systems.

One was a PHP based redirector which could direct web browsers running Windows with IE (Internet Explorer), Mozilla Firefox or Opera to a web site connected to a Styx Exploit Kit and the second was a WordPress plug-in which could bring in posts from a Tumblr blog.

As the majority of sites targeted are in Russia or Ukraine, it is believed that the attackers behind the campaign are from post-Soviet states. Also a Russian error string was found on several command and control sites.

The top three countries infected are Philippines, Peru and Mexico.

Darkreading.com published a report on 7th August, 2013 stating "We have seen attackers targeting blogs and CMSes starting with the Brobot attacks in early 2013 and this marks a tactical change in exploiting weak passwords and out-of-date software on popular platforms."

» SPAMfighter News - 8/16/2013