Karamjit Posted November 3, 2015

Botnet infects machines via Linux binaries and PHP scripts

Akamai SIRT (Security Intelligence Research Team) discovered a new spam botnet in the wild, and according to the company's analysis, the botnet, named Torte, infects machines via ELF Linux binaries and PHP scripts placed on the server's filesystem. Akamai says the botnet is not the largest they've seen, but it is one of the largest in recent years, accounting for 83,000 infections across 2 of 4 infection layers. While ELF binary infections were found only on Linux machines, contaminated PHP scripts were found across all types of server operating systems, showing that the cyber-crooks behind this latest campaign have the capability to target a broader scope of vulnerable systems.

Torte bots dynamically assembled spam emails on the infected machines

Akamai was first alerted to the presence of this botnet when its SIRT team received a suspicious PHP script for analysis. This script was the "dropper" part of the botnet, responsible for downloading and infecting the machine with more specialized tools. Based on what type of operating system and hardware architecture it landed on, the dropper would download specific files that would handle a series of tasks. Most of them were identical, and using URLs hardcoded in the malicious files, the botnet's slaves would download email templates, start dynamically assembling emails based on C&C instructions, and then send them out to victims.

Poorly configured WordPress sites used as botnet slaves

When PHP scripts were used to infect machines, Akamai researchers were able to narrow down the source of these infections to WordPress sites using poor configuration and plugin practices. Funnily enough, the bad configuration practices allowed researchers to use a finely-tuned Google search to find infected sites that in some cases logged their error messages to publicly accessible directories.

Some of the earlier infections attributed to the Torte botnet were recorded as of November 7, 2014 (via PHP scripts) and mid-August 2014 (for ELF binaries). The ELF binaries were not detected as malware by antivirus engines. Akamai reports that 60% of all active infections resided in WordPress sites. Joomla accounted for only 4%.

Jetpack plugin was the biggest source of infection

Infection paths were linked back to WordPress plugin and theme files. Akamai detected 2,615 individual plugins across 16,374 domains, and 3,055 unique themes across 9,481 domains. By double-checking their list of detected plugins and themes against the list of vulnerable plugins and themes hosted by WPScan.org, Akamai was able to find that 70% of the plugins and 24% of the themes they've found were reported as vulnerable in the past. The biggest infringer was the Jetpack plugin from Automattic, the same company that makes WordPress. Akamai reported finding 1,768 sites with the infection being linked back to the Jetpack plugin. 59 versions of this plugin were found running on infected sites, and despite some of them being up to date, 76% were still lagging behind when it came to updates. The problem is that while the plugin may be up to date now, the infection could have taken place when the plugin was not updated when it should have been.

The botnet is not sophisticated, it's just large

Users that clicked on links inside the spam they would receive from this botnet would be directed to pages where ads were being hosted. Akamai suspects that these landing pages are also hosted on other, previously compromised servers. But there is some bad news as well. "The real heart of this botnet is the mailer layer and its 56k infections," says Akamai's SIRT. "Since it uses a simple encryption and communication scheme, it can easily be leveraged by any program or botnet that knows how to speak to it."

Its weak communications layer means that the botnet can be taken over by other cyber-crime groups by force. Its multi-layered structure shows that its authors have the capability to easily repurpose the botnet later on for other types of activities. Akamai says that the botnet is not highly efficient at what it does, employing a "shotgun approach," but that its size allows it to be quite successful in the end. The Akamai report comes with two shell scripts to help webmasters identify and clean out infected servers.
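The article names three things a webmaster can look for on their own server: plugins that have fallen behind on updates, ELF binaries dropped into the web tree, and PHP error logs written into publicly reachable directories. The script below is an added illustration of such an audit, not Akamai's scripts and not code from the report. It builds a small constructed WordPress-style directory in a temp folder (the plugin names, versions and the "minimum safe version" table are invented placeholders, not advisory data; a real audit would take that table from a vulnerability feed such as WPScan's), then parses each plugin's standard `Plugin Name:` / `Version:` header comment, flags versions below the placeholder minimum, finds files that start with the ELF magic bytes, and lists `error_log` / `*.log` files under the document root.

```python
"""Added example: audit a WordPress document root for the indicators
discussed in the article (outdated plugins, ELF files, exposed logs)."""
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file

# Matches the standard WordPress plugin header lines, e.g.
#   " * Plugin Name: Foo" or "Version: 1.2.3" inside the /* ... */ block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# PLACEHOLDER table, constructed for this example only. In practice it
# would be loaded from a vulnerability feed (e.g. WPScan) and mapped by slug.
MIN_SAFE_VERSION = {"jetpack": "4.0", "example-gallery": "2.0"}


def parse_version(text):
    """Turn '3.5.3' into (3, 5, 3) so versions compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", text))


def plugin_header(php_file):
    """Read only the head of the file (the header is at the top) and
    return a dict like {'Plugin Name': 'Jetpack', 'Version': '3.5.3'}."""
    return dict(HEADER_RE.findall(php_file.read_text(errors="replace")[:8192]))


def outdated_plugins(plugins_dir):
    """Return (slug, installed, minimum) for plugins below the placeholder
    minimum. The plugin's main file is the top-level .php carrying
    'Plugin Name:'; other .php files in the directory are ignored."""
    findings = []
    for pdir in sorted(Path(plugins_dir).iterdir()):
        if not pdir.is_dir():
            continue
        for php in sorted(pdir.glob("*.php")):
            hdr = plugin_header(php)
            if "Plugin Name" not in hdr:
                continue
            installed = hdr.get("Version", "0")
            minimum = MIN_SAFE_VERSION.get(pdir.name)
            if minimum and parse_version(installed) < parse_version(minimum):
                findings.append((pdir.name, installed, minimum))
            break
    return findings


def elf_files(root):
    """Paths (relative to root) of files whose first bytes are the ELF magic.
    Nothing under a web root should be a native executable."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            with p.open("rb") as fh:
                if fh.read(4) == ELF_MAGIC:
                    hits.append(str(p.relative_to(root)))
    return sorted(hits)


def exposed_logs(root):
    """PHP 'error_log' files or *.log files inside the served tree, the kind
    of artifact the article says was findable from the outside."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if p.is_file() and (p.name == "error_log" or p.suffix == ".log"))


def audit(root):
    root = Path(root)
    return {
        "outdated": outdated_plugins(root / "wp-content" / "plugins"),
        "elf": elf_files(root),
        "logs": exposed_logs(root),
    }


def build_sample_site():
    """CONSTRUCTED sample tree: three plugins, one ELF blob disguised as a
    cache file, one harmless JPEG, and one stray error_log."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    plugins = root / "wp-content" / "plugins"

    def plugin(slug, name, version):
        d = plugins / slug
        d.mkdir(parents=True)
        (d / f"{slug}.php").write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n")

    plugin("jetpack", "Jetpack", "3.5.3")            # below placeholder minimum
    plugin("example-gallery", "Example Gallery", "2.1")  # at/above minimum
    plugin("hello", "Hello Dolly", "1.6")            # not in the table
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir()
    (uploads / "cache.bin").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 61)
    (uploads / "image.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 16)
    (plugins / "hello" / "error_log").write_text("[03-Nov-2015 10:00:00] PHP Warning: constructed sample line\n")
    return root


if __name__ == "__main__":
    for key, value in audit(build_sample_site()).items():
        print(f"{key}: {value}")
```

Run it as-is to see the three finding lists for the constructed tree, or point `audit()` at a real document root. Reading only the first four bytes of each file keeps the ELF pass cheap on large upload directories, and matching on the plugin header rather than a filename pattern is what WordPress itself does when it lists installed plugins, so the slug-to-version mapping matches the admin screen.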