Monday, July 21, 2014

Criminals Build Web Server-Powered Botnet To Steal Passwords (Cruxial)

By  | July 18, 2014

Russian researchers have found a new type of malware that takes control of Linux- and FreeBSD-based Web servers to form a powerful network for launching password-stealing attacks.
The researchers at Web provider Yandex call the malware Mayhem and say it is capable of compromising systems configured to restrict access to only select administrators, a security measure commonly used to protect servers.
A total of 1,400 servers have been compromised to date with most of them in the United States, Russia, Germany and Canada.
The paper on Mayhem was published July 17 by Virus Bulletin, a specialist security publication. The researchers are Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov.
What to Do: Keep server operating systems up to date to patch all known vulnerabilities. Enforce the use of strong passwords by employees accessing corporate networks.
The initial stage of the malware infection is the execution of a PHP (Hypertext Preprocessor) script. PHP is a server-side scripting language designed for web development.
In 2013, PHP was used on 244 million sites, according to Internet services company Netcraft. Roughly 80 percent of the sites were powered by Linux servers and almost 10 percent FreeBSD.
Once a server is compromised, Mayhem calls to a command-and-control server and downloads additional code. The purpose of the malware can vary.
One function is to look for websites with known vulnerabilities in order to extract information from pages.
The hackers also use the compromised servers for so-called brute-force attacks against sites based on WordPress and Joomla content management systems. Such an attack involves continuously trying password combinations in hopes of striking the actual credential.
The attacks are particularly effective against people who use easy-to-guess passwords. The most commonly used password on the Web in 2013 was "123456," followed by "password" and "12345678," according to the latest annual report by SplashData, a maker of password management applications.
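Brute-force campaigns of the kind described above leave a clear trace on the target server: a flood of POST requests to the login endpoints of WordPress (wp-login.php, xmlrpc.php) and Joomla (administrator/index.php) from a single source. The following is an added example, not code from the article or from the Yandex researchers, that scans web server access log lines in the common log format and flags any source that submits more login POSTs than a threshold within a sliding time window. The log lines are constructed for the example, using documentation IP ranges; the endpoint list, window and threshold are assumptions a defender would tune for their own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format: client IP, timestamp, request line, status.
# Only the fields needed for this check are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Login endpoints of the two CMSes the article names as brute-force targets
# (assumed list; extend it for other applications you host).
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php", "/administrator/index.php"}


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Map (ip, path) -> peak number of login POSTs seen inside any single
    `window`, for every pair whose peak reaches `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole scan
        ip, ts, method, path, _status = rec
        if method == "POST" and path in LOGIN_PATHS:
            attempts[(ip, path)].append(ts)

    flagged = {}
    for key, stamps in attempts.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # advance the window's left edge until it spans at most `window`
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


# Constructed sample log: one source hammers wp-login.php every 5 seconds
# (12 POSTs in a minute), a legitimate user logs in once, plus a garbage line.
SAMPLE_LOG = [
    f'203.0.113.5 - - [21/Jul/2014:10:15:{sec:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3412'
    for sec in range(0, 60, 5)
] + [
    '198.51.100.7 - - [21/Jul/2014:10:16:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2901',
    '198.51.100.7 - - [21/Jul/2014:10:16:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [21/Jul/2014:10:16:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for (ip, path), count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {count} login POSTs within 5 minutes")
```

Note that WordPress answers a failed login with HTTP 200 (it re-renders the form), so counting by status code alone would miss these attempts; counting POSTs to the login endpoint per source is the more reliable signal, and the flagged sources are natural candidates for rate limiting or a temporary block at the web server or firewall.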
The researchers said Mayhem was the continuation of a bigger brute-force campaign called Fort Disco.
In 2013, security vendor Arbor Networks reported that the attackers behind the malware had built a botnet comprising 25,000 compromised Windows computers. The criminals had hacked the passwords of thousands of Joomla-, WordPress- and DataLife Engine-based sites.
The researchers in the latest campaign warned that servers powered by Unix-based operating systems, such as Linux and FreeBSD, often contain known vulnerabilities.
This is because the "vast majority" of webmasters and system administrators have to update software manually and then test whether the update works properly.
"For ordinary websites, serious maintenance is quite expensive and often webmasters don’t have an opportunity to do it," the researchers said. "This means it is easy for hackers to find vulnerable web servers and to use such servers in their botnets."

