Botnet Operators Infecting Servers, Not Just PCs

Filed under Malware

Botnet operators have always been able to easily infect and convert PCs into bots, but they also are increasingly going after servers — even building networks of compromised servers.

Web servers, FTP servers, and even SSL servers are becoming prime targets for botnet operators, not as command and control servers or as pure zombies, but more as a place to host their malicious code and files, or in some cases to execute high-powered spam runs.

“FTP servers are a hot commodity in the underground. They are regularly used by drive-by download malware as well as a downloading component for regular bots,” says Mikko Hypponen, chief research officer at F-Secure. “Another thing we’ve noticed is the use of SSL servers. Sites with a valid SSL certificate get hacked and are used by drive-by-downloads.”

Why SSL servers? “If a drive-by download gets the malware file through an HTTPS connection, proxy and gateway scanners won’t be able to scan for the malware in transit, making it easier to sneak in,” Hypponen explains.

Shadowserver, a nonprofit that tracks botnet activity, has seen botnets building their own networks of compromised servers as sort of sub-botnets for the botnet’s use. “Now we’re starting to see a botnet of servers … What’s interesting is we’re finding these networks of connected servers are under a certain person’s control,” says Andre DiMino, director of Shadowserver.

Botnet operators are using these networks of captured servers to expand their operations. The servers are used to host exploits, serve up drive-by downloads, and help them distribute more malware to the bot-infected PCs in the botnet, experts say.

For some time the bad guys have been hijacking FTP servers and using SQL injection to compromise legitimate Websites, which they in turn use to recruit more bots or to steal valuable credentials, data, or credit-card numbers. And some botnet operators are going after certain types of servers specifically to harness their horsepower and bandwidth. Joe Stewart, director of malware research for SecureWorks, says he sees bot code written in PHP and Perl that’s designed for server-based bots. These bots are typically used as spamming engines: “The general purpose of these attacks is to send spam, either email spam or blog spamming,” he says. “The benefits are having a large amount of bandwidth available and enhanced processing capacity to maximize the amount of spam you can send out.”

Source: DarkReading
