A new type of botnet composed of Web servers rather than PCs has been discovered launching distributed-denial-of-service attacks, security company Imperva said May 12.
The botnet, which consists of hundreds of Web servers, is a change of pace of sorts for attackers, who often use compromised PCs to build their botnets.
The botnet operators refer to themselves as Exeman. Infecting the servers with a malicious DDoS application, the attackers use a simple software program with a dashboard and control panel to configure the IP, port and duration of an attack. Then they insert the URL they want to target, click a button and go.
The source code of the application consists of just 90 lines of PHP code. While servers are often harder to compromise than PCs, they also provide greater horsepower for these kinds of DDoS attacks.
“While we don’t have direct evidence of how the servers were compromised, we do believe that it was a result of a ‘remote file include’ vulnerability typical of PHP,” Amichai Shulman, CTO of Imperva, told eWEEK in an e-mail. “This kind of vulnerability allows attackers to execute code from an attacker’s controlled server on the vulnerable PHP server. By using PHP code and compromising PHP-based servers, attackers are not bound to a specific OS platform or Web server type.
“The attack we witnessed was carried out by two compromised servers and was targeted against a hosting provider in the Netherlands,” Shulman continued. “The incident we observed lasted for a couple of minutes. It might have been just a trial run or a declaration of intent.”
Not much is known about the attackers at this point, he added, but the change in tactics shows hackers are always looking for ways to “get more bang for their buck.”
He noted, “Servers are easier to manage, you need fewer of them to create the same impact and it’s less likely that AV has been installed on them, meaning that compromised servers will last longer before detection.”